git.ipfire.org Git - thirdparty/qemu.git/commit

author	Peter Maydell <peter.maydell@linaro.org>
	Fri, 7 Feb 2025 15:11:57 +0000 (15:11 +0000)
committer	Michael Tokarev <mjt@tls.msk.ru>
	Mon, 17 Feb 2025 12:50:29 +0000 (15:50 +0300)
commit	aead95c7fafdac3fe8380c1e9f1be38122eb1b7e
tree	640a1f486d0c434aa31f0ac7b392aff99dc92c44	tree
parent	4b1b34c1e7a9ff1fbdb3bdaf49e3868f6ea82f4d	commit \| diff

hw/net/smc91c111: Ignore attempt to pop from empty RX fifo

The SMC91C111 includes an MMU Command register which permits
the guest to remove entries from the RX FIFO. The datasheet
does not specify what happens if the guest tries to do this
when the FIFO is already empty; there are no status registers
containing error bits which might be applicable.

Currently we don't guard at all against pop of an empty
RX FIFO, with the result that we allow the guest to drive
the rx_fifo_len index to negative values, which will cause
smc91c111_receive() to write to the rx_fifo[] array out of
bounds when we receive the next packet.

Instead ignore attempts to pop an empty RX FIFO.

Cc: qemu-stable@nongnu.org
Fixes: 80337b66a8e7 ("NIC emulation for qemu arm-softmmu")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2780
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250207151157.3151776-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 937df81af6757638a7f1908747560dd342947213)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>