From: Peter Maydell <peter.maydell@linaro.org>
To: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: "Andrew Jeffery" <andrew@aj.id.au>,
qemu-arm <qemu-arm@nongnu.org>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"ziming zhang" <ezrakiez@gmail.com>,
"Cédric Le Goater" <clg@kaod.org>
Subject: Re: [PATCH] hw/net/ftgmac100: Fix integer overflow in ftgmac100_do_tx()
Date: Fri, 10 Jul 2020 12:33:34 +0100 [thread overview]
Message-ID: <CAFEAcA-pRXOz5JVcwHa8=oaeogwaOK0YVXYQiJUpdM_rFZ+QTA@mail.gmail.com> (raw)
In-Reply-To: <20200710085417.638904-1-mcascell@redhat.com>
On Fri, 10 Jul 2020 at 09:56, Mauro Matteo Cascella <mcascell@redhat.com> wrote:
>
> An integer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
> occurs while inserting the VLAN tag in packets whose length is less than
> 12 bytes, as (len-12) is passed to memmove() without proper checking.
> This patch is intended to fix this issue by checking the minimum
> Ethernet frame size during packet transmission.
>
> Reported-by: Ziming Zhang <ezrakiez@gmail.com>
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> ---
> hw/net/ftgmac100.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
> index 043ba61b86..bcf4d84aea 100644
> --- a/hw/net/ftgmac100.c
> +++ b/hw/net/ftgmac100.c
> @@ -238,6 +238,11 @@ typedef struct {
> */
> #define FTGMAC100_MAX_FRAME_SIZE 9220
>
> +/*
> + * Min frame size
> + */
> +#define FTGMAC100_MIN_FRAME_SIZE 64
> +
> /* Limits depending on the type of the frame
> *
> * 9216 for Jumbo frames (+ 4 for VLAN)
> @@ -507,6 +512,15 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring,
> }
>
> len = FTGMAC100_TXDES0_TXBUF_SIZE(bd.des0);
> +
> + /* drop small packets */
> + if (bd.des0 & FTGMAC100_TXDES0_FTS &&
> + len < FTGMAC100_MIN_FRAME_SIZE) {
> + qemu_log_mask(LOG_GUEST_ERROR, "%s: frame too small: %d bytes\n",
> + __func__, len);
> + break;
> + }
> +
Andrew, Cedric: do you have the datasheet for this devic? Do you
know if we should also be flagging the error back to the
guest somehow?
I think a 'break' here means we'll never update the
descriptor flags to hand it back to the guest, which
is probably not what the hardware does.
thanks
-- PMM
next prev parent reply other threads:[~2020-07-10 11:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-10 8:54 [PATCH] hw/net/ftgmac100: Fix integer overflow in ftgmac100_do_tx() Mauro Matteo Cascella
2020-07-10 11:33 ` Peter Maydell [this message]
2020-07-10 13:20 ` Mauro Matteo Cascella
2020-07-13 14:19 ` Cédric Le Goater
2020-07-13 16:15 ` Peter Maydell
2020-07-29 15:15 ` Cédric Le Goater
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFEAcA-pRXOz5JVcwHa8=oaeogwaOK0YVXYQiJUpdM_rFZ+QTA@mail.gmail.com' \
--to=peter.maydell@linaro.org \
--cc=andrew@aj.id.au \
--cc=clg@kaod.org \
--cc=ezrakiez@gmail.com \
--cc=mcascell@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.