On 31 March 2014 15:17, Michael S. Tsirkin <m...@redhat.com> wrote:
> CVE-2013-4533
>
> s->rx_level is read from the wire and used to determine how many bytes
> to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
> length of s->rx_fifo[] the buffer can be overrun with arbitrary data
> from the wire.
>
> Fix this by validating rx_level against the size of s->rx_fifo.
>
> Cc: Don Koch <dk...@verizon.com>
> Reported-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <m...@redhat.com>

Reviewed-by: Peter Maydell <peter.mayd...@linaro.org>

thanks
-- PMM
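
An added example, not part of the original thread and not QEMU's code: a C model of the check the quoted commit message describes, where a count read from the wire is validated against the array size before it is used to fill `rx_fifo`. `RX_FIFO_LEN`, the `Wire` reader, `SSPState` and `ssp_load` are assumptions made for this example; only `rx_level` and `rx_fifo` are names from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RX_FIFO_LEN 16  /* assumed size for this example, not taken from the thread */

/* Hypothetical device state; only rx_level and rx_fifo are named in the message. */
typedef struct {
    uint8_t  rx_level;
    uint32_t rx_fifo[RX_FIFO_LEN];
} SSPState;

/* Hypothetical byte-stream reader standing in for the incoming wire data. */
typedef struct { const uint8_t *buf; size_t len, pos; } Wire;

static int wire_get_byte(Wire *w, uint8_t *out)
{
    if (w->pos >= w->len) return -1;          /* truncated stream */
    *out = w->buf[w->pos++];
    return 0;
}

/* Returns 0 on success, -1 on malformed input; *s is only written on success. */
int ssp_load(Wire *w, SSPState *s)
{
    SSPState tmp = {0};
    uint8_t v;

    if (wire_get_byte(w, &tmp.rx_level) < 0) return -1;
    /* The count is untrusted: reject it before it becomes a loop bound. */
    if (tmp.rx_level > RX_FIFO_LEN) return -1;
    for (size_t i = 0; i < tmp.rx_level; i++) {
        if (wire_get_byte(w, &v) < 0) return -1;
        tmp.rx_fifo[i] = v;
    }
    *s = tmp;
    return 0;
}

int main(void)
{
    /* Constructed input: claims 200 entries for a 16-entry FIFO. */
    uint8_t bad[40] = {200};
    Wire w = {bad, sizeof bad, 0};
    SSPState s = {0};
    printf("load: %d\n", ssp_load(&w, &s));
    return 0;
}
```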