| 1 | # HG changeset patch |
|---|
| 2 | # User kfraser@localhost.localdomain |
|---|
| 3 | # Node ID 075f4ffdbbce5527ba525a515abe320703d17a0e |
|---|
| 4 | # Parent 51edd3c6a4d861db6ce1c9a02251ed49213c3002 |
|---|
| 5 | [QEMU] rtl8139: Disallow chaining above 64K |
|---|
| 6 | |
|---|
| 7 | As it stands the 8139C+ TX chaining is only bounded by realloc failure. |
|---|
| 8 | This is contrary to how the real hardware operates. It also has DoS |
|---|
| 9 | potential when ioemu runs in dom0. |
|---|
| 10 | |
|---|
| 11 | This patch makes any attempt to chain a frame beyond 64K fail |
|---|
| 12 | immediately. |
|---|
| 13 | |
|---|
| 14 | Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
|---|
| 15 | |
|---|
| 16 | Index: ioemu/hw/rtl8139.c |
|---|
| 17 | =================================================================== |
|---|
| 18 | --- ioemu.orig/hw/rtl8139.c 2006-12-08 18:21:36.000000000 +0000 |
|---|
| 19 | +++ ioemu/hw/rtl8139.c 2006-12-08 18:22:22.000000000 +0000 |
|---|
| 20 | @@ -1999,12 +1999,12 @@ |
|---|
| 21 | DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated space %d\n", s->cplus_txbuffer_len)); |
|---|
| 22 | } |
|---|
| 23 | |
|---|
| 24 | - while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len) |
|---|
| 25 | + if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len) |
|---|
| 26 | { |
|---|
| 27 | - s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE; |
|---|
| 28 | - s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len); |
|---|
| 29 | + free(s->cplus_txbuffer); |
|---|
| 30 | + s->cplus_txbuffer = NULL; |
|---|
| 31 | |
|---|
| 32 | - DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed to %d\n", s->cplus_txbuffer_len)); |
|---|
| 33 | + DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: %d\n", s->cplus_txbuffer_offset + txsize)); |
|---|
| 34 | } |
|---|
| 35 | |
|---|
| 36 | if (!s->cplus_txbuffer) |
|---|
