diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2016-02-04 14:17:11 +0000 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-02-04 14:17:11 +0000 |
| commit | bac8e20367994991eebd94b4407179684a5995ce (patch) | |
| tree | 28856888a5c30ca1e0b9c6cdc1255e9ec53568e3 /hw | |
| parent | ae533a46a10a931ba45f4650ef2439ca87098bd5 (diff) | |
| parent | aa9156f4b1036ee7caf9d2a254dfc7147a084f41 (diff) | |
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Thu 04 Feb 2016 08:26:24 GMT using RSA key ID 398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F 3562 EF04 965B 398D 6211
* remotes/jasowang/tags/net-pull-request:
net/filter: Fix the output information for command 'info network'
net: always walk through filters in reverse if traffic is egress
net: netmap: use nm_open() to open netmap ports
e1000: eliminate infinite loops on out-of-bounds transfer start
slirp: Adding family argument to tcp_fconnect()
slirp: Make udp_attach IPv6 compatible
slirp: Add sockaddr_equal, make solookup family-agnostic
slirp: Factorizing and cleaning solookup()
slirp: Factorizing address translation
slirp: Make Socket structure IPv6 compatible
slirp: Adding address family switch for produced frames
slirp: Generalizing and neutralizing ARP code
slirp: goto bad in udp_input if sosendto fails
cadence_gem: fix buffer overflow
net: cadence_gem: check packet size in gem_recieve
qemu-doc: Do not promote deprecated -smb and -redir options
net/slirp: Tell the users when they are using deprecated options
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/net/cadence_gem.c | 12 | ||||
| -rw-r--r-- | hw/net/e1000.c | 6 |
2 files changed, 16 insertions, 2 deletions
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c index f9e409192b..0346f3e335 100644 --- a/hw/net/cadence_gem.c +++ b/hw/net/cadence_gem.c @@ -678,6 +678,10 @@ static ssize_t gem_receive(NetClientState *nc, const uint8_t *buf, size_t size) } else { unsigned crc_val; + if (size > sizeof(rxbuf) - sizeof(crc_val)) { + size = sizeof(rxbuf) - sizeof(crc_val); + } + bytes_to_copy = size; /* The application wants the FCS field, which QEMU does not provide. * We must try and calculate one. */ @@ -863,6 +867,14 @@ static void gem_transmit(CadenceGEMState *s) break; } + if (tx_desc_get_length(desc) > sizeof(tx_packet) - (p - tx_packet)) { + DB_PRINT("TX descriptor @ 0x%x too large: size 0x%x space 0x%x\n", + (unsigned)packet_desc_addr, + (unsigned)tx_desc_get_length(desc), + sizeof(tx_packet) - (p - tx_packet)); + break; + } + /* Gather this fragment of the packet from "dma memory" to our contig. * buffer. */ diff --git a/hw/net/e1000.c b/hw/net/e1000.c index 4eda7a3289..0387fa0646 100644 --- a/hw/net/e1000.c +++ b/hw/net/e1000.c @@ -909,7 +909,8 @@ start_xmit(E1000State *s) * bogus values to TDT/TDLEN. * there's nothing too intelligent we could do about this. */ - if (s->mac_reg[TDH] == tdh_start) { + if (s->mac_reg[TDH] == tdh_start || + tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); break; @@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) s->mac_reg[RDH] = 0; /* see comment in start_xmit; same here */ - if (s->mac_reg[RDH] == rdh_start) { + if (s->mac_reg[RDH] == rdh_start || + rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); set_ics(s, 0, E1000_ICS_RXO); |