blob: e45763e53308a98bdcd8b16070469d0d33aa4db2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
$NetBSD: patch-CVE-2012-6075,v 1.1 2013/01/17 19:37:55 drochner Exp $
see http://lists.xen.org/archives/html/xen-devel/2013-01/msg01070.html
--- tools/ioemu-qemu-xen/hw/e1000.c.orig 2012-11-13 18:25:17.000000000 +0000
+++ tools/ioemu-qemu-xen/hw/e1000.c
@@ -55,6 +55,11 @@ static int debugflags = DBGBIT(TXERR) |
#define REG_IOADDR 0x0
#define REG_IODATA 0x4
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+/* this is the size past which hardware will drop packets when setting LPE=1 */
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+
/*
* HW models:
* E1000_DEV_ID_82540EM works with Windows and Linux
@@ -628,6 +633,15 @@ e1000_receive(void *opaque, const uint8_
return;
}
+ /* Discard oversized packets if !LPE and !SBP. */
+ if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
+ (size > MAXIMUM_ETHERNET_VLAN_SIZE
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+ DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
+ return;
+ }
+
if (!receive_filter(s, buf, size))
return;
|