From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45024) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYUZW-0005Pg-Ry for qemu-devel@nongnu.org; Wed, 24 Feb 2016 03:13:23 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aYUZS-0003VC-R4 for qemu-devel@nongnu.org; Wed, 24 Feb 2016 03:13:22 -0500
Received: from mx1.redhat.com ([209.132.183.28]:42737) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYUZS-0003Uz-MC for qemu-devel@nongnu.org; Wed, 24 Feb 2016 03:13:18 -0500
References: <1456294293-26027-1-git-send-email-ppandit@redhat.com>
From: Jason Wang
Message-ID: <56CD6614.1000106@redhat.com>
Date: Wed, 24 Feb 2016 16:13:08 +0800
MIME-Version: 1.0
In-Reply-To: <1456294293-26027-1-git-send-email-ppandit@redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v2] net: ne2000: check ring buffer control registers
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: P J P , Qemu Developers
Cc: Yang Hongke , Prasad J Pandit

On 02/24/2016 02:11 PM, P J P wrote:
> From: Prasad J Pandit
>
> Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
> bytes to process network packets. Registers PSTART & PSTOP
> define ring buffer size & location. Setting these registers
> to invalid values could lead to infinite loop or OOB r/w
> access issues. Add check to avoid it.
>
> Reported-by: Yang Hongke
> Signed-off-by: Prasad J Pandit
> ---
> hw/net/ne2000.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> Update per review:
> -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html
>
> diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
> index b032212..ced4666 100644
> --- a/hw/net/ne2000.c
> +++ b/hw/net/ne2000.c
> @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) > { > int avail, index, boundary; > > + if (s->stop <= s->start) { > + return 1; > + } > + > index = s->curpag << 8; > boundary = s->boundary << 8; > if (index < boundary)

Hongke, would you mind testing this patch to see if it fixes your issue and add a "Tested-by" tag?

Thanks
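Review bot: the new `if (s->stop <= s->start)` guard at the top of ne2000_buffer_full() only compares the two page registers against each other; nothing in this hunk bounds `s->stop` against NE2000_MEM_SIZE, which the commit message names as the source of the OOB read/write. If that upper bound is enforced elsewhere in ne2000.c, say so in the commit message; if it is not, the guard should also reject a `stop` page beyond the end of the ring memory. Two smaller points: a one-line comment above the check explaining why an empty or inverted ring (`stop == start` included) is reported as "full", so that ne2000_receive() drops the packet instead of looping, would save the next reader a trip to the archive link; and the commit message should mention that a guest which programs PSTART/PSTOP this way now sees dropped packets rather than an error, since that is the observable behaviour change.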