From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:36558) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XF816-0005IL-2Z for qemu-devel@nongnu.org; Wed, 06 Aug 2014 16:41:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XF80w-0003vW-9N for qemu-devel@nongnu.org; Wed, 06 Aug 2014 16:41:00 -0400 Received: from e9.ny.us.ibm.com ([32.97.182.139]:38457) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XF80w-0003vQ-4G for qemu-devel@nongnu.org; Wed, 06 Aug 2014 16:40:50 -0400 Received: from /spool/local by e9.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 6 Aug 2014 16:40:49 -0400 From: Michael Roth Date: Wed, 6 Aug 2014 15:38:11 -0500 Message-Id: <1407357598-21541-2-git-send-email-mdroth@linux.vnet.ibm.com> In-Reply-To: <1407357598-21541-1-git-send-email-mdroth@linux.vnet.ibm.com> References: <1407357598-21541-1-git-send-email-mdroth@linux.vnet.ibm.com> Subject: [Qemu-devel] [PATCH 001/108] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org From: Peter Maydell The current tx_fifo code has a corner case where the guest can overrun the fifo buffer: if automatic CRCs are disabled we allow the guest to write the CRC word even if there isn't actually space for it in the FIFO. The datasheet is unclear about exactly how the hardware deals with this situation; the most plausible answer seems to be that the CRC word is just lost. Implement this fix by separating the "can we stuff another word in the FIFO" logic from the "should we transmit the packet now" check. This also moves us closer to the real hardware, which has a number of ways it can be configured to trigger sending the packet, some of which we don't implement. Signed-off-by: Peter Maydell Reviewed-by: Dr. David Alan Gilbert Cc: qemu-stable@nongnu.org (cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6) Signed-off-by: Michael Roth --- hw/net/stellaris_enet.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index d04e6a4..bd844cd 100644 --- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset, s->tx_fifo[s->tx_fifo_len++] = value >> 24; } } else { - s->tx_fifo[s->tx_fifo_len++] = value; - s->tx_fifo[s->tx_fifo_len++] = value >> 8; - s->tx_fifo[s->tx_fifo_len++] = value >> 16; - s->tx_fifo[s->tx_fifo_len++] = value >> 24; + if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) { + s->tx_fifo[s->tx_fifo_len++] = value; + s->tx_fifo[s->tx_fifo_len++] = value >> 8; + s->tx_fifo[s->tx_fifo_len++] = value >> 16; + s->tx_fifo[s->tx_fifo_len++] = value >> 24; + } if (s->tx_fifo_len >= s->tx_frame_len) { /* We don't implement explicit CRC, so just chop it off. */ if ((s->tctl & SE_TCTL_CRC) == 0) -- 1.9.1