On 1 April 2014 11:05, Peter Maydell wrote:
> But note that there seems to be a bug or two in
> the DATA read logic: our cutoff for tx frame too
> long is tx_frame_len > 2032, but for the limit
> case of 2032, if we add 14 for the ethernet header
> and 4 for explicit CRC then we get 2050, which is
On 1 April 2014 10:43, Dr. David Alan Gilbert wrote:
> * Michael S. Tsirkin (m...@redhat.com) wrote:
>> CVE-2013-4532
>> @@ -374,7 +374,13 @@ static int stellaris_enet_load(QEMUFile *f, void
>> *opaque, int version_id)
>> s->mrxd = qemu_get_be32(f);
>> s->np = qemu_get_be32(f);
>>
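Review bot: the visible context of this hunk only restores s->mrxd and s->np through qemu_get_be32() and shows no range check on the loaded s->tx_fifo_len, which the commit message says is later used as an index into s->tx_fifo[] on a guest DATA command; the check that s->tx_fifo_len lies within 0 and the size of s->tx_fifo[] belongs here in stellaris_enet_load(), before the value is stored and before any use, and since this quote cuts off before the added lines the header announces (-374,7 +374,13), the excerpt cannot confirm that the six new lines perform that check.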
* Michael S. Tsirkin (m...@redhat.com) wrote:
> CVE-2013-4532
>
> s->tx_fifo_len is read from the wire and later used as an index into
> s->tx_fifo[] when a DATA command is issued by the guest. If
> s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
> than 0, the buffer can be over
CVE-2013-4532
s->tx_fifo_len is read from the wire and later used as an index into
s->tx_fifo[] when a DATA command is issued by the guest. If
s->tx_fifo_len is greater than the length of s->tx_fifo[], or less
than 0, the buffer can be overrun/underrun by arbitrary data written out
by the guest up
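As an added illustration of the bounds problem the commit message describes (this is constructed example code, not QEMU's stellaris_enet device or the patch under discussion): a migration-load step that rejects a wire-supplied tx_fifo_len outside the FIFO, and a DATA-command write path that still checks for room before appending. The FIFO size, the byte layout and the function names are assumptions; the page does not give the real values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the device state. The real size of s->tx_fifo[]
 * is not stated on this page, so TX_FIFO_SIZE is an assumed value. */
#define TX_FIFO_SIZE 2048

struct enet_state {
    uint8_t tx_fifo[TX_FIFO_SIZE];
    int32_t tx_fifo_len;   /* bytes queued; arrives from the wire on load */
};

/* Load side: refuse any tx_fifo_len that is not a valid offset into
 * tx_fifo[] before it is stored. Returns 0 on success, -1 on a bad value;
 * a real load function would fail the migration on -1 rather than keep
 * a guest-controlled index it cannot trust. */
int load_tx_fifo_len(struct enet_state *s, int32_t wire_value)
{
    if (wire_value < 0 || wire_value > TX_FIFO_SIZE) {
        return -1;
    }
    s->tx_fifo_len = wire_value;
    return 0;
}

/* Guest DATA command: append one 32-bit word, little-endian (assumed
 * layout). Even with a validated tx_fifo_len, check that the four bytes
 * fit; this is the write that would overrun tx_fifo[] with a bad index. */
int fifo_push_data(struct enet_state *s, uint32_t word)
{
    if (s->tx_fifo_len < 0 || s->tx_fifo_len > TX_FIFO_SIZE - 4) {
        return -1;          /* no room: drop the write instead of overrunning */
    }
    for (int i = 0; i < 4; i++) {
        s->tx_fifo[s->tx_fifo_len++] = (uint8_t)(word >> (8 * i));
    }
    return 0;
}

/* Round trip used by the stand-alone main and the checks below: load a
 * wire value, then push one word. Returns the resulting tx_fifo_len,
 * -1 if the load rejected the value, -2 if the push had no room. */
int check_round_trip(int32_t wire_value, uint32_t word)
{
    struct enet_state s;
    memset(&s, 0, sizeof s);
    if (load_tx_fifo_len(&s, wire_value) != 0) {
        return -1;
    }
    if (fifo_push_data(&s, word) != 0) {
        return -2;
    }
    return s.tx_fifo_len;
}

int main(void)
{
    /* Constructed wire values: negative, too large, exactly full, and sane. */
    int32_t samples[] = { -1, TX_FIFO_SIZE + 1, TX_FIFO_SIZE, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("tx_fifo_len=%d -> %d\n", samples[i],
               check_round_trip(samples[i], 0x04030201u));
    }
    return 0;
}
```

The two checks are deliberately separate: validating at load time stops a hostile migration stream from planting an out-of-range index, and re-checking at write time means a later bug in any other path that touches tx_fifo_len still cannot turn into an out-of-bounds write.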