This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5 (2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress

Patch to fix bad length checking in e1000.  E1000 by default does two things:

1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span multiple rx buffers, it checks the End of Packet bit of every frame, and discards it if its not set.  This places us in a situation where, if we have a spanning packet, the first part is discarded, but the second part is not (since it is the end of packet, and it passes the EOP bit test).  If the second part of the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, underflow the length, and wind up in skb_over_panic, when we try to skb_put a huge number of bytes into the skb.  This amounts to a remote DOS attack through careful selection of frame size in relation to interface MTU.  The fix for this is already in the e1000e driver, as well as the e1000 sourceforge driver, but no one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents small frames from causing the underflow described above.

Upstream commit:
http://git.kernel.org/linus/ea30e11970a96cfe5e32c03a29332554573b4a10

This bug was fixed in http://sourceforge.net/projects/e1000 since release 7.5.5
(2007-04-25 22:15), but not in upstream kernel.

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress

Upstream 2.4 patch:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=4871441ddf930f5e5651af50f6b42645fbbf9638

kernel-2.6.27.25-78.2.56.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-78.2.56.fc9

kernel-2.6.27.25-170.2.72.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.25-170.2.72.fc10

kernel-2.6.27.25-170.2.72.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

kernel-2.6.29.5-191.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

kernel-2.6.27.25-78.2.56.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html

This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1157 https://rhn.redhat.com/errata/RHSA-2009-1157.html

I reproduce the bug on kernel-2.6.18-128.2.1.el5.x86_64,
and verify that kernel-2.6.18-128.4.1.el5.x86_64 can fix the bug.
my test environment:  cisco 3550 switch, 2 intel 82541PI GE NIC, 2 devices.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1193 https://rhn.redhat.com/errata/RHSA-2009-1193.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1550 https://rhn.redhat.com/errata/RHSA-2009-1550.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html

This seems to have been entirely covered by the errata.  

All bugs for specific bugs for tracking releases seem to have been shipped. I'm closing this as errata.  Please re-open if you believe i have missed anything.