From: Jason Wang <jasowang@redhat.com>
To: peter.maydell@linaro.org
Cc: Jason Wang <jasowang@redhat.com>,
	qemu-devel@nongnu.org, Finn Thain <fthain@telegraphics.com.au>
Subject: [PULL V2 07/23] dp8393x: Implement packet size limit and RBAE interrupt
Date: Tue,  3 Mar 2020 18:10:26 +0800
Message-ID: <1583230242-14597-8-git-send-email-jasowang@redhat.com>
In-Reply-To: <1583230242-14597-1-git-send-email-jasowang@redhat.com>

From: Finn Thain <fthain@telegraphics.com.au>

Add a bounds check to prevent a large packet from causing a buffer
overflow. This is defensive programming -- I haven't actually tried
sending an oversized packet or a jumbo ethernet frame.

The SONIC handles packets that are too big for the buffer by raising
the RBAE interrupt and dropping them. Linux uses that interrupt to
count dropped packets.

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 hw/net/dp8393x.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index b5a9c6a..911f59e 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
 #define SONIC_TCR_CRCI   0x2000
 #define SONIC_TCR_PINT   0x8000
 
+#define SONIC_ISR_RBAE   0x0010
 #define SONIC_ISR_RBE    0x0020
 #define SONIC_ISR_RDE    0x0040
 #define SONIC_ISR_TC     0x0080
@@ -772,6 +773,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
         SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
 
+    if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+        DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+        s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+        dp8393x_update_irq(s);
+        dp8393x_do_read_rra(s);
+        return pkt_size;
+    }
+
     packet_type = dp8393x_receive_filter(s, buf, pkt_size);
     if (packet_type < 0) {
         DPRINTF("packet not for netcard\n");
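Review bot: The new size check in dp8393x_receive() runs before dp8393x_receive_filter(), so an oversized frame that the filter would reject as "packet not for netcard" still sets SONIC_ISR_RBAE, updates the IRQ and calls dp8393x_do_read_rra(); consider moving the check after the filter so that only frames the card would accept raise the interrupt the guest uses to count drops. The constants in `pkt_size + 4 > dp8393x_rbwc(s) * 2` are unexplained: a short comment saying what the 4 extra bytes are (presumably the trailing checksum) and why the word count is doubled (presumably words to bytes) would make the bound auditable. If pkt_size is a size_t (its declaration is cut off in the hunk header), the `%d` in the new DPRINTF should be `%zu`. The commit message says the oversized path was never exercised, so a test that delivers a frame larger than the receive buffer would be worth adding before relying on this check.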
-- 
2.5.0


