Description of problem: If an INIT-ACK is received with a SupportedExtensions parameter which indicates that the peer does not support AUTH, the packet will be silently ignored, and sctp_process_init() cleans up all of the transports in the association. When the T1-Init timer expires, an OOPS happens while we try to choose a different init transport. The solution is to only clean up the non-active transports, i.e. the ones that the peer added. However, that introduces a problem with sctp_connectx(), because we don't mark the proper state for the transports provided by the user. So, we'll simply mark user-provided transports as ACTIVE. That will allow INIT retransmissions to work properly in the sctp_connectx() context and prevent the crash.
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=add52379dde2e5300e2d574b172e62c6cf43b3d3
Reference: http://article.gmane.org/gmane.comp.security.oss.general/1039
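As an added illustration (not code from the bug report, the kernel, or the upstream patch): a simplified C model of the transport cleanup sequence described in the report. The structure and function names are assumptions for illustration only, not the kernel's struct sctp_transport or sctp_process_init(). It walks the sctp_connectx() case and shows that only the combination of cleaning up non-active transports and marking user-supplied transports ACTIVE leaves a transport for the T1-Init retransmission to pick, which is the condition the report describes as avoiding the OOPS.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an association's peer transport list.
 * All names here are illustrative assumptions, not kernel types. */
enum tstate { TS_UNKNOWN = 0, TS_ACTIVE = 1 };

struct transport {
    char addr[32];
    enum tstate state;
    struct transport *next;
};

struct assoc {
    struct transport *peer_list;   /* addresses the INIT may be sent to */
    int mark_user_active;          /* 1: user-provided transports start ACTIVE */
};

/* Append a transport. Peer-added transports always start UNKNOWN;
 * user-provided ones start ACTIVE only when the fix is in effect. */
static struct transport *assoc_add_transport(struct assoc *a, const char *addr,
                                             int user_provided)
{
    struct transport *t = calloc(1, sizeof(*t));
    struct transport **pp = &a->peer_list;
    if (!t)
        return NULL;
    snprintf(t->addr, sizeof(t->addr), "%s", addr);
    t->state = (user_provided && a->mark_user_active) ? TS_ACTIVE : TS_UNKNOWN;
    while (*pp)
        pp = &(*pp)->next;
    *pp = t;
    return t;
}

/* Cleanup after a discarded INIT-ACK. only_inactive == 0 drops every
 * transport (the original behaviour); only_inactive == 1 drops just the
 * non-ACTIVE ones, i.e. the ones the peer added. */
static void assoc_cleanup_transports(struct assoc *a, int only_inactive)
{
    struct transport **pp = &a->peer_list;
    while (*pp) {
        struct transport *t = *pp;
        if (!only_inactive || t->state != TS_ACTIVE) {
            *pp = t->next;
            free(t);
        } else {
            pp = &t->next;
        }
    }
}

static int assoc_count(const struct assoc *a)
{
    int n = 0;
    for (const struct transport *t = a->peer_list; t; t = t->next)
        n++;
    return n;
}

/* T1-Init expiry: pick a transport for the INIT retransmission. A NULL
 * result models the empty list the report says leads to an OOPS. */
static struct transport *assoc_choose_init_transport(struct assoc *a)
{
    return a->peer_list;
}

/* Run the scenario from the report and return how many transports remain
 * for the retransmission (0 means the retransmit path has nothing to use). */
int simulate_init_ack_without_auth(int only_inactive, int mark_user_active)
{
    struct assoc a = { .peer_list = NULL, .mark_user_active = mark_user_active };
    struct transport *t;
    int remaining;

    /* sctp_connectx(): two addresses supplied by the local user (constructed sample). */
    assoc_add_transport(&a, "10.0.0.1", 1);
    assoc_add_transport(&a, "10.0.0.2", 1);

    /* INIT-ACK arrives listing one extra peer address; it is added as UNKNOWN. */
    assoc_add_transport(&a, "10.0.0.3", 0);

    /* SupportedExtensions says the peer lacks AUTH: the INIT-ACK is discarded
     * and the transports are cleaned up. */
    assoc_cleanup_transports(&a, only_inactive);

    /* T1-Init timer expires: choose a transport for the INIT retransmission. */
    t = assoc_choose_init_transport(&a);
    remaining = assoc_count(&a);
    printf("only_inactive=%d mark_user_active=%d: %d transport(s) left, retransmit via %s\n",
           only_inactive, mark_user_active, remaining,
           t ? t->addr : "(none: would OOPS)");

    assoc_cleanup_transports(&a, 0);   /* free whatever is left */
    return remaining;
}

int main(void)
{
    simulate_init_ack_without_auth(0, 0);   /* original code: everything dropped */
    simulate_init_ack_without_auth(1, 0);   /* partial fix: connectx transports still dropped */
    simulate_init_ack_without_auth(1, 1);   /* full fix: user transports survive */
    return 0;
}
```

The middle case is the sctp_connectx() problem the report mentions: cleaning only non-active transports is not enough on its own, because user-provided transports were never marked ACTIVE and are cleaned up along with the peer's.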
Created attachment 319734: Proposed backport patch for realtime kernel
kernel-2.6.26.6-49.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
MRG patch added to -90
This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:1017)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)