[PATCH 33/78] dp8393x: Implement packet size limit and RBAE interrupt
From: Michael Roth
Subject: [PATCH 33/78] dp8393x: Implement packet size limit and RBAE interrupt
Date: Tue, 16 Jun 2020 09:15:02 -0500
From: Finn Thain <fthain@telegraphics.com.au>

Add a bounds check to prevent a large packet from causing a buffer
overflow. This is defensive programming -- I haven't actually tried
sending an oversized packet or a jumbo ethernet frame.

The SONIC handles packets that are too big for the buffer by raising
the RBAE interrupt and dropping them. Linux uses that interrupt to
count dropped packets.

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/net/dp8393x.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 04f58ee4e1..ca8088c839 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ##
__VA_ARGS__); } while (0)
#define SONIC_TCR_CRCI 0x2000
#define SONIC_TCR_PINT 0x8000
+#define SONIC_ISR_RBAE 0x0010
#define SONIC_ISR_RBE 0x0020
#define SONIC_ISR_RDE 0x0040
#define SONIC_ISR_TC 0x0080
@@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const
uint8_t * buf,
s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+ dp8393x_do_read_rra(s);
+ return pkt_size;
+ }
+
packet_type = dp8393x_receive_filter(s, buf, pkt_size);
if (packet_type < 0) {
DPRINTF("packet not for netcard\n");
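Review bot: The oversize check in dp8393x_receive() runs before dp8393x_receive_filter(), so an oversized frame that the filter would have rejected as "packet not for netcard" still sets SONIC_ISR_RBAE and raises an interrupt. Since the commit message says Linux uses this interrupt to count dropped packets, consider moving the check below the filter so that only frames the device would otherwise have accepted are counted. The constants in `pkt_size + 4 > dp8393x_rbwc(s) * 2` are also unexplained: a short comment saying what the 4 extra bytes account for, and that the word count is being scaled to bytes, would make the bound reviewable against the later buffer write. The DPRINTF prints pkt_size with %d, but its declaration is cut off in the hunk header; if it is a size_t the format should be %zu. The commit message notes the path was not exercised with an oversized frame, so a test that sends one and checks that RBAE is set and the frame is dropped would be worth adding.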
--
2.17.1