git.ipfire.org Git - thirdparty/qemu.git/commit

author	Michael S. Tsirkin <mst@redhat.com>
	Thu, 3 Apr 2014 16:51:57 +0000 (19:51 +0300)
committer	Michael Roth <mdroth@linux.vnet.ibm.com>
	Thu, 26 Jun 2014 19:19:05 +0000 (14:19 -0500)
commit	d92a7683e8cc4d3daab1ae9197f9311a72c9d1e6
tree	ac545aa5d546185c2e8963465c9ca14076777317	tree
parent	68801b7be1ddabe3495f68145b1202049b1486c2	commit \| diff

pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>