aboutsummaryrefslogtreecommitdiff
path: root/hw/net/rtl8139.c
AgeCommit message (Collapse)AuthorFilesLines
2015-08-04rtl8139: check TCP Data Offset field (CVE-2015-5165)Stefan Hajnoczi1-0/+5
The TCP Data Offset field contains the length of the header. Make sure it is valid and does not exceed the IP data length. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: skip offload on short TCP header (CVE-2015-5165)Stefan Hajnoczi1-0/+5
TCP Large Segment Offload accesses the TCP header in the packet. If the packet is too short we must not attempt to access header fields: tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: check IP Total Length field (CVE-2015-5165)Stefan Hajnoczi1-1/+6
The IP Total Length field includes the IP header and data. Make sure it is valid and does not exceed the Ethernet payload size. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: check IP Header Length field (CVE-2015-5165)Stefan Hajnoczi1-11/+8
The IP Header Length field was only checked in the IP checksum case, but is used in other cases too. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)Stefan Hajnoczi1-0/+5
Transmit offload features access Ethernet and IP headers the packet. If the packet is too short we must not attempt to access header fields: int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); ... eth_payload_data = saved_buffer + ETH_HLEN; ... ip = (ip_header*)eth_payload_data; if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)Stefan Hajnoczi1-154/+151
The previous patch stopped using the ip pointer as an indicator that the IP header is present. When we reach the if (ip) {...} statement we know ip is always non-NULL. Remove the if statement to reduce nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-08-04rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)Stefan Hajnoczi1-19/+22
Transmit offload needs to parse packet headers. If header fields have unexpected values the offload processing is skipped. The code currently uses nested ifs because there is relatively little input validation. The next patches will add missing input validation and a goto label is more appropriate to avoid deep if statement nesting. Reported-by: 朱东海(启路) <donghai.zdh@alibaba-inc.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2015-02-26pci: Trivial device model conversions to realizeMarkus Armbruster1-4/+2
Convert the device models where initialization obviously can't fail. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com>
2015-02-10rtl8139: g_malloc() can't fail, bury dead error handlingMarkus Armbruster1-14/+0
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-02-06rtl8139: simplify timer logicPaolo Bonzini1-50/+27
Pavel Dovgalyuk reports that TimerExpire and the timer are not restored correctly on the receiving end of migration. It is not clear to me whether this is really the case, but we can take the occasion to get rid of the complicated code that computes PCSTimeout on the fly upon changes to IntrStatus/IntrMask. Just always keep a timer running, it will fire every ~130 seconds at most if the interrupt is masked with TimerInt != 0. This makes rtl8139_set_next_tctr_time idempotent (when the virtual clock is stopped between two calls, as is the case during migration). Tested with Frediano's qtest. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-id: 1421765099-26190-1-git-send-email-pbonzini@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-01-12net: remove all cleanup methods from NIC NetClientInfosPaolo Bonzini1-8/+0
All NICs have a cleanup function that, in most cases, zeroes the pointer to the NICState. In some cases, it frees data belonging to the NIC. However, this function is never called except when exiting from QEMU. It is not necessary to NULL pointers and free data here; the right place to do that would be in the device's unrealize function, after calling qemu_del_nic. Zeroing the NIC multiple times is also wrong for multiqueue devices. This cleanup function gets in the way of making the NetClientStates for the NIC hold an object_ref reference to the object, so get rid of it. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-11-21rtl8139: fix Pointer to local outside scopeGonglei1-0/+4
Coverity spot: Assigning: iov = struct iovec [3]({{buf, 12UL}, {(void *)dot1q_buf, 4UL}, {buf + 12, size - 12}}) (address of temporary variable of type struct iovec [3]). out_of_scope: Temporary variable of type struct iovec [3] goes out of scope. Pointer to local outside scope (RETURN_LOCAL) use_invalid: Using iov, which points to an out-of-scope temporary variable of type struct iovec [3]. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2014-10-15bootindex: move calling add_boot_device_patch to bootindex setter functionGonglei1-2/+0
On this way, we can assure the new bootindex take effect during vm rebooting. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-10-15rtl8139: add bootindex to qom propertyGonglei1-0/+10
Add a qom property with the same name 'bootindex', when we remove it form qdev property, things will continue to work just fine, and we can use qom features which are not supported by qdev property. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2014-08-18memory: remove memory_region_destroyPaolo Bonzini1-2/+0
The function is empty after the previous patch, so remove it. Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-06-16savevm: Remove all the unneeded version_minimum_id_old (x86)Juan Quintela1-6/+3
After previous Peter patch, they are redundant. This way we don't assign them except when needed. Once there, there were lots of case where the ".fields" indentation was wrong: .fields = (VMStateField []) { and .fields = (VMStateField []) { Change all the combinations to: .fields = (VMStateField[]){ The biggest problem (appart from aesthetics) was that checkpatch complained when we copy&pasted the code from one place to another. Signed-off-by: Juan Quintela <quintela@redhat.com> Acked-by: Alexey Kardashevskiy <aik@ozlabs.ru> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
2013-11-21Revert "e1000/rtl8139: update HMP NIC when every bit is written"Michael S. Tsirkin1-1/+4
This reverts commit cd5be5829c1ce87aa6b3a7806524fac07ac9a757. Digging into hardware specs shows this does not actually make QEMU behave more like hardware: There are valid arguments backed by the spec to indicate why the version of e1000 prior to cd5be582 was more correct: the high byte actually includes a valid bit, this is why all guests write it last. For rtl8139 there's actually a separate undocumented valid bit, but we don't implement it yet. To summarize all the drivers we know about behave in one way that allows us to make an assumption about write order and avoid spurious, incorrect mac address updates to the monitor. Let's stick to the tried heuristic for 1.7 and possibly revisit for 1.8. Reported-by: Vlad Yasevich <vyasevic@redhat.com> Reviewed-by: Vlad Yasevich <vyasevic@redhat.com> Cc: Amos Kong <akong@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-11-06e1000/rtl8139: update HMP NIC when every bit is writtenAmos Kong1-4/+1
We currently just update the HMP NIC info when the last bit of macaddr is written. This assumes that guest driver will write all the macaddr from bit 0 to bit 5 when it changes the macaddr, this is the current behavior of linux driver (e1000/rtl8139cp), but we can't do this assumption. The macaddr that is used for rx-filter will be updated when every bit is changed. This patch updates the e1000/rtl8139 nic to update HMP NIC info when every bit is changed. It will be same as virtio-net. Signed-off-by: Amos Kong <akong@redhat.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Message-id: 1383650238-16015-1-git-send-email-akong@redhat.com Signed-off-by: Anthony Liguori <aliguori@amazon.com>
2013-10-31Merge remote-tracking branch 'mst/tags/for_anthony' into stagingAnthony Liguori1-1/+1
pci, pc, acpi fixes, enhancements This includes some pretty big changes: - pci master abort support by Marcel - pci IRQ API rework by Marcel - acpi generation support by myself Everything has gone through several revisions, latest versions have been on list for a while without any more comments, tested by several people. Please pull for 1.7. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Tue 15 Oct 2013 07:33:48 AM CEST using RSA key ID D28D5469 # gpg: Can't check signature: public key not found * mst/tags/for_anthony: (39 commits) ssdt-proc: update generated file ssdt: fix PBLK length i386: ACPI table generation code from seabios pc: use new api to add builtin tables acpi: add interface to access user-installed tables hpet: add API to find it pvpanic: add API to access io port ich9: APIs for pc guest info piix: APIs for pc guest info acpi/piix: add macros for acpi property names i386: define pc guest info loader: allow adding ROMs in done callbacks i386: add bios linker/loader loader: use file path size from fw_cfg.h acpi: ssdt pcihp: updat generated file acpi: pre-compiled ASL files acpi: add rules to compile ASL source i386: add ACPI table files from seabios q35: expose mmcfg size as a property q35: use macro for MCFG property name ... Message-id: 1381818560-18367-1-git-send-email-mst@redhat.com Signed-off-by: Anthony Liguori <anthony@codemonkey.ws>
2013-10-18net/rtl8139: update network information when macaddr is changed in guestAmos Kong1-1/+5
rtl8139 has same problem as e1000, nic info isn't updated when macaddr is changed in guest. This patch updates the nic info when the last bit of macaddr is written. Signed-off-by: Amos Kong <akong@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-18net: update nic info during device resetAmos Kong1-0/+1
macaddr is reset during device reset, but nic info isn't updated, this problem exists in e1000 & rtl8139 Signed-off-by: Amos Kong <akong@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-10-14hw: set interrupts using pci irq wrappersMarcel Apfelbaum1-1/+1
pci_set_irq and the other pci irq wrappers use PCI_INTERRUPT_PIN config register to compute device INTx pin to assert/deassert. An irq is allocated using pci_allocate_irq wrapper only if is needed by non pci devices. Removed irq related fields from state if not used anymore. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-08-22aio / timers: Switch entire codebase to the new timer APIAlex Bligh1-14/+14
This is an autogenerated patch using scripts/switch-timer-api. Switch the entire code base to using the new timer API. Note this patch may introduce some line length issues. Signed-off-by: Alex Bligh <alex@alex.org.uk> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-07-29devices: Associate devices to their logical categoryMarcel Apfelbaum1-0/+1
The category will be used to sort the devices displayed in the command line help. Signed-off-by: Marcel Apfelbaum <marcel.a@redhat.com> Message-id: 1375107465-25767-4-git-send-email-marcel.a@redhat.com Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-07-23net/rtl8139: QOM parent field cleanupAndreas Färber1-39/+49
Replace direct uses of RTL8139State::dev with QOM casts and rename it to parent_obj. Acked-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-23net/rtl8139: QOM Upcast SweepPeter Crosthwaite1-8/+18
Define and use standard QOM cast macro. Remove usages of DO_UPCAST() and direct -> style upcasting. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Andreas Färber <afaerber@suse.de>
2013-07-04hw/n*: pass owner to memory_region_init* functionsPaolo Bonzini1-2/+4
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-07-04memory: add owner argument to initialization functionsPaolo Bonzini1-2/+2
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2013-05-24rtl8139: flush queued packets when RxBufPtr is writtenStefan Hajnoczi1-0/+3
Net queues support efficient "receive disable". For example, tap's file descriptor will not be polled while its peer has receive disabled. This saves CPU cycles for needlessly copying and then dropping packets which the peer cannot receive. rtl8139 is missing the qemu_flush_queued_packets() call that wakes the queue up when receive becomes possible again. As a result, the Windows 7 guest driver reaches a state where the rtl8139 cannot receive packets. The driver has actually refilled the receive buffer but we never resume reception. The bug can be reproduced by running a large FTP 'get' inside a Windows 7 guest: $ qemu -netdev tap,id=tap0,... -device rtl8139,netdev=tap0 The Linux guest driver does not trigger the bug, probably due to a different buffer management strategy. Reported-by: Oliver Francke <oliver.francke@filoo.de> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-04-08hw: move target-independent files to subdirectoriesPaolo Bonzini1-0/+3555
This patch tackles all files that are compiled once, moving them to subdirectories of hw/. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>