On 01/18/2016 05:08 PM, Peter Crosthwaite wrote:
> On Mon, Jan 18, 2016 at 12:12 AM, Jason Wang <jasow...@redhat.com> wrote:
>>
>> On 01/18/2016 03:04 PM, Peter Crosthwaite wrote:
>>> On Sun, Jan 17, 2016 at 10:50 PM, Jason Wang <jasow...@redhat.com> wrote:
>>>> On 01/14/2016 05:43 PM, Michael S. Tsirkin wrote:
>>>>> gem_receive copies a packet received from network into an rxbuf[2048]
>>>>> array on stack, with size limited by descriptor length set by guest. If
>>>>> guest is malicious and specifies a descriptor length that is too large,
>>>>> and should packet size exceed array size, this results in a buffer
>>>>> overflow.
>>>>>
>>>>> Reported-by: 刘令 <liuling...@360.cn>
>>>>> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
>>>>> ---
>>>>> hw/net/cadence_gem.c | 8 ++++++++
>>>>> 1 file changed, 8 insertions(+)
>>>> Apply to my -net with tweak on commit log (changing receive to transmit
>>>> as noticed).
>>>>
>>> As this is actually an unimplemented feature you should change the
>>> message to a LOG_UNIMP rather than a debug printf.
>>>
>>> Regards,
>>> Peter
>> Thanks for the reminder. But we need to know whether real device could
>> send packet whose length is greater than 2048. Do you know the link to
>> the manual? (Haven't found it in cadence page.) A hint is the linux
> Xilinx UG585 has details:
>
> http://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf
>
> Regards,
> Peter
>
Thanks for the pointer. In section 16.1.5, it said "Jumbo frames are not supported." So it was in fact not an unimplemented feature?
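
Added example, not part of this thread and not the QEMU patch: a simplified C model of the check the commit message describes, where each guest-supplied descriptor length is compared against the space left in a 2048-byte buffer before it is copied. The `struct tx_desc` layout and the names `gather_frame` and `TX_BUF_SIZE` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TX_BUF_SIZE 2048          /* buffer size named in the commit message */

/* Hypothetical, simplified descriptor: the guest controls every field. */
struct tx_desc {
    const uint8_t *data;          /* stands in for a guest-physical address */
    uint32_t length;              /* guest-supplied fragment length */
    int last;                     /* non-zero on the final fragment of a frame */
};

/*
 * Gather the fragments of one frame into out[TX_BUF_SIZE].
 * Returns the frame length, or -1 if the descriptors describe more data
 * than the buffer holds; in that case nothing is written past the buffer.
 */
static int gather_frame(const struct tx_desc *ring, size_t ndesc,
                        uint8_t out[TX_BUF_SIZE])
{
    size_t used = 0;

    for (size_t i = 0; i < ndesc; i++) {
        /* Compare with the remaining space so the sum is never computed. */
        if (ring[i].length > TX_BUF_SIZE - used) {
            return -1;            /* oversized frame: drop it */
        }
        memcpy(out + used, ring[i].data, ring[i].length);
        used += ring[i].length;
        if (ring[i].last) {
            return (int)used;
        }
    }
    return -1;                    /* ring ended without a last fragment */
}

int main(void)
{
    static uint8_t payload[4096]; /* constructed sample data */
    uint8_t out[TX_BUF_SIZE];
    struct tx_desc ring[2] = { { payload, 2000, 0 }, { payload, 100, 1 } };

    /* 2000 + 100 > 2048: the frame is rejected instead of overflowing out[] */
    return gather_frame(ring, 2, out) == -1 ? 0 : 1;
}
```

The check is applied per fragment against the running total, so a frame split across several small descriptors is bounded the same way as one large descriptor.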