virtio: validate config_len on load
Malformed input can have config_len in migration stream exceed the array size allocated on destination, the result will be heap overflow. To fix, that config_len matches on both sides. CVE-2014-0182 Reported-by: N"Dr. David Alan Gilbert" <dgilbert@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NJuan Quintela <quintela@redhat.com> -- v2: use %ix and %zx to print config_len values Signed-off-by: NJuan Quintela <quintela@redhat.com> (cherry picked from commit a890a2f9) Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Showing
想要评论请 注册 或 登录