[PATCH net-next 2/2] netfilter: nf_conntrack_amanda: reject port values above 65535

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net-next 2/2] netfilter: nf_conntrack_amanda: reject port values above 65535
@ 2026-04-30 16:15 HACKE-RC
  2026-04-30 16:21 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: HACKE-RC @ 2026-04-30 16:15 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal
  Cc: Phil Sutter, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, netfilter-devel, coreteam, netdev,
	linux-kernel, HACKE-RC

amanda_help() converts the result of simple_strtoul() to __be16 via
htons() without checking the parsed value fits in 16 bits. The
existing len > 5 guard limits strings to five digits, capping the
parseable range at 99999, but values 65536-99999 still silently
truncate on the htons() conversion.

Use an intermediate unsigned long and reject out-of-range values
before converting to network byte order.

Fixes: 16958900578b ("[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_amanda.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index d2c09e8dd..58d6c9f29 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb,
 	struct nf_conntrack_expect *exp;
 	struct nf_conntrack_tuple *tuple;
 	unsigned int dataoff, start, stop, off, i;
+	nf_nat_amanda_hook_fn *nf_nat_amanda;
 	char pbuf[sizeof("65535")], *tmp;
+	unsigned long parsed_port;
+	int ret = NF_ACCEPT;
 	u_int16_t len;
 	__be16 port;
-	int ret = NF_ACCEPT;
-	nf_nat_amanda_hook_fn *nf_nat_amanda;
 
 	/* Only look at packets from the Amanda server */
 	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
@@ -132,10 +133,11 @@ static int amanda_help(struct sk_buff *skb,
 			break;
 		pbuf[len] = '\0';
 
-		port = htons(simple_strtoul(pbuf, &tmp, 10));
+		parsed_port = simple_strtoul(pbuf, &tmp, 10);
 		len = tmp - pbuf;
-		if (port == 0 || len > 5)
+		if (parsed_port == 0 || parsed_port > 65535 || len > 5)
 			break;
+		port = htons(parsed_port);
 
 		exp = nf_ct_expect_alloc(ct);
 		if (exp == NULL) {
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net-next 2/2] netfilter: nf_conntrack_amanda: reject port values above 65535
  2026-04-30 16:15 [PATCH net-next 2/2] netfilter: nf_conntrack_amanda: reject port values above 65535 HACKE-RC
@ 2026-04-30 16:21 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2026-04-30 16:21 UTC (permalink / raw)
  To: HACKE-RC
  Cc: Florian Westphal, Phil Sutter, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel,
	coreteam, netdev, linux-kernel

Hi,

On Thu, Apr 30, 2026 at 09:45:15PM +0530, HACKE-RC wrote:
> amanda_help() converts the result of simple_strtoul() to __be16 via
> htons() without checking the parsed value fits in 16 bits. The
> existing len > 5 guard limits strings to five digits, capping the
> parseable range at 99999, but values 65536-99999 still silently
> truncate on the htons() conversion.
> 
> Use an intermediate unsigned long and reject out-of-range values
> before converting to network byte order.
> 
> Fixes: 16958900578b ("[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port")
> Signed-off-by: HACKE-RC <rc@rexion.ai>
> ---
>  net/netfilter/nf_conntrack_amanda.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
> index d2c09e8dd..58d6c9f29 100644
> --- a/net/netfilter/nf_conntrack_amanda.c
> +++ b/net/netfilter/nf_conntrack_amanda.c
> @@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb,
>  	struct nf_conntrack_expect *exp;
>  	struct nf_conntrack_tuple *tuple;
>  	unsigned int dataoff, start, stop, off, i;
> +	nf_nat_amanda_hook_fn *nf_nat_amanda;
>  	char pbuf[sizeof("65535")], *tmp;
> +	unsigned long parsed_port;
> +	int ret = NF_ACCEPT;
>  	u_int16_t len;
>  	__be16 port;
> -	int ret = NF_ACCEPT;
> -	nf_nat_amanda_hook_fn *nf_nat_amanda;
>  
>  	/* Only look at packets from the Amanda server */
>  	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
> @@ -132,10 +133,11 @@ static int amanda_help(struct sk_buff *skb,
>  			break;
>  		pbuf[len] = '\0';
>  
> -		port = htons(simple_strtoul(pbuf, &tmp, 10));
> +		parsed_port = simple_strtoul(pbuf, &tmp, 10);

While being here, I would replace this simple_strtoul by a parser
which does not rely on nul-terminated strings.

A similar patch went in for the sip helper recently, maybe you can
just take such function to parse ports, move it to the
nf_conntrack_helper core so it can be shared by helpers.

>  		len = tmp - pbuf;
> -		if (port == 0 || len > 5)
> +		if (parsed_port == 0 || parsed_port > 65535 || len > 5)
>  			break;
> +		port = htons(parsed_port);
>  
>  		exp = nf_ct_expect_alloc(ct);
>  		if (exp == NULL) {
> -- 
> 2.54.0
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-30 16:25 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-30 16:15 [PATCH net-next 2/2] netfilter: nf_conntrack_amanda: reject port values above 65535 HACKE-RC
2026-04-30 16:21 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox