@@ -139,6 +139,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
#define SONIC_TCR_CRCI 0x2000
#define SONIC_TCR_PINT 0x8000
+#define SONIC_ISR_RBAE 0x0010
#define SONIC_ISR_RBE 0x0020
#define SONIC_ISR_RDE 0x0040
#define SONIC_ISR_TC 0x0080
@@ -751,6 +752,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
uint32_t checksum;
int size;
+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+ dp8393x_do_read_rra(s);
+ return pkt_size;
+ }
+
width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
Add a bounds check to prevent a large packet from causing a buffer overflow. This is defensive programming -- I haven't actually tried sending an oversized packet or a jumbo ethernet frame. The SONIC handles packets that are too big for the buffer by raising the RBAE interrupt and dropping them. Linux uses that interrupt to count dropped packets. Signed-off-by: Finn Thain <fthain@telegraphics.com.au> --- QEMU passes short packets to dp8393x_receive(). But a real SONIC rejects packets shorter than 64 bytes. For dp8393x, the effective limit is 60 bytes because packets passed to dp8393x_receive() lack a frame checksum. However, even 60 bytes proved too high and blocked ARP packets when I tried it. So the SONIC's mechanism for detecting runt packets (the RNT bit in the RCR register) remains unimplemented in dp8393x (i.e. they are still accepted). This packet length issue may have implications for guests that depend on the chip honouring the packet length threshold set in the EOBC register. --- hw/net/dp8393x.c | 9 +++++++++ 1 file changed, 9 insertions(+)