Add a bounds check to prevent a large packet from causing a buffer
overflow. This is defensive programming -- I haven't actually tried
sending an oversized packet or a jumbo ethernet frame.
The SONIC handles packets that are too big for the buffer by raising
the RBAE interrupt and dropping them. Linux uses that interrupt to
count dropped packets.
Signed-off-by: Finn Thain <fth...@telegraphics.com.au>
Tested-by: Laurent Vivier <laur...@vivier.eu>
---
Changed since v1:
- Perform length check after Recieve Control Register initialization.
---
hw/net/dp8393x.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 2e976781e2..0309365fda 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ##
__VA_ARGS__); } while (0)
#define SONIC_TCR_CRCI 0x2000
#define SONIC_TCR_PINT 0x8000
+#define SONIC_ISR_RBAE 0x0010
#define SONIC_ISR_RBE 0x0020
#define SONIC_ISR_RDE 0x0040
#define SONIC_ISR_TC 0x0080
@@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const
uint8_t * buf,
s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+ dp8393x_do_read_rra(s);
+ return pkt_size;
+ }
+
packet_type = dp8393x_receive_filter(s, buf, pkt_size);
if (packet_type < 0) {
DPRINTF("packet not for netcard\n");
--
2.24.1
