diff -urN linux-2.4.31-hf3/Makefile linux-2.4.31-hf4/Makefile --- linux-2.4.31-hf3/Makefile Sat Aug 20 14:53:48 2005 +++ linux-2.4.31-hf4/Makefile Sat Aug 20 14:54:11 2005 @@ -1,7 +1,7 @@ VERSION = 2 PATCHLEVEL = 4 SUBLEVEL = 31 -EXTRAVERSION = -hf3 +EXTRAVERSION = -hf4 KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION) diff -urN linux-2.4.31-hf3/arch/alpha/kernel/Makefile linux-2.4.31-hf4/arch/alpha/kernel/Makefile --- linux-2.4.31-hf3/arch/alpha/kernel/Makefile Sat Dec 6 08:14:41 2003 +++ linux-2.4.31-hf4/arch/alpha/kernel/Makefile Sat Aug 20 14:54:11 2005 @@ -76,7 +76,7 @@ obj-y += sys_alcor.o endif ifneq ($(CONFIG_ALPHA_CABRIOLET)$(CONFIG_ALPHA_EB164)$(CONFIG_ALPHA_EB66P)$(CONFIG_ALPHA_LX164)$(CONFIG_ALPHA_PC164),) -obj-y += sys_cabriolet.o +obj-y += sys_cabriolet.o ns87312.o endif obj-$(CONFIG_ALPHA_DP264) += sys_dp264.o diff -urN linux-2.4.31-hf3/arch/ppc/boot/lib/zlib.c linux-2.4.31-hf4/arch/ppc/boot/lib/zlib.c --- linux-2.4.31-hf3/arch/ppc/boot/lib/zlib.c Sat Aug 20 14:53:48 2005 +++ linux-2.4.31-hf4/arch/ppc/boot/lib/zlib.c Sat Aug 20 14:54:11 2005 @@ -1278,7 +1278,7 @@ { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_DATA_ERROR; + return Z_OK; } diff -urN linux-2.4.31-hf3/arch/ppc64/boot/zlib.c linux-2.4.31-hf4/arch/ppc64/boot/zlib.c --- linux-2.4.31-hf3/arch/ppc64/boot/zlib.c Sat Aug 20 14:53:48 2005 +++ linux-2.4.31-hf4/arch/ppc64/boot/zlib.c Sat Aug 20 14:54:11 2005 @@ -1294,7 +1294,7 @@ { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_DATA_ERROR; + return Z_OK; } diff -urN linux-2.4.31-hf3/fs/isofs/compress.c linux-2.4.31-hf4/fs/isofs/compress.c --- linux-2.4.31-hf3/fs/isofs/compress.c Sun Jan 26 10:12:46 2003 +++ linux-2.4.31-hf4/fs/isofs/compress.c Sat Aug 20 14:54:11 2005 @@ -147,7 +147,13 @@ cend = le32_to_cpu(*(u32 *)(bh->b_data + (blockendptr & bufmask))); brelse(bh); + if (cstart > cend) + goto eio; + csize = cend-cstart; + + if (csize > deflateBound(1UL << zisofs_block_shift)) + goto eio; /* Now page[] contains an array of pages, any of which can be NULL, and the locks on which we hold. We should now read the data and diff -urN linux-2.4.31-hf3/fs/isofs/inode.c linux-2.4.31-hf4/fs/isofs/inode.c --- linux-2.4.31-hf3/fs/isofs/inode.c Sun Apr 17 15:32:23 2005 +++ linux-2.4.31-hf4/fs/isofs/inode.c Sat Aug 20 14:54:11 2005 @@ -335,16 +335,16 @@ else if (!strcmp(value,"acorn")) popt->map = 'a'; else return 0; } - if (!strcmp(this_char,"session") && value) { + else if (!strcmp(this_char,"session") && value) { char * vpnt = value; unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0); - if(ivalue < 0 || ivalue >99) return 0; + if (ivalue > 99) return 0; popt->session=ivalue+1; } - if (!strcmp(this_char,"sbsector") && value) { + else if (!strcmp(this_char,"sbsector") && value) { char * vpnt = value; unsigned int ivalue = simple_strtoul(vpnt, &vpnt, 0); - if(ivalue < 0 || ivalue >660*512) return 0; + if (ivalue > 660*512) return 0; popt->sbsector=ivalue; } else if (!strcmp(this_char,"check") && value) { diff -urN linux-2.4.31-hf3/include/linux/zlib.h linux-2.4.31-hf4/include/linux/zlib.h --- linux-2.4.31-hf3/include/linux/zlib.h Wed Aug 3 22:23:21 2005 +++ linux-2.4.31-hf4/include/linux/zlib.h Sat Aug 20 14:58:51 2005 @@ -516,6 +516,11 @@ stream state was inconsistent (such as zalloc or state being NULL). */ +static inline unsigned long deflateBound(unsigned long s) +{ + return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11; +} + ZEXTERN int ZEXPORT zlib_deflateParams OF((z_streamp strm, int level, int strategy)); diff -urN linux-2.4.31-hf3/lib/rbtree.c linux-2.4.31-hf4/lib/rbtree.c --- linux-2.4.31-hf3/lib/rbtree.c Sun Sep 12 18:31:03 2004 +++ linux-2.4.31-hf4/lib/rbtree.c Sat Aug 20 14:54:11 2005 @@ -332,6 +332,7 @@ node = node->rb_right; while (node->rb_left) node = node->rb_left; + return node; } /* No right-hand children. Everything down and left is @@ -355,6 +356,7 @@ node = node->rb_left; while (node->rb_right) node = node->rb_right; + return node; } /* No left-hand children. Go up till we find an ancestor which diff -urN linux-2.4.31-hf3/lib/zlib_inflate/inftrees.c linux-2.4.31-hf4/lib/zlib_inflate/inftrees.c --- linux-2.4.31-hf3/lib/zlib_inflate/inftrees.c Sat Aug 20 14:53:48 2005 +++ linux-2.4.31-hf4/lib/zlib_inflate/inftrees.c Sun Jan 26 10:12:50 2003 @@ -140,7 +140,7 @@ { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_DATA_ERROR; + return Z_OK; } diff -urN linux-2.4.31-hf3/net/ipv4/netfilter/ip_nat_proto_tcp.c linux-2.4.31-hf4/net/ipv4/netfilter/ip_nat_proto_tcp.c --- linux-2.4.31-hf3/net/ipv4/netfilter/ip_nat_proto_tcp.c Sun Jan 26 10:12:51 2003 +++ linux-2.4.31-hf4/net/ipv4/netfilter/ip_nat_proto_tcp.c Sat Aug 20 14:54:11 2005 @@ -31,7 +31,8 @@ enum ip_nat_manip_type maniptype, const struct ip_conntrack *conntrack) { - static u_int16_t port = 0, *portptr; + static u_int16_t port = 0; + u_int16_t *portptr; unsigned int range_size, min, i; if (maniptype == IP_NAT_MANIP_SRC) diff -urN linux-2.4.31-hf3/net/ipv4/netfilter/ip_nat_proto_udp.c linux-2.4.31-hf4/net/ipv4/netfilter/ip_nat_proto_udp.c --- linux-2.4.31-hf3/net/ipv4/netfilter/ip_nat_proto_udp.c Sat Dec 1 18:27:13 2001 +++ linux-2.4.31-hf4/net/ipv4/netfilter/ip_nat_proto_udp.c Sat Aug 20 14:54:11 2005 @@ -32,7 +32,8 @@ enum ip_nat_manip_type maniptype, const struct ip_conntrack *conntrack) { - static u_int16_t port = 0, *portptr; + static u_int16_t port = 0; + u_int16_t *portptr; unsigned int range_size, min, i; if (maniptype == IP_NAT_MANIP_SRC) diff -urN linux-2.4.31-hf3/net/ipv4/netfilter/ipt_unclean.c linux-2.4.31-hf4/net/ipv4/netfilter/ipt_unclean.c --- linux-2.4.31-hf3/net/ipv4/netfilter/ipt_unclean.c Sat Jul 31 18:45:19 2004 +++ linux-2.4.31-hf4/net/ipv4/netfilter/ipt_unclean.c Sat Aug 20 14:54:11 2005 @@ -264,6 +264,7 @@ { [TH_SYN] = 1, [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, [TH_RST|TH_ACK] = 1, [TH_RST|TH_ACK|TH_PUSH] = 1,