On 09/01/2015 11:26 PM, Vladislav Yasevich wrote:
> rtl8139_do_receive() tries to check for the overflow condition
> by making sure that packet_size + 8 does not exceed the
> available buffer space. The issue here is that RxBufAddr,
> used to calculate available buffer space, is aligned to a
> 4 byte boundary after every update. So it is possible that
> every packet ends up being slightly padded when written
> to the receive buffer. This padding is not taken into
> account when checking for overflow and we may end up missing
> the overflow condition and causing buffer overwrite.
>
> This patch takes alignment into consideration when
> checking for overflow condition.
>
> Signed-off-by: Vladislav Yasevich <vyase...@redhat.com>
> ---
> hw/net/rtl8139.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
> index edbb61c..8a33466 100644
> --- a/hw/net/rtl8139.c
> +++ b/hw/net/rtl8139.c
> @@ -1148,7 +1148,9 @@ static ssize_t rtl8139_do_receive(NetClientState *nc,
> const uint8_t *buf, size_t
>
> /* if receiver buffer is empty then avail == 0 */
>
> - if (avail != 0 && size + 8 >= avail)
> +#define RX_ALIGN(x) (((x) + 3) & ~0x3)
> +
> + if (avail != 0 && RX_ALIGN(size + 8) >= avail)
> {
> DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
> "read 0x%04x === available 0x%04x need 0x%04x\n",
> @@ -1176,7 +1178,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc,
> const uint8_t *buf, size_t
> rtl8139_write_buffer(s, (uint8_t *)&val, 4);
>
> /* correct buffer write pointer */
> - s->RxBufAddr = MOD2((s->RxBufAddr + 3) & ~0x3, s->RxBufferSize);
> + s->RxBufAddr = MOD2(RX_ALIGN(s->RxBufAddr), s->RxBufferSize);
>
> /* now we can signal we have received something */
>
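Review bot: the `#define RX_ALIGN(x) (((x) + 3) & ~0x3)` in the first hunk is introduced in the middle of the body of rtl8139_do_receive(), right before the overflow check; define it once near the top of hw/net/rtl8139.c with the file's other macros (or as a static inline helper) instead, since the second hunk also uses it and a macro defined mid-function without a matching #undef stays visible to the rest of the translation unit. The corrected condition itself is sound: the write pointer is rounded up to a 4-byte boundary after every packet, so `size + 8 >= avail` could under-count by up to 3 bytes of padding, and comparing `RX_ALIGN(size + 8) >= avail` closes that gap. A one-line comment above the check saying the aligned length is compared because RxBufAddr is aligned after each write would save the next reader from re-deriving it.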
Reviewed-by: Jason Wang <jasow...@redhat.com>