Candidate: CVE-2007-2172
References: 
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a979101106f549f4ed80d6dcbc35077be34d4346
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
Description: 
 A typo in Linux kernel 2.6 before 2.6.21-rc6 causes RTA_MAX to be
 used as an array size instead of RTN_MAX, which leads to an "out of
 bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
 fib_props (fib_semantics.c, IPv4) functions.
Ubuntu-Description: 
 The IPv4 and DECnet network protocol handlers misdeclared an array
 variable so that it became smaller than intended. By sending crafted
 packets over a netlink socket, a local attacker could exploit this
 to crash the kernel.
Notes: 
 dannf> Debian kernels currently only have the decnet patch - ipv4 patch
        is still needed
Bugs: 
upstream: released (2.4.34.3, 2.6.21)
linux-2.6: released (2.6.21-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/dn_fib-out-of-bounds.patch, bugfix/ipv4-fib_props-out-of-bounds.patch]
2.6.8-sarge-security: released (2.6.8-17sarge1) [dn_fib-out-of-bounds.dpatch, ipv4-fib_props-out-of-bounds.dpatch]
2.4.27-sarge-security: released (2.4.27-10sarge6) [246_dn_fib-out-of-bounds.diff, 266_ipv4-fib_props-out-of-bounds.diff]
2.6.15-dapper-security: released (2.6.15-28.54)
2.6.17-edgy-security: released (2.6.17.1-11.38)
2.6.20-feisty-security: released (2.6.20-16.28)