From: Peter Maydell
Date: Mon, 31 Mar 2014 16:29:43 +0100
Subject: Re: [Qemu-devel] [PATCH v4 19/30] pxa2xx: avoid buffer overrun on incoming migration
In-Reply-To: <1396275242-10810-20-git-send-email-mst@redhat.com>
References: <1396275242-10810-1-git-send-email-mst@redhat.com> <1396275242-10810-20-git-send-email-mst@redhat.com>
To: "Michael S. Tsirkin"
Cc: Michael Roth, qemu-stable, QEMU Developers, Don Koch, Dave Gilbert

On 31 March 2014 15:17, Michael S. Tsirkin wrote:
> CVE-2013-4533
>
> s->rx_level is read from the wire and used to determine how many bytes
> to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
> length of s->rx_fifo[] the buffer can be overrun with arbitrary data
> from the wire.
>
> Fix this by validating rx_level against the size of s->rx_fifo.
>
> Cc: Don Koch
> Reported-by: Michael Roth
> Signed-off-by: Michael S. Tsirkin

Reviewed-by: Peter Maydell

thanks
-- PMM
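The bug and fix described in the quoted commit message, as an added C example that is not QEMU's pxa2xx.c and not part of this thread: a loader that trusts a wire-supplied rx_level as the copy bound beside one that validates it against the FIFO size first. The FIFO depth of 16, the ssp_state layout with a canary after the FIFO, the `wire` byte-stream reader standing in for QEMUFile, and the scenario helpers are all assumptions made for the example; only the rx_level and rx_fifo names come from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. Depth, layout and the stream reader are
 * assumptions; the rx_level / rx_fifo names are from the commit message. */
#define RX_FIFO_DEPTH 16

typedef struct {
    int32_t  rx_level;
    uint8_t  rx_fifo[RX_FIFO_DEPTH];
    uint32_t canary;   /* whatever follows the FIFO is what an overrun clobbers */
} ssp_state;

/* Minimal stand-in for the incoming migration stream. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} wire;

static int wire_get_be32(wire *w, int32_t *out)
{
    if (w->len - w->pos < 4)
        return -1;
    uint32_t v = (uint32_t)w->data[w->pos] << 24 | (uint32_t)w->data[w->pos + 1] << 16
               | (uint32_t)w->data[w->pos + 2] << 8 | (uint32_t)w->data[w->pos + 3];
    w->pos += 4;
    *out = (int32_t)v;
    return 0;
}

static int wire_get_byte(wire *w, uint8_t *out)
{
    if (w->pos >= w->len)
        return -1;
    *out = w->data[w->pos++];
    return 0;
}

/* Before: rx_level comes straight off the wire and bounds the loop, so a
 * claimed count above RX_FIFO_DEPTH writes past rx_fifo. Shown for contrast;
 * never call it on untrusted input (the scenarios below only feed it a
 * well-formed stream). */
static int ssp_load_unchecked(ssp_state *s, wire *w)
{
    if (wire_get_be32(w, &s->rx_level) < 0)
        return -EIO;
    for (int32_t i = 0; i < s->rx_level; i++)
        if (wire_get_byte(w, &s->rx_fifo[i]) < 0)
            return -EIO;
    return 0;
}

/* After: reject rx_level outside [0, RX_FIFO_DEPTH] before touching the FIFO.
 * rx_level is a signed count here, so a negative value is refused as well. */
static int ssp_load_checked(ssp_state *s, wire *w)
{
    if (wire_get_be32(w, &s->rx_level) < 0)
        return -EIO;
    if (s->rx_level < 0 || s->rx_level > RX_FIFO_DEPTH)
        return -EINVAL;
    for (int32_t i = 0; i < s->rx_level; i++)
        if (wire_get_byte(w, &s->rx_fifo[i]) < 0)
            return -EIO;
    return 0;
}

/* Serialise rx_level (big-endian) followed by the payload bytes.
 * Returns the stream length, or 0 if it does not fit in buf. */
static size_t build_stream(uint8_t *buf, size_t cap, int32_t rx_level,
                           const uint8_t *payload, size_t payload_len)
{
    if (cap < 4 + payload_len)
        return 0;
    uint32_t v = (uint32_t)rx_level;
    buf[0] = v >> 24; buf[1] = v >> 16; buf[2] = v >> 8; buf[3] = v;
    if (payload_len)
        memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Run a loader on a constructed stream and leave the state in *s. */
static int run_loader(int (*load)(ssp_state *, wire *), ssp_state *s,
                      int32_t rx_level, const uint8_t *payload, size_t payload_len)
{
    uint8_t buf[128];
    size_t n = build_stream(buf, sizeof buf, rx_level, payload, payload_len);
    wire w = { buf, n, 0 };
    memset(s, 0, sizeof *s);
    s->canary = 0xDEADBEEFu;
    return load(s, &w);
}

/* Constructed well-formed stream: both loaders accept 4 claimed, 4 present. */
int scenario_valid(void)
{
    static const uint8_t payload[4] = { 'A', 'B', 'C', 'D' };
    ssp_state a, b;
    int ra = run_loader(ssp_load_unchecked, &a, 4, payload, 4);
    int rb = run_loader(ssp_load_checked, &b, 4, payload, 4);
    return ra == 0 && rb == 0 && memcmp(b.rx_fifo, payload, 4) == 0
        && b.canary == 0xDEADBEEFu;
}

/* Constructed hostile stream: 64 claimed bytes for a 16-byte FIFO. The checked
 * loader must refuse it with -EINVAL and leave the canary untouched. */
int scenario_oversized(void)
{
    uint8_t payload[64];
    ssp_state s;
    memset(payload, 0x41, sizeof payload);
    int rc = run_loader(ssp_load_checked, &s, 64, payload, sizeof payload);
    return rc == -EINVAL && s.canary == 0xDEADBEEFu;
}

/* Constructed stream with rx_level = -1 (0xFFFFFFFF on the wire). */
int scenario_negative(void)
{
    ssp_state s;
    return run_loader(ssp_load_checked, &s, -1, NULL, 0) == -EINVAL;
}

int main(void)
{
    printf("valid=%d oversized=%d negative=%d\n",
           scenario_valid(), scenario_oversized(), scenario_negative());
    return 0;
}
```

The check sits before the first write into rx_fifo, which is the point of the fix: once the loop has started, nothing downstream can undo an out-of-bounds store, so the count must be rejected, not clamped, before the FIFO is touched.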