Searched hist:d7f05365 (Results 1 – 1 of 1) sorted by relevance
/qemu/hw/net/ |
H A D | cadence_gem.c | d7f05365 Thu Jan 14 09:43:30 GMT 2016 Michael S. Tsirkin <mst@redhat.com> cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048] array on stack, with size limited by descriptor length set by guest. If guest is malicious and specifies a descriptor length that is too large, and should packet size exceed array size, this results in a buffer overflow.
Reported-by: 刘令 <liuling-it@360.cn> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
|