| commit | a0d1cbdacff5df4ded16b753b38fdd9da6092968 | |
| author | chaojianhu <chaojianhu@hotmail.com> | |
| Tue, 9 Aug 2016 03:52:54 +0000 (9 11:52 +0800) | ||
| committer | Jason Wang <jasowang@redhat.com> | |
| Tue, 9 Aug 2016 07:27:18 +0000 (9 15:27 +0800) | ||
| tree | 6b8917d16c174baeb34e5dd8ceec838cdaf2dca2 | treesnapshot (tar.gz zip) |
| parent | 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 | commitdiff |
hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
| hw/net/xilinx_ethlite.c | diffblobblamehistory |