2 more stable patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Thu, 7 Jun 2007 03:57:17 +0000 (20:57 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 7 Jun 2007 03:57:17 +0000 (20:57 -0700)
queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch [new file with mode: 0644]
queue-2.6.21/series
queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch [new file with mode: 0644]

diff --git a/queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch b/queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
new file mode 100644 (file)
index 0000000..e799828
--- /dev/null
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Tue Jun  5 05:17:17 2007
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 05 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+To: "David S. Miller" <davem@davemloft.net>
+Cc: security@kernel.org, Adrian Bunk <bunk@stusta.de>, Kiran Kumar Immidi <immidi_kiran@yahoo.com>, stable@kernel.org, Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+Message-ID: <4665539E.9040005@trash.net>
+
+From: Patrick McHardy <kaber@trash.net>
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c |    3 ++-
+ net/netfilter/nf_conntrack_proto_sctp.c      |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack 
+                                               SCTP_CONNTRACK_NONE, sch->type);
+               /* Invalid: delete conntrack */
+-              if (newconntrack == SCTP_CONNTRACK_MAX) {
++              if (newconntrack == SCTP_CONNTRACK_NONE ||
++                  newconntrack == SCTP_CONNTRACK_MAX) {
+                       DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+                       return 0;
+               }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn *conn
+                                        SCTP_CONNTRACK_NONE, sch->type);
+               /* Invalid: delete conntrack */
+-              if (newconntrack == SCTP_CONNTRACK_MAX) {
++              if (newconntrack == SCTP_CONNTRACK_NONE ||
++                  newconntrack == SCTP_CONNTRACK_MAX) {
+                       DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+                       return 0;
+               }
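Review bot: The added `SCTP_CONNTRACK_NONE` test in `sctp_new` closes the creation path only, while the dereference named in the description happens in `sctp_packet` at `sctp_timeouts[SCTP_CONNTRACK_NONE]`, which is outside both hunks. It is worth confirming that no other transition can leave a tracked connection in the NONE state, or adding a guard before that lookup as defence in depth. The retained comment `/* Invalid: delete conntrack */` no longer describes the branch well, since per the description the effect is that no entry is created; something like `/* Invalid or no transition (e.g. unknown chunk type): don't create conntrack */` would be clearer. The same applies to the identical change in `net/netfilter/nf_conntrack_proto_sctp.c`. `sctp_new` starts and ends outside the hunks shown.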
index 1c68e2ac3fbfa295bff3f70118bb8f616273b160..a14dce61db6000108cee8f4082f0b423178b9fa1 100644 (file)
@@ -37,3 +37,5 @@ acpi-fix-potential-call-to-a-freed-memory-section.patch
 aacraid-correct-sa-platform-support.patch
 cciss-fix-pci_driver.shutdown-while-device-is-still-active.patch
 sysfs-store-sysfs-inode-nrs-in-s_ino-to-avoid-readdir-oopses.patch
+work-around-dell-e520-bios-reboot-bug.patch
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
diff --git a/queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch b/queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch
new file mode 100644 (file)
index 0000000..c0e4099
--- /dev/null
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Fri Jun  1 01:04:33 2007
+From: Tim Gardner <tim.gardner@ubuntu.com>
+Date: Fri, 01 Jun 2007 00:46:40 -0700
+Subject: Work around Dell E520 BIOS reboot bug
+To: torvalds@linux-foundation.org
+Cc: tim.gardner@ubuntu.com, akpm@linux-foundation.org, Matt_Domsch@dell.com, stable@kernel.org, ak@suse.de
+Message-ID: <200706010746.l517kdxp005490@shell0.pdx.osdl.net>
+
+
+From: Tim Gardner <tim.gardner@ubuntu.com>
+
+Force Dell E520 to use the BIOS to shutdown/reboot.
+
+I have at least one report that this patch fixes shutdown/reboot
+problems on the Dell E520 platform.
+
+(Andi says: People can always set the boot option.  It hardly seems like a
+critical issue needing a backport.)
+
+Signed-off-by: Tim Gardner <tim.gardner@ubuntu.com>
+Acked-by: Andi Kleen <ak@suse.de>
+Acked-by: Matt Domsch <Matt_Domsch@dell.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ arch/i386/kernel/reboot.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/i386/kernel/reboot.c
++++ b/arch/i386/kernel/reboot.c
+@@ -88,6 +88,14 @@ static int __init set_bios_reboot(struct
+ }
+ static struct dmi_system_id __initdata reboot_dmi_table[] = {
++      {       /* Handle problems with rebooting on Dell E520's */
++              .callback = set_bios_reboot,
++              .ident = "Dell E520",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Dell DM061"),
++              },
++      },
+       {       /* Handle problems with rebooting on Dell 1300's */
+               .callback = set_bios_reboot,
+               .ident = "Dell PowerEdge 1300",
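Review bot: The new table entry labels itself `.ident = "Dell E520"` but matches on `DMI_PRODUCT_NAME` `"Dell DM061"`, and nothing in the entry says how the two relate. Presumably DM061 is the product string that E520 firmware reports; a short comment such as `/* E520 reports DMI product name "Dell DM061" */` next to the match would keep the next reader from treating it as a typo. `reboot_dmi_table` continues past the end of the hunk.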