From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 23 Sep 2010 19:38:30 +0000 (-0700)
Subject: .35 patches
X-Git-Tag: v2.6.35.6~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=198a8cbc782a20599d673e5596ed2d70206f88d2;p=thirdparty%2Fkernel%2Fstable-queue.git

.35 patches
---

diff --git a/queue-2.6.35/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch b/queue-2.6.35/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
new file mode 100644
index 00000000000..c88c12aad60
--- /dev/null
+++ b/queue-2.6.35/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch
@@ -0,0 +1,34 @@
+From 4bdab43323b459900578b200a4b8cf9713ac8fab Mon Sep 17 00:00:00 2001
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+Date: Wed, 15 Sep 2010 10:00:26 -0400
+Subject: sctp: Do not reset the packet during sctp_packet_config().
+
+From: Vlad Yasevich <vladislav.yasevich@hp.com>
+
+commit 4bdab43323b459900578b200a4b8cf9713ac8fab upstream.
+
+sctp_packet_config() is called when getting the packet ready
+for appending of chunks.  The function should not touch the
+current state, since it's possible to ping-pong between two
+transports when sending, and that can result packet corruption
+followed by skb overlfow crash.
+
+Reported-by: Thomas Dreibholz <dreibh@iem.uni-due.de>
+Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sctp/output.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/sctp/output.c
++++ b/net/sctp/output.c
+@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(s
+ 	SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
+ 			  packet, vtag);
+ 
+-	sctp_packet_reset(packet);
+ 	packet->vtag = vtag;
+ 
+ 	if (ecn_capable && sctp_packet_empty(packet)) {
diff --git a/queue-2.6.35/series b/queue-2.6.35/series
index c6181a70136..1d6d63a835e 100644
--- a/queue-2.6.35/series
+++ b/queue-2.6.35/series
@@ -75,3 +75,4 @@ mm-page-allocator-calculate-a-better-estimate-of-nr_free_pages-when-memory-is-lo
 mm-page-allocator-update-free-page-counters-after-pages-are-placed-on-the-free-list.patch
 guard-page-for-stacks-that-grow-upwards.patch
 fix-unprotected-access-to-task-credentials-in-waitid.patch
+sctp-do-not-reset-the-packet-during-sctp_packet_config.patch