From: Jason Wang
Message-ID: <55E66862.7050201@redhat.com>
Date: Wed, 2 Sep 2015 11:09:22 +0800
In-Reply-To: <1441121206-6997-2-git-send-email-vyasevic@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 1/2] rtl8139: Fix receive buffer overflow check
To: Vladislav Yasevich, qemu-devel@nongnu.org
Cc: stefanha@redhat.com

On 09/01/2015 11:26 PM, Vladislav Yasevich wrote:
> rtl8139_do_receive() tries to check for the overflow condition
> by making sure that packet_size + 8 does not exceed the
> available buffer space. The issue here is that RxBuffAddr,
> used to calculate available buffer space, is aligned to a
> 4 byte boundary after every update. So it is possible that
> every packet ends up being slightly padded when written
> to the receive buffer. This padding is not taken into
> account when checking for overflow and we may end up missing
> the overflow condition, causing buffer overwrite.
>
> This patch takes alignment into consideration when
> checking for overflow condition.
>
> Signed-off-by: Vladislav Yasevich
> ---
> hw/net/rtl8139.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
> index edbb61c..8a33466 100644
> --- a/hw/net/rtl8139.c
> +++ b/hw/net/rtl8139.c
> @@ -1148,7 +1148,9 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t > > /* if receiver buffer is empty then avail == 0 */ > > - if (avail != 0 && size + 8 >= avail) > +#define RX_ALIGN(x) (((x) + 3) & ~0x3) > + > + if (avail != 0 && RX_ALIGN(size + 8) >= avail) > { > DPRINTF("rx overflow: rx buffer length %d head 0x%04x " > "read 0x%04x === available 0x%04x need 0x%04x\n", 
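Review bot: the #define of RX_ALIGN is placed inside rtl8139_do_receive, between the "receiver buffer is empty" comment and the if statement, but a macro is not scoped to the function, so it belongs at the top of hw/net/rtl8139.c next to the other helper macros (MOD2, which the second hunk uses, already lives there) or should become a static inline; a one-line comment that the check rounds size + 8 the same way the RxBufAddr update rounds the write pointer would also record why the alignment matters, so the two cannot drift apart again. The DPRINTF that follows reports a "need 0x%04x" value; its argument, outside this hunk, should now be the aligned length so the diagnostic matches what the check actually compares.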
> @@ -1176,7 +1178,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t > rtl8139_write_buffer(s, (uint8_t *)&val, 4); > > /* correct buffer write pointer */ > - s->RxBufAddr = MOD2((s->RxBufAddr + 3) & ~0x3, s->RxBufferSize); > + s->RxBufAddr = MOD2(RX_ALIGN(s->RxBufAddr), s->RxBufferSize); > > /* now we can signal we have received something */

Reviewed-by: Jason Wang
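Review bot: replacing (s->RxBufAddr + 3) & ~0x3 with RX_ALIGN(s->RxBufAddr) is behaviour-preserving and is the line that ties the write-pointer advance to the new overflow check, so this is the right change; it would be worth adding a regression test for the boundary it fixes, a frame whose size + 8 is just below avail but whose 4-byte-rounded length reaches avail, which must now be rejected.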
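Added illustration, not part of the patch or of QEMU's rtl8139.c: the pre- and post-patch overflow tests side by side with the padded slot size the write pointer actually consumes, scanned over a constructed 64-byte window to show the frame lengths that satisfy the old test while their 4-byte-rounded slot reaches avail, which is the case the patch closes and a useful regression check. The 8-byte header/CRC overhead and the 4-byte rounding come from the hunks; the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding the patch introduces: round up to the next 4-byte boundary. */
#define RX_ALIGN(x) (((x) + 3) & ~0x3)

/* Ring space one frame really consumes: 4-byte status/length header, the
 * payload, the 4-byte CRC, then the write pointer is rounded up to 4 bytes
 * (the second hunk of the patch). */
static uint32_t rx_slot_bytes(size_t size)
{
    return (uint32_t)RX_ALIGN(size + 8);
}

/* Pre-patch test: true when the frame is rejected as an overflow. */
static bool rx_overflow_before(uint32_t avail, size_t size)
{
    return avail != 0 && size + 8 >= avail;
}

/* Post-patch test: the padded length is what gets compared. */
static bool rx_overflow_after(uint32_t avail, size_t size)
{
    return avail != 0 && RX_ALIGN(size + 8) >= avail;
}

/* Count frame sizes in [0, limit) that the pre-patch test accepts even though
 * the padded slot breaks the driver's own rule that it must stay below avail. */
static int rx_count_missed(uint32_t avail, size_t limit)
{
    int missed = 0;
    for (size_t size = 0; size < limit; size++) {
        if (!rx_overflow_before(avail, size) && rx_slot_bytes(size) >= avail) {
            missed++;
        }
    }
    return missed;
}

int main(void)
{
    const uint32_t avail = 64;   /* constructed: 64 bytes left before the read pointer */
    for (size_t size = 0; size < avail; size++) {
        if (!rx_overflow_before(avail, size) && rx_overflow_after(avail, size)) {
            printf("size %zu: unpadded %zu < %u, padded %u -> now rejected\n",
                   size, size + 8, avail, rx_slot_bytes(size));
        }
    }
    return 0;
}
```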