authorPeter Maydell <peter.maydell@linaro.org>2016-08-09 10:44:27 +0100
committerPeter Maydell <peter.maydell@linaro.org>2016-08-09 10:44:27 +0100
commitab861f3915e8667927cf18ad97f71cae7ccf8818 (patch)
tree6b8917d16c174baeb34e5dd8ceec838cdaf2dca2
parent53279c76cf071fed07a336948d37c72e3613e0b7 (diff)
parenta0d1cbdacff5df4ded16b753b38fdd9da6092968 (diff)
Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging
# gpg: Signature made Tue 09 Aug 2016 08:28:39 BST
# gpg:                using RSA key 0xEF04965B398D6211
# gpg: Good signature from "Jason Wang (Jason Wang on RedHat) <jasowang@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 6211

* remotes/jasowang/tags/net-pull-request:
  hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
  net: vmxnet3: check for device_active before write
  net: check fragment length during fragmentation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-rw-r--r--hw/net/net_tx_pkt.c2
-rw-r--r--hw/net/vmxnet3.c4
-rw-r--r--hw/net/xilinx_ethlite.c4
3 files changed, 9 insertions, 1 deletions
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index efd43b47b8..53dfaa292c 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -590,7 +590,7 @@ static bool net_tx_pkt_do_sw_fragmentation(struct NetTxPkt *pkt,
 
         fragment_offset += fragment_len;
 
-    } while (more_frags);
+    } while (fragment_len && more_frags);
 
     return true;
 }
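Review bot: When `fragment_len` is zero while `more_frags` is still set, the new condition ends the loop but control falls through to `return true`, so a payload that was only partly fragmented is reported as sent. If callers act on the return value (not visible here), consider failing explicitly with `if (!fragment_len) { return false; }` right after the fragment is fetched, which would also keep a zero-length fragment from reaching the send path. At minimum, a comment above the `while` such as `/* a zero-length fragment makes no progress; stop instead of looping forever */` would record why the check exists. The body of net_tx_pkt_do_sw_fragmentation starts outside this hunk, so where the fragment is fetched and sent is inferred.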
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index bbf44adbcc..90f6943668 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1167,6 +1167,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
 {
     VMXNET3State *s = opaque;
 
+    if (!s->device_active) {
+        return;
+    }
+
     if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
                         VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
         int tx_queue_idx =
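Review bot: The new early return at the top of vmxnet3_io_bar0_write drops every BAR0 write while `device_active` is false, with no comment or trace saying why. A comment such as `/* queues are not set up until the device is activated; ignore guest writes until then */` would document the intent, which is inferred here from the commit subject. Logging the ignored write as a guest error would make a misbehaving driver visible instead of silently ignored. It is also worth confirming that no register handled later in this function has to stay writable before activation; the rest of the function is outside the hunk.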
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
index 54db2b83bd..35de353b7c 100644
--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
     }
 
     D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
+    if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
+        D(qemu_log("ethlite packet is too big, size=%x\n", size));
+        return -1;
+    }
     memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
 
     s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
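Review bot: The added bound in eth_rx is measured against `R_MAX`, the end of the register array, rather than the end of the receive buffer selected by `rxbase`. That stops the `memcpy` from running off `s->regs`, but if control registers such as `R_RX_CTRL0` or a second buffer sit between this buffer and `R_MAX` (the layout is not visible here), an oversized frame can still overwrite them. Comparing `size` with the per-buffer capacity would close that gap. Separately, the new debug line prints a `size_t` with `%x`; it should be `D(qemu_log("ethlite packet is too big, size=%zx\n", size));`. The start of eth_rx is outside this hunk.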