[Xen-devel] qemu/rtl8139: Max transmit frame size
Hi:

I noticed a bug in the realloc error checking code in the QEMU backend for RealTek8139. However, what's worse is that there is no cap on the total size of the transmit buffer at all. So a guest can keep extending it until memory runs out.

CP_TX_BUFFER_SIZE is already 64K. So it seems to me that we don't need the while loop to extend the buffer at all since no transmitted packet should be anywhere near this size.

Are there any objections to getting rid of the following while loop altogether and replacing it with a straight failure?

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff -r f026d4091322 tools/ioemu/hw/rtl8139.c --- a/tools/ioemu/hw/rtl8139.c Tue Nov 14 18:52:58 2006 +0000 +++ b/tools/ioemu/hw/rtl8139.c Wed Nov 15 15:35:24 2006 +1100 @@ -2001,8 +2001,13 @@ static int rtl8139_cplus_transmit_one(RT while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len) { + void *txbuffer; + s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE; - s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len); + txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len); + if (!txbuffer) + free(s->cplus_txbuffer); + s->cplus_txbuffer = txbuffer; DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed to %d\n", s->cplus_txbuffer_len)); }

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
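
Review bot: In the new failure branch (`if (!txbuffer) free(s->cplus_txbuffer);`), `s->cplus_txbuffer_len` has already been increased by `CP_TX_BUFFER_SIZE` and `s->cplus_txbuffer_offset` is left untouched, so after a failed realloc the device state describes a buffer that no longer exists, and the `DEBUG_PRINT` that follows still reports the larger size as if the resize had succeeded. Reset both fields to 0 in that branch, or compute the new length in a local and commit it only on success, and confirm that the code after the loop, which is not visible in this hunk, checks for a NULL `s->cplus_txbuffer` before copying into it. The hunk also keeps the unbounded growth the message describes: nothing limits `s->cplus_txbuffer_len`, so guest-driven transmit sizes still drive allocation until realloc fails. A fixed cap at `CP_TX_BUFFER_SIZE` with a straight failure, as proposed in the message, would remove the loop and this error path together.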