From: Jason Wang <jasowang@redhat.com>
To: P J P <ppandit@redhat.com>, QEMU Developers <qemu-devel@nongnu.org>
Cc: Yang Hongke <yanghongke@huawei.com>,
Prasad J Pandit <pjp@fedoraproject.org>
Subject: Re: [Qemu-devel] [PATCH] net: ne2000: check ring buffer control registers
Date: Fri, 5 Feb 2016 17:04:55 +0800 [thread overview]
Message-ID: <56B465B7.8000201@redhat.com> (raw)
In-Reply-To: <1454423392-7732-1-git-send-email-ppandit@redhat.com>
On 02/02/2016 10:29 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
> bytes to process network packets. Four registers PSTART,
> PSTOP, CURPAGE and BOUNDARY are used to control ring buffer
> access. Setting these registers to invalid values could
> lead to infinite loop or OOB r/w access issues. Add checks
> to avoid it.
>
> Reported-by: Yang Hongke <yanghongke@huawei.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/ne2000.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
> index 9dd0c67..b032212 100644
> --- a/hw/net/ne2000.c
> +++ b/hw/net/ne2000.c
> @@ -269,6 +269,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
>
> static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
> {
> + uint32_t v;
> NE2000State *s = opaque;
> int offset, page, index;
>
> @@ -309,17 +310,20 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
> offset = addr | (page << 4);
> switch(offset) {
> case EN0_STARTPG:
> - if (val << 8 <= NE2000_PMEM_END) {
> - s->start = val << 8;
> + v = val << 8;
> + if (v < NE2000_PMEM_END && v < s->stop) {
I suspect this could even work. Consider after realizing, s->stop is
zero, any attempt to set STARTPG will fail?
> + s->start = v;
> }
> break;
> case EN0_STOPPG:
> - if (val << 8 <= NE2000_PMEM_END) {
> - s->stop = val << 8;
> + v = val << 8;
> + if (v <= NE2000_PMEM_END && v > s->start) {
> + s->stop = v;
> }
> break;
> case EN0_BOUNDARY:
> - if (val << 8 < NE2000_PMEM_END) {
> + v = val << 8;
> + if (v >= s->start && v <= s->stop) {
> s->boundary = val;
This may not be sufficient, consider:
set start to 1
set stop to 100
set boundary to 50
then set stop to 10
I'm thinking maybe we need check during receiving like what we did in
dd793a74882477ca38d49e191110c17dfee51dcc?
> }
> break;
> @@ -362,7 +366,8 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
> s->phys[offset - EN1_PHYS] = val;
> break;
> case EN1_CURPAG:
> - if (val << 8 < NE2000_PMEM_END) {
> + v = val << 8;
> + if (v >= s->start && v <= s->stop) {
> s->curpag = val;
> }
> break;
next prev parent reply other threads:[~2016-02-05 9:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-02 14:29 [Qemu-devel] [PATCH] net: ne2000: check ring buffer control registers P J P
2016-02-05 9:04 ` Jason Wang [this message]
2016-02-05 9:29 ` [Qemu-devel] 答复: " yanghongke
2016-02-09 6:49 ` P J P
2016-02-09 6:47 ` [Qemu-devel] " P J P
2016-02-15 4:25 ` P J P
2016-02-23 3:27 ` Jason Wang
2016-02-23 8:28 ` P J P
2016-02-24 1:52 ` Jason Wang
2016-02-24 5:58 ` P J P
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56B465B7.8000201@redhat.com \
--to=jasowang@redhat.com \
--cc=pjp@fedoraproject.org \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=yanghongke@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.