| commit | a890a2f9137ac3cf5b607649e66a6f3a5512d8dc | |
| author | Michael S. Tsirkin <mst@redhat.com> | |
| Mon, 28 Apr 2014 13:08:23 +0000 (28 16:08 +0300) | ||
| committer | Juan Quintela <quintela@redhat.com> | |
| Mon, 5 May 2014 20:15:03 +0000 (5 22:15 +0200) | ||
| tree | f2556f0707b771bb328990b803c2a660dec88faa | treesnapshot (tar.gz zip) |
| parent | 98f93ddd84800f207889491e0b5d851386b459cf | commitdiff |
virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
| hw/virtio/virtio.c | diffblobblamehistory |