Tree - rpms/qemu - src.fedoraproject.org

Blob History Raw

		4d7edd7	`From: Prasad J Pandit <pjp@fedoraproject.org>`
		4d7edd7	`Date: Fri, 30 Sep 2016 00:27:33 +0530`
		4d7edd7	`Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length`
		4d7edd7
		4d7edd7	`The AMD PC-Net II emulator has set of control and status(CSR)`
		4d7edd7	`registers. Of these, CSR76 and CSR78 hold receive and transmit`
		4d7edd7	`descriptor ring length respectively. This ring length could range`
		4d7edd7	`from 1 to 65535. Setting ring length to zero leads to an infinite`
		4d7edd7	`loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.`
		4d7edd7
		4d7edd7	`Reported-by: Li Qiang <liqiang6-s@360.cn>`
		4d7edd7	`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
		4d7edd7	`Signed-off-by: Jason Wang <jasowang@redhat.com>`
		4d7edd7	`(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)`
		4d7edd7	`---`
		4d7edd7	`hw/net/pcnet.c \| 3 +++`
		4d7edd7	`1 file changed, 3 insertions(+)`
		4d7edd7
		4d7edd7	`diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c`
		4d7edd7	`index 198a01f..3078de8 100644`
		4d7edd7	`--- a/hw/net/pcnet.c`
		4d7edd7	`+++ b/hw/net/pcnet.c`
		4d7edd7	`@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)`
		4d7edd7	`case 47: /* POLLINT */`
		4d7edd7	`case 72:`
		4d7edd7	`case 74:`
		4d7edd7	`+ break;`
		4d7edd7	`case 76: /* RCVRL */`
		4d7edd7	`case 78: /* XMTRL */`
		4d7edd7	`+ val = (val > 0) ? val : 512;`
		4d7edd7	`+ break;`
		4d7edd7	`case 112:`
		4d7edd7	`if (CSR_STOP(s) \|\| CSR_SPND(s))`
		4d7edd7	`break;`