Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 85c0a87c authored by Insu Yun's avatar Insu Yun Committed by David Vrabel
Browse files

xen: fix potential integer overflow in queue_reply 



When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
it can overflow integer range and allocates small size of heap.
After that, memcpy will overflow the allocated heap.
Therefore, it needs to check the size of given length.

Signed-off-by: default avatarInsu Yun <wuninsu@gmail.com>
Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
parent 52ba0746
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment