From edbbb8a4929a3c2001e6c57a3c1d461137909513 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 6 Jun 2007 20:57:17 -0700
Subject: [PATCH] 2 more stable patches
---
 ...ely-triggerable-null-ptr-dereference.patch | 52 +++++++++++++++++++
 queue-2.6.21/series | 2 +
 ...ork-around-dell-e520-bios-reboot-bug.patch | 47 +++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
 create mode 100644 queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch
diff --git a/queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch b/queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
new file mode 100644
index 00000000000..e7998289241
--- /dev/null
+++ b/queue-2.6.21/netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
@@ -0,0 +1,52 @@
+From stable-bounces@linux.kernel.org Tue Jun 5 05:17:17 2007
+From: Patrick McHardy
+Date: Tue, 05 Jun 2007 14:14:22 +0200
+Subject: NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
+To: "David S. Miller"
+Cc: security@kernel.org, Adrian Bunk , Kiran Kumar Immidi , stable@kernel.org, Vilmos Nebehaj
+Message-ID: <4665539E.9040005@trash.net>
+
+From: Patrick McHardy
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj
+
+CC: Kiran Kumar Immidi
+Cc: David Miller
+Signed-off-by: Patrick McHardy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/ip_conntrack_proto_sctp.c | 3 ++-
+ net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -460,7 +460,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -469,7 +469,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
diff --git a/queue-2.6.21/series b/queue-2.6.21/series
index 1c68e2ac3fb..a14dce61db6 100644
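Review bot: The widened check in both sctp_new() hunks only stops a conntrack entry from being created in state SCTP_CONNTRACK_NONE; the site the commit message names as crashing, the sctp_timeouts[] lookup in sctp_packet, is outside these hunks, so it cannot be confirmed from here that no other path reaches that index with NONE. It is worth verifying that lookup, or guarding it against a NULL timeout entry, as defence in depth in both the ip_conntrack and nf_conntrack copies. The retained comment `/* Invalid: delete conntrack */` also no longer describes the condition; I would change it to `/* No valid initial state (NONE or MAX): do not create a conntrack entry */`. sctp_new's body starts and ends outside both hunks.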
--- a/queue-2.6.21/series
+++ b/queue-2.6.21/series
@@ -37,3 +37,5 @@ acpi-fix-potential-call-to-a-freed-memory-section.patch
 aacraid-correct-sa-platform-support.patch
 cciss-fix-pci_driver.shutdown-while-device-is-still-active.patch
 sysfs-store-sysfs-inode-nrs-in-s_ino-to-avoid-readdir-oopses.patch
+work-around-dell-e520-bios-reboot-bug.patch
+netfilter-ip-nf-_conntrack_sctp-fix-remotely-triggerable-null-ptr-dereference.patch
diff --git a/queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch b/queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch
new file mode 100644
index 00000000000..c0e40998406
--- /dev/null
+++ b/queue-2.6.21/work-around-dell-e520-bios-reboot-bug.patch
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Fri Jun 1 01:04:33 2007
+From: Tim Gardner
+Date: Fri, 01 Jun 2007 00:46:40 -0700
+Subject: Work around Dell E520 BIOS reboot bug
+To: torvalds@linux-foundation.org
+Cc: tim.gardner@ubuntu.com, akpm@linux-foundation.org, Matt_Domsch@dell.com, stable@kernel.org, ak@suse.de
+Message-ID: <200706010746.l517kdxp005490@shell0.pdx.osdl.net>
+
+
+From: Tim Gardner
+
+Force Dell E520 to use the BIOS to shutdown/reboot.
+
+I have at least one report that this patch fixes shutdown/reboot
+problems on the Dell E520 platform.
+
+(Andi says: People can always set the boot option. It hardly seems like a
+critical issue needing a backport.)
+
+Signed-off-by: Tim Gardner
+Acked-by: Andi Kleen
+Acked-by: Matt Domsch
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/i386/kernel/reboot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/i386/kernel/reboot.c
++++ b/arch/i386/kernel/reboot.c
+@@ -88,6 +88,14 @@ static int __init set_bios_reboot(struct
+ }
+
+ static struct dmi_system_id __initdata reboot_dmi_table[] = {
++ { /* Handle problems with rebooting on Dell E520's */
++ .callback = set_bios_reboot,
++ .ident = "Dell E520",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Dell DM061"),
++ },
++ },
+ { /* Handle problems with rebooting on Dell 1300's */
+ .callback = set_bios_reboot,
+ .ident = "Dell PowerEdge 1300",
-- 
2.47.3
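Review bot: The new reboot_dmi_table entry is labelled "Dell E520" in `.ident` but matches DMI_PRODUCT_NAME "Dell DM061", and nothing in the entry explains why the two differ. I would extend the entry comment to `/* Handle problems with rebooting on Dell E520's (DMI product name "Dell DM061") */`, assuming that is the string this model's firmware reports, so a later reader does not mistake the match for a typo. The table continues outside the hunk.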