Skip to content
Commit 3bb84a6c authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by Michael Roth
Browse files

virtio: validate config_len on load 



Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: default avatar"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarJuan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: default avatarJuan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9)
Signed-off-by: default avatarMichael Roth <mdroth@linux.vnet.ibm.com>
parent 48935f02
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment