]>
Commit | Line | Data |
---|---|---|
282838af WB |
1 | From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001 |
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | |
3 | Date: Wed, 12 Oct 2016 14:40:55 +0530 | |
4 | Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size | |
5 | ||
6 | Rocker network switch emulator has test registers to help debug | |
7 | DMA operations. While testing host DMA access, a buffer address | |
8 | is written to register 'TEST_DMA_ADDR' and its size is written to | |
9 | register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT | |
10 | test, if DMA buffer size was greater than 'INT_MAX', it leads to | |
11 | an invalid buffer access. Limit the DMA buffer size to avoid it. | |
12 | ||
13 | Reported-by: Huawei PSIRT <psirt@huawei.com> | |
14 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | |
15 | --- | |
16 | hw/net/rocker/rocker.c | 2 +- | |
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
18 | ||
19 | diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c | |
20 | index 30f2ce4..e9d215a 100644 | |
21 | --- a/hw/net/rocker/rocker.c | |
22 | +++ b/hw/net/rocker/rocker.c | |
23 | @@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val) | |
24 | rocker_msix_irq(r, val); | |
25 | break; | |
26 | case ROCKER_TEST_DMA_SIZE: | |
27 | - r->test_dma_size = val; | |
28 | + r->test_dma_size = val & 0xFFFF; | |
29 | break; | |
30 | case ROCKER_TEST_DMA_ADDR + 4: | |
31 | r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; | |
32 | -- | |
33 | 2.1.4 | |
34 |