diff options
author | Mauro Matteo Cascella | 2020-11-24 10:24:45 +0100 |
---|---|---|
committer | Peter Maydell | 2020-12-01 11:34:08 +0100 |
commit | 915976bd98a9286efe6f2e573cb4f1360603adf9 (patch) | |
tree | dec1c5f564261a5ebec0ba12d7b28af9c4858178 /hw/net | |
parent | Merge remote-tracking branch 'remotes/elmarco/tags/libslirp-pull-request' int... (diff) | |
download | qemu-915976bd98a9286efe6f2e573cb4f1360603adf9.tar.gz qemu-915976bd98a9286efe6f2e573cb4f1360603adf9.tar.xz qemu-915976bd98a9286efe6f2e573cb4f1360603adf9.zip |
hw/net/dp8393x: fix integer underflow in dp8393x_do_transmit_packets()
An integer underflow could occur during packet transmission due to 'tx_len' not
being updated if SONIC_TFC register is set to zero. Check for negative 'tx_len'
when removing existing FCS.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1899722
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-id: 20201124092445.658647-1-mcascell@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/net')
-rw-r--r-- | hw/net/dp8393x.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c index 674b04b354..205c0decc5 100644 --- a/hw/net/dp8393x.c +++ b/hw/net/dp8393x.c @@ -495,6 +495,10 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) } else { /* Remove existing FCS */ tx_len -= 4; + if (tx_len < 0) { + SONIC_ERROR("tx_len is %d\n", tx_len); + break; + } } if (s->regs[SONIC_RCR] & (SONIC_RCR_LB1 | SONIC_RCR_LB0)) { |