Candidate: CVE-2007-3642
References: 
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25845b5155b55cd77e42655ec24161ba3feffa47
 http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=499
Description:
 The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c
 in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and
 before 2.6.22 allows remote attackers to cause a denial of service
 (crash) via an encoded, out-of-range index value for a choice field,
 which triggers a NULL pointer dereference.
Ubuntu-Description: 
 Zhongling Wen discovered that the h323 conntrack handler did not correctly
 handle certain bitfields.  A remote attacker could send a specially crafted
 packet and cause a denial of service.
Notes: 
 pkl> [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
 dannf> file got renamed between 2.6.18 & 2.6.21
Bugs: 
upstream: 
linux-2.6: released (2.6.21-6) [bugfix/all/stable/2.6.21.6.patch]
2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_h323-bounds-checking.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security:  N/A - code doesn't seem to exist
2.6.17-edgy-security: N/A - code doesn't seem to exist
2.6.20-feisty-security: released (2.6.20-16.31) [c411287f75b34e8cbeba8e7832c4cf1c235e8568]