diff options
| author | Prasad J Pandit <pjp@fedoraproject.org> | 2016-09-30 00:27:33 +0530 |
|---|---|---|
| committer | Jason Wang <jasowang@redhat.com> | 2016-10-26 09:57:59 +0800 |
| commit | 34e29ce754c02bb6b3bdd244fbb85033460feaff (patch) | |
| tree | fa2f1228043f4ea33ba3b7e9de9be0f65147fde2 /hw/net/pcnet.c | |
| parent | ede0cbeb7892bdf4a19128853a3a3c61a17fb068 (diff) | |
| download | qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.zip qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.tar.gz qemu-34e29ce754c02bb6b3bdd244fbb85033460feaff.tar.bz2 | |
net: pcnet: check rx/tx descriptor ring length
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'hw/net/pcnet.c')
| -rw-r--r-- | hw/net/pcnet.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c index 198a01f..3078de8 100644 --- a/hw/net/pcnet.c +++ b/hw/net/pcnet.c @@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) case 47: /* POLLINT */ case 72: case 74: + break; case 76: /* RCVRL */ case 78: /* XMTRL */ + val = (val > 0) ? val : 512; + break; case 112: if (CSR_STOP(s) || CSR_SPND(s)) break; |