Searched hist:"98 f93ddd84800f207889491e0b5d851386b459cf" (Results 1 – 1 of 1) sorted by relevance
| /openbmc/qemu/hw/net/ |
| H A D | virtio-net.c | diff 98f93ddd84800f207889491e0b5d851386b459cf Mon Apr 28 08:08:21 CDT 2014 Michael S. Tsirkin <mst@redhat.com> virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
|