The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu
Signed-off-by: chaojianhu
--
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
of data before calling memcpy. As a result, the NetClientState object in
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
will be affected.
Reported-by: chaojianhu
---
hw/net/xilinx_ethlite.
From: chaojianhu
Date: Tue, 2 Aug 2016 17:39:16 +0800
Subject: [PATCH] hw/ide: fix a writing to null pointer exception
In qemu less than v2.1.3, ide_flush_cache calls ide_flush_cb with s->bs == NULL,
and ide_flush_cb calls bdrv_acct_done without checking s->bs either. Finally,
bdrv_acc