Files · a0d1cbdacff5df4ded16b753b38fdd9da6092968 · Anton / libtcg

hw/net: Fix a heap overflow in xlnx.xps-ethernetlite

chaojianhu authored 8 years ago

The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.

Reported-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>

a0d1cbda

History

a0d1cbda 8 years ago

History

Name	Last commit	Last update
audio
backends
block
bsd-user
contrib
crypto
default-configs
disas
docs
fpu
fsdev
gdb-xml
hw
include
io
libdecnumber
linux-headers
linux-user
migration
nbd
net
pc-bios
po
qapi
qga
qobject
qom
replay
roms
scripts
slirp
stubs
target-alpha
target-arm
target-cris
target-i386
target-lm32
target-m68k
target-microblaze
target-mips
target-moxie
target-openrisc
target-ppc
target-s390x
target-sh4
target-sparc
target-tilegx
target-tricore
target-unicore32
target-xtensa
tcg
tests
trace
ui
util
.dir-locals.el
.exrc
.gitignore
.gitmodules
.mailmap
.travis.yml
CODING_STYLE
COPYING
COPYING.LIB
Changelog
HACKING
LICENSE
MAINTAINERS
Makefile
Makefile.objs
Makefile.target
README
VERSION
accel.c
aio-posix.c
aio-win32.c
arch_init.c
async.c
balloon.c
block.c
blockdev-nbd.c
blockdev.c
blockjob.c
bootdevice.c
bt-host.c
bt-vhci.c
configure
cpu-exec-common.c
cpu-exec.c
cpus.c
cputlb.c
device-hotplug.c
device_tree.c
disas.c
dma-helpers.c
dump.c
exec.c
gdbstub.c
hmp-commands-info.hx
hmp-commands.hx

README