Re: [Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration

2014-03-31 Thread Peter Maydell
On 31 March 2014 15:17, Michael S. Tsirkin wrote:
> From: Michael Roth
>
> CVE-2013-4534
>
> opp->nb_cpus is read from the wire and used to determine how many
> IRQDest elements to read into opp->dst[]. If the value exceeds the
> length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbit

[Qemu-devel] [PATCH v4 17/30] openpic: avoid buffer overrun on incoming migration

2014-03-31 Thread Michael S. Tsirkin
From: Michael Roth

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire. Fix this by failing migration if the