Description: e1000: Discard oversized packets based on SBP|LPE
 Discard packets longer than 16384 when !SBP to match the hardware behavior.
From: Michael Contreras <michael@inetric.com>
Id: CVE-2012-6075
---
--- a/qemu/hw/e1000.c
+++ b/qemu/hw/e1000.c
@@ -57,6 +57,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 
 /* this is the size past which hardware will drop packets when setting LPE=0 */
 #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
+/* this is the size past which hardware will drop packets when setting LPE=1 */
+#define MAXIMUM_ETHERNET_LPE_SIZE 16384
 
 /*
  * HW models:
@@ -632,8 +634,9 @@ e1000_receive(void *opaque, const uint8_t *buf, int size)
     }
 
     /* Discard oversized packets if !LPE and !SBP. */
-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
+    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
+        (size > MAXIMUM_ETHERNET_VLAN_SIZE
+        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
         DBGOUT(RX, "packet too large for applicable LPE/VLAN size\n");
         return;
