From 6b37c87c96a5b148685e8e6bf09d0aca953cb1a8 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin"
Date: Tue, 14 Sep 2010 13:48:17 +0200
Subject: vhost: fix infinite loop on error path

file.index is unsigned, hence 'while (--file.index >= 0)' will loop > forever. Change to while (file.index-- > 0).

Reported-by: Jes Sorensen
Signed-off-by: Michael S. Tsirkin
---
 hw/vhost_net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vhost_net.c b/hw/vhost_net.c
index 4a7b8194f2..c068be1f54 100644
--- a/hw/vhost_net.c
+++ b/hw/vhost_net.c
@@ -151,7 +151,7 @@ int vhost_net_start(struct vhost_net *net,
 return 0;
 fail:
 file.fd = -1;
- while (--file.index >= 0) {
+ while (file.index-- > 0) {
 int r = ioctl(net->dev.control, VHOST_NET_SET_BACKEND, &file);
 assert(r >= 0);
 }
-- cgit v1.2.3
From 78aeb23eded2d0b765bf9145c71f80025b568acd Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
Date: Sat, 18 Sep 2010 21:43:45 +0100
Subject: e1000: Pad short frames to minimum size (60 bytes)

The OpenIndiana (Solaris) e1000g driver drops frames that are too long or too short. It expects to receive frames of at least the Ethernet minimum size. ARP requests in particular are small and will be dropped if they are not padded appropriately, preventing a Solaris VM from becoming visible on the network.

Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S. Tsirkin
---
 hw/e1000.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/e1000.c b/hw/e1000.c
index 7d7d14002f..532efdc27d 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -55,6 +55,7 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL); #define IOPORT_SIZE 0x40 #define PNPMMIO_SIZE 0x20000 +#define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */ /* * HW models: 
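Review bot: In the `fail:` rollback loop of vhost_net_start (hw/vhost_net.c), `assert(r >= 0)` is still the only handling of a failed VHOST_NET_SET_BACKEND ioctl. If the build defines NDEBUG the check is compiled out and a backend that was not detached goes unnoticed; otherwise an error during cleanup aborts the whole process instead of returning the failure. Reporting the error would be safer, for example `if (r < 0) fprintf(stderr, "vhost: backend reset failed: %s\n", strerror(errno));`, assuming stdio and errno are usable in this file. Separately, the post-decrement leaves the unsigned file.index wrapped to its maximum value once the loop exits, so a short comment such as `/* file.index is unsigned: test before decrementing; do not use it after the loop */` would keep the original bug from being reintroduced. The function continues outside the hunk, so what happens after the loop is not visible here.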
@@ -635,10 +636,19 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size) uint32_t rdh_start; uint16_t vlan_special = 0; uint8_t vlan_status = 0, vlan_offset = 0; + uint8_t min_buf[MIN_BUF_SIZE]; if (!(s->mac_reg[RCTL] & E1000_RCTL_EN)) return -1; + /* Pad to minimum Ethernet frame length */ + if (size < sizeof(min_buf)) { + memcpy(min_buf, buf, size); + memset(&min_buf[size], 0, sizeof(min_buf) - size); + buf = min_buf; + size = sizeof(min_buf); + } + if (size > s->rxbuf_size) { DBGOUT(RX, "packet too large for buffers (%lu > %d)\n", (unsigned long)size, s->rxbuf_size); -- cgit v1.2.3
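Review bot: The `memset(&min_buf[size], 0, sizeof(min_buf) - size)` in the new padding block of e1000_receive is security-relevant and deserves a comment saying so. min_buf is an uninitialised stack array, and after `buf = min_buf` its full 60 bytes are presumably copied into the guest's receive buffers further down (outside the hunk), so without the zero fill stale host stack bytes would reach the guest. A comment such as `/* zero the tail: min_buf is on the stack and the whole buffer is handed to the guest */` would document that. Also note that `size` is reassigned to the padded length, so any later statistics or return value derived from `size` now report 60 rather than the length the caller passed; that should be confirmed as intended against the rest of the function, which is not visible here.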