hw/arm/musicpal: Remove nonexistent CDTP2, CDTP3 registers

The ethernet device in the musicpal only has two tx queues, but we modelled it with four CTDP registers, presumably a cut and paste from the rx queue registers. Since the tx_queue[] array is only 2 entries long this allowed a guest to overrun this buffer. Remove the nonexistent registers. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1392737293-10073-1-git-send-email-peter.maydell@linaro.org Acked-by: Jan Kiszka <jan.kiszka@web.de> Cc: qemu-stable@nongnu.org (cherry picked from commit cf143ad) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
qemu · Feb 27, 2014 · fa98e47 · fa98e47
1 parent ff51a1d
commit fa98e47
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
@@ -92,8 +92,6 @@
 #define MP_ETH_CRDP3            0x4AC
 #define MP_ETH_CTDP0            0x4E0
 #define MP_ETH_CTDP1            0x4E4
-#define MP_ETH_CTDP2            0x4E8
-#define MP_ETH_CTDP3            0x4EC
 
 /* MII PHY access */
 #define MP_ETH_SMIR_DATA        0x0000FFFF
@@ -308,7 +306,7 @@ static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
 
-    case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
+    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
 
     default:
@@ -362,7 +360,7 @@ static void mv88w8618_eth_write(void *opaque, hwaddr offset,
             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
         break;
 
-    case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
+    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
         break;
     }