virtio: validate config_len on load - bwlp/qemu.git - Experimental fork of QEMU with video encoding patches

diff options

author	Michael S. Tsirkin	2014-04-28 15:08:23 +0200
committer	Juan Quintela	2014-05-05 22:15:03 +0200
commit	a890a2f9137ac3cf5b607649e66a6f3a5512d8dc (patch)
tree	f2556f0707b771bb328990b803c2a660dec88faa /include/exec
parent	virtio-net: out-of-bounds buffer write on load (diff)
download	qemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.tar.gz qemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.tar.xz qemu-a890a2f9137ac3cf5b607649e66a6f3a5512d8dc.zip

virtio: validate config_len on load

Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: Juan Quintela <quintela@redhat.com>

Diffstat (limited to 'include/exec')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: