eb55958e18
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| Makefile.objs | ||
| allwinner-a10.c | ||
| armv7m.c | ||
| boot.c | ||
| collie.c | ||
| cubieboard.c | ||
| digic.c | ||
| digic_boards.c | ||
| exynos4_boards.c | ||
| exynos4210.c | ||
| gumstix.c | ||
| highbank.c | ||
| integratorcp.c | ||
| kzm.c | ||
| mainstone.c | ||
| musicpal.c | ||
| nseries.c | ||
| omap1.c | ||
| omap2.c | ||
| omap_sx1.c | ||
| palm.c | ||
| pxa2xx.c | ||
| pxa2xx_gpio.c | ||
| pxa2xx_pic.c | ||
| realview.c | ||
| spitz.c | ||
| stellaris.c | ||
| strongarm.c | ||
| strongarm.h | ||
| tosa.c | ||
| versatilepb.c | ||
| vexpress.c | ||
| virt.c | ||
| xilinx_zynq.c | ||
| z2.c | ||