On 2 June 2016 at 07:44, P J P <ppan...@redhat.com> wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> When processing MIPSnet I/O port write operation, it uses a
> transmit buffer tx_buffer[MAX_ETH_FRAME_SIZE=1514]. Two indices
> 's->tx_written' and 's->tx_count' are used to control data written
> to this buffer. If the two were to be equal before writing, it'd
> lead to an OOB write access beyond tx_buffer. Add check to avoid it.
>
> Reported-by: Li Qiang <liqiang...@360.cn>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
>  hw/net/mipsnet.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
> index 740cd98..8d5e5bf 100644
> --- a/hw/net/mipsnet.c
> +++ b/hw/net/mipsnet.c
> @@ -158,7 +158,7 @@ static void mipsnet_ioport_write(void *opaque, hwaddr 
> addr,
>      trace_mipsnet_write(addr, val);
>      switch (addr) {
>      case MIPSNET_TX_DATA_COUNT:
> -       s->tx_count = (val <= MAX_ETH_FRAME_SIZE) ? val : 0;
> +        s->tx_count = (val < MAX_ETH_FRAME_SIZE) ? val : MAX_ETH_FRAME_SIZE;
>          s->tx_written = 0;
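Review bot: the new clamp on the `+` line does not by itself remove the condition the commit message describes, because a guest write of 0 to MIPSNET_TX_DATA_COUNT still yields `s->tx_count == 0` (`(0 < MAX_ETH_FRAME_SIZE) ? 0 : ...`), and with `s->tx_written` reset to 0 on the next line the two indices are equal before any data byte is written; whatever protects the data-write path against that case must therefore come from the rest of the patch (6 insertions, 4 deletions are listed but only this hunk is quoted), and the commit message should say so. Separately, this line is a guest-visible semantic change that the message does not mention: the old `(val <= MAX_ETH_FRAME_SIZE) ? val : 0` rejected an over-large count by storing 0, while `(val < MAX_ETH_FRAME_SIZE) ? val : MAX_ETH_FRAME_SIZE` silently clamps it, so reading the register back after an over-large write now returns MAX_ETH_FRAME_SIZE instead of 0. Either document the clamp (ideally with a pointer to what the device is specified to do) or keep the reject-to-0 behaviour and handle the equal-index case in the data-write path. Note that a count of exactly MAX_ETH_FRAME_SIZE was accepted before and is still accepted after (it hits the clamp and stays MAX_ETH_FRAME_SIZE), so the switch from `<=` to `<` does not move that boundary; the `-` line's seven-space indent being corrected to eight is fine but belongs in the message as a whitespace fix.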

This is a behaviour change -- the register will now read
back as MAX_ETH_FRAME_SIZE rather than 0 if written with
an overlarge value.

Do we have any documentation on how this (simulated)
device is supposed to behave in this case?

thanks
-- PMM
