On 04/26/2013 06:32 PM, Eric Blake wrote:
> On 04/25/2013 11:06 PM, Jason Wang wrote:
>>>>     if (addr > (vdev->config_len - sizeof(val)))
>>>>
>>>> ^^^^^^^^^ quiz: spot a bug above if config_len is 0    :)
>>> Then we need to fix these bugs and allocate a CVE.  virtio-rng has
>>> shipped.  This code is also dumb.
>> Ok, but since the discussion is on a public list, no need for a CVE then.
> Wrong.  CVEs are useful even for publicly disclosed bugs.  It tells
> people whether they need to upgrade in order to avoid a vulnerability.
>
> What we don't need is embargo.  But we do need a CVE.
>

True, thanks for the correction.
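
The quiz in the quoted check, worked through as an added example (not part of the original thread and not QEMU's code): because `sizeof` yields an unsigned `size_t`, `config_len - sizeof(val)` wraps to a huge value when `config_len` is 0, so the check rejects nothing. The `vdev_model` struct and the function names are hypothetical, and `val` is assumed to be a 32-bit value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the device state: only the two fields the check needs. */
struct vdev_model {
    size_t   config_len;
    uint8_t *config;
};

/* The check as quoted in the thread (sizeof(uint32_t) stands for sizeof(val)).
 * The subtraction is done in size_t, so config_len < 4 wraps around and
 * every addr passes. Returns 1 when the access is allowed. */
static int check_quoted(const struct vdev_model *v, uint32_t addr)
{
    if (addr > (v->config_len - sizeof(uint32_t)))
        return 0;
    return 1;
}

/* Same bound, but the length is tested before subtracting, so the
 * subtraction can no longer wrap. */
static int check_safe(const struct vdev_model *v, uint32_t addr)
{
    if (v->config_len < sizeof(uint32_t) ||
        addr > v->config_len - sizeof(uint32_t))
        return 0;
    return 1;
}

/* Bounds-checked 32-bit config read built on check_safe; 0 on success. */
static int config_readl(const struct vdev_model *v, uint32_t addr, uint32_t *out)
{
    if (!check_safe(v, addr))
        return -1;
    memcpy(out, v->config + addr, sizeof(*out));
    return 0;
}

int main(void)
{
    struct vdev_model empty = { 0, NULL };   /* constructed: device with no config space */
    uint32_t out = 0;
    printf("config_len=0 addr=4096: quoted=%d safe=%d\n",
           check_quoted(&empty, 4096), check_safe(&empty, 4096));
    printf("readl on empty config: %d\n", config_readl(&empty, 0, &out));
    return 0;
}
```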

