git.ipfire.org Git - thirdparty/qemu.git/commit

author	Michael S. Tsirkin <mst@redhat.com>
	Mon, 28 Apr 2014 13:08:23 +0000 (16:08 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Wed, 6 Aug 2014 19:55:48 +0000 (14:55 -0500)
commit	3bb84a6c988e59892b0ca2a143805f92eb4b04ba
tree	824aa377397974b25ee496fb42f9a23ce4c1f952	tree
parent	48935f029f5ae7f6bd6f01b2c942a7f2f1a7bc9a	commit \| diff

virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>