Add ipid fix (CVE-2006-1242), fwd from DaveM
authorChris Wright <chrisw@sous-sol.org>
Wed, 22 Mar 2006 23:33:07 +0000 (15:33 -0800)
committerChris Wright <chrisw@sous-sol.org>
Wed, 22 Mar 2006 23:33:07 +0000 (15:33 -0800)
queue-2.6.16/series
queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch [new file with mode: 0644]
queue/series
queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch [new file with mode: 0644]

index 0f1b434518aa6a6d6a05beeb62ccd3f52cc91481..899daeef1c5049e9ce36c87efc9de44da865fd4b 100644 (file)
@@ -2,3 +2,4 @@ sata_mv-fix-irq-port-status-usage.patch
 v4l-dvb-fix-samsung-tuner-frequency-ranges.patch
 kconfig-video_decoder-must-select-fw_loader.patch
 2.6.xx-sata_mv-another-critical-fix.patch
+tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
diff --git a/queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch b/queue-2.6.16/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
new file mode 100644 (file)
index 0000000..5bdbfae
--- /dev/null
@@ -0,0 +1,51 @@
+From stable-bounces@linux.kernel.org  Wed Mar 22 14:36:39 2006
+Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST)
+From: "David S. Miller" <davem@davemloft.net>
+To: stable@kernel.org
+Cc: 
+Subject: [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+
+The problem is in ip_push_pending_frames(), which uses:
+
+        if (!df) {
+                __ip_select_ident(iph, &rt->u.dst, 0);
+        } else {
+                iph->id = htons(inet->id++);
+        }
+
+instead of ip_select_ident().
+
+Right now I think the code is a nonsense. Most likely, I copied it from
+old ip_build_xmit(), where it was really special, we had to decide
+whether to generate unique ID when generating the first (well, the last)
+fragment.
+
+In ip_push_pending_frames() it does not make sense, it should use plain
+ip_select_ident() instead.
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/ipv4/ip_output.c |    6 +-----
+ 1 files changed, 1 insertion(+), 5 deletions(-)
+
+--- linux-2.6.16.orig/net/ipv4/ip_output.c
++++ linux-2.6.16/net/ipv4/ip_output.c
+@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *
+       iph->tos = inet->tos;
+       iph->tot_len = htons(skb->len);
+       iph->frag_off = df;
+-      if (!df) {
+-              __ip_select_ident(iph, &rt->u.dst, 0);
+-      } else {
+-              iph->id = htons(inet->id++);
+-      }
++      ip_select_ident(iph, &rt->u.dst, sk);
+       iph->ttl = ttl;
+       iph->protocol = sk->sk_protocol;
+       iph->saddr = rt->rt_src;
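Review bot: The queued changelog never says what the bug exposes or why `ip_select_ident()` fixes it; "The problem is in ip_push_pending_frames()" names only the location, so a stable reviewer has to infer the impact from the Subject line. I would add a sentence such as `With DF set, RSTs sent via the global tcp_socket took their IP ID from that socket's shared inet->id counter, so the ID sequence was observable across unrelated peers.` This wording is inferred from the Subject and the removed `iph->id = htons(inet->id++)` branch, and should be checked against the CVE-2006-1242 text. The new call also appears to rely on `iph->frag_off = df` being assigned on the line before it (ip_select_ident() is not visible here, but it presumably inspects the DF bit in the header), so a one-line comment there would keep a later reordering from silently changing ID selection. Both points apply equally to the identical queue/ copy of this patch, and ip_push_pending_frames() itself starts and ends outside the hunk.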
index a665635570ce450d8eaba41e7b91d63759751a97..bad1e52fe9b2180660e110755d7e5a56ce29fe06 100644 (file)
@@ -3,3 +3,4 @@ netfilter-ip_queue-fix-wrong-skb-len-nlmsg_len-assumption.patch
 compat-ifconf-fix-limits.patch
 cramfs-mounts-provide-corrupted-content-since-2.6.15.patch
 kconfig-video_decoder-must-select-fw_loader.patch
+tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
diff --git a/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch b/queue/tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
new file mode 100644 (file)
index 0000000..7ed3690
--- /dev/null
@@ -0,0 +1,51 @@
+From stable-bounces@linux.kernel.org  Wed Mar 22 14:36:39 2006
+Date: Wed, 22 Mar 2006 14:34:42 -0800 (PST)
+From: "David S. Miller" <davem@davemloft.net>
+To: stable@kernel.org
+Cc: 
+Subject: [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+
+
+The problem is in ip_push_pending_frames(), which uses:
+
+        if (!df) {
+                __ip_select_ident(iph, &rt->u.dst, 0);
+        } else {
+                iph->id = htons(inet->id++);
+        }
+
+instead of ip_select_ident().
+
+Right now I think the code is a nonsense. Most likely, I copied it from
+old ip_build_xmit(), where it was really special, we had to decide
+whether to generate unique ID when generating the first (well, the last)
+fragment.
+
+In ip_push_pending_frames() it does not make sense, it should use plain
+ip_select_ident() instead.
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ net/ipv4/ip_output.c |    6 +-----
+ 1 files changed, 1 insertion(+), 5 deletions(-)
+
+--- linux-2.6.15.6.orig/net/ipv4/ip_output.c
++++ linux-2.6.15.6/net/ipv4/ip_output.c
+@@ -1237,11 +1237,7 @@ int ip_push_pending_frames(struct sock *
+       iph->tos = inet->tos;
+       iph->tot_len = htons(skb->len);
+       iph->frag_off = df;
+-      if (!df) {
+-              __ip_select_ident(iph, &rt->u.dst, 0);
+-      } else {
+-              iph->id = htons(inet->id++);
+-      }
++      ip_select_ident(iph, &rt->u.dst, sk);
+       iph->ttl = ttl;
+       iph->protocol = sk->sk_protocol;
+       iph->saddr = rt->rt_src;