On 2 June 2016 at 07:44, P J P <ppan...@redhat.com> wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > When processing MIPSnet I/O port write operation, it uses a > transmit buffer tx_buffer[MAX_ETH_FRAME_SIZE=1514]. Two indices > 's->tx_written' and 's->tx_count' are used to control data written > to this buffer. If the two were to be equal before writing, it'd > lead to an OOB write access beyond tx_buffer. Add check to avoid it. > > Reported-by: Li Qiang <liqiang...@360.cn> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/net/mipsnet.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c > index 740cd98..8d5e5bf 100644 > --- a/hw/net/mipsnet.c > +++ b/hw/net/mipsnet.c > @@ -158,7 +158,7 @@ static void mipsnet_ioport_write(void *opaque, hwaddr > addr, > trace_mipsnet_write(addr, val); > switch (addr) { > case MIPSNET_TX_DATA_COUNT: > - s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0; > + s->tx_count = (val < MAX_ETH_FRAME_SIZE) ? val : MAX_ETH_FRAME_SIZE; > s->tx_written = 0;
This is a behaviour change -- the register will now read back as MAX_ETH_FRAME_SIZE rather than 0 if written with an overlarge value. Do we have any documentation on how this (simulated) device is supposed to behave in this case? thanks -- PMM