commit 90a03936acb1c3400a5833cc7b5c58e01b6106b8
Author: Chris Wright
Date:   Tue May 9 12:53:30 2006 -0700

    Linux 2.6.16.15

commit 25958c671804a3829d822fc3ccc3eff534b1aaa0
Author: Vladislav Yasevich
Date:   Fri May 5 17:03:49 2006 -0700

    [PATCH] SCTP: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)

    There is a rare situation that causes lksctp to go into infinite recursion
    and crash the system. The trigger is a packet that contains at least the
    first two DATA fragments of a message bundled together. The recursion is
    triggered when the user data buffer is smaller than the full data message.
    The problem is that we clone the skb for every fragment in the message.
    When reassembling the full message, we try to link skbs from the "first
    fragment" clone using the frag_list. However, since the frag_list is shared
    between two clones in this rare situation, we end up setting the frag_list
    pointer of the second fragment to point to itself. This causes
    sctp_skb_pull() to potentially recurse indefinitely.

    Proposed solution is to make a copy of the skb when attempting to link
    things using frag_list.

    Signed-off-by: Vladislav Yasevich
    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 2e2a2cd09dd7b3fbc99a1879a54090fd6db16f0c
Author: Neil Horman
Date:   Fri May 5 17:02:09 2006 -0700

    [PATCH] SCTP: Allow spillover of receive buffer to avoid deadlock. (CVE-2006-2275)

    This patch fixes a deadlock situation in the receive path by allowing
    temporary spillover of the receive buffer.

    - If the chunk we receive has a tsn that immediately follows the ctsn,
      accept it even if we run out of receive buffer space and renege data with
      higher TSNs.
    - Once we accept one chunk in a packet, accept all the remaining chunks
      even if we run out of receive buffer space.

    Signed-off-by: Neil Horman
    Acked-by: Mark Butler
    Acked-by: Vlad Yasevich
    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit cb19baa0bb7a4064e6d0c99e8f479673120a9f28
Author: Sridhar Samudrala
Date:   Fri May 5 17:05:23 2006 -0700

    [PATCH] SCTP: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)

    Discard an unexpected chunk in CLOSED state rather than calling BUG().

    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 40885c13b394cd1b74acc196f1d7990a3e0a484d
Author: Sridhar Samudrala
Date:   Fri May 5 17:04:43 2006 -0700

    [PATCH] SCTP: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)

    Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
    are received as skb's with fragment list.

    Signed-off-by: Sridhar Samudrala
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright
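
The frag_list sharing described in the CVE-2006-2274 commit message above, as an added C model that is not kernel code and not part of this changelog. The struct and function names are hypothetical, and the depth limit of 64 stands in for the unbounded recursion so that the walk terminates.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of two clones sharing one frag_list; all names are
 * hypothetical stand-ins, not the kernel's definitions. */
struct shared_info { struct buf *frag_list; };
struct buf {
    struct shared_info *shinfo;  /* shared by every clone of one packet */
    struct buf *next;            /* next sibling on a frag_list */
};

/* Clone: a new head that still points at the source's shared_info. */
static struct buf buf_clone(const struct buf *src)
{
    struct buf c = { src->shinfo, NULL };
    return c;
}

/* Bounded stand-in for the recursive frag_list walk: returns the deepest
 * level reached, or -1 once `limit` is exceeded (the runaway case). */
static int walk(const struct buf *b, int depth, int limit)
{
    int deepest = depth;
    if (depth > limit)
        return -1;
    for (const struct buf *f = b->shinfo->frag_list; f; f = f->next) {
        int d = walk(f, depth + 1, limit);
        if (d < 0)
            return -1;
        if (d > deepest)
            deepest = d;
    }
    return deepest;
}

/* Two DATA fragments bundled in one packet, then linked for reassembly.
 * use_copy = 0 links through the clone; use_copy = 1 models the fix. */
static int reassemble(int use_copy)
{
    struct shared_info pkt_info = { NULL }, priv = { NULL };
    struct buf pkt = { &pkt_info, NULL };
    struct buf frag1 = buf_clone(&pkt), frag2 = buf_clone(&pkt);
    struct buf head = frag1;
    if (use_copy)
        head.shinfo = &priv;          /* a copy owns a private shared_info */
    head.shinfo->frag_list = &frag2;  /* link fragment 2 under fragment 1 */
    return walk(&head, 0, 64);
}

int main(void)
{
    printf("clone: %d, copy: %d\n", reassemble(0), reassemble(1));
    return 0;
}
```

In the clone case the write through `head.shinfo` also changes what `frag2` sees as its own frag_list, so `frag2` ends up pointing at itself; with a private `shared_info` the walk stops after one level.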