ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537 s->arglen is taken from wire and used as idx in ssi_sd_transfer(). Validate it before access. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Juan Quintela <quintela@redhat.com>
This commit is contained in:
parent
767adce2d9
commit
a9c380db3b
@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
|
||||
for (i = 0; i < 5; i++)
|
||||
s->response[i] = qemu_get_be32(f);
|
||||
s->arglen = qemu_get_be32(f);
|
||||
if (s->mode == SSI_SD_CMDARG &&
|
||||
(s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
|
||||
return -EINVAL;
|
||||
}
|
||||
s->response_pos = qemu_get_be32(f);
|
||||
s->stopping = qemu_get_be32(f);
|
||||
if (s->mode == SSI_SD_RESPONSE &&
|
||||
(s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
|
||||
(!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
ss->cs = qemu_get_be32(f);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user