From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44311) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCM8Q-00084w-Bt for qemu-devel@nongnu.org; Mon, 13 Jun 2016 03:18:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bCM8L-00056j-CQ for qemu-devel@nongnu.org; Mon, 13 Jun 2016 03:18:09 -0400 Received: from mx1.redhat.com ([209.132.183.28]:48442) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCM8L-00056R-6t for qemu-devel@nongnu.org; Mon, 13 Jun 2016 03:18:05 -0400 Date: Mon, 13 Jun 2016 12:47:55 +0530 (IST) From: P J P In-Reply-To: <575E2226.5010004@redhat.com> Message-ID: References: <1465382224-6791-1-git-send-email-ppandit@redhat.com> <575E2226.5010004@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Subject: Re: [Qemu-devel] [PATCH v2] net: mipsnet: check transmit buffer size before sending List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Jason Wang Cc: Peter Maydell , Li Qiang , Qemu Developers , Leon Alrae , Aurelien Jarno Hello Jason, +-- On Mon, 13 Jun 2016, Jason Wang wrote --+ | > case MIPSNET_TX_DATA_BUFFER: | > s->tx_buffer[s->tx_written++] = val; | | I believe we may still have a buffer overflow here, no? No, this is the overflow that the patch is meant to fix. | > - if (s->tx_written == s->tx_count) { | > + if ((s->tx_written >= MAX_ETH_FRAME_SIZE) | > + || (s->tx_written == s->tx_count)) { | > /* Send buffer. */ Earlier, send buffer would occur when if 'tx_written' reached 'tx_count'. With this patch, it'll also occur when 'tx_written' reaches maximum frame size. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F