linux/net, branch v2.6.19

[NETFILTER]: ipt_REJECT: fix memory corruption

2006-11-29T04:59:38Z

On devices with hard_header_len > LL_MAX_HEADER ip_route_me_harder() reallocates the skb, leading to memory corruption when using the stale tcph pointer to update the checksum. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: conntrack: fix refcount leak when finding expectation

2006-11-29T04:59:37Z

All users of __{ip,nf}_conntrack_expect_find() don't expect that it increments the reference count of expectation. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: ctnetlink: fix reference count leak

2006-11-29T04:59:36Z

When NFA_NEST exceeds the skb size the protocol reference is leaked. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nf_conntrack: fix the race on assign helper to new conntrack

2006-11-29T04:59:35Z

The found helper cannot be assigned to conntrack after unlocking nf_conntrack_lock. This tries to find helper to assign again. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[NETFILTER]: nfctnetlink: assign helper to newly created conntrack

2006-11-29T04:59:34Z

This fixes the bug which doesn't assign helper to newly created conntrack via nf_conntrack_netlink. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller

[PATCH] bridge: fix possible overflow in get_fdb_entries

2006-11-29T01:26:50Z

Make sure to properly clamp maxnum to avoid overflow Signed-off-by: Chris Wright Acked-by: Eugene Teo Acked-by: Marcel Holtmann Signed-off-by: Linus Torvalds

[XFRM] STATE: Fix to respond error to get operation if no matching entry exists.

2006-11-25T23:16:52Z

When application uses XFRM_MSG_GETSA to get state entry through netlink socket and kernel has no matching one, the application expects reply message with error status by kernel. Kernel doesn't send the message back in the case of Mobile IPv6 route optimization protocols (i.e. routing header or destination options header). This is caused by incorrect return code "0" from net/xfrm/xfrm_user.c(xfrm_user_state_lookup) and it makes kernel skip to acknowledge at net/netlink/af_netlink.c(netlink_rcv_skb). This patch fix to reply ESRCH to application. Signed-off-by: Masahide NAKAMURA Signed-off-by: TAKAMIYA Noriaki Signed-off-by: David S. Miller

[NET]: Fix kfifo_alloc() error check.

2006-11-25T23:16:49Z

The return value of kfifo_alloc() should be checked by IS_ERR(). Signed-off-by: Akinobu Mita Signed-off-by: David S. Miller

[UDP]: Make udp_encap_rcv use pskb_may_pull

2006-11-25T23:16:48Z

Make udp_encap_rcv use pskb_may_pull IPsec with NAT-T breaks on some notebooks using the latest e1000 chipset, when header split is enabled. When receiving sufficiently large packets, the driver puts everything up to and including the UDP header into the header portion of the skb, and the rest goes into the paged part. udp_encap_rcv forgets to use pskb_may_pull, and fails to decapsulate it. Instead, it passes it up it to the IKE daemon. Signed-off-by: Olaf Kirch Signed-off-by: Jean Delvare Signed-off-by: David S. Miller

[NETFILTER]: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT

2006-11-25T23:16:47Z

H.323 connection tracking code calls ip_ct_refresh_acct() when processing RCFs and URQs but passes NULL as the skb. When CONFIG_IP_NF_CT_ACCT is enabled, the connection tracking core tries to derefence the skb, which results in an obvious panic. A similar fix was applied on the SIP connection tracking code some time ago. Signed-off-by: Faidon Liambotis Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller