The tr_rx function in ibmtr.c for Linux kernel 2.6.19 assigns the wrong flag to the ip_summed field, which allows remote attackers to cause a denial of service (memory corruption) via crafted packets that cause the kernel to interpret another field as an offset.
secunia.com/advisories/23254
www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=blobdiff%3Bh=0d97e10ccac580e16d3dffbe4a9a88144360e64a%3Bhp=bfe59865b1dd50e5c4dbd4cefe506a31e1495a1a%3Bhb=ee28b0da1069ced1688aa9d0b7b378353b988321%3Bf=drivers/net/tokenring/ibmtr.c
www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ee28b0da1069ced1688aa9d0b7b378353b988321
www.securityfocus.com/bid/21490
www.vupen.com/english/advisories/2006/4907