From: Jason Wang
Date: Thu, 20 Oct 2016 10:03:07 +0800
Subject: Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
To: P J P
Cc: Li Qiang, Qemu Developers

On 2016-09-30 13:36, P J P wrote:
>   Hello Jason,
>
> +-- On Fri, 30 Sep 2016, Jason Wang wrote --+
> | On 2016-09-30 02:57, P J P wrote:
> | > The AMD PC-Net II emulator has set of control and status(CSR)
> | > registers. Of these, CSR76 and CSR78 hold receive and transmit
> | > descriptor ring length respectively. This ring length could range
> | > from 1 to 65535. Setting ring length to zero leads to an infinite
> | > loop in pcnet_rdra_addr. Add check to avoid it.
> |
> | In this case, we only need to protect RCVRL I believe? (since XMTRL were not
> | used).
>
>    XMTRL is not used in this case, but could be prone to similar issues. For
> ex.
>
>     static void pcnet_transmit(PCNetState *s)
>     {
>         int count = CSR_XMTRL(s) - 1;
>         ...
>         if (count--)
>             goto txagain;
>     }
>
> If CSR_XMTRL is set to zero(0), 'count' would never reach zero and function
> would continue to jump to 'txagain'.

Applied, and tweaked the commit log by mentioning pcnet_transmit() too.

Thanks

>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
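
The loop shape quoted in this message, modelled as a stand-alone added example (not QEMU code and not the applied patch). It reproduces only the `count = XMTRL - 1; if (count--) goto txagain;` pattern; the names tx_passes, guarded_tx_passes, ring_len_valid and the ITER_CAP watchdog are assumptions made so the model always terminates.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed watchdog: the real loop has no such cap, this only keeps
 * the model finite so the runaway case can be observed safely. */
#define ITER_CAP 100000L

/* Model of the quoted pattern. Returns the number of passes through the
 * loop body, or -1 if the watchdog fires before 'count' reaches zero. */
long tx_passes(uint16_t xmtrl)
{
    int count = (int)xmtrl - 1;   /* xmtrl == 0 gives count == -1 */
    long passes = 0;
txagain:
    if (++passes > ITER_CAP)
        return -1;
    /* transmit descriptor processing would happen here */
    if (count--)                  /* -1, -2, ... are all non-zero */
        goto txagain;
    return passes;
}

/* Hypothetical guard: the message gives the valid range as 1..65535,
 * so anything outside it is refused before the loop is entered. */
int ring_len_valid(uint32_t len)
{
    return len >= 1 && len <= 65535;
}

long guarded_tx_passes(uint32_t xmtrl)
{
    if (!ring_len_valid(xmtrl))
        return 0;                 /* no passes: length rejected */
    return tx_passes((uint16_t)xmtrl);
}

int main(void)
{
    printf("xmtrl=4     -> %ld passes\n", tx_passes(4));
    printf("xmtrl=0     -> %ld (watchdog)\n", tx_passes(0));
    printf("guarded 0   -> %ld passes\n", guarded_tx_passes(0));
    printf("guarded max -> %ld passes\n", guarded_tx_passes(65535));
    return 0;
}
```

With a valid length the pass count equals the ring length; with zero the decrement starts at -1 and moves away from zero, so only the constructed watchdog stops it.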