[QEMU] rtl8139: Disallow chaining above 64K

As it stands the 8139C+ TX chaining is only bounded by realloc failure.
This is contrary to how the real hardware operates.  It also has DoS
potential when ioemu runs in dom0.

This patch makes any attempt to chain a frame beyond 64K fail
immediately.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/tools/ioemu/hw/rtl8139.c b/tools/ioemu/hw/rtl8139.c
index c704ab83607b6bb33b53e33e82a425be7b9b2b78..77e3c6d9fbb666c46ca4f9faa0a09510764300a6 100644 (file)
--- a/tools/ioemu/hw/rtl8139.c
+++ b/tools/ioemu/hw/rtl8139.c
@@ -1999,12 +1999,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
         DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer allocated space %d\n", s->cplus_txbuffer_len));
     }
 
-    while (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
+    if (s->cplus_txbuffer && s->cplus_txbuffer_offset + txsize >= s->cplus_txbuffer_len)
     {
-        s->cplus_txbuffer_len += CP_TX_BUFFER_SIZE;
-        s->cplus_txbuffer = realloc(s->cplus_txbuffer, s->cplus_txbuffer_len);
+       free(s->cplus_txbuffer);
+       s->cplus_txbuffer = NULL;
 
-        DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space changed to %d\n", s->cplus_txbuffer_len));
+       DEBUG_PRINT(("RTL8139: +++ C+ mode transmission buffer space exceeded: %d\n", s->cplus_txbuffer_offset + txsize));
     }
 
     if (!s->cplus_txbuffer)