From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:39328) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aZBeq-0005f4-Ou for qemu-devel@nongnu.org; Fri, 26 Feb 2016 01:13:45 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aZBei-0001Ti-EI for qemu-devel@nongnu.org; Fri, 26 Feb 2016 01:13:40 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59474) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aZBei-0001TT-8f for qemu-devel@nongnu.org; Fri, 26 Feb 2016 01:13:36 -0500 References: <1456294293-26027-1-git-send-email-ppandit@redhat.com> <56CD6614.1000106@redhat.com> From: Jason Wang Message-ID: <56CFED09.8060207@redhat.com> Date: Fri, 26 Feb 2016 14:13:29 +0800 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=gbk Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] =?utf-8?b?562U5aSNOiBbUEFUQ0ggdjJdIG5ldDogbmUyMDAw?= =?utf-8?q?=3A_check_ring_buffer_control_registers?= List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: yanghongke , P J P , Qemu Developers Cc: Prasad J Pandit On 02/24/2016 05:25 PM, yanghongke wrote: > Good day to you! > > After my test, I find that the issue is fixed with this patch. > When receiving packet, ne2000_buffer_full return 1, ne2000_receive imm= ediately return -1,so it avoid infinite loop or OOB r/w access issues. Thanks for the testing. (Btw please use bottom posting on the list). Apply the patch with your "Tested-by". > -----=D3=CA=BC=FE=D4=AD=BC=FE----- > =B7=A2=BC=FE=C8=CB: Jason Wang [mailto:jasowang@redhat.com]=20 > =B7=A2=CB=CD=CA=B1=BC=E4: 2016=C4=EA2=D4=C224=C8=D5 16:13 > =CA=D5=BC=FE=C8=CB: P J P; Qemu Developers > =B3=AD=CB=CD: yanghongke; Prasad J Pandit > =D6=F7=CC=E2: Re: [PATCH v2] net: ne2000: check ring buffer control reg= isters > > > > On 02/24/2016 02:11 PM, P J P wrote: >> From: Prasad J Pandit >> >> Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) bytes to process= =20 >> network packets. Registers PSTART & PSTOP define ring buffer size &=20 >> location. Setting these registers to invalid values could lead to=20 >> infinite loop or OOB r/w access issues. Add check to avoid it. >> >> Reported-by: Yang Hongke >> Signed-off-by: Prasad J Pandit >> --- >> hw/net/ne2000.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> Update per review: >> ->=20 >> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05522.html >> >> diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c index b032212..ced4666=20 >> 100644 >> --- a/hw/net/ne2000.c >> +++ b/hw/net/ne2000.c >> @@ -154,6 +154,10 @@ static int ne2000_buffer_full(NE2000State *s) { >> int avail, index, boundary; >> =20 >> + if (s->stop <=3D s->start) { >> + return 1; >> + } >> + >> index =3D s->curpag << 8; >> boundary =3D s->boundary << 8; >> if (index < boundary) > Hongke, would you mind to test this patch to see if it fixes your issue= and add a "Tested-by" tag? > > Thanks