--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:16 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] ctnetlink: check if protoinfo is present
+
+This fixes an oops triggered from userspace. If we don't pass information
+about the private protocol info, the reference to attr will be NULL. This is
+likely to happen in update messages.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 5 +++++
+ 1 files changed, 5 insertions(+)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+@@ -362,6 +362,11 @@ static int nfattr_to_tcp(struct nfattr *
+ struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
+ struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
++ /* updates could not contain anything about the private
++ * protocol info, in that case skip the parsing */
++ if (!attr)
++ return 0;
++
+ if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
+ goto nfattr_failure;
+
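Review bot: The early `return 0` in nfattr_to_tcp() makes a missing CTA_PROTOINFO_TCP attribute indistinguishable from one that parsed successfully, and the added comment's wording ("could not contain") does not make clear that this is a deliberate accept. I would reword it to `/* Update messages may omit the protocol-private info; attr is then NULL and there is nothing to parse. */`. Whether a create request should also be allowed to omit the attribute cannot be judged here, because the caller and the rest of the function lie outside the hunk. The tb[] entries used after nfattr_parse_nested() are not visible either; since the message comes from userspace, each needs its own presence check before it is read.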
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:12 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] ctnetlink: Fix oops when no ICMP ID info in message
+
+From: Krzysztof Piotr Oledzki <ole@ans.pl>
+
+This patch fixes an userspace triggered oops. If there is no ICMP_ID
+info the reference to attr will be NULL.
+
+Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
+ /* Not enough header? */
+ inside = skb_header_pointer(skb, skb->nh.iph->ihl*4, sizeof(_in), &_in);
+ if (inside == NULL)
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+
+ /* Ignore ICMP's containing fragments (shouldn't happen) */
+ if (inside->ip.frag_off & htons(IP_OFFSET)) {
+ DEBUGP("icmp_error_track: fragment of proto %u\n",
+ inside->ip.protocol);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+
+ innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
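Review bot: The change from `NF_ACCEPT` to `-NF_ACCEPT` on the early returns in this hunk, and on the three matching returns in the next three hunks of icmp_error_message(), is not mentioned in the patch description, which only covers the missing ICMP_ID attribute. The sign changes how the caller treats these packets, so the convention should be recorded above the function, for example `/* A return value <= 0 is handed back by the caller as verdict -ret; a positive value continues tracking (confirm against the conntrack core). */`. The function starts and ends outside these hunks, so its remaining return paths could not be checked against the same convention.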
+@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
+ if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) {
+ DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol);
+ ip_conntrack_proto_put(innerproto);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+
+ /* Ordinarily, we'd expect the inverted tupleproto, but it's
+@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
+ if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
+ DEBUGP("icmp_error_track: Can't invert tuple\n");
+ ip_conntrack_proto_put(innerproto);
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+ ip_conntrack_proto_put(innerproto);
+
+@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
+
+ if (!h) {
+ DEBUGP("icmp_error_track: no match\n");
+- return NF_ACCEPT;
++ return -NF_ACCEPT;
+ }
+ /* Reverse direction from that found */
+ if (DIRECTION(h) != IP_CT_DIR_REPLY)
+@@ -296,7 +296,8 @@ static int icmp_nfattr_to_tuple(struct n
+ struct ip_conntrack_tuple *tuple)
+ {
+ if (!tb[CTA_PROTO_ICMP_TYPE-1]
+- || !tb[CTA_PROTO_ICMP_CODE-1])
++ || !tb[CTA_PROTO_ICMP_CODE-1]
++ || !tb[CTA_PROTO_ICMP_ID-1])
+ return -1;
+
+ tuple->dst.u.icmp.type =
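Review bot: The added test proves only that CTA_PROTO_ICMP_ID is present, not that its payload is long enough for the read that follows. The assignments begin on the last line of the hunk and continue outside it, so the field widths are an assumption. If the id is read as 16 bits, the guard should also reject short attributes, e.g. `|| NFA_PAYLOAD(tb[CTA_PROTO_ICMP_ID-1]) < (int)sizeof(u_int16_t)`, with matching one-byte checks for type and code unless the caller already enforces minimum sizes. These attributes arrive from userspace over netlink, so presence alone is a weak precondition for the dereference.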
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:08 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] ip_conntrack: fix ftp/irc/tftp helpers on ports >= 32768
+
+Since we've converted the ftp/irc/tftp helpers to use the new
+module_parm_array() some time ago, we ware accidentially using signed data
+types - thus preventing those modules from being used on ports >= 32768.
+
+This patch fixes it by using 'ushort' module parameters.
+
+Thanks to Jan Nijs for reporting this bug.
+
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_ftp.c | 4 ++--
+ net/ipv4/netfilter/ip_conntrack_irc.c | 4 ++--
+ net/ipv4/netfilter/ip_conntrack_tftp.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_ftp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_ftp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_ftp.c
+@@ -29,9 +29,9 @@ static char *ftp_buffer;
+ static DEFINE_SPINLOCK(ip_ftp_lock);
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+
+ static int loose;
+ module_param(loose, int, 0600);
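Review bot: The `ports` parameter in ip_conntrack_ftp.c has no description next to its `module_param_array()` line, unlike the irc and tftp hunks of this patch, which both follow it with `MODULE_PARM_DESC(ports, ...)`. If the description is not declared elsewhere in the file, add `MODULE_PARM_DESC(ports, "port numbers of FTP servers");` after the array declaration. The list decides which flows get the helper attached, so a description helps anyone auditing how a loaded module is configured.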
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_irc.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_irc.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_irc.c
+@@ -34,7 +34,7 @@
+ #include <linux/moduleparam.h>
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+ static int max_dcc_channels = 8;
+ static unsigned int dcc_timeout = 300;
+@@ -52,7 +52,7 @@ EXPORT_SYMBOL_GPL(ip_nat_irc_hook);
+ MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+ MODULE_DESCRIPTION("IRC (DCC) connection tracking helper");
+ MODULE_LICENSE("GPL");
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+ MODULE_PARM_DESC(ports, "port numbers of IRC servers");
+ module_param(max_dcc_channels, int, 0400);
+ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per IRC session");
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_tftp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_tftp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_tftp.c
+@@ -26,9 +26,9 @@ MODULE_DESCRIPTION("tftp connection trac
+ MODULE_LICENSE("GPL");
+
+ #define MAX_PORTS 8
+-static short ports[MAX_PORTS];
++static unsigned short ports[MAX_PORTS];
+ static int ports_c;
+-module_param_array(ports, short, &ports_c, 0400);
++module_param_array(ports, ushort, &ports_c, 0400);
+ MODULE_PARM_DESC(ports, "port numbers of tftp servers");
+
+ #if 0
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:49 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] ip_conntrack TCP: Accept SYN+PUSH like SYN
+
+From: Vlad Drukker <vlad@storewiz.com>
+
+Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware
+3.0.0.4) initiates TCP with SYN and PUSH flags set.
+
+The Linux TCP/IP stack deals fine with that, but the connection tracking
+code doesn't.
+
+This patch alters TCP connection tracking to accept SYN+PUSH as a valid
+flag combination.
+
+Signed-off-by: Vlad Drukker <vlad@storewiz.com>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 +
+ 1 files changed, 1 insertion(+)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+@@ -818,6 +818,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN
+ {
+ [TH_SYN] = 1,
+ [TH_SYN|TH_ACK] = 1,
++ [TH_SYN|TH_PUSH] = 1,
+ [TH_SYN|TH_ACK|TH_PUSH] = 1,
+ [TH_RST] = 1,
+ [TH_RST|TH_ACK] = 1,
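Review bot: The new `[TH_SYN|TH_PUSH] = 1` entry widens the set of flag combinations that connection tracking treats as valid, but nothing in the table says why. A later audit of the table could read it as a mistake or as an unintended loosening of the filter. I would add `/* SYN+PUSH: sent by some iSCSI HBAs (e.g. QLA4010); the TCP stack accepts it */` directly above the entry. The table's declaration starts outside the hunk.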
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:04 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] NAT: Fix module refcount dropping too far
+
+From: Rusty Rusty <rusty@rustcorp.com.au>
+
+The unknown protocol is used as a fallback when a protocol isn't known.
+Hence we cannot handle it failing, so don't set ".me". It's OK, since we
+only grab a reference from within the same module (iptable_nat.ko), so we
+never take the module refcount from 0 to 1.
+
+Also, remove the "protocol is NULL" test: it's never NULL.
+
+Signed-off-by: Rusty Rusty <rusty@rustcorp.com.au>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_nat_core.c | 6 ++----
+ net/ipv4/netfilter/ip_nat_proto_unknown.c | 2 +-
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_core.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_core.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_core.c
+@@ -66,10 +66,8 @@ ip_nat_proto_find_get(u_int8_t protonum)
+ * removed until we've grabbed the reference */
+ preempt_disable();
+ p = __ip_nat_proto_find(protonum);
+- if (p) {
+- if (!try_module_get(p->me))
+- p = &ip_nat_unknown_protocol;
+- }
++ if (!try_module_get(p->me))
++ p = &ip_nat_unknown_protocol;
+ preempt_enable();
+
+ return p;
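Review bot: `p->me` is now dereferenced with no NULL test, so ip_nat_proto_find_get() depends on __ip_nat_proto_find() never returning NULL and on `ip_nat_unknown_protocol` having no `.me`, so that the fallback assignment owes no reference. Both invariants appear only in the patch description, not at the call site. I would add `/* __ip_nat_proto_find() never returns NULL (falls back to ip_nat_unknown_protocol, whose .me is unset) */` above the `try_module_get()` line. The matching put path is outside this hunk and should be checked to tolerate an unset `me`.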
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_unknown.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_proto_unknown.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_unknown.c
+@@ -62,7 +62,7 @@ unknown_print_range(char *buffer, const
+
+ struct ip_nat_protocol ip_nat_unknown_protocol = {
+ .name = "unknown",
+- .me = THIS_MODULE,
++ /* .me isn't set: getting a ref to this cannot fail. */
+ .manip_pkt = unknown_manip_pkt,
+ .in_range = unknown_in_range,
+ .unique_tuple = unknown_unique_tuple,
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:49 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] nf_queue: Fix Ooops when no queue handler registered
+
+With the new nf_queue generalization in 2.6.14, we've introduced a bug
+that causes an oops as soon as a packet is queued but no queue handler
+registered. This patch fixes it.
+
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/netfilter/nf_queue.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.14.y/net/netfilter/nf_queue.c
+===================================================================
+--- linux-2.6.14.y.orig/net/netfilter/nf_queue.c
++++ linux-2.6.14.y/net/netfilter/nf_queue.c
+@@ -117,7 +117,7 @@ int nf_queue(struct sk_buff **skb,
+
+ /* QUEUE == DROP if noone is waiting, to be safe. */
+ read_lock(&queue_handler_lock);
+- if (!queue_handler[pf]->outfn) {
++ if (!queue_handler[pf] || !queue_handler[pf]->outfn) {
+ read_unlock(&queue_handler_lock);
+ kfree_skb(*skb);
+ return 1;
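Review bot: The comment above the check still describes only the "no one is waiting" case, while the condition now also covers a protocol family with no handler registered at all. I would update it to `/* QUEUE == DROP if no handler is registered for this pf, or it has no outfn, to be safe. */`. The drop path shown here frees the skb and returns without any counter or log line. A QUEUE rule without a listener therefore shows up only as silent packet loss, which a drop counter would make diagnosable. nf_queue() continues outside the hunk.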
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:56 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] PPTP helper: Fix endianness bug in GRE key / CallID NAT
+Return-Path: stable-bounces@linux.kernel.org
+Received: from smtp.osdl.org (smtp.osdl.org [65.172.181.4])
+ by shell0.pdx.osdl.net (8.13.1/8.11.6) with ESMTP id jAFCWur6030796;
+ Tue, 15 Nov 2005 04:32:56 -0800
+Received: from hera.kernel.org (hera.kernel.org [140.211.167.34])
+ by smtp.osdl.org (8.12.8/8.12.8) with ESMTP id jAFCWtnO007694
+ (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
+ Tue, 15 Nov 2005 04:32:55 -0800
+Received: from hera.kernel.org (localhost [127.0.0.1])
+ by hera.kernel.org (8.13.1/8.13.1) with ESMTP id jAFCWkDU006315;
+ Tue, 15 Nov 2005 04:32:46 -0800
+Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [213.95.27.120])
+ by hera.kernel.org (8.13.1/8.13.1) with ESMTP id jAFCWefT006262
+ for <stable@kernel.org>; Tue, 15 Nov 2005 04:32:42 -0800
+Received: from berligate.hmw-consulting.de ([83.236.178.202]
+ helo=sunbeam.hmw-consulting.de)
+ by ganesha.gnumonks.org with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
+ (Exim 4.50) id 1EbzzJ-0001uc-Og; Tue, 15 Nov 2005 13:32:39 +0100
+Received: from hanuman.de.gnumonks.org ([192.168.100.10] ident=Debian-exim)
+ by sunbeam.hmw-consulting.de with esmtp (Exim 4.54)
+ id 1EbzzJ-0001T0-1y; Tue, 15 Nov 2005 13:32:37 +0100
+Received: from laforge by hanuman.de.gnumonks.org with local (Exim 4.54)
+ id 1EbzzI-0006B3-OL; Tue, 15 Nov 2005 13:32:36 +0100
+Message-ID: <20051115133236.610397000@hanuman.de.gnumonks.org>
+User-Agent: davem-sendpatch.sh v0.2
+X-Spam-Score: 0.0 (/)
+X-Virus-Scanned: ClamAV version 0.85, clamav-milter version 0.85 on localhost
+X-Virus-Scanned: ClamAV version 0.85, clamav-milter version 0.85 on localhost
+X-Virus-Status: Clean
+X-BeenThere: stable@linux.kernel.org
+X-Mailman-Version: 2.1.5
+Precedence: list
+List-Id: For maintainers of the stable Linux series <stable.linux.kernel.org>
+List-Unsubscribe: <http://linux.kernel.org/mailman/listinfo/stable>,
+ <mailto:stable-request@linux.kernel.org?subject=unsubscribe>
+List-Archive: <http://linux.kernel.org/mailman/private/stable>
+List-Post: <mailto:stable@linux.kernel.org>
+List-Help: <mailto:stable-request@linux.kernel.org?subject=help>
+List-Subscribe: <http://linux.kernel.org/mailman/listinfo/stable>,
+ <mailto:stable-request@linux.kernel.org?subject=subscribe>
+Sender: stable-bounces@linux.kernel.org
+Errors-To: stable-bounces@linux.kernel.org
+Received-SPF: none (domain of stable-bounces@linux.kernel.org does not designate permitted sender hosts)
+X-Spam-Status: No, hits=0 required=5 tests=
+X-Spam-Checker-Version: SpamAssassin 2.63-osdl_revision__1.55__
+X-MIMEDefang-Filter: osdl$Revision: 1.127 $
+X-Scanned-By: MIMEDefang 2.36
+Status: RO
+Content-Length: 1847
+Lines: 46
+
+This endianness bug slipped through while changing the 'gre.key' field in
+the conntrack tuple from 32bit to 16bit.
+
+None of my tests caught the problem, since the linux pptp client always has
+'0' as call id / gre key. Only windows clients actually trigger the bug.
+
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_nat_proto_gre.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_gre.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_proto_gre.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_proto_gre.c
+@@ -139,8 +139,8 @@ gre_manip_pkt(struct sk_buff **pskb,
+ break;
+ case GRE_VERSION_PPTP:
+ DEBUGP("call_id -> 0x%04x\n",
+- ntohl(tuple->dst.u.gre.key));
+- pgreh->call_id = htons(ntohl(tuple->dst.u.gre.key));
++ ntohs(tuple->dst.u.gre.key));
++ pgreh->call_id = tuple->dst.u.gre.key;
+ break;
+ default:
+ DEBUGP("can't nat unknown GRE version\n");
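Review bot: The direct assignment `pgreh->call_id = tuple->dst.u.gre.key;` is only correct because the tuple field already holds a 16-bit value in network byte order, and nothing at this site records that. The original bug was a byte-order mismatch left over from a field-width change, so the invariant should be written down where it is relied on: `/* gre.key is 16 bit, network byte order, same as call_id: copy without conversion */`. gre_manip_pkt() starts and ends outside the hunk, so other uses of the key in this function could not be checked.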
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:33:00 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] PPTP helper: fix PNS-PAC expectation call id
+
+From: Philip Craig <philipc@snapgear.com>
+
+The reply tuple of the PNS->PAC expectation was using the wrong call id.
+
+So we had the following situation:
+- PNS behind NAT firewall
+- PNS call id requires NATing
+- PNS->PAC gre packet arrives first
+
+then the PNS->PAC expectation is matched, and the other expectation
+is deleted, but the PAC->PNS gre packets do not match the gre conntrack
+because the call id is wrong.
+
+We also cannot use ip_nat_follow_master().
+
+Signed-off-by: Philip Craig <philipc@snapgear.com>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_nat_helper_pptp.c | 28 ++++++++++++++++++++++++++--
+ 1 files changed, 26 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_nat_helper_pptp.c
+@@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_
+ struct ip_conntrack_tuple t;
+ struct ip_ct_pptp_master *ct_pptp_info;
+ struct ip_nat_pptp *nat_pptp_info;
++ struct ip_nat_range range;
+
+ ct_pptp_info = &master->help.ct_pptp_info;
+ nat_pptp_info = &master->nat.help.nat_pptp_info;
+@@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_
+ DEBUGP("not found!\n");
+ }
+
+- ip_nat_follow_master(ct, exp);
++ /* This must be a fresh one. */
++ BUG_ON(ct->status & IPS_NAT_DONE_MASK);
++
++ /* Change src to where master sends to */
++ range.flags = IP_NAT_RANGE_MAP_IPS;
++ range.min_ip = range.max_ip
++ = ct->master->tuplehash[!exp->dir].tuple.dst.ip;
++ if (exp->dir == IP_CT_DIR_ORIGINAL) {
++ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
++ range.min = range.max = exp->saved_proto;
++ }
++ /* hook doesn't matter, but it has to do source manip */
++ ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING);
++
++ /* For DST manip, map port here to where it's expected. */
++ range.flags = IP_NAT_RANGE_MAP_IPS;
++ range.min_ip = range.max_ip
++ = ct->master->tuplehash[!exp->dir].tuple.src.ip;
++ if (exp->dir == IP_CT_DIR_REPLY) {
++ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
++ range.min = range.max = exp->saved_proto;
++ }
++ /* hook doesn't matter, but it has to do destination manip */
++ ip_nat_setup_info(ct, &range, NF_IP_PRE_ROUTING);
+ }
+
+ /* outbound packets == from PNS to PAC */
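Review bot: `struct ip_nat_range range`, declared in the previous hunk, is never zeroed, so in the first ip_nat_setup_info() call `range.min` and `range.max` hold stack garbage whenever `exp->dir` is not IP_CT_DIR_ORIGINAL. The flags presumably keep those fields from being read, but adding `memset(&range, 0, sizeof(range));` before the first `range.flags` assignment removes the reliance on that. The return values of both ip_nat_setup_info() calls are also discarded; pptp_nat_expected() is void, so a comment stating why a failed setup can be ignored would help. The function begins outside this hunk.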
+@@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect
+
+ /* alter expectation for PNS->PAC direction */
+ invert_tuplepr(&inv_t, &expect_orig->tuple);
+- expect_orig->saved_proto.gre.key = htons(nat_pptp_info->pac_call_id);
++ expect_orig->saved_proto.gre.key = htons(ct_pptp_info->pns_call_id);
+ expect_orig->tuple.src.u.gre.key = htons(nat_pptp_info->pns_call_id);
+ expect_orig->tuple.dst.u.gre.key = htons(ct_pptp_info->pac_call_id);
+ inv_t.src.ip = reply_t->src.ip;
--- /dev/null
+From stable-bounces@linux.kernel.org Tue Nov 15 04:32:52 2005
+Date: Tue, 15 Nov 2005 13:32:36 +0100
+From: Harald Welte <laforge@netfilter.org>
+To: Stable Kernel <stable@kernel.org>
+Cc:
+Subject: [PATCH] [NETFILTER] refcount leak of proto when ctnetlink dumping tuple
+
+From: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
+
+Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
+Signed-off-by: Harald Welte <laforge@netfilter.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ net/ipv4/netfilter/ip_conntrack_netlink.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+Index: linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_netlink.c
+===================================================================
+--- linux-2.6.14.y.orig/net/ipv4/netfilter/ip_conntrack_netlink.c
++++ linux-2.6.14.y/net/ipv4/netfilter/ip_conntrack_netlink.c
+@@ -58,14 +58,17 @@ ctnetlink_dump_tuples_proto(struct sk_bu
+ const struct ip_conntrack_tuple *tuple)
+ {
+ struct ip_conntrack_protocol *proto;
++ int ret = 0;
+
+ NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
+
+ proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
+- if (proto && proto->tuple_to_nfattr)
+- return proto->tuple_to_nfattr(skb, tuple);
++ if (likely(proto && proto->tuple_to_nfattr)) {
++ ret = proto->tuple_to_nfattr(skb, tuple);
++ ip_conntrack_proto_put(proto);
++ }
+
+- return 0;
++ return ret;
+
+ nfattr_failure:
+ return -1;
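Review bot: The reference taken by ip_conntrack_proto_find_get() is still leaked when `proto` is non-NULL but `proto->tuple_to_nfattr` is NULL, because `ip_conntrack_proto_put(proto);` sits inside the combined `if`. Split the two tests so the put runs for every successful get: `if (proto) { if (proto->tuple_to_nfattr) ret = proto->tuple_to_nfattr(skb, tuple); ip_conntrack_proto_put(proto); }`. Whether find_get can return NULL at all is not visible in this hunk, so the outer test is kept. The dump path is reachable from userspace, so a repeated leak here would pin protocol modules.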
packet-writing-oops-fix.patch
fix-memory-leak-with-file-leases.patch
generic-hdlc-wan-drivers-disable-netif_carrier_off.patch
+pptp-helper-fix-endianness-bug-in-gre-key-callid-nat.patch
+nat-fix-module-refcount-droppoing-too-far.patch
+nf_queue-fix-oops-when-no-queue-handler-registered.patch
+recount-leak-of-proto-when-ctnetlink-dumping-tuple.patch
+ctnetlink-check-if-protoinfo-is-present.patch
+pptp-helper-fix-pns-pac-expectation-call-id.patch
+ctnetlink-fix-oops-when-no-icpm-id-info-in-message.patch
+ip_conntrack-tcp-accept-syn+push-like-syn.patch
+ip_conntrack-fix-ftp-irc-tftp-helpers-on-large-ports.patch