diff options
| author | Prasad J Pandit | 2016-09-29 20:57:33 +0200 |
|---|---|---|
| committer | Jason Wang | 2016-10-26 03:57:59 +0200 |
| commit | 34e29ce754c02bb6b3bdd244fbb85033460feaff (patch) | |
| tree | fa2f1228043f4ea33ba3b7e9de9be0f65147fde2 | |
| parent | Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2016-10-25' into ... (diff) | |
| download | qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.tar.gz qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.tar.xz qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.zip | |
net: pcnet: check rx/tx descriptor ring length
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
| -rw-r--r-- | hw/net/pcnet.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 198a01f92d..3078de8aba 100644 --- a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) case 47: /* POLLINT */ case 72: case 74: + break; case 76: /* RCVRL */ case 78: /* XMTRL */ + val = (val > 0) ? val : 512; + break; case 112: if (CSR_STOP(s) || CSR_SPND(s)) break; |