From 4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf Mon Sep 17 00:00:00 2001
From: Michael Contreras <michael@inetric.com>
Date: Sun, 2 Dec 2012 20:11:22 -0800
Subject: [PATCH] e1000: Discard packets that are too long if !SBP and !LPE

The e1000_receive function for the e1000 needs to discard packets longer than
1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
this behavior and allocates memory based on this assumption.

Signed-off-by: Michael Contreras <michael@inetric.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

[ This is a security vulnerability, CVE-2012-6075 / XSA-41. ]
---
 hw/e1000.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/e1000.c b/hw/e1000.c
index 97104edaf..f0673f004 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define REG_IOADDR 0x0
 #define REG_IODATA 0x4
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -628,6 +631,13 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
         return;
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        return size;
+    }
+
     if (!receive_filter(s, buf, size))
         return;
 
-- 
2.39.5