2.6.16.8 release v2.6.16.8
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 19 Apr 2006 04:26:37 +0000 (21:26 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 19 Apr 2006 04:26:37 +0000 (21:26 -0700)
2.6.16.8/IPV4-ip_route_input-panic-fix.patch [new file with mode: 0644]

diff --git a/2.6.16.8/IPV4-ip_route_input-panic-fix.patch b/2.6.16.8/IPV4-ip_route_input-panic-fix.patch
new file mode 100644 (file)
index 0000000..2393b85
--- /dev/null
@@ -0,0 +1,33 @@
+From nobody Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <shemminger@osdl.org>
+Date: Mon Apr 17 17:27:11 2006 -0700
+Subject: [PATCH] [IPV4]: ip_route_input panic fix (CVE-2006-1525)
+
+This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
+The bug is caused by ip_route_input dereferencing skb->nh.protocol of
+the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
+it). It only happens if the route requested is for a multicast IP
+address.
+
+Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/route.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- linux-2.6.16.7.orig/net/ipv4/route.c
++++ linux-2.6.16.7/net/ipv4/route.c
+@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in
+       /* Reserve room for dummy headers, this skb can pass
+          through good chunk of routing engine.
+        */
+-      skb->mac.raw = skb->data;
++      skb->mac.raw = skb->nh.raw = skb->data;
++
++      /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
++      skb->nh.iph->protocol = IPPROTO_ICMP;
+       skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
+       if (rta[RTA_SRC - 1])
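Review bot: The new comment above `skb->nh.iph->protocol = IPPROTO_ICMP;` does not say which field ip_route_input reads or that the value is only a placeholder, so a later reader cannot tell how much of the dummy header has to be valid. Going by the commit message, only the multicast lookup dereferences the protocol field; I would spell that out, e.g. `/* ip_route_input() reads nh.iph->protocol for multicast destinations; point nh.raw at the dummy header and set a placeholder protocol. */`. Only this one field of the header is initialised here, so any other path under ip_route_input that reads further iphdr fields from this skb would see whatever the allocation left behind; it is worth confirming that none does, or zeroing the dummy header first with `memset(skb->nh.iph, 0, sizeof(struct iphdr));`. inet_rtm_getroute starts and continues outside the hunk, so the skb allocation and its size are not visible here and the room available at `skb->data` should be checked before adding that memset.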