Candidate: CVE-2009-2903
Description:
 The check for the ipddpN device in the handle_ip_over_ddp() function returns -ENODEV to the atalk_rcv() function when the device does not exist. The atalk_rcv() function then returns that value directly to its caller. The call to kfree_skb() is missing for these unaccepted IP-DDP datagrams, which can eventually exhaust kernel memory. It affects Linux hosts with the appletalk and ipddp modules loaded that are attached to the same link. Thanks to Mark Smith for reporting this issue to us.
References:
 http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;a=commit;h=ffcfb8db540ff879c2a85bf7e404954281443414
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903#c3
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ipddp.txt;h=661a5558dd8e928f15771c07ef34b3ee9cb81e57;hb=HEAD
 http://www.openwall.com/lists/oss-security/2009/08/30/1
 https://bugzilla.redhat.com/CVE-2009-2903#c0 and http://kbase.redhat.com/faq/docs/DOC-19069
Ubuntu-Description:
Notes:
Bugs:
upstream: released (2.6.32-rc1) [ffcfb8db540ff879c2a85bf7e404954281443414], released (2.6.31.4) [fb0e8709eef2d06ec5d5b1f30e043432a477c1fe]
linux-2.6: released (2.6.31-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]
2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]