Description: e1000: Discard packets that are too long if !SBP and !LPE
 The e1000_receive function for the e1000 needs to discard packets longer than
 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes
 this behavior and allocates memory based on this assumption.
 From: Michael Contreras <michael@inetric.com>
Origin: upstream
Id: CVE-2012-6075
---
--- a/qemu/hw/e1000.c
+++ b/qemu/hw/e1000.c
@@ -55,6 +55,9 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 #define REG_IOADDR 0x0
 #define REG_IODATA 0x4
 
+/* this is the size past which hardware will drop packets when setting LPE=0 */
+#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+
 /*
  * HW models:
  *  E1000_DEV_ID_82540EM works with Windows and Linux
@@ -628,6 +631,14 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
         return;
     }
 
+    /* Discard oversized packets if !LPE and !SBP. */
+    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+        && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+        DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
+        return;
+    }
+
     if (!receive_filter(s, buf, size))
         return;
 
