From: Prasad J Pandit <pjp@fedoraproject.org>
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
hw/net/imx_fec.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
Patch v2
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05554.html
- Restrict loop in 'imx_enet_do_tx' to IMX_MAX_DESC descriptors.
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 50c7564..90e6ee3 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -55,6 +55,8 @@
} \
} while (0)
+#define IMX_MAX_DESC 1024
+
static const char *imx_default_reg_name(IMXFECState *s, uint32_t index)
{
static char tmp[20];
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;
@@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s)
static void imx_enet_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXENETBufDesc bd;
int len;
--
2.9.3
On 2017年02月02日 18:46, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > i.MX Fast Ethernet Controller uses buffer descriptors to manage > data flow to/fro receive & transmit queues. While transmitting > packets, it could continue to read buffer descriptors if a buffer > descriptor has length of zero and has crafted values in bd.flags. > Set an upper limit to number of buffer descriptors. > > Reported-by: Li Qiang <liqiang6-s@360.cn> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/net/imx_fec.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > Patch v2 > -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05554.html > - Restrict loop in 'imx_enet_do_tx' to IMX_MAX_DESC descriptors. Applied, thanks. > > diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c > index 50c7564..90e6ee3 100644 > --- a/hw/net/imx_fec.c > +++ b/hw/net/imx_fec.c > @@ -55,6 +55,8 @@ > } \ > } while (0) > > +#define IMX_MAX_DESC 1024 > + > static const char *imx_default_reg_name(IMXFECState *s, uint32_t index) > { > static char tmp[20]; > @@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s) > > static void imx_fec_do_tx(IMXFECState *s) > { > - int frame_size = 0; > + int frame_size = 0, descnt = 0; > uint8_t frame[ENET_MAX_FRAME_SIZE]; > uint8_t *ptr = frame; > uint32_t addr = s->tx_descriptor; > > - while (1) { > + while (descnt++ < IMX_MAX_DESC) { > IMXFECBufDesc bd; > int len; > > @@ -453,12 +455,12 @@ static void imx_fec_do_tx(IMXFECState *s) > > static void imx_enet_do_tx(IMXFECState *s) > { > - int frame_size = 0; > + int frame_size = 0, descnt = 0; > uint8_t frame[ENET_MAX_FRAME_SIZE]; > uint8_t *ptr = frame; > uint32_t addr = s->tx_descriptor; > > - while (1) { > + while (descnt++ < IMX_MAX_DESC) { > IMXENETBufDesc bd; > int len; >
© 2016 - 2024 Red Hat, Inc.