I've started to port the PPTP conntrack and NAT helper to the 2.6.11-and-later API changes. Obviously that forced me to look at the code deeper than I did for quite some time. That in turn led me to the discovery of a bug. Obviously, the bug was not hit in most installations, because it's only a bug in the error path.
Expectations used to be kmalloc()ed, so the helper could directly kfree() them without a problem. Some time ago, we introduced a slab cache for expectations, so that would no longer work. Now the code in svn was changed to use ip_conntrack_expect_free().