On 09.03.2026 22:01, Paolo Bonzini wrote:
> If cpu_physical_memory_map() returns a length shorter than the one
> that was passed into the function, writing the full out_len bytes
> causes an access beyond the memory allocated to the guest; or in
> the case of the MMIO bounce buffer, an out-of-bounds access in a
> heap-allocated object.
>
> Add a check similar to the one already in handle_send_msg(),
> and take the occasion to remove repeated computations of
> recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> code does not write past out_len bytes.
>
> Reported-by: Oleh Konko <https://github.com/1seal>
> Reviewed-by: Daniel P. Berrangé <[email protected]>
> Signed-off-by: Paolo Bonzini <[email protected]>
I'm picking this up for the qemu stable series.
Please let me know if I shouldn't :)
Thanks,
/mjt
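A stand-alone illustration of the length check the quoted commit message describes, added here as an example and not taken from QEMU or from the patch itself. It assumes a stub `fake_map()` in place of cpu_physical_memory_map() (same contract: the mapped length may come back shorter than requested), a constructed 64-byte `guest_ram`, and a constructed `sample_pkt`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 64-byte "guest RAM" standing in for the guest address space. */
#define GUEST_RAM_SIZE 64
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Constructed sample payload used by main() and the checks below. */
static const uint8_t sample_pkt[16] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                        9, 10, 11, 12, 13, 14, 15, 16 };

/* Stand-in (assumption, not the real function) for cpu_physical_memory_map():
 * like the real API it may shrink *plen to the bytes actually mappable from
 * addr, and returns NULL when nothing can be mapped. */
static void *fake_map(uint64_t addr, uint64_t *plen, bool is_write)
{
    (void)is_write;
    if (addr >= GUEST_RAM_SIZE) {
        *plen = 0;
        return NULL;
    }
    if (*plen > GUEST_RAM_SIZE - addr) {
        *plen = GUEST_RAM_SIZE - addr;   /* shorter than requested */
    }
    return guest_ram + addr;
}

/* Hardened copy: map the region, verify the mapped length still covers
 * out_len, and only then write exactly out_len bytes. The pre-fix pattern
 * described in the commit message copied out_len bytes without consulting
 * the shortened length, overrunning the mapping. Returns bytes written or -1. */
static int copy_to_guest(uint64_t addr, const uint8_t *src, size_t out_len)
{
    uint64_t len = out_len;
    uint8_t *dst = fake_map(addr, &len, true);

    if (dst == NULL || len < out_len) {
        return -1;   /* partial mapping: refuse rather than write past it */
    }
    memcpy(dst, src, out_len);
    return (int)out_len;
}

int main(void)
{
    /* In bounds: written. Crossing the end of guest RAM: refused. */
    return (copy_to_guest(0, sample_pkt, 16) == 16 &&
            copy_to_guest(56, sample_pkt, 16) == -1) ? 0 : 1;
}
```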