From patchwork Thu May 8 11:53:01 2014
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 29832
From: Peter Maydell
To: qemu-devel@nongnu.org
Cc: patches@linaro.org, "Michael S. Tsirkin", "Dr. David Alan Gilbert"
Subject: [PATCH v4 1/7] hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun
Date: Thu, 8 May 2014 12:53:01 +0100
Message-Id: <1399549987-18729-2-git-send-email-peter.maydell@linaro.org>

The current tx_fifo code has a corner case where the guest can overrun the fifo buffer: if automatic CRCs are disabled we allow the guest to write the CRC word even if there isn't actually space for it in the FIFO. The datasheet is unclear about exactly how the hardware deals with this situation; the most plausible answer seems to be that the CRC word is just lost.

Implement this fix by separating the "can we stuff another word in the FIFO" logic from the "should we transmit the packet now" check. This also moves us closer to the real hardware, which has a number of ways it can be configured to trigger sending the packet, some of which we don't implement.

Signed-off-by: Peter Maydell
Reviewed-by: Dr. David Alan Gilbert
Cc: qemu-stable@nongnu.org

--- hw/net/stellaris_enet.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c index d04e6a4..bd844cd 100644
--- a/hw/net/stellaris_enet.c +++ b/hw/net/stellaris_enet.c @@ -253,10 +253,12 @@ static void stellaris_enet_write(void *opaque, hwaddr offset, s->tx_fifo[s->tx_fifo_len++] = value >> 24; } } else { - s->tx_fifo[s->tx_fifo_len++] = value; - s->tx_fifo[s->tx_fifo_len++] = value >> 8; - s->tx_fifo[s->tx_fifo_len++] = value >> 16; - s->tx_fifo[s->tx_fifo_len++] = value >> 24; + if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo)) { + s->tx_fifo[s->tx_fifo_len++] = value; + s->tx_fifo[s->tx_fifo_len++] = value >> 8; + s->tx_fifo[s->tx_fifo_len++] = value >> 16; + s->tx_fifo[s->tx_fifo_len++] = value >> 24; + } if (s->tx_fifo_len >= s->tx_frame_len) { /* We don't implement explicit CRC, so just chop it off. */ if ((s->tctl & SE_TCTL_CRC) == 0)
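Review bot: The new `if (s->tx_fifo_len + 4 <= ARRAY_SIZE(s->tx_fifo))` guard in the else branch drops the guest's word silently, and the code carries no comment saying that this is deliberate. The rationale (datasheet unclear, CRC word assumed lost when there is no room) lives only in the commit message, so a short comment above the guard would keep a later reader from "fixing" the drop. Separately, the transmit test `s->tx_fifo_len >= s->tx_frame_len` that follows now depends on `tx_frame_len` never exceeding the FIFO capacity: once writes are being discarded `tx_fifo_len` stops advancing, so an oversized frame length would never trigger a send. The visible lines do not show where `tx_frame_len` is bounded, so it is worth confirming that the path which sets it clamps the guest-supplied length, or stating that assumption next to the check.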