authorbouyer <bouyer>2012-02-03 17:00:24 +0000
committerbouyer <bouyer>2012-02-03 17:00:24 +0000
commit2db3a6b131de52eb002a351846f77195f7cbed87 (patch)
tree602a75a421a50cd10451b2be8b4f81184fb6c6a0 /sysutils/xentools41
parente47a3037291387238d996097e1411c603d0f1e67 (diff)
Pull up fix from Xen repository, fixing CVE-2012-0029:
Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISION.
Diffstat (limited to 'sysutils/xentools41')
-rw-r--r--sysutils/xentools41/Makefile4
-rw-r--r--sysutils/xentools41/distinfo3
-rw-r--r--sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-002945
3 files changed, 49 insertions, 3 deletions
diff --git a/sysutils/xentools41/Makefile b/sysutils/xentools41/Makefile
index cb6b1868ad2..09c4e3651d1 100644
--- a/sysutils/xentools41/Makefile
+++ b/sysutils/xentools41/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.14 2012/01/26 11:19:23 cegger Exp $
+# $NetBSD: Makefile,v 1.15 2012/02/03 17:00:25 bouyer Exp $
#
# VERSION is set in version.mk as it is shared with other packages
.include "version.mk"
DISTNAME= xen-${VERSION}
PKGNAME= xentools41-${VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
diff --git a/sysutils/xentools41/distinfo b/sysutils/xentools41/distinfo
index ad0e97ee9c6..83162ae9fcd 100644
--- a/sysutils/xentools41/distinfo
+++ b/sysutils/xentools41/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2012/01/26 11:19:23 cegger Exp $
+$NetBSD: distinfo,v 1.17 2012/02/03 17:00:25 bouyer Exp $
SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
@@ -37,5 +37,6 @@ SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d
SHA1 (patch-df) = d20bf9d3fd05f5334f77c9154bf0fb9944c1292c
SHA1 (patch-libxl_libxl_create.c) = 02b661ca684609939c6ef762c0ddd1c5e62ad4d0
SHA1 (patch-ocaml-include-path) = 959df25b0aae78d525b25f223190203d3c1185a6
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 064ba74795e7a1ceb863d1f7bc171f3841c81b8a
SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5
SHA1 (patch-xenstore_Makefile) = 4fa0ed7b76a96011c3cca9c5017be4b5151489f7
diff --git a/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029 b/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029
new file mode 100644
index 00000000000..6bd160103c8
--- /dev/null
+++ b/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029
@@ -0,0 +1,45 @@
+$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1 2012/02/03 17:00:25 bouyer Exp $
+
+From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Thu, 2 Feb 2012 13:47:06 +0000
+Subject: [PATCH] e1000: bounds packet size against buffer size
+
+Otherwise we can write beyond the buffer and corrupt memory. This is tracked
+as CVE-2012-0029.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
+ by Ian Campbell.)
+
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
+---
+ hw/e1000.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index bb3689e..97104ed 100644
+--- ioemu-qemu-xen/hw/e1000.c.orig
++++ ioemu-qemu-xen/hw/e1000.c
+@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ bytes = split_size;
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
++
++ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
+ cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
+ if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
+ memmove(tp->header, tp->data, hdr);
+@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
+ } else {
++ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
+ cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
+ tp->size += split_size;
+ }
+--
+1.7.2.5
+
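Review bot: Both added clamps, `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` and the matching `split_size` one in the else branch, depend on `tp->size` never exceeding `sizeof(tp->data)`: the subtraction is carried out in an unsigned type, so if that invariant were ever broken the difference would wrap and MIN would leave the guest-supplied length unclamped. The declarations of `tp->size` and `tp->data` are outside the hunks, so their types may already guarantee this; a comment at the first clamp such as `/* tp->size <= sizeof(tp->data) holds here, so the subtraction cannot wrap */` would record it. The clamp also truncates silently, and a `DBGOUT(TXERR, ...)` line when the length is reduced would make oversized descriptors from a guest visible in debug logs. process_tx_desc starts and ends outside both hunks. Separately, the patch file name spells the identifier as `CVSE-2012-0029`, which will not match a search for the CVE id.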