[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-stable] [PATCH 13/40] rtl8139: Fix receive buffer overflow check
|
From: |
Michael Roth |
|
Subject: |
[Qemu-stable] [PATCH 13/40] rtl8139: Fix receive buffer overflow check |
|
Date: |
Wed, 21 Oct 2015 12:51:43 -0500 |
From: Vladislav Yasevich <address@hidden>
rtl8139_do_receive() tries to check for the overflow condition
by making sure that packet_size + 8 does not exceed the
available buffer space. The issue here is that RxBuffAddr,
used to calculate available buffer space, is aligned to a
a 4 byte boundry after every update. So it is possible that
every packet ends up being slightly padded when written
to the receive buffer. This padding is not taken into
account when checking for overflow and we may end up missing
the overflow condition can causing buffer overwrite.
This patch takes alignment into consideration when
checking for overflow condition.
Signed-off-by: Vladislav Yasevich <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit fabdcd3392f16fc666b1d04fc1bbe5f1dbbf10a4)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/rtl8139.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index edbb61c..8a33466 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1148,7 +1148,9 @@ static ssize_t rtl8139_do_receive(NetClientState *nc,
const uint8_t *buf, size_t
/* if receiver buffer is empty then avail == 0 */
- if (avail != 0 && size + 8 >= avail)
+#define RX_ALIGN(x) (((x) + 3) & ~0x3)
+
+ if (avail != 0 && RX_ALIGN(size + 8) >= avail)
{
DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
"read 0x%04x === available 0x%04x need 0x%04x\n",
@@ -1176,7 +1178,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc,
const uint8_t *buf, size_t
rtl8139_write_buffer(s, (uint8_t *)&val, 4);
/* correct buffer write pointer */
- s->RxBufAddr = MOD2((s->RxBufAddr + 3) & ~0x3, s->RxBufferSize);
+ s->RxBufAddr = MOD2(RX_ALIGN(s->RxBufAddr), s->RxBufferSize);
/* now we can signal we have received something */
--
1.9.1
- [Qemu-stable] [PATCH 00/40] Patch Round-up for stable 2.4.1, freeze on 2015-10-29, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 11/40] PPC: E500: Update u-boot to commit 79c884d7e4, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 12/40] s390x/css: start with cleared cstat/dstat, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 13/40] rtl8139: Fix receive buffer overflow check,
Michael Roth <=
- [Qemu-stable] [PATCH 15/40] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu thread init, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 14/40] rtl8139: Do not consume the packet during overflow in standard mode., Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 17/40] target-arm: Share all common TCG temporaries, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 16/40] virtio dataplane: adapt dataplane for virtio Version 1, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 18/40] qcow2: Make size_to_clusters() return uint64_t, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 01/40] scsi-disk: Fix assertion failure on WRITE SAME, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 23/40] slirp: Fix non blocking connect for w32, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 24/40] ide: unify io_buffer_offset increments, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 22/40] nbd: release exp->blk after all clients are closed, Michael Roth, 2015/10/21
- [Qemu-stable] [PATCH 19/40] ide: fix ATAPI command permissions, Michael Roth, 2015/10/21