merge from in xen-unstable tip (17318:b5fea3aeb04b): hw/rtl8139.c
authorIan Jackson <iwj@mariner.uk.xensource.com>
Wed, 7 May 2008 17:44:26 +0000 (18:44 +0100)
committerIan Jackson <Ian.Jackson@eu.citrix.com>
Mon, 12 May 2008 11:20:11 +0000 (12:20 +0100)
merge this changeset from xen-unstable:

changeset:   12482:075f4ffdbbce5527ba525a515abe320703d17a0e
user:        kfraser@localhost.localdomain
date:        Fri Nov 17 10:34:08 2006 +0000
files:       tools/ioemu/hw/rtl8139.c
description:
[QEMU] rtl8139: Disallow chaining above 64K

As it stands the 8139C+ TX chaining is only bounded by realloc failure.
This is contrary to how the real hardware operates.  It also has DoS
potential when ioemu runs in dom0.

This patch makes any attempt to chain a frame beyond 64K fail
immediately.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
hw/rtl8139.c

index fee12c452db12ac9ee281c06cbf672f91ff67bcf..823f1bc54cb8bff45e3c034a2f8e85f8fbd419d1 100644 (file)
@@ -1998,12 +1998,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
         DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated space %d\n", s->cplus_txbuffer_len));
     }
 
-    while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
+    if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
     {
-        s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
-        s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len);
+       free(s->cplus_txbuffer);
+       s->cplus_txbuffer = NULL;
 
-        DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed to %d\n", s->cplus_txbuffer_len));
+       DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: %d\n", s->cplus_txbuffer_offset + txsize));
     }
 
     if (!s->cplus_txbuffer)
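Review bot: After `free(s->cplus_txbuffer)` in the new oversize branch, `s->cplus_txbuffer_offset` keeps its old value, so the transmit state is only consistent again if the allocation code above the hunk resets it; only the last line of that code is visible here. Adding `s->cplus_txbuffer_offset = 0;` next to `s->cplus_txbuffer = NULL;` keeps the invariant local to the free, so a stale guest-driven offset can never be applied to a freshly allocated buffer. The branch would also benefit from a comment such as `/* guest chained past the fixed TX buffer: drop the frame rather than grow, so the guest cannot force unbounded allocation */`, because the following `if (!s->cplus_txbuffer)` check, whose body lies outside the hunk, otherwise reads as a plain allocation-failure path. The three added lines are indented seven spaces where the surrounding code uses eight.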