aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:59 +0000
committerPeter Maydell <peter.maydell@linaro.org>2014-02-26 17:19:59 +0000
commitcf143ad35018c5fc1da6365b45acda2b34aba90a (patch)
tree37fed48f1990a0973a6ba32701e29d644b061096
parentfce0a826083e0416981e2ea9518ce5faa75b81a3 (diff)
downloadqemu-arm-cf143ad35018c5fc1da6365b45acda2b34aba90a.tar.gz
hw/arm/musicpal: Remove nonexistent CDTP2, CDTP3 registers
The ethernet device in the musicpal only has two tx queues, but we modelled it with four CTDP registers, presumably a cut and paste from the rx queue registers. Since the tx_queue[] array is only 2 entries long this allowed a guest to overrun this buffer. Remove the nonexistent registers. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1392737293-10073-1-git-send-email-peter.maydell@linaro.org Acked-by: Jan Kiszka <jan.kiszka@web.de> Cc: qemu-stable@nongnu.org
-rw-r--r--hw/arm/musicpal.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index 50a3b8fe4f..cce7127598 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -92,8 +92,6 @@
#define MP_ETH_CRDP3 0x4AC
#define MP_ETH_CTDP0 0x4E0
#define MP_ETH_CTDP1 0x4E4
-#define MP_ETH_CTDP2 0x4E8
-#define MP_ETH_CTDP3 0x4EC
/* MII PHY access */
#define MP_ETH_SMIR_DATA 0x0000FFFF
@@ -308,7 +306,7 @@ static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
- case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
+ case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
default:
@@ -362,7 +360,7 @@ static void mv88w8618_eth_write(void *opaque, hwaddr offset,
s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
break;
- case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
+ case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
break;
}