Martin Natano wrote:
> Below the uiomove() conversion for bpf. bd_hlen is a signed integer, but
> can't be negative, because it contains the size of a buffer. Thus, the
> conversion to size_t is ok.

Looks good. bd_hlen is assigned from bd_slen which is in turn computed
in bpf_catchpacket(). This function makes sure that bd_slen does not
exceed the size of a buffer.
 
> Index: net/bpf.c
> ===================================================================
> RCS file: /cvs/src/sys/net/bpf.c,v
> retrieving revision 1.132
> diff -u -p -u -r1.132 bpf.c
> --- net/bpf.c 7 Jan 2016 05:31:17 -0000       1.132
> +++ net/bpf.c 9 Jan 2016 11:03:33 -0000
> @@ -212,7 +212,7 @@ bpf_movein(struct uio *uio, u_int linkty
>       m->m_len = len;
>       *mp = m;
>  
> -     error = uiomovei(mtod(m, caddr_t), len, uio);
> +     error = uiomove(mtod(m, caddr_t), len, uio);
>       if (error)
>               goto bad;
>  
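Review bot: The commit message justifies the size_t conversion only for bd_hlen; the `len` argument at the uiomove() call in bpf_movein() gets no such justification. The declaration of `len` is outside this hunk, so please state in the commit message why it cannot be negative at this point, since a negative signed value would be converted to a very large size_t. If `len` is declared as a signed type, consider changing it to an unsigned one as part of this conversion.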
> @@ -488,7 +488,7 @@ bpfread(dev_t dev, struct uio *uio, int 
>        * We know the entire buffer is transferred since
>        * we checked above that the read buffer is bpf_bufsize bytes.
>        */
> -     error = uiomovei(d->bd_hbuf, d->bd_hlen, uio);
> +     error = uiomove(d->bd_hbuf, d->bd_hlen, uio);
>  
>       s = splnet();
>       d->bd_fbuf = d->bd_hbuf;
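Review bot: The safety of passing `d->bd_hlen` to uiomove() in bpfread() rests on an invariant that is not stated at the call site: the field is a signed integer and the conversion to size_t is only correct while it stays non-negative and no larger than the buffer. Consider recording that where the call is made, for example by extending the existing comment above the call or adding `KASSERT(d->bd_hlen >= 0);` before it. Changing the type of bd_hlen in a follow-up would let the type carry the invariant instead.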
> 
> cheers,
> natano
> 
