[Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
From: Michael Roth
Subject: [Qemu-stable] [PATCH 015/156] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
Date: Tue, 8 Jul 2014 12:16:46 -0500
From: Peter Maydell <address@hidden>
The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.
Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/stellaris_enet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index 9dd77f7..8a1d0d1 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -252,10 +252,12 @@ static void stellaris_enet_write(void *opaque, hwaddr
offset,
s->tx_fifo[s->tx_fifo_len++] = value >> 24;
}
} else {
- s->tx_fifo[s->tx_fifo_len++] = value;
- s->tx_fifo[s->tx_fifo_len++] = value >> 8;
- s->tx_fifo[s->tx_fifo_len++] = value >> 16;
- s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
+ s->tx_fifo[s->tx_fifo_len++] = value;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 8;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 16;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ }
if (s->tx_fifo_len >= s->tx_frame_len) {
/* We don't implement explicit CRC, so just chop it off. */
if ((s->tctl & SE_TCTL_CRC) == 0)
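Review bot: the new guard at `+ if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {` discards the guest's word silently; since the commit message itself says the datasheet is unclear about this case, a one-line comment on the chosen behaviour (the word is lost) and a `qemu_log_mask(LOG_GUEST_ERROR, ...)` in the rejected path would make a guest FIFO overrun diagnosable rather than invisible. Only the `else` branch is guarded here: the sibling branch whose tail is visible as context at the top of the hunk (`s->tx_fifo[s->tx_fifo_len++] = value >> 24;`) should be checked for the same bounds protection. The unchanged `if (s->tx_fifo_len >= s->tx_frame_len)` check now runs even when the word was dropped, which is the intended separation of "can we store" from "should we transmit", so a dropped CRC word can still trigger transmission of the already-buffered frame; that matches the commit message and is worth a comment so it is not mistaken for a leftover.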
--
1.9.1
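The commit message describes the pattern the patch introduces: a bounded FIFO push that refuses a word that does not fit, kept separate from the "transmit now?" check. The following is an added example written for this page, not code from QEMU or from the patch author; it models the stellaris_enet transmit FIFO with an assumed 2048-byte capacity and assumed helper names (`fifo_push_word`, `fifo_should_transmit`, `simulate_guest_writes`) so that a guest writing one word more than the FIFO holds can be shown to lose exactly that word while `tx_fifo_len` never exceeds the array size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed FIFO capacity; stands in for sizeof(s->tx_fifo) in the device model. */
#define TX_FIFO_SIZE 2048
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))

/* Minimal stand-in for the device state touched by the patch. */
typedef struct {
    uint8_t tx_fifo[TX_FIFO_SIZE];
    int tx_fifo_len;    /* bytes currently buffered */
    int tx_frame_len;   /* frame length announced by the guest (-1 = not yet known) */
    int dropped_words;  /* words refused because the FIFO was full (constructed counter) */
} tx_state;

/* Bounded push in the shape of the patched else-branch: a 32-bit word is stored
 * little-endian only if all four bytes fit; otherwise it is lost, never written
 * past the end of the array. Returns whether the word was accepted. */
static bool fifo_push_word(tx_state *s, uint32_t value)
{
    if (s->tx_fifo_len + 4 <= (int)ARRAY_SIZE(s->tx_fifo)) {
        s->tx_fifo[s->tx_fifo_len++] = (uint8_t)value;
        s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 8);
        s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 16);
        s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(value >> 24);
        return true;
    }
    s->dropped_words++;   /* the datasheet is unclear; the patch's choice is "word lost" */
    return false;
}

/* The transmit decision is deliberately separate from the push, as in the patch:
 * it is evaluated after every write, whether or not the word was accepted. */
static bool fifo_should_transmit(const tx_state *s)
{
    return s->tx_frame_len >= 0 && s->tx_fifo_len >= s->tx_frame_len;
}

/* Constructed guest behaviour: announce a frame of frame_len bytes, then issue
 * 'words' 32-bit register writes. Returns how many words the FIFO accepted. */
static int simulate_guest_writes(tx_state *s, int frame_len, int words)
{
    memset(s, 0, sizeof(*s));
    s->tx_frame_len = frame_len;
    int accepted = 0;
    for (int i = 0; i < words; i++) {
        if (fifo_push_word(s, 0xA5A5A5A5u ^ (uint32_t)i)) {
            accepted++;
        }
    }
    return accepted;
}

/* Bytes the unpatched, unchecked path would have advanced tx_fifo_len by;
 * pure arithmetic so the demonstration never touches memory out of bounds. */
static int unchecked_len_after(int words)
{
    return words * 4;
}

int main(void)
{
    tx_state s;
    /* One word more than the FIFO holds: the last (CRC-sized) word is dropped. */
    int words = TX_FIFO_SIZE / 4 + 1;
    int accepted = simulate_guest_writes(&s, TX_FIFO_SIZE, words);
    printf("accepted=%d dropped=%d len=%d unchecked_len=%d transmit=%d\n",
           accepted, s.dropped_words, s.tx_fifo_len,
           unchecked_len_after(words), fifo_should_transmit(&s));
    return 0;
}
```

Run as-is, the program shows that 513 words yield 512 accepted, one dropped, `tx_fifo_len` pinned at 2048, while the unchecked arithmetic would have reached 2052, four bytes past the array; the transmit check still fires because the announced frame is complete.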