8 files changed, 45 insertions, 25 deletions

diff --git a/MAINTAINERS b/MAINTAINERS
index 1446cc41c12f..a275f72ed5f7 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2288,7 +2288,7 @@ P:	Jozsef Kadlecsik
 P:      Patrick McHardy
 M:      kaber@trash.net
 L:      netfilter-devel@lists.netfilter.org
-L:      netfilter@lists.netfilter.org
+L:      netfilter@lists.netfilter.org (subscribers-only)
 L:      coreteam@netfilter.org
 W:      http://www.netfilter.org/
 W:      http://www.iptables.org/
diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index 3a26d63eed88..11c588a10e6b 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -283,10 +283,16 @@ static int skp_epaddr_len(const char *dptr, const char *limit, int *shift)
 {
         int s = *shift;
 
-        for (; dptr <= limit && *dptr != '@'; dptr++)
+        /* Search for @, but stop at the end of the line.
+         * We are inside a sip: URI, so we don't need to worry about
+         * continuation lines. */
+        while (dptr <= limit &&
+               *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
                 (*shift)++;
+                dptr++;
+        }
 
-        if (*dptr == '@') {
+        if (dptr <= limit && *dptr == '@') {
                 dptr++;
                 (*shift)++;
         } else
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2a7e4618f526..e3854696988d 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3393,7 +3393,7 @@ static void inline ipv6_store_devconf(struct ipv6_devconf *cnf,
 #ifdef CONFIG_IPV6_ROUTER_PREF
         array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref;
         array[DEVCONF_RTR_PROBE_INTERVAL] = cnf->rtr_probe_interval;
-#ifdef CONFIV_IPV6_ROUTE_INFO
+#ifdef CONFIG_IPV6_ROUTE_INFO
         array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
 #endif
 #endif
@@ -3898,7 +3898,7 @@ static struct addrconf_sysctl_table
                         .proc_handler   =       &proc_dointvec_jiffies,
                         .strategy       =       &sysctl_jiffies,
                 },
-#ifdef CONFIV_IPV6_ROUTE_INFO
+#ifdef CONFIG_IPV6_ROUTE_INFO
                 {
                         .ctl_name       =       NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN,
                         .procname       =       "accept_ra_rt_info_max_plen",
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 6a9f616de37d..39bb658f3c44 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1413,6 +1413,13 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
                 return;
         }
 
+        if (!ipv6_addr_equal(&skb->nh.ipv6h->daddr, target) &&
+            !(ipv6_addr_type(target) & IPV6_ADDR_LINKLOCAL)) {
+                ND_PRINTK2(KERN_WARNING
+                        "ICMPv6 Redirect: target address is not link-local.\n");
+                return;
+        }
+
         ndisc_flow_init(&fl, NDISC_REDIRECT, &saddr_buf, &skb->nh.ipv6h->saddr,
                         dev->ifindex);
 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index cd10e44db015..2a2bcb303bfa 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -628,7 +628,7 @@ config NETFILTER_XT_MATCH_TCPMSS
 
 config NETFILTER_XT_MATCH_HASHLIMIT
         tristate '"hashlimit" match support'
-        depends on NETFILTER_XTABLES
+        depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
         help
           This option adds a `hashlimit' match.
 
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index eb2a2411f97b..9dec11534678 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -303,10 +303,16 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr,
 {
         int s = *shift;
 
-        for (; dptr <= limit && *dptr != '@'; dptr++)
+        /* Search for @, but stop at the end of the line.
+         * We are inside a sip: URI, so we don't need to worry about
+         * continuation lines. */
+        while (dptr <= limit &&
+               *dptr != '@' && *dptr != '\r' && *dptr != '\n') {
                 (*shift)++;
+                dptr++;
+        }
 
-        if (*dptr == '@') {
+        if (dptr <= limit && *dptr == '@') {
                 dptr++;
                 (*shift)++;
         } else
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index d93cb096a675..5e32dfa2668b 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -52,6 +52,8 @@ match(const struct sk_buff *skb,
 {
         const struct xt_connbytes_info *sinfo = matchinfo;
         u_int64_t what = 0;     /* initialize to make gcc happy */
+        u_int64_t bytes = 0;
+        u_int64_t pkts = 0;
         const struct ip_conntrack_counter *counters;
 
         if (!(counters = nf_ct_get_counters(skb)))
@@ -89,29 +91,22 @@ match(const struct sk_buff *skb,
         case XT_CONNBYTES_AVGPKT:
                 switch (sinfo->direction) {
                 case XT_CONNBYTES_DIR_ORIGINAL:
-                        what = div64_64(counters[IP_CT_DIR_ORIGINAL].bytes,
-                                        counters[IP_CT_DIR_ORIGINAL].packets);
+                        bytes = counters[IP_CT_DIR_ORIGINAL].bytes;
+                        pkts  = counters[IP_CT_DIR_ORIGINAL].packets;
                         break;
                 case XT_CONNBYTES_DIR_REPLY:
-                        what = div64_64(counters[IP_CT_DIR_REPLY].bytes,
-                                        counters[IP_CT_DIR_REPLY].packets);
+                        bytes = counters[IP_CT_DIR_REPLY].bytes;
+                        pkts  = counters[IP_CT_DIR_REPLY].packets;
                         break;
                 case XT_CONNBYTES_DIR_BOTH:
-                        {
-                                u_int64_t bytes;
-                                u_int64_t pkts;
-                                bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
-                                        counters[IP_CT_DIR_REPLY].bytes;
-                                pkts = counters[IP_CT_DIR_ORIGINAL].packets+
-                                        counters[IP_CT_DIR_REPLY].packets;
-
-                                /* FIXME_THEORETICAL: what to do if sum
-                                 * overflows ? */
-
-                                what = div64_64(bytes, pkts);
-                        }
+                        bytes = counters[IP_CT_DIR_ORIGINAL].bytes +
+                                counters[IP_CT_DIR_REPLY].bytes;
+                        pkts  = counters[IP_CT_DIR_ORIGINAL].packets +
+                                counters[IP_CT_DIR_REPLY].packets;
                         break;
                 }
+                if (pkts != 0)
+                        what = div64_64(bytes, pkts);
                 break;
         }
 
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 8bd30976cdee..6db77d1329f7 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -621,7 +621,13 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
         /* The receiver of the HEARTBEAT ACK should also perform an
          * RTT measurement for that destination transport address
          * using the time value carried in the HEARTBEAT ACK chunk.
+         * If the transport's rto_pending variable has been cleared,
+         * it was most likely due to a retransmit.  However, we want
+         * to re-enable it to properly update the rto.
          */
+        if (t->rto_pending == 0)
+                t->rto_pending = 1;
+
         hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
         sctp_transport_update_rto(t, (jiffies - hbinfo->sent_at));