The .receive callback of xlnx.xps-ethernetlite does not check the length of the incoming data before calling memcpy. As a result, the heap-allocated NetClientState object can be overflowed. All versions of qemu that include xlnx.xps-ethernetlite are affected.
Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=a0d1cbdacff5df4ded16b753b38fdd9da6092968
CVE assignment: http://seclists.org/oss-sec/2016/q3/603
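Added example, not QEMU's code: a simplified C model of a NIC emulation receive path that performs the bound check the report says was missing. The buffer size, struct layout and function names are assumptions chosen to show the pattern, not the device's real register map.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of an emulated NIC's RX state (assumption, not QEMU's XpsEthLite). */
#define RX_BUF_SIZE  2048u   /* assumed fixed-size RX buffer */
#define RX_BUF_COUNT 2u      /* assumed ping-pong pair */

typedef struct {
    uint8_t  rx_buf[RX_BUF_COUNT][RX_BUF_SIZE];
    uint32_t rx_len[RX_BUF_COUNT];
    int      rx_free[RX_BUF_COUNT];  /* 1 = guest consumed it, buffer may be refilled */
    unsigned rx_idx;
    uint32_t dropped;                /* frames rejected by the length check */
    uint32_t guard;                  /* stands in for whatever object follows on the heap */
} Nic;

void nic_init(Nic *nic)
{
    memset(nic, 0, sizeof *nic);
    for (unsigned i = 0; i < RX_BUF_COUNT; i++) nic->rx_free[i] = 1;
    nic->guard = 0xC0FFEEu;
}

/* Vulnerable pattern (described, not exercised):
 *     memcpy(nic->rx_buf[i], buf, size);   with no comparison of size to RX_BUF_SIZE
 * A frame longer than the buffer writes past it into rx_len/rx_free and, past the end
 * of the struct, into the neighbouring heap object. */

/* Hardened receive: returns bytes accepted, or -1 if the frame was dropped. */
long nic_receive(Nic *nic, const uint8_t *buf, size_t size)
{
    unsigned i = nic->rx_idx;
    if (size > RX_BUF_SIZE) {       /* the missing bound: reject before touching memory */
        nic->dropped++;
        return -1;
    }
    if (!nic->rx_free[i]) return -1; /* backpressure: no buffer available for the guest */
    memcpy(nic->rx_buf[i], buf, size);
    nic->rx_len[i]  = (uint32_t)size;
    nic->rx_free[i] = 0;
    nic->rx_idx = (i + 1) % RX_BUF_COUNT;
    return (long)size;
}
```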
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1379299]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1379298]