aboutsummaryrefslogtreecommitdiff
path: root/hw
diff options
context:
space:
mode:
authorbellard <bellard@c046a42c-6fe2-441c-8c8c-71466251a162>2005-04-10 14:51:41 +0000
committerbellard <bellard@c046a42c-6fe2-441c-8c8c-71466251a162>2005-04-10 14:51:41 +0000
commit40545f84cfcbe4b73cca040b3043a1c2de935762 (patch)
treeca199d3951319939d41c0c91a585e4c0c9de9518 /hw
parentd39c0b990a243fba280eb4222daf685491431a5b (diff)
downloadqemu-40545f84cfcbe4b73cca040b3043a1c2de935762.zip
qemu-40545f84cfcbe4b73cca040b3043a1c2de935762.tar.gz
qemu-40545f84cfcbe4b73cca040b3043a1c2de935762.tar.bz2
packet fix for for netware 3.11 (initial patch by Mark Jonckheere) - security bug fix
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@1363 c046a42c-6fe2-441c-8c8c-71466251a162
Diffstat (limited to 'hw')
-rw-r--r--hw/ne2000.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 79d3026..e1b656e 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -246,7 +246,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
{
NE2000State *s = opaque;
- int offset, page;
+ int offset, page, index;
addr &= 0xf;
#ifdef DEBUG_NE2000
@@ -264,10 +264,18 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
ne2000_update_irq(s);
}
if (val & E8390_TRANS) {
- qemu_send_packet(s->nd, s->mem + (s->tpsr << 8), s->tcnt);
+ index = (s->tpsr << 8);
+ /* XXX: next 2 lines are a hack to make netware 3.11 work */
+ if (index >= NE2000_PMEM_END)
+ index -= NE2000_PMEM_SIZE;
+ /* fail safe: check range on the transmitted length */
+ if (index + s->tcnt <= NE2000_PMEM_END) {
+ qemu_send_packet(s->nd, s->mem + index, s->tcnt);
+ }
/* signal end of transfert */
s->tsr = ENTSR_PTX;
s->isr |= ENISR_TX;
+ s->cmd &= ~E8390_TRANS;
ne2000_update_irq(s);
}
}