diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2016-01-14 11:43:30 +0200 |
---|---|---|
committer | Jason Wang <jasowang@redhat.com> | 2016-02-04 13:22:06 +0800 |
commit | d7f053652fef48bee7c461c162c8d4d2c96ab157 (patch) | |
tree | 3f330b046e6102caf7fabb18ede347802630419e /gdb-xml/s390-fpr.xml | |
parent | 244381ec19ce1412b474f41b5f30fe1da846451b (diff) |
cadence_gem: fix buffer overflow
gem_transmit copies a packet from guest into an tx_packet[2048]
array on stack, with size limited by descriptor length set by guest. If
guest is malicious and specifies a descriptor length that is too large,
and should packet size exceed array size, this results in a buffer
overflow.
Reported-by: 刘令 <liuling-it@360.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Diffstat (limited to 'gdb-xml/s390-fpr.xml')
0 files changed, 0 insertions, 0 deletions