git.ipfire.org Git - thirdparty/qemu.git/commit

author	Michael S. Tsirkin <mst@redhat.com>
	Mon, 28 Apr 2014 13:08:23 +0000 (16:08 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 26 Jun 2014 19:31:48 +0000 (14:31 -0500)
commit	2003205fd2799fdeebe56a6c700d34555d114142
tree	3dcfffdc853fd563e13faa8110ba96f27c16f8bc	tree
parent	7abee6c9883f242b680736b4d9c730b1556498e5	commit \| diff

virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>