@@ -59,6 +59,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
#define PNPMMIO_SIZE 0x20000
#define MIN_BUF_SIZE 60 /* Min. octets in an ethernet frame sans FCS */
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
/*
* HW models:
* E1000_DEV_ID_82540EM works with Windows and Linux
@@ -805,6 +808,13 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
size = sizeof(min_buf);
}
+ /* Discard oversized packets if !LPE and !SBP. */
+ if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+ && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+ return size;
+ }
+
if (!receive_filter(s, buf, size))
return size;
The e1000_receive function for the e1000 needs to discard packets longer than 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes this behavior and allocates memory based on this assumption. Signed-off-by: Michael Contreras <michael@inetric.com> --- Tested with linux guest. This error can potentially be exploited. At the very least it can cause a DoS to a guest system, and in the worse case it could allow remote code execution on the guest system with kernel level privilege. Risk seems low, as the network would need to be configured to allow large packets. hw/e1000.c | 10 ++++++++++ 1 file changed, 10 insertions(+)