e1000: bounds packet size against buffer size

author Anthony Liguori <aliguori@us.ibm.com>

Mon, 23 Jan 2012 13:30:43 +0000 (07:30 -0600)

committer Justin M. Forbes <jforbes@redhat.com>

Mon, 23 Jan 2012 21:07:00 +0000 (15:07 -0600)
author Anthony Liguori <aliguori@us.ibm.com>
Mon, 23 Jan 2012 13:30:43 +0000 (07:30 -0600)
committer Justin M. Forbes <jforbes@redhat.com>
Mon, 23 Jan 2012 21:07:00 +0000 (15:07 -0600)
diff --git a/hw/e1000.c b/hw/e1000.c

index 986ed9cf79833eca4b6ed050a23585145cd10dcd..e164d79b8773efc92199ef2986c348579bf15f1d 100644 (file)
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -466,6 +466,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
              bytes = split_size;
              if (tp->size + bytes > msh)
                  bytes = msh - tp->size;
+
+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
              pci_dma_read(&s->dev, addr, tp->data + tp->size, bytes);
              if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                  memmove(tp->header, tp->data, hdr);
@@ -481,6 +483,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
          // context descriptor TSE is not set, while data descriptor TSE is set
          DBGOUT(TXERR, "TCP segmentaion Error\n");
      } else {
+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
          pci_dma_read(&s->dev, addr, tp->data + tp->size, split_size);
          tp->size += split_size;
      }
author	Anthony Liguori <aliguori@us.ibm.com>
	Mon, 23 Jan 2012 13:30:43 +0000 (07:30 -0600)
committer	Justin M. Forbes <jforbes@redhat.com>
	Mon, 23 Jan 2012 21:07:00 +0000 (15:07 -0600)