From: Michael Contreras <michael@inetric.com>
Date: Thu, 17 Jan 2013 11:49:37 +0000 (+0000)
Subject: e1000: Discard oversized packets based on SBP|LPE
X-Git-Tag: qemu-xen-4.2.2-rc1~7
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=70454385eeee6f0b3f7a9eddca9f7340b5060824;p=qemu-upstream-4.2-testing.git

e1000: Discard oversized packets based on SBP|LPE

Discard packets longer than 16384 when !SBP to match the hardware behavior.

upstream-commit-id: 2c0331f4f7d241995452b99afaf0aab00493334a
security-tags: XSA-41, CVE-2012-6075
This is the second of two security fixes for XSA-41.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---

diff --git a/hw/e1000.c b/hw/e1000.c
index 37d207eac..a5e67a881 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 
 /* this is the size past which hardware will drop packets when setting LPE=0 */
 #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+/* this is the size past which hardware will drop packets when setting LPE=1 */
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
 
 /*
  * HW models:
@@ -697,8 +699,9 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
     }
 
     /* Discard oversized packets if !LPE and !SBP. */
-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
+        (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
         return size;
     }