git.ipfire.org Git - thirdparty/qemu.git/commit

author	Michael Roth <mdroth@linux.vnet.ibm.com>
	Mon, 28 Apr 2014 13:08:17 +0000 (16:08 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 26 Jun 2014 19:18:27 +0000 (14:18 -0500)
commit	609f5bf6fecb78ada914b88598ae8ba43e304e36
tree	1959cd0cbe7d165e068f061c21db23ed07d04be4	tree
parent	8f0e369a52ff0b5e0642bda47e2ead3c7e273fe1	commit \| diff

openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>