From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39896)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bpoA0-0006jz-2l
	for qemu-devel@nongnu.org; Thu, 29 Sep 2016 23:06:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bpo9v-0004O8-PY
	for qemu-devel@nongnu.org; Thu, 29 Sep 2016 23:06:51 -0400
Received: from mx1.redhat.com ([209.132.183.28]:41054)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1bpo9v-0004JL-J1
	for qemu-devel@nongnu.org; Thu, 29 Sep 2016 23:06:47 -0400
References: <1475175454-3116-1-git-send-email-ppandit@redhat.com>
	<1475175454-3116-2-git-send-email-ppandit@redhat.com>
From: Jason Wang <jasowang@redhat.com>
Message-ID: <4973cdac-2916-52a3-d23b-4e598347eb26@redhat.com>
Date: Fri, 30 Sep 2016 11:06:40 +0800
MIME-Version: 1.0
In-Reply-To: <1475175454-3116-2-git-send-email-ppandit@redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor
 ring length
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: P J P <ppandit@redhat.com>, Qemu Developers <qemu-devel@nongnu.org>
Cc: Li Qiang <liqiang6-s@360.cn>, Prasad J Pandit <pjp@fedoraproject.org>



On 2016=E5=B9=B409=E6=9C=8830=E6=97=A5 02:57, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> The AMD PC-Net II emulator has set of control and status(CSR)
> registers. Of these, CSR76 and CSR78 hold receive and transmit
> descriptor ring length respectively. This ring length could range
> from 1 to 65535. Setting ring length to zero leads to an infinite
> loop in pcnet_rdra_addr. Add check to avoid it.

In this case, we only need to protect RCVRL I believe? (since XMTRL were=20
not used).

>
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>   hw/net/pcnet.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
> index 198a01f..3078de8 100644
> --- a/hw/net/pcnet.c
> +++ b/hw/net/pcnet.c
> @@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint=
32_t rap, uint32_t new_value)
>       case 47: /* POLLINT */
>       case 72:
>       case 74:
> +        break;
>       case 76: /* RCVRL */
>       case 78: /* XMTRL */
> +        val =3D (val > 0) ? val : 512;
> +        break;
>       case 112:
>          if (CSR_STOP(s) || CSR_SPND(s))
>              break;