On Thu, Jan 10, 2013 at 10:51:57PM +0800, ak...@redhat.com wrote: > @@ -349,6 +351,13 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t > cmd, > { > struct virtio_net_ctrl_mac mac_data; > > + if (cmd == VIRTIO_NET_CTRL_MAC_ADDR_SET && elem->out_num == 2) { > + /* Set MAC address */ > + memcpy(n->mac, elem->out_sg[1].iov_base, elem->out_sg[1].iov_len);
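Review bot: The memcpy into n->mac in the VIRTIO_NET_CTRL_MAC_ADDR_SET branch takes its length from elem->out_sg[1].iov_len, which the guest sets, and the only check ahead of it is elem->out_num == 2, so nothing ties the copy to the size of the destination. Suggest failing the command unless elem->out_sg[1].iov_len equals sizeof(n->mac), then copying exactly sizeof(n->mac) bytes. That way a longer guest buffer cannot write past the field and a shorter one is rejected rather than leaving the address partly updated.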
We cannot trust the guest's iov_len, it could overflow n->mac.