From: Cédric Le Goater Date: Tue, 1 Sep 2020 12:21:50 +0000 (+0200) Subject: ftgmac100: Check for invalid len and address before doing a DMA transfer X-Git-Tag: v5.2.0-rc0~140^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af6d66e23557a36491a06857a447d016f6cf9f33;p=thirdparty%2Fqemu.git ftgmac100: Check for invalid len and address before doing a DMA transfer According to the Aspeed specs, no interrupts are raised in that case but a "Tx-packets lost" status seems like a good modeling choice for all implementations. It is covered by the Linux kernel. Cc: Frederic Konrad Reviewed-by: Joel Stanley Message-Id: <20200819100956.2216690-14-clg@kaod.org> Signed-off-by: Cédric Le Goater --- diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c index 014980d30ac..280aa3d3a1e 100644 --- a/hw/net/ftgmac100.c +++ b/hw/net/ftgmac100.c @@ -507,6 +507,15 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring, } len = FTGMAC100_TXDES0_TXBUF_SIZE(bd.des0); + if (!len) { + /* + * 0 is an invalid size, however the HW does not raise any + * interrupt. Flag an error because the guest is buggy. + */ + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid segment size\n", + __func__); + } + if (frame_size + len > sizeof(s->frame)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: frame too big : %d bytes\n", __func__, len);
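Review bot: the new `if (!len)` branch in ftgmac100_do_tx() only calls qemu_log_mask() and then falls through to the `frame_size + len > sizeof(s->frame)` check, so in the lines shown a zero-size descriptor is still handled as a normal segment. The subject promises a check "before doing a DMA transfer" and the message describes a "Tx-packets lost" status and an address check, but this hunk neither sets a status nor skips the transfer, and no address validation is visible. If the descriptor is meant to be rejected, set the status and bail out inside the `!len` branch; if falling through is deliberate, extend the comment to say why continuing with len == 0 is safe. It would also help to include the descriptor address in the log line so a guest bug can be traced to the offending ring entry.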