50 lines
2.6 KiB
C
50 lines
2.6 KiB
C
Index: qemu/hw/eepro100.c
|
|
@@ -729,6 +729,7 @@
|
|
logout
|
|
("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
|
|
tx_buffer_address, tx_buffer_size);
|
|
+ assert(size + tx_buffer_size <= sizeof(buf));
|
|
cpu_physical_memory_read(tx_buffer_address, &buf[size],
|
|
tx_buffer_size);
|
|
size += tx_buffer_size;
|
|
@@ -749,9 +750,13 @@
|
|
logout
|
|
("TBD (extended mode): buffer address 0x%08x, size 0x%04x\n",
|
|
tx_buffer_address, tx_buffer_size);
|
|
- cpu_physical_memory_read(tx_buffer_address, &buf[size],
|
|
- tx_buffer_size);
|
|
- size += tx_buffer_size;
|
|
+ if (size + tx_buffer_size > sizeof(buf)) {
|
|
+ logout("bad extended TCB with size 0x%04x\n", tx_buffer_size);
|
|
+ } else {
|
|
+ cpu_physical_memory_read(tx_buffer_address, &buf[size],
|
|
+ tx_buffer_size);
|
|
+ size += tx_buffer_size;
|
|
+ }
|
|
if (tx_buffer_el & 1) {
|
|
break;
|
|
}
|
|
@@ -766,14 +771,20 @@
|
|
logout
|
|
("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n",
|
|
tx_buffer_address, tx_buffer_size);
|
|
- cpu_physical_memory_read(tx_buffer_address, &buf[size],
|
|
- tx_buffer_size);
|
|
- size += tx_buffer_size;
|
|
+ if (size + tx_buffer_size > sizeof(buf)) {
|
|
+ logout("bad flexible TCB with size 0x%04x\n", tx_buffer_size);
|
|
+ } else {
|
|
+ cpu_physical_memory_read(tx_buffer_address, &buf[size],
|
|
+ tx_buffer_size);
|
|
+ size += tx_buffer_size;
|
|
+ }
|
|
if (tx_buffer_el & 1) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
+ logout("%p sending frame, len=%d,%s\n", s, size, nic_dump(buf, size));
|
|
+ assert(size <= sizeof(buf));
|
|
qemu_send_packet(s->vc, buf, size);
|
|
s->statistics.tx_good_frames++;
|
|
/* Transmit with bad status would raise an CX/TNO interrupt.
|