* [PATCH net-next 1/2] netfilter: nf_conntrack_irc: reject DCC port values above 65535
2026-04-30 16:12 [PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers HACKE-RC
@ 2026-04-30 16:12 ` HACKE-RC
2026-04-30 16:18 ` [PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: HACKE-RC @ 2026-04-30 16:12 UTC (permalink / raw)
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman, netfilter-devel, coreteam, netdev,
linux-kernel, HACKE-RC

parse_dcc() stores the return value of simple_strtoul() directly into
a u_int16_t pointer. simple_strtoul() returns unsigned long, so values
above 65535 are silently truncated when assigned to the u16 output
parameter.

Use an intermediate unsigned long variable and reject out-of-range
values by returning -1, which causes the caller in help() to skip
the DCC command via the existing error path.

The dcc_port == 0 check in help() already rejects port 0, so this
change only adds the upper-bound check in the parser.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
net/netfilter/nf_conntrack_irc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a..ffaa7ab84 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -68,6 +68,7 @@ static const char *const dccprotos[] = {
static int parse_dcc(char *data, const char *data_end, __be32 *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
+ unsigned long parsed_port;
char *tmp;
/* at least 12: "AAAAAAAA P\1\n" */
@@ -93,7 +94,11 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip,
data++;
}
- *port = simple_strtoul(data, &data, 10);
+ parsed_port = simple_strtoul(data, &data, 10);
+ if (parsed_port > 65535)
+ return -1;
+
+ *port = parsed_port;
*ad_end_p = data;
return 0;
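Review bot: the bound in `if (parsed_port > 65535)` is a bare literal; since the destination is the u_int16_t `*port`, writing it as `if (parsed_port > U16_MAX)` ties the limit to the output type. Separately, the check only sees the value simple_strtoul() returns, and simple_strtoul() does not report overflow of unsigned long, so a digit run long enough to wrap can still come back at or below 65535 and pass. Bounding the number of digits consumed (the `data` pointer before and after the call) ahead of the range check would close that, and the commit message could say whether that case is in scope.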
--
2.54.0
* Re: [PATCH net-next 0/2] netfilter: conntrack: validate parsed port values in IRC and Amanda helpers
From: Pablo Neira Ayuso @ 2026-04-30 16:18 UTC (permalink / raw)
To: HACKE-RC
Cc: Florian Westphal, Phil Sutter, David S . Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel,
coreteam, netdev, linux-kernel
On Thu, Apr 30, 2026 at 09:42:28PM +0530, HACKE-RC wrote:
> Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers from
> application-layer protocol data using simple_strtoul(), which returns
> unsigned long. The results are stored in u16 variables without range
> checks, silently truncating values above 65535.
>
> This series adds explicit upper-bound validation in both helpers.
>
> Note: checkpatch warns about simple_strtoul being obsolete. Both
> call sites use the endptr output parameter to advance the parse
> position, which kstrtoul does not provide. Converting to kstrtoul
> would require restructuring the parsers, which is out of scope for
> this fix.
>
> HACKE-RC (2):
HAHA, this nickname is funny, it is making my day here. Thanks!
> netfilter: nf_conntrack_irc: reject DCC port values above 65535
> netfilter: nf_conntrack_amanda: reject port values above 65535
>
> net/netfilter/nf_conntrack_amanda.c | 10 ++++++----
> net/netfilter/nf_conntrack_irc.c | 7 ++++++-
> 2 files changed, 12 insertions(+), 5 deletions(-)
>
> --
> 2.54.0
>