Commit a890a2f9 authored Apr 28, 2014 by Michael S. Tsirkin Committed by Juan Quintela May 05, 2014

virtio: validate config_len on load



Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>

parent 98f93ddd

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 2003205f
· Dec 16, 2019

mentioned in commit 2003205f

mentioned in commit 2003205fd2799fdeebe56a6c700d34555d114142

Toggle commit list
mirror @mirror
mentioned in commit 3bb84a6c
· Dec 16, 2019

mentioned in commit 3bb84a6c

mentioned in commit 3bb84a6c988e59892b0ca2a143805f92eb4b04ba

Toggle commit list

Please register or to comment