qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring len

From: Jason Wang
Subject: Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
Date: Thu, 20 Oct 2016 10:03:07 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 


On 2016年09月30日 13:36, P J P wrote:

   Hello Jason,

+-- On Fri, 30 Sep 2016, Jason Wang wrote --+
| On 2016年09月30日 02:57, P J P wrote:
| > The AMD PC-Net II emulator has set of control and status(CSR)
| > registers. Of these, CSR76 and CSR78 hold receive and transmit
| > descriptor ring length respectively. This ring length could range
| > from 1 to 65535. Setting ring length to zero leads to an infinite
| > loop in pcnet_rdra_addr. Add check to avoid it.
|
| In this case, we only need to protect RCVRL I believe? (since XMTRL were not
| used).

   XMTRL is not used in this case, but could be prone to similar issues. For
ex.

     static void pcnet_transmit(PCNetState *s)
     {
         int count = CSR_XMTRL(s) - 1;
         ...
         if (count--)
             goto txagain;
     }

If CSR_XMTRL is set to zero(0), 'count' would never reach zero and function
would continue to jump to 'txagain'.


Applied and tweak the commit log by mentioning pcnet_transmit() too.

Thanks



Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
reply via email to
[Prev in Thread] Current Thread [Next in Thread]