From: P J P <ppandit@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>, Li Qiang <liqiang6-s@360.cn>
Subject: Re: [Qemu-devel] [PATCH 1/2] net: pcnet: check rx/tx descriptor ring length
Date: Fri, 30 Sep 2016 11:06:01 +0530 (IST)
Message-ID: <alpine.LFD.2.20.1609301056160.5531@wniryva>
In-Reply-To: <4973cdac-2916-52a3-d23b-4e598347eb26@redhat.com>

  Hello Jason,

+-- On Fri, 30 Sep 2016, Jason Wang wrote --+
| On 2016-09-30 02:57, P J P wrote:
| > The AMD PC-Net II emulator has a set of control and status (CSR)
| > registers. Of these, CSR76 and CSR78 hold receive and transmit
| > descriptor ring length respectively. This ring length could range
| > from 1 to 65535. Setting ring length to zero leads to an infinite
| > loop in pcnet_rdra_addr. Add check to avoid it.
| 
| In this case, we only need to protect RCVRL I believe? (since XMTRL was not
| used).

  XMTRL is not used in this case, but could be prone to similar issues. For
example:

    static void pcnet_transmit(PCNetState *s)
    {
        int count = CSR_XMTRL(s) - 1;
        ...
        if (count--)
            goto txagain;
    }

If CSR_XMTRL is set to zero (0), 'count' would never reach zero and the function
would continue to jump to 'txagain'.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
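
The countdown described in the reply above, modelled as a small stand-alone C program (an added example, not QEMU code and not part of the original message). `struct toy_pcnet`, `toy_set_xmtrl`, `toy_tx_passes` and `PASS_CAP` are hypothetical names; the model assumes every pass through `txagain` has work to do, and the write check is one assumed form of the ring-length validation named in the patch subject.

```c
#include <stdint.h>
#include <stdio.h>

#define PASS_CAP 100000L   /* demo-only cap so the unbounded case returns */

/* Hypothetical stand-in for PCNetState: only the TX ring length is modelled. */
struct toy_pcnet { uint16_t xmtrl; };

/* Register-write check (assumed form): the ring length must be 1..65535,
 * so zero is refused and the previous value is kept. */
int toy_set_xmtrl(struct toy_pcnet *s, uint32_t val)
{
    if (val == 0 || val > 65535)
        return -1;
    s->xmtrl = (uint16_t)val;
    return 0;
}

/* The countdown from the quoted snippet, assuming every pass has work to do.
 * Returns the number of passes, or -1 if PASS_CAP was reached first. */
long toy_tx_passes(const struct toy_pcnet *s)
{
    int count = s->xmtrl - 1;      /* xmtrl == 0 gives count == -1 */
    long passes = 0;
txagain:
    if (++passes >= PASS_CAP)
        return -1;
    if (count--)                   /* a negative count is still "true" */
        goto txagain;
    return passes;
}

int main(void)
{
    struct toy_pcnet dev = { .xmtrl = 4 };
    printf("xmtrl=4 -> %ld passes\n", toy_tx_passes(&dev));
    dev.xmtrl = 0;                 /* unchecked guest write */
    printf("xmtrl=0 -> %ld (cap hit)\n", toy_tx_passes(&dev));
    dev.xmtrl = 4;
    printf("checked write of 0 -> %d, xmtrl stays %u\n",
           toy_set_xmtrl(&dev, 0), (unsigned)dev.xmtrl);
    return 0;
}
```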
