From 40545f84cfcbe4b73cca040b3043a1c2de935762 Mon Sep 17 00:00:00 2001
From: bellard
Date: Sun, 10 Apr 2005 14:51:41 +0000
Subject: [PATCH] packet fix for for netware 3.11 (initial patch by Mark Jonckheere) - security bug fix
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@1363 c046a42c-6fe2-441c-8c8c-71466251a162
---
 hw/ne2000.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 79d3026c01..e1b656e1b4 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -246,7 +246,7 @@ static void ne2000_receive(void *opaque, const uint8_t *buf, int size)
 static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 {
 NE2000State *s = opaque;
- int offset, page;
+ int offset, page, index;
 addr &= 0xf;
 #ifdef DEBUG_NE2000
@@ -264,10 +264,18 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 ne2000_update_irq(s);
 }
 if (val & E8390_TRANS) {
- qemu_send_packet(s->nd, s->mem + (s->tpsr << 8), s->tcnt);
+ index = (s->tpsr << 8);
+ /* XXX: next 2 lines are a hack to make netware 3.11 work */
+ if (index >= NE2000_PMEM_END)
+ index -= NE2000_PMEM_SIZE;
+ /* fail safe: check range on the transmitted length */
+ if (index + s->tcnt <= NE2000_PMEM_END) {
+ qemu_send_packet(s->nd, s->mem + index, s->tcnt);
+ }
 /* signal end of transfert */
 s->tsr = ENTSR_PTX;
 s->isr |= ENISR_TX;
+ s->cmd &= ~E8390_TRANS;
 ne2000_update_irq(s);
 }
 }
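Review bot: The fail-safe test `index + s->tcnt <= NE2000_PMEM_END` in the second hunk checks only the upper bound and relies on the sum not wrapping. Whether that holds depends on the declarations of `s->tpsr` and `s->tcnt` and on the NE2000_PMEM_* constants, none of which are visible here, and the NetWare hack subtracts NE2000_PMEM_SIZE only once. A form that stays correct whatever those types turn out to be is `if (index >= 0 && index <= NE2000_PMEM_END && s->tcnt <= NE2000_PMEM_END - index) {`. When the test fails the frame is dropped silently while the guest is still told ENTSR_PTX, so an `else` branch that prints under the existing `DEBUG_NE2000` guard would make rejected transmit requests visible. The body of ne2000_ioport_write starts and ends outside this hunk.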