From 3a8068f4ebb9f9500cf3d1805f5cfbd42e15ab12 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Wed, 29 Jan 2020 20:27:49 +1100 Subject: [PATCH] dp8393x: Implement packet size limit and RBAE interrupt Add a bounds check to prevent a large packet from causing a buffer overflow. This is defensive programming -- I haven't actually tried sending an oversized packet or a jumbo ethernet frame. The SONIC handles packets that are too big for the buffer by raising the RBAE interrupt and dropping them. Linux uses that interrupt to count dropped packets. Signed-off-by: Finn Thain Tested-by: Laurent Vivier Signed-off-by: Jason Wang (cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577) Signed-off-by: Michael Roth --- hw/net/dp8393x.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c index 04f58ee4e1f..ca8088c8392 100644 --- a/hw/net/dp8393x.c +++ b/hw/net/dp8393x.c @@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0) #define SONIC_TCR_CRCI 0x2000 #define SONIC_TCR_PINT 0x8000 +#define SONIC_ISR_RBAE 0x0010 #define SONIC_ISR_RBE 0x0020 #define SONIC_ISR_RDE 0x0040 #define SONIC_ISR_TC 0x0080 @@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); + if (pkt_size + 4 > dp8393x_rbwc(s) * 2) { + DPRINTF("oversize packet, pkt_size is %d\n", pkt_size); + s->regs[SONIC_ISR] |= SONIC_ISR_RBAE; + dp8393x_update_irq(s); + dp8393x_do_read_rra(s); + return pkt_size; + } + packet_type = dp8393x_receive_filter(s, buf, pkt_size); if (packet_type < 0) { DPRINTF("packet not for netcard\n"); -- 2.39.5