1 files changed, 67 insertions, 0 deletions
diff --git a/main/xen/xsa41b.patch b/main/xen/xsa41b.patch
new file mode 100644
index 0000000000..b599c2a5d5
--- /dev/null
+++ b/main/xen/xsa41b.patch
@@ -0,0 +1,67 @@
+From 70454385eeee6f0b3f7a9eddca9f7340b5060824 Mon Sep 17 00:00:00 2001
+From: Michael Contreras <michael@inetric.com>
+Date: Thu, 17 Jan 2013 11:49:37 +0000
+Subject: [PATCH] e1000: Discard oversized packets based on SBP|LPE
+
+Discard packets longer than 16384 when !SBP to match the hardware behavior.
+
+upstream-commit-id: 2c0331f4f7d241995452b99afaf0aab00493334a
+security-tags: XSA-41, CVE-2012-6075
+This is the second of two security fixes for XSA-41.
+
+Signed-off-by: Michael Contreras <michael@inetric.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+diff --git a/tools/qemu-xen/hw/e1000.c b/tools/qemu-xen/hw/e1000.c
+index 37d207e..a5e67a8 100644
+--- a/tools/qemu-xen/hw/e1000.c
++++ b/tools/qemu-xen/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -697,8 +699,9 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         return size;
+     }
+diff --git a/tools/qemu-xen-traditional/hw/e1000.c b/tools/qemu-xen-traditional/hw/e1000.c
+index 37d207e..a5e67a8 100644
+--- a/tools/qemu-xen-traditional/hw/e1000.c
++++ b/tools/qemu-xen-traditional/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -697,8 +699,9 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         return size;
+     }
+-- 
+1.7.2.5
+