Problem Description:
The e1000 network adapters permit a variety of modifications
to an Ethernet packet when it is being transmitted. These
include the insertion of IP and TCP checksums, insertion
of an Ethernet VLAN header, and TCP segmentation offload
("TSO"). The e1000 device model uses an on-stack buffer to
generate the modified packet header when simulating these
modifications on transmitted packets.
When TCP segmentation offload is requested for a transmitted
packet, the e1000 device model took a guest-provided value as
the size of the on-stack buffer without validating it. The
subsequent header generation could therefore write past the
end of an undersized buffer, or dereference a pointer composed
of stack garbage.
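The following is an added illustration of the flaw class described above, not bhyve's code: a simplified TSO header builder whose on-stack buffer is sized straight from a guest-supplied header length, next to a hardened variant that bounds the length and checks every guest-supplied checksum offset before any stack buffer is sized. The context structure, the field names, the MAX_HDRLEN bound, the treatment of a zero end offset, and the sample packet are all assumptions for this example; the TCP checksum here omits the pseudo-header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical TSO context modelled loosely on e1000 context-descriptor
 * fields (checksum start / insert offset / end). Names and the bound
 * below are assumptions for this example, not bhyve's definitions. */
struct tso_ctx {
    uint16_t hdrlen;              /* guest-claimed length of the header copy */
    uint8_t  ipcss, ipcso, ipcse; /* IP checksum: start, insert offset, end */
    uint8_t  tucss, tucso, tucse; /* TCP checksum: start, insert offset, end */
};

#define MAX_HDRLEN 256  /* assumed upper bound for a sane L2+L3+L4 header */

/* Internet (ones-complement) checksum over n bytes. */
static uint16_t csum16(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1)
        sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Compute a checksum over hdr[start, end) and store it at hdr[off..off+1]. */
static void insert_csum(uint8_t *hdr, size_t start, size_t end, size_t off)
{
    uint16_t c = csum16(hdr + start, end - start);
    hdr[off] = (uint8_t)(c >> 8);
    hdr[off + 1] = (uint8_t)c;
}

/* "Before": the stack buffer is a VLA sized from the guest's hdrlen and the
 * checksum offsets are trusted. A hostile context (e.g. hdrlen 14, ipcso 24)
 * makes insert_csum() write past the end of hdr[]. Shown only for contrast;
 * never call it with untrusted input. */
int build_tso_header_unchecked(const struct tso_ctx *c, const uint8_t *pkt,
                               uint8_t *out)
{
    uint8_t hdr[c->hdrlen];              /* size chosen by the guest */
    memcpy(hdr, pkt, c->hdrlen);
    insert_csum(hdr, c->ipcss, c->ipcse ? c->ipcse : c->hdrlen, c->ipcso);
    insert_csum(hdr, c->tucss, c->tucse ? c->tucse : c->hdrlen, c->tucso);
    memcpy(out, hdr, c->hdrlen);
    return c->hdrlen;
}

/* Validation the hardened path performs before touching any buffer: the
 * length must be non-zero, within the fixed bound and within the packet,
 * and every read range and 2-byte write must lie inside the header copy.
 * A zero end offset is taken to mean "end of the header copy" (assumption). */
bool tso_ctx_valid(const struct tso_ctx *c, size_t pktlen)
{
    size_t n = c->hdrlen;
    if (n == 0 || n > MAX_HDRLEN || n > pktlen)
        return false;
    size_t ipend = c->ipcse ? c->ipcse : n, tuend = c->tucse ? c->tucse : n;
    if (c->ipcss >= ipend || ipend > n || (size_t)c->ipcso + 2 > n)
        return false;
    if (c->tucss >= tuend || tuend > n || (size_t)c->tucso + 2 > n)
        return false;
    return true;
}

/* "After": fixed-size stack buffer, and the guest's values are validated
 * before they are used as a length or an index. Returns -1 on rejection so
 * the caller can drop the packet instead of trusting the descriptor. */
int build_tso_header_checked(const struct tso_ctx *c, const uint8_t *pkt,
                             size_t pktlen, uint8_t *out)
{
    uint8_t hdr[MAX_HDRLEN];
    if (!tso_ctx_valid(c, pktlen))
        return -1;
    memcpy(hdr, pkt, c->hdrlen);
    insert_csum(hdr, c->ipcss, c->ipcse ? c->ipcse : c->hdrlen, c->ipcso);
    insert_csum(hdr, c->tucss, c->tucse ? c->tucse : c->hdrlen, c->tucso);
    memcpy(out, hdr, c->hdrlen);
    return c->hdrlen;
}

/* Constructed 54-byte Ethernet + IPv4 + TCP header, checksum fields zeroed. */
static void sample_packet(uint8_t *pkt)
{
    memset(pkt, 0, 54);
    pkt[12] = 0x08; pkt[13] = 0x00;                 /* EtherType IPv4 */
    pkt[14] = 0x45; pkt[17] = 40;                   /* IHL 5, total length 40 */
    pkt[22] = 64;   pkt[23] = 6;                    /* TTL, protocol TCP */
    pkt[26] = 10; pkt[29] = 1; pkt[30] = 10; pkt[33] = 2; /* 10.0.0.1 -> 10.0.0.2 */
    pkt[46] = 0x50;                                 /* TCP data offset 5 */
}

/* Benign context: both paths agree and the inserted IP checksum verifies. */
int demo_benign(void)
{
    uint8_t pkt[54], a[MAX_HDRLEN], b[MAX_HDRLEN];
    struct tso_ctx c = { 54, 14, 24, 34, 34, 50, 54 };
    sample_packet(pkt);
    int ra = build_tso_header_unchecked(&c, pkt, a);
    int rb = build_tso_header_checked(&c, pkt, sizeof pkt, b);
    return ra == 54 && rb == 54 && memcmp(a, b, 54) == 0 &&
           csum16(b + 14, 20) == 0;
}

/* Hostile contexts the unchecked path would have accepted; returns how many
 * of them the checked path rejects (all three). */
int demo_hostile_rejected(void)
{
    uint8_t pkt[54], out[MAX_HDRLEN];
    struct tso_ctx bad[] = {
        { 14, 14, 24, 34, 34, 50, 54 },  /* hdrlen shorter than the offsets written */
        {  0,  0,  0,  0,  0,  0,  0 },  /* zero-length buffer */
        { 300, 14, 24, 34, 34, 50, 54 }, /* hdrlen beyond the packet and the bound */
    };
    sample_packet(pkt);
    int rejected = 0;
    for (size_t i = 0; i < 3; i++)
        if (build_tso_header_checked(&bad[i], pkt, sizeof pkt, out) == -1)
            rejected++;
    return rejected;
}
```

The point of the hardened variant is that the buffer size is a compile-time constant and the guest's length and offsets are checked against it and against the packet before they are used, so a hostile descriptor is rejected up front rather than turned into an out-of-bounds stack write.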
Impact:
A misbehaving bhyve guest could overwrite memory in the
bhyve process on the host.