1
Description: CVE-2012-6075 in hw/e1000.c
2
* debian/patches/CVE-2012-6075.patch: Fix guest denial of service and
3
possible code execution in hw/e1000.c by dropping oversize packets.
4
Author: Adam Conrad <adconrad@ubuntu.com>
5
Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commit;h=2c0331f4f7d241995452b99afaf0aab00493334a
6
Bug-Debian: http://bugs.debian.org/696051
8
--- qemu-1.3.0+dfsg.orig/hw/e1000.c
9
+++ qemu-1.3.0+dfsg/hw/e1000.c
10
@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) |
12
/* this is the size past which hardware will drop packets when setting LPE=0 */
13
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
14
+/* this is the size past which hardware will drop packets when setting LPE=1 */
15
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
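Review bot: The new comment on `MAXIMUM_ETHERNET_LPE_SIZE` presents the 16384-byte drop as unconditional for LPE=1, but the condition in the `e1000_receive` hunk still applies it only when `E1000_RCTL_SBP` is clear, so a guest that sets SBP is still handed frames above this size. I would state that at the definition, e.g. `/* with LPE=1, frames above this size are dropped unless RCTL.SBP is set */`. The unchanged comment `/* Discard oversized packets if !LPE and !SBP. */` above the condition is also out of date, since the new test drops frames over 16384 bytes even when LPE is set. Whether the copy into the guest's receive buffers further down `e1000_receive` is bounded in the SBP case is not visible in these hunks (the function body continues outside them) and is worth confirming before relying on this backport as the complete fix.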
19
@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const
22
/* Discard oversized packets if !LPE and !SBP. */
23
- if (size > MAXIMUM_ETHERNET_VLAN_SIZE
24
- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
25
+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
26
+ (size > MAXIMUM_ETHERNET_VLAN_SIZE
27
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
28
&& !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {