WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-devel

[Xen-devel] Re: qemu/rtl8139: Max transmit frame size

To: qemu-devel@xxxxxxxxxx, Xen Development Mailing List <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Re: qemu/rtl8139: Max transmit frame size
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Nov 2006 11:45:52 +1100
Cc: Keir Fraser <keir@xxxxxxxxxxxxx>
In-reply-to: <20061117002945.GA16145@xxxxxxxxxxxxxxxxxxx>
References: <20061115043827.GA23613@xxxxxxxxxxxxxxxxxxx> <20061117002945.GA16145@xxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.9i
On Fri, Nov 17, 2006 at 11:29:45AM +1100, herbert wrote:
> 
> Since I haven't heard any objections, here is a patch to do just that.

In the interest of diffing things twice, here is a more complete
patch.

[QEMU] rtl8139: Disallow chaining above 64K

As it stands the 8139C+ TX chaining is only bounded by realloc failure.
This is contrary to how the real hardware operates.  It also has DoS
potential when ioemu runs in dom0.

This patch makes any attempt to chain a frame beyond 64K fail immediately.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff -r 5f7b5e5ca14b tools/ioemu/hw/rtl8139.c
--- a/tools/ioemu/hw/rtl8139.c  Thu Nov 16 17:07:23 2006 +0000
+++ b/tools/ioemu/hw/rtl8139.c  Fri Nov 17 11:24:34 2006 +1100
@@ -1999,12 +1999,12 @@ static int rtl8139_cplus_transmit_one(RT
         DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated space 
%d\n", s->cplus_txbuffer_len));
     }
 
-    while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= 
s->cplus_txbuffer_len)
-    {
-        s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
-        s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len);
-
-        DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed 
to %d\n", s->cplus_txbuffer_len));
+    if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= 
s->cplus_txbuffer_len)
+    {
+       free(s->cplus_txbuffer);
+       s->cplus_txbuffer = NULL;
+
+       DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: 
%d\n", s->cplus_txbuffer_offset + txsize));
     }
 
     if (!s->cplus_txbuffer)
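Review bot: The new `if` block frees `s->cplus_txbuffer` but leaves `s->cplus_txbuffer_offset` and `s->cplus_txbuffer_len` at their old values, and an oversize chain now falls into the same `if (!s->cplus_txbuffer)` branch that was previously reached only when allocation failed. Reset the offset and length next to the `free()`, or confirm that the following branch does so, since its body is outside this hunk. The 64K limit named in the commit message is only implicit here because the check compares against `s->cplus_txbuffer_len`; a short comment or a named constant would make the bound visible. The two added statements are also indented one column short of the surrounding code.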
diff -r 5f7b5e5ca14b tools/ioemu/patches/qemu-rtl8139-max-frame-size
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/ioemu/patches/qemu-rtl8139-max-frame-size   Fri Nov 17 11:43:14 
2006 +1100
@@ -0,0 +1,22 @@
+diff -r 5f7b5e5ca14b tools/ioemu/hw/rtl8139.c
+--- ioemu/hw/rtl8139.c Thu Nov 16 17:07:23 2006 +0000
++++ ioemu/hw/rtl8139.c Fri Nov 17 11:24:34 2006 +1100
+@@ -1999,12 +1999,12 @@ static int rtl8139_cplus_transmit_one(RT
+         DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated 
space %d\n", s->cplus_txbuffer_len));
+     }
+ 
+-    while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= 
s->cplus_txbuffer_len)
+-    {
+-        s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
+-        s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len);
+-
+-        DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed 
to %d\n", s->cplus_txbuffer_len));
++    if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= 
s->cplus_txbuffer_len)
++    {
++      free(s->cplus_txbuffer);
++      s->cplus_txbuffer = NULL;
++
++      DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: 
%d\n", s->cplus_txbuffer_offset + txsize));
+     }
+ 
+     if (!s->cplus_txbuffer)
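Review bot: The `diff -r 5f7b5e5ca14b tools/ioemu/hw/rtl8139.c` line at the top of the new patch file does not agree with the `ioemu/hw/rtl8139.c` paths on its `---`/`+++` lines; drop that line or make the paths consistent. The file also carries no description, so the 64K and DoS rationale from the commit message is lost to anyone reading tools/ioemu/patches on its own; a few header lines before the diff would fix that.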
diff -r 5f7b5e5ca14b tools/ioemu/patches/series
--- a/tools/ioemu/patches/series        Thu Nov 16 17:07:23 2006 +0000
+++ b/tools/ioemu/patches/series        Fri Nov 17 11:45:11 2006 +1100
@@ -53,3 +53,4 @@ hypervisor-rtc
 hypervisor-rtc
 ide-cd-dma
 vnc-password
+qemu-rtl8139-max-frame-size

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
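
A stand-alone model of the bounded chaining the commit message describes, added here as an illustration and not taken from the patch or from QEMU. `struct txchain`, `tx_reset`, `tx_append`, `tx_feed` and `TX_CAP` are hypothetical names, and the 64K cap is the figure from the commit message.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TX_CAP 0x10000u  /* assumed 64K ceiling, per the commit message */

/* Hypothetical stand-in for the emulated NIC's chained-TX state. */
struct txchain {
    uint8_t *buf;   /* NULL when no frame is being assembled */
    size_t   off;   /* bytes accumulated so far */
};

/* Drop any partially assembled frame and return to the idle state. */
static void tx_reset(struct txchain *c)
{
    free(c->buf);
    c->buf = NULL;
    c->off = 0;
}

/*
 * Append one guest-supplied fragment. Returns 0 on success, -1 if the
 * frame would exceed TX_CAP (the partial frame is discarded) or if
 * allocation fails. Host memory use never exceeds TX_CAP.
 */
static int tx_append(struct txchain *c, const uint8_t *frag, size_t len)
{
    /* Written as a subtraction so a huge len cannot wrap the sum. */
    if (len > TX_CAP - c->off) {
        tx_reset(c);
        return -1;
    }
    if (!c->buf && !(c->buf = malloc(TX_CAP)))
        return -1;
    memcpy(c->buf + c->off, frag, len);
    c->off += len;
    return 0;
}

/* Constructed input: feed n fragments of len (<= 4096) bytes; count accepted. */
static unsigned tx_feed(struct txchain *c, unsigned n, size_t len)
{
    static uint8_t frag[4096];
    unsigned ok = 0;
    while (n-- && tx_append(c, frag, len) == 0)
        ok++;
    return ok;
}
```

Unlike the `>=` comparison in the patch, this model accepts a frame that fills the buffer exactly; the state reset on rejection is what keeps the next frame from inheriting a stale offset.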
