peter/qemu - QEMU hacking for Peter

diff options

author	Michael S. Tsirkin <mst@redhat.com>	2014-04-03 19:51:57 +0300
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2014-07-20 22:05:55 -0500
commit	eb55958e189aecc2c52b08e1aeb11715b668a5ab (patch)
tree	9f778362cbc3fcb2d757b394ba2186c148de01d0 /blockjob.c
parent	1124696193a6247f24a69cc2547d7ad80098833c (diff)
download	qemu-eb55958e189aecc2c52b08e1aeb11715b668a5ab.tar.gz

pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533 s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire. Fix this by validating rx_level against the size of s->rx_fifo. Cc: Don Koch <dkoch@verizon.com> Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Don Koch <dkoch@verizon.com> Signed-off-by: Juan Quintela <quintela@redhat.com> (cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

Diffstat (limited to 'blockjob.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: