summaryrefslogtreecommitdiff
path: root/docs/qapi-code-gen.txt
diff options
context:
space:
mode:
authorWolfgang Bumiller <w.bumiller@proxmox.com>2016-01-13 09:09:58 +0100
committerMarkus Armbruster <armbru@redhat.com>2016-02-03 10:13:06 +0100
commit64ffbe04eaafebf4045a3ace52a360c14959d196 (patch)
tree57ccddbc02a6c706c89ff44f78ee62f65f9d397c /docs/qapi-code-gen.txt
parentc65db7705b7926f4a084b93778e4bd5dd3990aad (diff)
downloadqemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.gz
qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.tar.bz2
qemu-64ffbe04eaafebf4045a3ace52a360c14959d196.zip
hmp: fix sendkey out of bounds write (CVE-2015-8619)
When processing 'sendkey' command, hmp_sendkey routine null terminates the 'keyname_buf' array. This results in an OOB write issue, if 'keyname_len' was to fall outside of 'keyname_buf' array. Since the keyname's length is known the keyname_buf can be removed altogether by adding a length parameter to index_from_key() and using it for the error output as well. Reported-by: Ling Liu <liuling-it@360.cn> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Message-Id: <20160113080958.GA18934@olga> [Comparison with "<" dumbed down, test for junk after strtoul() tweaked] Signed-off-by: Markus Armbruster <armbru@redhat.com>
Diffstat (limited to 'docs/qapi-code-gen.txt')
0 files changed, 0 insertions, 0 deletions