On Mon, 31 Mar 2014 17:17:08 +0300
"Michael S. Tsirkin" <m...@redhat.com> wrote:

> CVE-2013-4533
> 
> s->rx_level is read from the wire and used to determine how many bytes
> to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
> length of s->rx_fifo[] the buffer can be overrun with arbitrary data
> from the wire.
> 
> Fix this by validating rx_level against the size of s->rx_fifo.
> 
> Cc: Don Koch <dk...@verizon.com>
> Reported-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>

Reviewed-by: Don Koch <dk...@verizon.com>

-d
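
The bounds check described in the quoted commit message, as an added example that is not code from this thread or from the patched project: a length read from untrusted wire data is validated against the size of `rx_fifo` before it is used as a copy length. The names `dev_state`, `wire`, `wire_get_be32`, `dev_load` and the value of `RX_FIFO_LEN` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RX_FIFO_LEN 8            /* assumed FIFO size, chosen for the example */

struct dev_state {               /* hypothetical device state */
    uint32_t rx_level;
    uint8_t  rx_fifo[RX_FIFO_LEN];
};

struct wire {                    /* cursor over untrusted incoming data */
    const uint8_t *buf;
    size_t len, pos;             /* invariant: pos <= len */
};

/* Read a big-endian 32-bit value; returns -1 if the stream is too short. */
static int wire_get_be32(struct wire *w, uint32_t *out)
{
    if (w->len - w->pos < 4)
        return -1;
    const uint8_t *p = w->buf + w->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
    w->pos += 4;
    return 0;
}

/* Load state from the wire. Returns 0 on success, -1 on invalid input. */
int dev_load(struct dev_state *s, struct wire *w)
{
    uint32_t level;

    if (wire_get_be32(w, &level) < 0)
        return -1;
    /* Reject a level larger than the FIFO before using it as a length. */
    if (level > sizeof(s->rx_fifo))
        return -1;
    /* The stream must also actually contain that many bytes. */
    if (w->len - w->pos < level)
        return -1;
    memcpy(s->rx_fifo, w->buf + w->pos, level);
    w->pos += level;
    s->rx_level = level;         /* stored only after validation */
    return 0;
}
```
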
