pxa2xx: avoid buffer overrun on incoming migration
commitcaa881abe0e01f9931125a0977ec33c5343e4aa7
authorMichael S. Tsirkin <mst@redhat.com>
Thu, 3 Apr 2014 16:51:57 +0000 (3 19:51 +0300)
committerJuan Quintela <quintela@redhat.com>
Mon, 5 May 2014 20:15:02 +0000 (5 22:15 +0200)
tree6938ea78f83cc1373a55f59da1f69febbf96862f
parent36cf2a37132c7f01fa9adb5f95f5312b27742fd4
pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
hw/arm/pxa2xx.c