~jderose/ubuntu/raring/qemu/vde-again

Tags: 1.3.0+dfsg-1~exp3ubuntu3

debian/patches/CVE-2012-6075.patch: Fix guest denial of service and
possible code execution in hw/e1000.c by dropping oversize packets.

added added

removed removed

Description: CVE-2012-6075 in hw/e1000.c

* debian/patches/CVE-2012-6075.patch: Fix guest denial of service and

possible code execution in hw/e1000.c by dropping oversize packets.

Author: Adam Conrad <adconrad@ubuntu.com>

Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=2c0331f4f7d241995452b99afaf0aab00493334a

Bug-Debian: http://bugs.debian.org/696051

--- qemu-1.3.0+dfsg.orig/hw/e1000.c

+++ qemu-1.3.0+dfsg/hw/e1000.c

@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) |

/* this is the size past which hardware will drop packets when setting LPE=0 */

#define MAXIMUM_ETHERNET_VLAN_SIZE 1522

+/* this is the size past which hardware will drop packets when setting LPE=1 */

+#define MAXIMUM_ETHERNET_LPE_SIZE 16384

* HW models:

@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const

}

/* Discard oversized packets if !LPE and !SBP. */

- if (size > MAXIMUM_ETHERNET_VLAN_SIZE

- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)

+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||

+ (size > MAXIMUM_ETHERNET_VLAN_SIZE

+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))

&& !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {

return size;

}