authorbouyer <bouyer@pkgsrc.org>2012-02-03 17:00:24 +0000
committerbouyer <bouyer@pkgsrc.org>2012-02-03 17:00:24 +0000
commit208d730cf2de37efd42f1e7d64a43a6b10b261a5 (patch)
tree602a75a421a50cd10451b2be8b4f81184fb6c6a0 /sysutils/xentools33
parent19ab78c4818a7e156da6287ee7b1ba4a2caac2b1 (diff)
Pull up fix from Xen repository, fixing CVE-2012-0029:
Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISION
Diffstat (limited to 'sysutils/xentools33')
-rw-r--r--sysutils/xentools33/Makefile4
-rw-r--r--sysutils/xentools33/distinfo3
-rw-r--r--sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-002939
3 files changed, 43 insertions, 3 deletions
diff --git a/sysutils/xentools33/Makefile b/sysutils/xentools33/Makefile
index 2134295d6f2..024b27aebb3 100644
--- a/sysutils/xentools33/Makefile
+++ b/sysutils/xentools33/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.28 2012/01/09 14:06:34 cegger Exp $
+# $NetBSD: Makefile,v 1.29 2012/02/03 17:00:24 bouyer Exp $
#
VERSION= 3.3.2
DISTNAME= xen-${VERSION}
PKGNAME= xentools33-${VERSION}
-PKGREVISION= 9
+PKGREVISION= 10
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xentools33/distinfo b/sysutils/xentools33/distinfo
index f708617548d..94606839205 100644
--- a/sysutils/xentools33/distinfo
+++ b/sysutils/xentools33/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.26 2012/01/09 14:06:34 cegger Exp $
+$NetBSD: distinfo,v 1.27 2012/02/03 17:00:24 bouyer Exp $
SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4
RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b
@@ -56,4 +56,5 @@ SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3
SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957
SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c
SHA1 (patch-io_ring_h) = 83b01462d5d2b48b4f97b3d9a7980aa3300ad0b3
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 8628504e1dfd013254f816cb4feeb7548b9ad2ec
SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5
diff --git a/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029
new file mode 100644
index 00000000000..533f1503ceb
--- /dev/null
+++ b/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029
@@ -0,0 +1,39 @@
+$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $
+
+Backported from:
+From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Thu, 2 Feb 2012 13:47:06 +0000
+Subject: [PATCH] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
+ by Ian Campbell.)
+
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
+
+
+--- ioemu/hw/e1000.c.orig 2009-08-06 14:56:34.000000000 +0200
++++ ioemu/hw/e1000.c 2012-02-03 14:51:56.000000000 +0100
+@@ -397,6 +401,8 @@
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -412,6 +418,7 @@
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
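Review bot: The clamp added before the first `cpu_physical_memory_read` can reduce `bytes` to 0 once `tp->size` reaches `sizeof(tp->data)`, and the patch does not handle that case. The enclosing code is outside this hunk, but if it is a loop that advances by `bytes` (inferred, not visible here), a zero-length step would make no progress. A guard such as `if (!bytes) break;` right after the `MIN` line, ideally with a `DBGOUT(TXERR, ...)` message, would make the truncation explicit. Both `MIN(sizeof(tp->data) - tp->size, ...)` expressions are unsigned subtractions that wrap to a large value if `tp->size` ever exceeds the buffer size, so they rely on every other writer of `tp->size` keeping it in bounds; a comment such as `/* invariant: tp->size <= sizeof(tp->data) */` would record that for later backports. The patch file name spells `CVSE` rather than `CVE`, which makes it harder to find when searching the tree by CVE identifier.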