On Wed, Jun 03, 2026 at 02:21:38PM +0800, [email protected] wrote:
> From: GuoHan Zhao <[email protected]>
>
> The vfio-user protocol makes the VERSION payload optional, so a
> reply may legally stop after the major and minor fields.
>
> vfio_user_validate_version() currently assumes a capabilities string is
> always present and NUL-terminated. When the server replies without
> version data, QEMU ends up reusing the request-side capabilities buffer
> and the terminating-NUL check underflows. Replies shorter than the fixed
> VERSION header are also accessed before they are validated.
>
> Reject replies shorter than the fixed VERSION header and only parse
> capabilities when the reply actually carries version data.
>
> Fixes: 36227628d824 (vfio-user: implement message send infrastructure)
> Signed-off-by: GuoHan Zhao <[email protected]>
Thanks!

Reviewed-by: John Levon <[email protected]>

regards
john
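The two checks the patch description calls for (reject replies shorter than the fixed VERSION header; parse capabilities only when version data is actually present), written out by the editor as an added example rather than the QEMU patch or its real vfio-user structures. The 16-byte header, the 4-byte major/minor fields, the function name and the sample replies are this example's own assumptions and constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed wire layout (this example's own, not QEMU's definitions): a
 * 16-byte fixed message header, a 2-byte major and 2-byte minor version,
 * then optional capabilities bytes that must form a NUL-terminated string. */
#define VUSER_HDR_LEN        16u
#define VUSER_VERSION_FIXED  (VUSER_HDR_LEN + 4u)

/* Returns 0 for a well-formed reply, -1 for one that must be rejected.
 * On success *caps points at the capabilities string, or is NULL when the
 * server sent no version data. 'len' is the byte count actually received
 * and bounds every access, so the NUL check never indexes below the
 * start of the payload. */
int validate_version_reply(const uint8_t *buf, size_t len, const char **caps)
{
    size_t caplen;

    *caps = NULL;
    /* 1. Shorter than the fixed VERSION header: nothing is safe to read yet. */
    if (len < VUSER_VERSION_FIXED) {
        return -1;
    }
    /* 2. The payload may legally stop after major/minor. Returning here is
     *    what keeps caplen == 0 from turning into caps[caplen - 1]. */
    caplen = len - VUSER_VERSION_FIXED;
    if (caplen == 0) {
        return 0;
    }
    /* 3. Version data present: the last received byte must be the NUL
     *    terminator before the bytes are treated as a C string. */
    if (buf[len - 1] != '\0') {
        return -1;
    }
    *caps = (const char *)buf + VUSER_VERSION_FIXED;
    return 0;
}

/* Constructed sample replies: 16 zero header bytes, major 0x0202, minor 0x0101. */
static const uint8_t reply_no_caps[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x02,0x02, 0x01,0x01 };
static const uint8_t reply_caps[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x02,0x02, 0x01,0x01, '{','}','\0' };
static const uint8_t reply_unterminated[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x02,0x02, 0x01,0x01, '{','}' };
static const uint8_t reply_truncated[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x02,0x02 };
```

The four constructed replies cover the truncated, empty-payload, terminated and unterminated cases; only the second and third are accepted.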
