On 3 December 2013 16:28, Michael S. Tsirkin <m...@redhat.com> wrote:
> From: Michael Roth <mdr...@linux.vnet.ibm.com>
>
> CVE-2013-4532
>
> s->tx_fifo_len is read from the wire and later used as an index into
> s->tx_fifo[] when a DATA command is issued by the guest. If
> s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
> than 0, the buffer can be overrun/underrun by arbitrary data written out
> by the guest upon resuming it's execution.

"its".

thanks
-- PMM