diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-04-28 16:08:21 +0300 |
|---|---|---|
| committer | Juan Quintela <quintela@redhat.com> | 2014-05-05 22:15:03 +0200 |
| commit | 98f93ddd84800f207889491e0b5d851386b459cf (patch) | |
| tree | 085acc36e1693aca021848f1b2de9d2bbe0c5dda /hw/virtio/virtio.c | |
| parent | 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e (diff) | |
| download | qemu-98f93ddd84800f207889491e0b5d851386b459cf.tar.gz | |
virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Diffstat (limited to 'hw/virtio/virtio.c')
0 files changed, 0 insertions, 0 deletions