[PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers

[PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers

[HACKE-RC]

Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers from
application-layer protocol data using simple_strtoul(), which returns
unsigned long. The results are stored in u16 variables without range
checks, silently truncating values above 65535.

This series adds explicit upper-bound validation in both helpers.

Note: checkpatch warns about simple_strtoul being obsolete. Both
call sites use the endptr output parameter to advance the parse
position, which kstrtoul does not provide. Converting to kstrtoul
would require restructuring the parsers, which is out of scope for
this fix.

HACKE-RC (2):
  netfilter: nf_conntrack_irc: reject DCC port values above 65535
  netfilter: nf_conntrack_amanda: reject port values above 65535

 net/netfilter/nf_conntrack_amanda.c | 10 ++++++----
 net/netfilter/nf_conntrack_irc.c    |  7 ++++++-
 2 files changed, 12 insertions(+), 5 deletions(-)

-- 
2.54.0

[PATCH net-next 1/2] netfilter: nf_conntrack_irc: reject DCC port values above 65535

[HACKE-RC]

parse_dcc() stores the return value of simple_strtoul() directly into
a u_int16_t pointer. simple_strtoul() returns unsigned long, so values
above 65535 are silently truncated when assigned to the u16 output
parameter.

Use an intermediate unsigned long variable and reject out-of-range
values by returning -1, which causes the caller in help() to skip
the DCC command via the existing error path.

The dcc_port == 0 check in help() already rejects port 0, so this
change only adds the upper-bound check in the parser.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_irc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a..ffaa7ab84 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -68,6 +68,7 @@ static const char *const dccprotos[] = {
 static int parse_dcc(char *data, const char *data_end, __be32 *ip,
 		     u_int16_t *port, char **ad_beg_p, char **ad_end_p)
 {
+	unsigned long parsed_port;
 	char *tmp;
 
 	/* at least 12: "AAAAAAAA P\1\n" */
@@ -93,7 +94,11 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip,
 		data++;
 	}
 
-	*port = simple_strtoul(data, &data, 10);
+	parsed_port = simple_strtoul(data, &data, 10);
+	if (parsed_port > 65535)
+		return -1;
+
+	*port = parsed_port;
 	*ad_end_p = data;
 
 	return 0;
-- 
2.54.0

Re: [PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers

[Pablo Neira Ayuso]

On Thu, Apr 30, 2026 at 09:42:28PM +0530, HACKE-RC wrote:
> Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers from
> application-layer protocol data using simple_strtoul(), which returns
> unsigned long. The results are stored in u16 variables without range
> checks, silently truncating values above 65535.
> 
> This series adds explicit upper-bound validation in both helpers.
> 
> Note: checkpatch warns about simple_strtoul being obsolete. Both
> call sites use the endptr output parameter to advance the parse
> position, which kstrtoul does not provide. Converting to kstrtoul
> would require restructuring the parsers, which is out of scope for
> this fix.
> 
> HACKE-RC (2):

HAHA, this nickname is funny, it is making my day here. Thanks!

>   netfilter: nf_conntrack_irc: reject DCC port values above 65535
>   netfilter: nf_conntrack_amanda: reject port values above 65535
> 
>  net/netfilter/nf_conntrack_amanda.c | 10 ++++++----
>  net/netfilter/nf_conntrack_irc.c    |  7 ++++++-
>  2 files changed, 12 insertions(+), 5 deletions(-)
> 
> -- 
> 2.54.0
>