[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 06/13] dp8393x: Implement packet size limit and RBAE interrupt
From: |
Finn Thain |
Subject: |
[PATCH v2 06/13] dp8393x: Implement packet size limit and RBAE interrupt |
Date: |
Fri, 20 Dec 2019 15:17:46 +1100 |
Add a bounds check to prevent a large packet from causing a buffer
overflow. This is defensive programming -- I haven't actually tried
sending an oversized packet or a jumbo ethernet frame.
The SONIC handles packets that are too big for the buffer by raising
the RBAE interrupt and dropping them. Linux uses that interrupt to
count dropped packets.
Signed-off-by: Finn Thain <address@hidden>
---
Changed since v1:
- Perform length check after Recieve Control Register initialization.
---
hw/net/dp8393x.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 593853244d..9d2c205dce 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ##
__VA_ARGS__); } while (0)
#define SONIC_TCR_CRCI 0x2000
#define SONIC_TCR_PINT 0x8000
+#define SONIC_ISR_RBAE 0x0010
#define SONIC_ISR_RBE 0x0020
#define SONIC_ISR_RDE 0x0040
#define SONIC_ISR_TC 0x0080
@@ -759,6 +760,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const
uint8_t * buf,
s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+ dp8393x_do_read_rra(s);
+ return pkt_size;
+ }
+
packet_type = dp8393x_receive_filter(s, buf, pkt_size);
if (packet_type < 0) {
DPRINTF("packet not for netcard\n");
--
2.23.0
- [PATCH v2 00/13] Fixes for DP8393X SONIC device emulation, Finn Thain, 2019/12/19
- [PATCH v2 03/13] dp8393x: Have dp8393x_receive() return the packet size, Finn Thain, 2019/12/19
- [PATCH v2 05/13] dp8393x: Clear RRRA command register bit only when appropriate, Finn Thain, 2019/12/19
- [PATCH v2 04/13] dp8393x: Update LLFA and CRDA registers from rx descriptor, Finn Thain, 2019/12/19
- [PATCH v2 09/13] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode, Finn Thain, 2019/12/19
- [PATCH v2 10/13] dp8393x: Pad frames to word or long word boundary, Finn Thain, 2019/12/19
- [PATCH v2 02/13] dp8393x: Clean up endianness hacks, Finn Thain, 2019/12/19
- [PATCH v2 08/13] dp8393x: Don't clobber packet checksum, Finn Thain, 2019/12/19
- [PATCH v2 06/13] dp8393x: Implement packet size limit and RBAE interrupt,
Finn Thain <=
- [PATCH v2 07/13] dp8393x: Don't stop reception upon RBE interrupt assertion, Finn Thain, 2019/12/19
- [PATCH v2 12/13] dp8393x: Always update RRA pointers and sequence numbers, Finn Thain, 2019/12/19
- [PATCH v2 11/13] dp8393x: Clear descriptor in_use field when necessary, Finn Thain, 2019/12/19
- [PATCH v2 13/13] dp8393x: Correctly advance RRP, Finn Thain, 2019/12/19
- [PATCH v2 01/13] dp8393x: Mask EOL bit from descriptor addresses, Finn Thain, 2019/12/19
- Re: [PATCH v2 00/13] Fixes for DP8393X SONIC device emulation, Laurent Vivier, 2019/12/20