+-- On Wed, 24 Feb 2016, Jason Wang wrote --+
| > - hw/net/virtio-net.c
| > if (size > 27 && size < 1500) &&
| > (buf[34] == 0 && buf[35] == 67)) {
|
| Are we sure size of buf is >= 35 here?No; I'm yet to see why it checks for > 27. If (27 < size < 34) then we have another OOB access there. | > + if (len < 14+20) | > + return; | | Ok. I have sent a revised v2 of this patch. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
