Hello Jason,
+-- On Mon, 13 Jun 2016, Jason Wang wrote --+
| > case MIPSNET_TX_DATA_BUFFER:
| > s->tx_buffer[s->tx_written++] = val;
|
| I believe we may still have a buffer overflow here, no?
No, this is the overflow that the patch is meant to fix.
| > - if (s->tx_written == s->tx_count) {
| > + if ((s->tx_written >= MAX_ETH_FRAME_SIZE)
| > + || (s->tx_written == s->tx_count)) {
| > /* Send buffer. */
Earlier, send buffer would occur when if 'tx_written' reached 'tx_count'.
With this patch, it'll also occur when 'tx_written' reaches maximum frame
size.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
