[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 07/23] dp8393x: Implement packet size limit and RBAE interrupt
From: |
Jason Wang |
Subject: |
[PULL 07/23] dp8393x: Implement packet size limit and RBAE interrupt |
Date: |
Mon, 2 Mar 2020 15:40:20 +0800 |
From: Finn Thain <address@hidden>
Add a bounds check to prevent a large packet from causing a buffer
overflow. This is defensive programming -- I haven't actually tried
sending an oversized packet or a jumbo ethernet frame.
The SONIC handles packets that are too big for the buffer by raising
the RBAE interrupt and dropping them. Linux uses that interrupt to
count dropped packets.
Signed-off-by: Finn Thain <address@hidden>
Tested-by: Laurent Vivier <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
---
hw/net/dp8393x.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index b5a9c6a..911f59e 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ##
__VA_ARGS__); } while (0)
#define SONIC_TCR_CRCI 0x2000
#define SONIC_TCR_PINT 0x8000
+#define SONIC_ISR_RBAE 0x0010
#define SONIC_ISR_RBE 0x0020
#define SONIC_ISR_RDE 0x0040
#define SONIC_ISR_TC 0x0080
@@ -772,6 +773,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const
uint8_t * buf,
s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+ dp8393x_do_read_rra(s);
+ return pkt_size;
+ }
+
packet_type = dp8393x_receive_filter(s, buf, pkt_size);
if (packet_type < 0) {
DPRINTF("packet not for netcard\n");
--
2.5.0
- [PULL 00/23] Net patches, Jason Wang, 2020/03/02
- [PULL 00/23] Net patches, Jason Wang, 2020/03/02
- [PULL 01/23] dp8393x: Mask EOL bit from descriptor addresses, Jason Wang, 2020/03/02
- [PULL 03/23] dp8393x: Clean up endianness hacks, Jason Wang, 2020/03/02
- [PULL 02/23] dp8393x: Always use 32-bit accesses, Jason Wang, 2020/03/02
- [PULL 07/23] dp8393x: Implement packet size limit and RBAE interrupt,
Jason Wang <=
- [PULL 04/23] dp8393x: Have dp8393x_receive() return the packet size, Jason Wang, 2020/03/02
- [PULL 05/23] dp8393x: Update LLFA and CRDA registers from rx descriptor, Jason Wang, 2020/03/02
- [PULL 08/23] dp8393x: Don't clobber packet checksum, Jason Wang, 2020/03/02
- [PULL 06/23] dp8393x: Clear RRRA command register bit only when appropriate, Jason Wang, 2020/03/02
- [PULL 11/23] dp8393x: Clear descriptor in_use field to release packet, Jason Wang, 2020/03/02
- [PULL 10/23] dp8393x: Pad frames to word or long word boundary, Jason Wang, 2020/03/02
- [PULL 13/23] dp8393x: Don't reset Silicon Revision register, Jason Wang, 2020/03/02
- [PULL 16/23] NetRxPkt: Introduce support for additional hash types, Jason Wang, 2020/03/02
- [PULL 18/23] hw: net: cadence_gem: Fix build errors in DB_PRINT(), Jason Wang, 2020/03/02
- [PULL 09/23] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode, Jason Wang, 2020/03/02