Commit 40545f84cfcbe4b73cca040b3043a1c2de935762

Authored by bellard
1 parent d39c0b99

packet fix for netware 3.11 (initial patch by Mark Jonckheere) - security bug fix


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@1363 c046a42c-6fe2-441c-8c8c-71466251a162
Showing 1 changed file with 10 additions and 2 deletions
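--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -246,7 +246,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
 static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 {
 NE2000State *s = opaque;
-int offset, page;
+int offset, page, index;
 
 addr &= 0xf;
 #ifdef DEBUG_NE2000
@@ -264,10 +264,18 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 ne2000_update_irq(s);
 }
 if (val & E8390_TRANS) {
-qemu_send_packet(s->nd, s->mem + (s->tpsr << 8), s->tcnt);
+index = (s->tpsr << 8);
+/* XXX: next 2 lines are a hack to make netware 3.11 work */
+if (index >= NE2000_PMEM_END)
+index -= NE2000_PMEM_SIZE;
+/* fail safe: check range on the transmitted length */
+if (index + s->tcnt <= NE2000_PMEM_END) {
+qemu_send_packet(s->nd, s->mem + index, s->tcnt);
+}
 /* signal end of transfert */
 s->tsr = ENTSR_PTX;
 s->isr |= ENISR_TX;
+s->cmd &= ~E8390_TRANS;
 ne2000_update_irq(s);
 }
 }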
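Review bot: The fail-safe at new line 272 bounds only the upper end of the transmit window (`index + s->tcnt <= NE2000_PMEM_END`); nothing checks the lower end, so whether a guest-chosen tpsr below the start of packet memory still points inside `s->mem` depends on the memory-layout constants, which are not visible in this hunk and should be confirmed. When the range check fails the packet is dropped silently, yet the lines that follow still report `ENTSR_PTX` and raise `ENISR_TX`, so a guest sees a successful transmit that never happened; a comment such as `/* out-of-range transmit is discarded but still reported as completed */` above the check, or a diagnostic under DEBUG_NE2000 in a rejected-range else branch, would make that intent explicit and leave a trace for debugging. The hack at new lines 269-270 assumes a single subtraction of `NE2000_PMEM_SIZE` always lands inside packet memory; that holds only if the largest `tpsr << 8` minus the size is below `NE2000_PMEM_END`, which again rests on constants outside the hunk. The enclosing ne2000_ioport_write continues past the end of this hunk.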