From patchwork Sun Jan 19 22:59:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Finn Thain X-Patchwork-Id: 11340765 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2A92214B7 for ; Sun, 19 Jan 2020 23:09:17 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0B807206B7 for ; Sun, 19 Jan 2020 23:09:17 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0B807206B7 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=telegraphics.com.au Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Received: from localhost ([::1]:54810 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1itJgx-00063r-HY for patchwork-qemu-devel@patchwork.kernel.org; Sun, 19 Jan 2020 18:09:15 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:55897) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1itJfi-00049h-H4 for qemu-devel@nongnu.org; Sun, 19 Jan 2020 18:07:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1itJfh-0003la-42 for qemu-devel@nongnu.org; Sun, 19 Jan 2020 18:07:58 -0500 Received: from kvm5.telegraphics.com.au ([98.124.60.144]:54732) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1itJfh-0003l4-0C; Sun, 19 Jan 2020 18:07:57 -0500 Received: by kvm5.telegraphics.com.au (Postfix, from userid 502) id 45CEB29970; Sun, 19 Jan 2020 18:07:55 -0500 (EST) To: Jason Wang , qemu-devel@nongnu.org Message-Id: <8b743099e180360402c7362cca7f30c47abe49e1.1579474761.git.fthain@telegraphics.com.au> In-Reply-To: References: From: Finn Thain Subject: [PATCH v3 07/14] dp8393x: Implement packet size limit and RBAE interrupt Date: Mon, 20 Jan 2020 09:59:21 +1100 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [fuzzy] X-Received-From: 98.124.60.144 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Aleksandar Rikalo , =?utf-8?q?Herv=C3=A9_Po?= =?utf-8?q?ussineau?= , Laurent Vivier , qemu-stable@nongnu.org Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" Add a bounds check to prevent a large packet from causing a buffer overflow. This is defensive programming -- I haven't actually tried sending an oversized packet or a jumbo ethernet frame. The SONIC handles packets that are too big for the buffer by raising the RBAE interrupt and dropping them. Linux uses that interrupt to count dropped packets. Signed-off-by: Finn Thain Tested-by: Laurent Vivier --- Changed since v1: - Perform length check after Recieve Control Register initialization. --- hw/net/dp8393x.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c index 2e976781e2..0309365fda 100644 --- a/hw/net/dp8393x.c +++ b/hw/net/dp8393x.c @@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0) #define SONIC_TCR_CRCI 0x2000 #define SONIC_TCR_PINT 0x8000 +#define SONIC_ISR_RBAE 0x0010 #define SONIC_ISR_RBE 0x0020 #define SONIC_ISR_RDE 0x0040 #define SONIC_ISR_TC 0x0080 @@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); + if (pkt_size + 4 > dp8393x_rbwc(s) * 2) { + DPRINTF("oversize packet, pkt_size is %d\n", pkt_size); + s->regs[SONIC_ISR] |= SONIC_ISR_RBAE; + dp8393x_update_irq(s); + dp8393x_do_read_rra(s); + return pkt_size; + } + packet_type = dp8393x_receive_filter(s, buf, pkt_size); if (packet_type < 0) { DPRINTF("packet not for netcard\n");