[Qemu-stable] [PATCH 001/108] hw/net/stellaris_enet: Restructure tx_fifo
From: Michael Roth
Subject: [Qemu-stable] [PATCH 001/108] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
Date: Wed, 6 Aug 2014 15:38:11 -0500
From: Peter Maydell <address@hidden>
The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.
Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <address@hidden>
---
hw/net/stellaris_enet.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
index d04e6a4..bd844cd 100644
--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
@@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr
offset,
s->tx_fifo[s->tx_fifo_len++] = value >> 24;
}
} else {
- s->tx_fifo[s->tx_fifo_len++] = value;
- s->tx_fifo[s->tx_fifo_len++] = value >> 8;
- s->tx_fifo[s->tx_fifo_len++] = value >> 16;
- s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) {
+ s->tx_fifo[s->tx_fifo_len++] = value;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 8;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 16;
+ s->tx_fifo[s->tx_fifo_len++] = value >> 24;
+ }
if (s->tx_fifo_len >= s->tx_frame_len) {
/* We don't implement explicit CRC, so just chop it off. */
if ((s->tctl & SE_TCTL_CRC) == 0)
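Review bot: The new guard `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` discards the guest's word silently, while the transmit test right after it, `if (s->tx_fifo_len >= s->tx_frame_len)`, still depends on a `tx_frame_len` whose upper bound is not visible in this hunk. If `tx_frame_len` can be larger than `tx_fifo`, then `tx_fifo_len` stops growing once the FIFO is full and the send condition is never satisfied, so every later data write is dropped as well. Please either confirm that `tx_frame_len` is clamped to the FIFO size where it is set, or treat a full FIFO as a reason to transmit. A one-line comment on the guard stating that the excess word is intentionally lost (the reading of the datasheet given in the commit message) would also keep this from looking like an oversight later.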
--
1.9.1