On Mon, Mar 05, 2012 at 11:08:24AM +0800, Jason Wang wrote:
> The tx buffer would be re-allocated for tx descriptor with big size
> and without LS bit set, this would make guest driver could easily let
> qemu to allocate unlimited.
>
> In linux host, a glib failure were easy to be triggered:
>
> GLib-ERROR **: gmem.c:176: failed to allocate 18446744071562067968 bytes
>
> This patch fix this by adding a limit. As the spec didn't tell the maximum
> size
> of buffer allowed, stick it to current CP_TX_BUFFER_SIZE (65536).
>
> Signed-off-by: Jason Wang <jasow...@redhat.com>
> ---
> hw/rtl8139.c | 9 ++++-----
> 1 files changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/hw/rtl8139.c b/hw/rtl8139.c
> index 05b8e1e..d9e742c 100644
> --- a/hw/rtl8139.c
> +++ b/hw/rtl8139.c
> @@ -2063,11 +2063,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
>
> while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >=
> s->cplus_txbuffer_len)
> {
> - s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
> - s->cplus_txbuffer = g_realloc(s->cplus_txbuffer,
> s->cplus_txbuffer_len);
> -
> - DPRINTF("+++ C+ mode transmission buffer space changed to %d\n",
> - s->cplus_txbuffer_len);
> + /* The spec didn't tell the maximum size, stick to CP_TX_BUFFER_SIZE
> */
> + txsize = s->cplus_txbuffer_len - s->cplus_txbuffer_offset;
> + DPRINTF("+++ C+ mode transmission buffer overrun, truncated
> descriptor"
> + "length to %d\n", txsize);
This makes sense to me since a 64 KB MTU is not possible - it's a safe
upper limit that will not impact guests.
Please change this while statement to an if statement and drop the
s->cplus_txbuffer check (which is always true since we allocate
immediately prior, if it is not already allocated).
Stefan
