qemu-devel.nongnu.org archive mirror
From: Peter Maydell <peter.maydell@linaro.org>
To: Richard Henderson <richard.henderson@linaro.org>
Cc: Helge Deller <deller@gmx.de>,
	Sven Schnelle <svens@stackframe.org>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [PULL v3 02/11] hppa: Add support for LASI chip with i82596 NIC
Date: Mon, 17 Feb 2020 17:56:18 +0000	[thread overview]
Message-ID: <CAFEAcA_aA1jNkkgmdxLqUhSbAz7JL2chAU1+s475HSoqKQiukg@mail.gmail.com> (raw)
In-Reply-To: <20200124232009.12928-3-richard.henderson@linaro.org>

On Fri, 24 Jan 2020 at 23:20, Richard Henderson
<richard.henderson@linaro.org> wrote:
>
> From: Helge Deller <deller@gmx.de>
>
> LASI is a built-in multi-I/O chip which supports serial, parallel,
> network (Intel i82596 Apricot), sound and other functionalities.
> LASI has been used in many HP PARISC machines.
> This patch adds the necessary parts to allow Linux and HP-UX to detect
> LASI and the network card.
>
> Signed-off-by: Helge Deller <deller@gmx.de>
> Signed-off-by: Sven Schnelle <svens@stackframe.org>
> Message-Id: <20191220211512.3289-3-svens@stackframe.org>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Hi; Coverity has an issue with this code (CID 1419396):


> +#define ETHER_TYPE_LEN 2
> +#define VLAN_TCI_LEN 2
> +#define VLAN_HLEN (ETHER_TYPE_LEN + VLAN_TCI_LEN)


> +#define MIN_BUF_SIZE 60
> +
> +ssize_t i82596_receive(NetClientState *nc, const uint8_t *buf, size_t sz)
> +{
> +    I82596State *s = qemu_get_nic_opaque(nc);
> +    uint32_t rfd_p;
> +    uint32_t rbd;
> +    uint16_t is_broadcast = 0;
> +    size_t len = sz;
> +    uint32_t crc;
> +    uint8_t *crc_ptr;
> +    uint8_t buf1[MIN_BUF_SIZE + VLAN_HLEN];

This buffer is 60 + 2 + 2 == 64 bytes large...

> +    /* if too small buffer, then expand it */
> +    if (len < MIN_BUF_SIZE + VLAN_HLEN) {
> +        memcpy(buf1, buf, len);
> +        memset(buf1 + len, 0, MIN_BUF_SIZE + VLAN_HLEN - len);
> +        buf = buf1;
> +        if (len < MIN_BUF_SIZE) {
> +            len = MIN_BUF_SIZE;
> +        }

...here if we're using the buf1[] buffer then len must
be >= MIN_BUF_SIZE (60) and < MIN_BUF_SIZE + VLAN_HLEN (64),
so it's in the range 60 to 63...

> +    }
> +
> +    /* Calculate the ethernet checksum (4 bytes) */
> +    len += 4;
> +    crc = cpu_to_be32(crc32(~0, buf, sz));
> +    crc_ptr = (uint8_t *) &crc;
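Review bot: `crc = cpu_to_be32(crc32(~0, buf, sz));` computes the checksum over sz, the unpadded length, although len was just padded up to MIN_BUF_SIZE in the block above; the Ethernet FCS covers the pad bytes too, so it should probably be taken over the padded len (before the `len += 4`). A comment saying where the 4 bytes added to len are expected to come from would also help: crc_ptr is set up here, but nothing in this hunk appends those bytes to buf, which is exactly the sizing question the len accounting raises.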

...but then we add 4 to len here, so it's now 64 to 67...

> +    while (len) {



> +            num = buffer_size & SIZE_MASK;
> +            if (num > len) {
> +                num = len;
> +            }

...before using len as the cap on how many bytes we write...

> +            rba = get_uint32(rbd + 8);
> +            /* printf("rba is 0x%x\n", rba); */
> +            address_space_rw(&address_space_memory, rba,
> +                MEMTXATTRS_UNSPECIFIED, (void *)buf, num, 1);
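Review bot: the commented-out `/* printf("rba is 0x%x\n", rba); */` debugging line should be dropped or turned into a trace event rather than left in the tree. The `(void *)buf` cast is only there to strip const for address_space_rw(); address_space_write() accepts a const buffer, so moving to it removes the cast as well.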

...from the buffer into guest memory here.

So we could be reading off the end of the buffer.

I don't know whether the buffer should be 4 bytes
larger to allow for the checksum, or if the len calculation
is wrong.

PS: I think calling address_space_write() with a constant
final argument is confusing;
"address_space_rw(as, addr, attrs, buf, len, 1)"
is equivalent to
"address_space_write(as, addr, attrs, buf, len)",
except that it's more obvious that it's a write rather
than a read, and it avoids an extra layer of function
call. We do seem to have a surprisingly large number of
places in the codebase that call address_space_rw() with a
constant final argument, though...

thanks
-- PMM
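The length accounting discussed above can be checked mechanically. The following is an added example, not code from the patch or from QEMU: it models the original receive path's arithmetic (the 64-byte scratch buffer, padding to MIN_BUF_SIZE, then `len += 4`) and reports by how many bytes the copy into guest memory would read past buf1[], which for the 60..63-byte case reproduces the 64..67 range described in the review. It then shows one way to remove the over-read: size the scratch buffer for pad plus FCS and actually append the CRC bytes, so the length passed on never exceeds what is readable. The names `scratch_overrun_bytes`, `crc32_ieee` and `build_padded_frame` are this example's own, and the bitwise CRC-32 is a stand-in for the zlib crc32() the patch calls, assumed here only so the block runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Constants as they appear in the patch under review. */
#define ETHER_TYPE_LEN 2
#define VLAN_TCI_LEN   2
#define VLAN_HLEN      (ETHER_TYPE_LEN + VLAN_TCI_LEN)
#define MIN_BUF_SIZE   60
#define CRC_LEN        4                          /* Ethernet FCS */
#define OLD_SCRATCH    (MIN_BUF_SIZE + VLAN_HLEN) /* the 64-byte buf1[] */
#define NEW_SCRATCH    (OLD_SCRATCH + CRC_LEN)    /* room for pad and FCS */

/* Model of the original length accounting: a frame shorter than 64 bytes is
 * copied into the 64-byte scratch buffer, padded up to 60 bytes, and then 4 is
 * added to len for the CRC before len caps the copy into guest memory.
 * Returns how many bytes past the end of the 64-byte scratch buffer that copy
 * would read (0 when it stays in bounds or the scratch path is not taken). */
size_t scratch_overrun_bytes(size_t sz)
{
    size_t len = sz;
    if (len >= OLD_SCRATCH) {
        return 0;                 /* buf1[] is not used on this path */
    }
    if (len < MIN_BUF_SIZE) {
        len = MIN_BUF_SIZE;
    }
    len += CRC_LEN;               /* the "len += 4" from the patch */
    return len > OLD_SCRATCH ? len - OLD_SCRATCH : 0;
}

/* Bitwise CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). Stand-in for
 * the zlib crc32() used by the patch; only the length it covers matters here. */
uint32_t crc32_ieee(const uint8_t *data, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* Hardened variant (this example's own, not the patch's code): pad the frame
 * to the Ethernet minimum, compute the CRC over the padded bytes, and append
 * it to the same buffer, so the length handed to the copy loop never exceeds
 * the bytes actually present. Returns the total length, or -1 when the
 * destination cannot hold frame plus FCS (refuse instead of overflowing). */
ssize_t build_padded_frame(const uint8_t *buf, size_t sz,
                           uint8_t *out, size_t out_size)
{
    size_t len = sz < MIN_BUF_SIZE ? MIN_BUF_SIZE : sz;
    if (len + CRC_LEN > out_size) {
        return -1;
    }
    memcpy(out, buf, sz);
    memset(out + sz, 0, len - sz);          /* zero pad, as the patch does */
    uint32_t crc = crc32_ieee(out, len);    /* FCS covers the pad bytes too */
    out[len]     = (uint8_t)(crc >> 24);    /* stored big-endian, like cpu_to_be32() */
    out[len + 1] = (uint8_t)(crc >> 16);
    out[len + 2] = (uint8_t)(crc >> 8);
    out[len + 3] = (uint8_t)crc;
    return (ssize_t)(len + CRC_LEN);
}

int main(void)
{
    /* Walk the sizes around the 60..63 range the review discusses. */
    for (size_t sz = 58; sz < OLD_SCRATCH; sz++) {
        printf("sz=%zu bytes read past buf1[]: %zu\n", sz, scratch_overrun_bytes(sz));
    }
    uint8_t runt[61];                       /* constructed 61-byte runt frame */
    memset(runt, 0xAB, sizeof runt);
    uint8_t out[NEW_SCRATCH];
    ssize_t n = build_padded_frame(runt, sizeof runt, out, sizeof out);
    printf("padded frame with FCS: %zd bytes in a %d-byte buffer\n", n, NEW_SCRATCH);
    return 0;
}
```

For frames of 64 bytes and up the caller must hand `build_padded_frame` a destination of at least sz + 4 bytes; the fixed NEW_SCRATCH buffer only covers the short-frame path that buf1[] was meant for, and the function returns -1 rather than writing past a buffer that is too small.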


Thread overview:
2020-01-24 23:19 [PULL v3 00/11] target/hppa patch queue Richard Henderson
2020-01-24 23:19 ` [PULL v3 01/11] hw/hppa/dino.c: Improve emulation of Dino PCI chip Richard Henderson
2020-01-24 23:20 ` [PULL v3 02/11] hppa: Add support for LASI chip with i82596 NIC Richard Henderson
2020-02-17 17:56   ` Peter Maydell [this message]
2020-03-02 19:23     ` Helge Deller
2020-03-02 19:31       ` Peter Maydell
2020-03-02 20:34         ` Helge Deller
2020-03-02 23:25           ` Philippe Mathieu-Daudé
2020-03-05 13:05   ` Philippe Mathieu-Daudé
2020-01-24 23:20 ` [PULL v3 03/11] ps2: accept 'Set Key Make and Break' commands Richard Henderson
2020-01-24 23:20 ` [PULL v3 04/11] hppa: add emulation of LASI PS2 controllers Richard Henderson
2020-02-18  8:29   ` Philippe Mathieu-Daudé
2020-01-24 23:20 ` [PULL v3 05/11] hppa: Switch to tulip NIC by default Richard Henderson
2020-01-24 23:20 ` [PULL v3 06/11] seabios-hppa: update to latest version Richard Henderson
2020-01-24 23:20 ` [PULL v3 07/11] hppa: Add emulation of Artist graphics Richard Henderson
2020-01-24 23:20 ` [PULL v3 08/11] hw/hppa/machine: Correctly check the firmware is in PDC range Richard Henderson
2020-01-24 23:20 ` [PULL v3 09/11] hw/hppa/machine: Restrict the total memory size to 3GB Richard Henderson
2020-01-24 23:20 ` [PULL v3 10/11] hw/hppa/machine: Map the PDC memory region with higher priority Richard Henderson
2020-01-24 23:20 ` [PULL v3 11/11] target/hppa: Allow, but diagnose, LDCW aligned only mod 4 Richard Henderson
2020-01-27 11:23 ` [PULL v3 00/11] target/hppa patch queue Peter Maydell
