From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net-next 11/11] netfilter: nf_conntrack_ftp: avoid u16 overflows
Date: Mon, 25 May 2026 20:29:24 +0200
Message-ID: <20260525182924.28456-12-fw@strlen.de>
In-Reply-To: <20260525182924.28456-1-fw@strlen.de>
From: Giuseppe Caruso <giuseppecaruso0990@gmail.com>
get_port() and try_number() parse comma-separated decimal values from FTP PORT
and EPRT commands into a u_int32_t array, but do not validate that each
value fits in a single octet. RFC 959 specifies that PORT parameters
are decimal integers in the range 0-255, representing the four octets
of an IP address followed by two octets encoding the port number.
Values exceeding 255 are silently accepted. In try_rfc959(), the raw
u32 values are combined via shift-and-OR to form the IP and port:
cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
(array[2] << 8) | array[3]);
cmd->u.tcp.port = htons((array[4] << 8) | array[5]);
When array elements exceed 255, bits from one field bleed into adjacent
fields after shifting, producing IP addresses and port numbers that
differ from what the text representation suggests. For example,
"PORT 10,0,1,2,256,22" yields port (256<<8)|22 = 65558, truncated to
u16 = 22. This mismatch between the textual and computed values can
confuse network monitoring tools that parse FTP commands independently.
Ignore the command by returning 0 (no match) when any accumulated
value exceeds 255 so that no expectation is created.
Signed-off-by: Giuseppe Caruso <giuseppecaruso0990@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_ftp.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index de83bf9e6c61..dc6f0017ca6b 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -120,6 +120,8 @@ static int try_number(const char *data, size_t dlen, u_int32_t array[],
for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
if (*data >= '0' && *data <= '9') {
array[i] = array[i]*10 + *data - '0';
+ if (array[i] > 255)
+ return 0;
}
else if (*data == sep)
i++;
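Review bot: the new `if (array[i] > 255) return 0;` applies to every caller of try_number(), not only try_rfc959(), so it is worth confirming that each caller parses octet-ranged values; a one-line comment citing RFC 959's 0-255 range next to the check would also document why the limit is 255 here while get_port() uses the u16 limit. Since the comparison follows each digit as it is folded in, array[i] never exceeds 2559 before the check fires, so the u32 cannot wrap.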
@@ -189,7 +191,7 @@ static int try_rfc1123(const char *data, size_t dlen,
static int get_port(const char *data, int start, size_t dlen, char delim,
__be16 *port)
{
- u_int16_t tmp_port = 0;
+ u32 tmp_port = 0;
int i;
for (i = start; i < dlen; i++) {
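Review bot: widening tmp_port from u_int16_t to u32 is what makes the `tmp_port > 65535` comparison in the next hunk meaningful (with a u16 the accumulated value would wrap on assignment before any comparison could see it), so these two hunks must land together. The unchanged `pr_debug("get_port: return %d\n", tmp_port);` now prints a u32 with %d; switch the format to %u.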
@@ -200,10 +202,11 @@ static int get_port(const char *data, int start, size_t dlen, char delim,
*port = htons(tmp_port);
pr_debug("get_port: return %d\n", tmp_port);
return i + 1;
- }
- else if (data[i] >= '0' && data[i] <= '9')
+ } else if (data[i] >= '0' && data[i] <= '9') {
tmp_port = tmp_port*10 + data[i] - '0';
- else { /* Some other crap */
+ if (tmp_port > 65535)
+ break;
+ } else { /* Some other crap */
pr_debug("get_port: invalid char.\n");
break;
}
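Review bot: the `if (tmp_port > 65535) break;` path is silent, while the neighbouring invalid-character path emits `pr_debug("get_port: invalid char.\n");`; a matching pr_debug for the out-of-range case would make rejected EPRT/EPSV ports debuggable for the same reason. The check is placed right after the digit is accumulated, so tmp_port peaks at 655359 before the break and the u32 cannot wrap.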
--
2.53.0
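As an added example, not part of this patch or the kernel source: a stand-alone user-space model of try_number() and the try_rfc959() shift-and-OR, with the per-field bound the patch introduces made switchable, so the "10,0,1,2,256,22" case from the commit message can be reproduced and checked. The names parse_tuple, tuple_ip and tuple_port are assumptions of this example, not kernel identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* User-space model of try_number(): parse array_size decimals separated
 * by sep and ended by term.  Returns the offset of the terminator, or 0
 * on failure.  With bound_octets set, any value > 255 is rejected, which
 * is the check the patch adds (constructed model, not kernel code). */
static size_t parse_tuple(const char *data, size_t dlen, uint32_t array[],
                          size_t array_size, char sep, char term,
                          int bound_octets)
{
    size_t i, len;

    memset(array, 0, sizeof(array[0]) * array_size);
    for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
        if (*data >= '0' && *data <= '9') {
            array[i] = array[i] * 10 + (uint32_t)(*data - '0');
            if (bound_octets && array[i] > 255)
                return 0;   /* no match: the command is ignored */
        } else if (*data == sep) {
            i++;
        } else if (*data == term && i == array_size - 1) {
            return len;     /* terminator right after the last field */
        } else {
            return 0;       /* unexpected character */
        }
    }
    return 0;               /* ran out of data before the terminator */
}

/* Combine the fields by shift-and-OR as try_rfc959() does (host order).
 * With an unbounded field, bits above 255 land in the neighbouring octet. */
static uint32_t tuple_ip(const uint32_t a[6])
{
    return (a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
}

/* The port is truncated to 16 bits, as storing it in a __be16 does. */
static uint16_t tuple_port(const uint32_t a[6])
{
    return (uint16_t)((a[4] << 8) | a[5]);
}
```

Without the bound, "10,0,1,2,256,22\r" parses and decodes to port 22 while the text says 256,22; with the bound, parse_tuple() returns 0 and no expectation would be created.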