From: Jason Wang
Date: Wed, 15 Jun 2016 16:48:04 +0800
Subject: Re: [Qemu-devel] [PATCH v2] net: mipsnet: check transmit buffer size before sending
To: P J P
Cc: Peter Maydell, Leon Alrae, Li Qiang, Qemu Developers, Aurelien Jarno
Message-ID: <57611644.40607@redhat.com>
References: <1465382224-6791-1-git-send-email-ppandit@redhat.com> <575E2226.5010004@redhat.com>

On 2016-06-13 15:17, P J P wrote:
> Hello Jason,
>
> +-- On Mon, 13 Jun 2016, Jason Wang wrote --+
> | > case MIPSNET_TX_DATA_BUFFER:
> | > s->tx_buffer[s->tx_written++] = val;
> |
> | I believe we may still have a buffer overflow here, no?
>
> No, this is the overflow that the patch is meant to fix.
>
> | > - if (s->tx_written == s->tx_count) {
> | > + if ((s->tx_written >= MAX_ETH_FRAME_SIZE)
> | > + || (s->tx_written == s->tx_count)) {
> | > /* Send buffer. */
>
> Earlier, send buffer would occur when 'tx_written' reached 'tx_count'.
> With this patch, it'll also occur when 'tx_written' reaches maximum frame
> size.
>
> Thank you.

Ok, applied. I tend to remove mipsnet in the future (maybe 2.8).

Thanks

> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
>
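
Review bot: In the MIPSNET_TX_DATA_BUFFER case the store `s->tx_buffer[s->tx_written++] = val;` still runs before the new `s->tx_written >= MAX_ETH_FRAME_SIZE` test, so the bound is enforced only after the byte has been written. That is safe only if tx_written is always below the size of tx_buffer on entry, which depends on code outside the quoted lines (the declared size of tx_buffer and the reset of tx_written in the send branch). Checking the index before the store, for example by wrapping the write in `if (s->tx_written < MAX_ETH_FRAME_SIZE)`, would make the write safe without relying on that surrounding state. A comment on the new condition would also help: when the size cap fires before tx_written reaches tx_count, the buffer is sent with fewer bytes than tx_count, and nothing in the hunk records or reports that.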