Searched hist:d7f05365 (Results 1 – 1 of 1) sorted by relevance
| /qemu/hw/net/ |
| H A D | cadence_gem.c | d7f05365 Thu Jan 14 09:43:30 GMT 2016 Michael S. Tsirkin <mst@redhat.com> cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
|