From 20ea41e302650ec05c24b8b3c7c8a96c4d32d56a Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 7 May 2008 18:44:26 +0100 Subject: [PATCH] merge from in xen-unstable tip (17318:b5fea3aeb04b): hw/rtl8139.c merge this changeset from xen-unstable: changeset: 12482:075f4ffdbbce5527ba525a515abe320703d17a0e user: kfraser@localhost.localdomain date: Fri Nov 17 10:34:08 2006 +0000 files: tools/ioemu/hw/rtl8139.c description: [QEMU] rtl8139: Disallow chaining above 64K As it stands the 8139C+ TX chaining is only bounded by realloc failure. This is contrary to how the real hardware operates. It also has DoS potential when ioemu runs in dom0. This patch makes any attempt to chain a frame beyond 64K fail immediately. Signed-off-by: Herbert Xu
---
 hw/rtl8139.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index fee12c45..823f1bc5 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -1998,12 +1998,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
 DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated space %d\n", s->cplus_txbuffer_len));
 }
- while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
+ if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
 {
- s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
- s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len);
+ free(s->cplus_txbuffer);
+ s->cplus_txbuffer = NULL;
- DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed to %d\n", s->cplus_txbuffer_len));
+ DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: %d\n", s->cplus_txbuffer_offset + txsize));
 }
 if (!s->cplus_txbuffer)
-- 2.39.5
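Review bot: The new overflow branch frees `s->cplus_txbuffer` and sets it to NULL but leaves `s->cplus_txbuffer_offset` and `s->cplus_txbuffer_len` at their old values, so whether the stale offset is ever paired with a fresh buffer depends on code outside this hunk. The allocation path above the hunk may already reset both fields, but clearing them next to the free would make the drop path self-contained: `s->cplus_txbuffer_offset = 0;` and `s->cplus_txbuffer_len = 0;`. The `>=` test also rejects a chain that exactly fills the buffer, and it relies on `s->cplus_txbuffer_offset + txsize` not wrapping; the types and the bound on `txsize` are not visible here, so that is worth confirming since both values are driven by guest descriptors. A short comment above the `if` would record the intent, for example `/* frame would exceed the fixed CP_TX_BUFFER_SIZE buffer: drop it rather than grow, as real hardware does */`. The body of `rtl8139_cplus_transmit_one` starts and ends outside the hunk.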