35 lines
1.3 KiB
Diff
35 lines
1.3 KiB
Diff
From 0d3ac427e34f12b1a33646d47ef3dc390a9b569d Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Wed, 12 Oct 2016 14:40:55 +0530
|
|
Subject: [PATCH 1/2] net: rocker: set limit to DMA buffer size
|
|
|
|
Rocker network switch emulator has test registers to help debug
|
|
DMA operations. While testing host DMA access, a buffer address
|
|
is written to register 'TEST_DMA_ADDR' and its size is written to
|
|
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
|
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
|
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
|
|
|
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
---
|
|
hw/net/rocker/rocker.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
|
index 30f2ce4..e9d215a 100644
|
|
--- a/hw/net/rocker/rocker.c
|
|
+++ b/hw/net/rocker/rocker.c
|
|
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
|
rocker_msix_irq(r, val);
|
|
break;
|
|
case ROCKER_TEST_DMA_SIZE:
|
|
- r->test_dma_size = val;
|
|
+ r->test_dma_size = val & 0xFFFF;
|
|
break;
|
|
case ROCKER_TEST_DMA_ADDR + 4:
|
|
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
|
--
|
|
2.1.4
|
|
|