[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-4.2-testing] e1000: Discard packets that are too long if !SBP and !LPE
commit 48d332ba8ef0bd9754b9d16f9e5629b00f85d735 Author: Michael Contreras <michael@xxxxxxxxxxx> Date: Sun Dec 2 20:11:22 2012 -0800 e1000: Discard packets that are too long if !SBP and !LPE The e1000_receive function for the e1000 needs to discard packets longer than 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes this behavior and allocates memory based on this assumption. Signed-off-by: Michael Contreras <michael@xxxxxxxxxxx> Signed-off-by: Anthony Liguori <aliguori@xxxxxxxxxx> [ This is a security vulnerability, CVE-2012-6075 / XSA-41. ] (cherry picked from commit 4c2cae2a882db4d2a231b27b3b31a5bbec6dacbf) --- hw/e1000.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/hw/e1000.c b/hw/e1000.c index 97104ed..f0673f0 100644 --- a/hw/e1000.c +++ b/hw/e1000.c @@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL); #define REG_IOADDR 0x0 #define REG_IODATA 0x4 +/* this is the size past which hardware will drop packets when setting LPE=0 */ +#define MAXIMUM_ETHERNET_VLAN_SIZE 1522 + /* * HW models: * E1000_DEV_ID_82540EM works with Windows and Linux @@ -628,6 +631,13 @@ e1000_receive(void *opaque, const uint8_t *buf, int size) return; } + /* Discard oversized packets if !LPE and !SBP. */ + if (size > MAXIMUM_ETHERNET_VLAN_SIZE + && !(s->mac_reg[RCTL] & E1000_RCTL_LPE) + && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { + return size; + } + if (!receive_filter(s, buf, size)) return; -- generated by git-patchbot for /home/xen/git/qemu-xen-4.2-testing.git _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |