motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-02 15:23:53 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

Avoid buffer overflow when sending slirp packets.

Browse source 
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@1744 c046a42c-6fe2-441c-8c8c-71466251a162
This commit is contained in:
pbrook 2006-02-04 22:15:28 +00:00
parent 191abaa2f0
commit d861b05ea3
5 changed files with 68 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

7
hw/lance.c
View file

@ -283,6 +283,11 @@ static CPUWriteMemoryFunc *lance_mem_write[3] = {
#define MIN_BUF_SIZE 60
static void lance_can_receive(void *opaque)
{
return 1;
}
static void lance_receive(void *opaque, const uint8_t *buf, int size)
{
LANCEState *s = opaque;
@ -440,7 +445,7 @@ void lance_init(NICInfo *nd, int irq, uint32_t leaddr, uint32_t ledaddr)
lance_reset(s);
s->vc = qemu_new_vlan_client(nd->vlan, lance_receive, s);
s->vc = qemu_new_vlan_client(nd->vlan, lance_receive, lance_can_receive, s);
snprintf(s->vc->info_str, sizeof(s->vc->info_str),
"lance macaddr=%02x:%02x:%02x:%02x:%02x:%02x",

29
hw/ne2000.c
View file

@ -200,14 +200,10 @@ static int compute_mcast_idx(const uint8_t *ep)
return (crc >> 26);
}
/* return the max buffer size if the NE2000 can receive more data */
static int ne2000_can_receive(void *opaque)
static int ne2000_buffer_full(NE2000State *s)
{
NE2000State *s = opaque;
int avail, index, boundary;
if (s->cmd & E8390_STOP)
return 0;
index = s->curpag << 8;
boundary = s->boundary << 8;
if (index < boundary)
@ -215,8 +211,17 @@ static int ne2000_can_receive(void *opaque)
else
avail = (s->stop - s->start) - (index - boundary);
if (avail < (MAX_ETH_FRAME_SIZE + 4))
return 0;
return MAX_ETH_FRAME_SIZE;
return 1;
return 0;
}
static int ne2000_can_receive(void *opaque)
{
NE2000State *s = opaque;
if (s->cmd & E8390_STOP)
return 1;
return !ne2000_buffer_full(s);
}
#define MIN_BUF_SIZE 60
@ -234,7 +239,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
printf("NE2000: received len=%d\n", size);
#endif
if (!ne2000_can_receive(s))
if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
return;
/* XXX: check this */
@ -722,7 +727,8 @@ void isa_ne2000_init(int base, int irq, NICInfo *nd)
ne2000_reset(s);
s->vc = qemu_new_vlan_client(nd->vlan, ne2000_receive, s);
s->vc = qemu_new_vlan_client(nd->vlan, ne2000_receive,
ne2000_can_receive, s);
snprintf(s->vc->info_str, sizeof(s->vc->info_str),
"ne2000 macaddr=%02x:%02x:%02x:%02x:%02x:%02x",
@ -791,7 +797,8 @@ void pci_ne2000_init(PCIBus *bus, NICInfo *nd)
s->pci_dev = (PCIDevice *)d;
memcpy(s->macaddr, nd->macaddr, 6);
ne2000_reset(s);
s->vc = qemu_new_vlan_client(nd->vlan, ne2000_receive, s);
s->vc = qemu_new_vlan_client(nd->vlan, ne2000_receive,
ne2000_can_receive, s);
snprintf(s->vc->info_str, sizeof(s->vc->info_str),
"ne2000 pci macaddr=%02x:%02x:%02x:%02x:%02x:%02x",

14
hw/smc91c111.c
View file

@ -593,6 +593,17 @@ static uint32_t smc91c111_readl(void *opaque, target_phys_addr_t offset)
return val;
}
static int smc91c111_can_receive(void *opaque)
{
smc91c111_state *s = (smc91c111_state *)opaque;
if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
return 1;
if (s->allocated == (1 << NUM_PACKETS) - 1)
return 0;
return 1;
}
static void smc91c111_receive(void *opaque, const uint8_t *buf, int size)
{
smc91c111_state *s = (smc91c111_state *)opaque;
@ -697,6 +708,7 @@ void smc91c111_init(NICInfo *nd, uint32_t base, void *pic, int irq)
smc91c111_reset(s);
s->vc = qemu_new_vlan_client(nd->vlan, smc91c111_receive, s);
s->vc = qemu_new_vlan_client(nd->vlan, smc91c111_receive,
smc91c111_can_receive, s);
/* ??? Save/restore. */
}