On Sun, 9 Mar 2025 at 19:01, Philippe Mathieu-Daudé wrote:
> On 28/2/25 18:48, Peter Maydell wrote:
> > --- a/hw/net/smc91c111.c
> > +++ b/hw/net/smc91c111.c
> > @@ -22,6 +22,13 @@
> >
> > /* Number of 2k memory pages available. */
> > #define NUM_PACKETS 4
> > +/*
> > + * Maximum size of a d
On 10/3/25 12:06, Peter Maydell wrote:
On Sun, 9 Mar 2025 at 19:01, Philippe Mathieu-Daudé wrote:
On 28/2/25 18:48, Peter Maydell wrote:
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -22,6 +22,13 @@
/* Number of 2k memory pages available. */
#define NUM_PACKETS 4
+/*
+ * Maximum
Hi Peter,
On 28/2/25 18:48, Peter Maydell wrote:
When the smc91c111 transmits a packet, it must read a control byte
which is at the end of the data area and CRC. However, we don't
sanitize the length field in the packet buffer, so if the guest sets
the length field to something large we will tr
When the smc91c111 transmits a packet, it must read a control byte
which is at the end of the data area and CRC. However, we don't
sanitize the length field in the packet buffer, so if the guest sets
the length field to something large we will try to read past the end
of the packet data buffer whe
