An integer underflow could occur during packet transmission due to 'tx_len' not being updated if SONIC_TFC register is set to zero. Check for negative 'tx_len' when removing existing FCS.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1899722 Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com> Reported-by: Gaoning Pan <p...@zju.edu.cn> --- hw/net/dp8393x.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c index 674b04b354..205c0decc5 100644 --- a/hw/net/dp8393x.c +++ b/hw/net/dp8393x.c @@ -495,6 +495,10 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) } else { /* Remove existing FCS */ tx_len -= 4; + if (tx_len < 0) { + SONIC_ERROR("tx_len is %d\n", tx_len); + break; + } } if (s->regs[SONIC_RCR] & (SONIC_RCR_LB1 | SONIC_RCR_LB0)) { -- 2.28.0
