summaryrefslogtreecommitdiffstats
path: root/hw/net
diff options
context:
space:
mode:
authorMauro Matteo Cascella2020-11-24 10:24:45 +0100
committerPeter Maydell2020-12-01 11:34:08 +0100
commit915976bd98a9286efe6f2e573cb4f1360603adf9 (patch)
treedec1c5f564261a5ebec0ba12d7b28af9c4858178 /hw/net
parentMerge remote-tracking branch 'remotes/elmarco/tags/libslirp-pull-request' int... (diff)
downloadqemu-915976bd98a9286efe6f2e573cb4f1360603adf9.tar.gz
qemu-915976bd98a9286efe6f2e573cb4f1360603adf9.tar.xz
qemu-915976bd98a9286efe6f2e573cb4f1360603adf9.zip
hw/net/dp8393x: fix integer underflow in dp8393x_do_transmit_packets()
An integer underflow could occur during packet transmission due to 'tx_len' not being updated if SONIC_TFC register is set to zero. Check for negative 'tx_len' when removing existing FCS. RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1899722 Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> Reported-by: Gaoning Pan <pgn@zju.edu.cn> Acked-by: Jason Wang <jasowang@redhat.com> Message-id: 20201124092445.658647-1-mcascell@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw/net')
-rw-r--r--hw/net/dp8393x.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 674b04b354..205c0decc5 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -495,6 +495,10 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
} else {
/* Remove existing FCS */
tx_len -= 4;
+ if (tx_len < 0) {
+ SONIC_ERROR("tx_len is %d\n", tx_len);
+ break;
+ }
}
if (s->regs[SONIC_RCR] & (SONIC_RCR_LB1 | SONIC_RCR_LB0)) {