A stack-based buffer overflow flaw was found in QEMU's gem_transmit() function. The gem_transmit() function reads the length of a packet from physical memory, then reads the packet from physical memory into tx_packet[2048] using this length. This may result in a buffer overflow if the length of the packet is more than 2048. Acknowledgements: Red Hat would like to thank Ling Liu of Qihoo 360 Inc. for reporting this issue.
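The pattern described in the report, a guest-controlled length read from memory and then used to copy into a fixed-size stack buffer, is shown below together with the bounds check that closes it. This is an added illustration, not QEMU's code and not the attached patch: the descriptor layout (a 16-bit little-endian length followed by the payload), the function names and the status codes are constructed for the example; only the buffer size of 2048 comes from the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed destination buffer named in the report (tx_packet[2048]). */
#define TX_PACKET_MAX 2048

/* Constructed status codes for this example. */
enum tx_status { TX_OK = 0, TX_TOO_LONG = 1, TX_TRUNCATED_INPUT = 2 };

/*
 * The unsafe shape the report describes is, in outline:
 *
 *     len = read_length_from_guest_memory();
 *     read_from_guest_memory(tx_packet, len);   // no comparison against sizeof tx_packet
 *
 * Any untrusted length must be compared against the destination capacity
 * before the copy. tx_copy_checked() is the hardened form: it parses a
 * constructed descriptor (2-byte LE length + payload) and refuses lengths
 * that exceed either the destination or the available source bytes.
 */
enum tx_status tx_copy_checked(const uint8_t *guest_mem, size_t guest_len,
                               uint8_t *tx_packet, size_t tx_cap, size_t *out_len)
{
    *out_len = 0;
    if (guest_len < 2)
        return TX_TRUNCATED_INPUT;                  /* not even a length field */

    size_t pkt_len = (size_t)guest_mem[0] | ((size_t)guest_mem[1] << 8);

    if (pkt_len > tx_cap)
        return TX_TOO_LONG;                         /* the check the report says is missing */
    if (pkt_len > guest_len - 2)
        return TX_TRUNCATED_INPUT;                  /* length claims more than is present */

    memcpy(tx_packet, guest_mem + 2, pkt_len);      /* safe: pkt_len <= tx_cap */
    *out_len = pkt_len;
    return TX_OK;
}

/* Build a constructed guest descriptor claiming claimed_len payload bytes and
 * run it through the checked copy. Returns the status; *copied receives the
 * number of bytes actually placed in tx_packet. */
enum tx_status simulate_transmit(uint16_t claimed_len, size_t *copied)
{
    static uint8_t guest_mem[2 + 65535];            /* largest 16-bit length plus header */
    uint8_t tx_packet[TX_PACKET_MAX];               /* the stack buffer being protected */

    guest_mem[0] = (uint8_t)(claimed_len & 0xff);
    guest_mem[1] = (uint8_t)(claimed_len >> 8);
    memset(guest_mem + 2, 0xAB, claimed_len);       /* constructed payload bytes */

    return tx_copy_checked(guest_mem, 2 + (size_t)claimed_len,
                           tx_packet, sizeof tx_packet, copied);
}

/* Convenience wrappers so each outcome can be inspected by value. */
int transmit_outcome(uint16_t claimed_len)
{
    size_t n;
    return (int)simulate_transmit(claimed_len, &n);
}

size_t transmit_copied(uint16_t claimed_len)
{
    size_t n;
    simulate_transmit(claimed_len, &n);
    return n;
}

int main(void)
{
    /* 100-byte and 2048-byte frames are accepted; a 4096-byte claim is rejected
     * before any byte is written to tx_packet. */
    return transmit_outcome(100) == TX_OK
        && transmit_outcome(2048) == TX_OK
        && transmit_outcome(4096) == TX_TOO_LONG ? 0 : 1;
}
```

The essential point is the ordering: the comparison against the destination capacity happens before memcpy(), and the length is taken as untrusted input from the guest regardless of what the device model's own descriptor format promises.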
Created attachment 1113613: proposed patch
This turned out to be a security non-issue. -> https://bugzilla.redhat.com/show_bug.cgi?id=1297427#c3