[PATCH net-next v2 0/3] netfilter: conntrack: add shared port parser and use it in IRC and Amanda helpers

[PATCH net-next v2 0/3] netfilter: conntrack: add shared port parser and use it in IRC and Amanda helpers

[HACKE-RC]

Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers
from application-layer protocol data using simple_strtoul(), which
relies on nul-terminated strings and returns unsigned long without
range checking. Port values above 65535 silently truncate when
stored in u16.

This v2 adds a shared nf_ct_helper_parse_port() function to the
conntrack helper core, modeled after the approach in 8cf6809cddcb
("netfilter: nf_conntrack_sip: don't use simple_strtoul"), then
converts both helpers to use it.

Changes since v1:
  - Added shared nf_ct_helper_parse_port() in the helper core
    instead of open-coding range checks in each helper (Pablo)
  - Parser does not rely on nul-terminated strings
  - Dropped simple_strtoul usage entirely for port parsing

HACKE-RC (3):
  netfilter: conntrack: add shared port parser for helpers
  netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
  netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()

 include/net/netfilter/nf_conntrack_helper.h |  3 +++
 net/netfilter/nf_conntrack_amanda.c         | 11 ++++----
 net/netfilter/nf_conntrack_helper.c         | 28 +++++++++++++++++++++
 net/netfilter/nf_conntrack_irc.c            |  4 ++-
 4 files changed, 40 insertions(+), 6 deletions(-)

-- 
2.54.0

[PATCH net-next v2 1/3] netfilter: conntrack: add shared port parser for helpers

[HACKE-RC]

Add nf_ct_helper_parse_port() to the conntrack helper core. This
provides a port parser that does not rely on nul-terminated strings,
taking an explicit length parameter and validating the result fits
in the 1-65535 range.

Modeled after the approach in 8cf6809cddcb ("netfilter:
nf_conntrack_sip: don't use simple_strtoul") but as a shared
function so IRC, Amanda, and other helpers can use it instead of
open-coding simple_strtoul calls with ad-hoc range checks.

Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 include/net/netfilter/nf_conntrack_helper.h |  3 +++
 net/netfilter/nf_conntrack_helper.c         | 28 +++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index de2f956ab..db19fe25f 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -160,6 +160,9 @@ nf_ct_helper_expectfn_find_by_name(const char *name);
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
 
+int nf_ct_helper_parse_port(const char *cp, unsigned int len,
+			    u16 *port, char **endp);
+
 extern struct hlist_head *nf_ct_helper_hash;
 extern unsigned int nf_ct_helper_hsize;
 
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index a715304a5..12f51670d 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -499,6 +499,34 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat)
 }
 EXPORT_SYMBOL_GPL(nf_nat_helper_unregister);
 
+int nf_ct_helper_parse_port(const char *cp, unsigned int len,
+			    u16 *port, char **endp)
+{
+	unsigned long result = 0;
+	const char *start = cp;
+
+	while (len > 0 && *cp >= '0' && *cp <= '9') {
+		result = result * 10 + (*cp - '0');
+		if (result > 65535)
+			return -1;
+		cp++;
+		len--;
+	}
+
+	if (cp == start)
+		return -1;
+
+	if (result == 0)
+		return -1;
+
+	*port = result;
+	if (endp)
+		*endp = (char *)cp;
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_parse_port);
+
 int nf_conntrack_helper_init(void)
 {
 	nf_ct_helper_hsize = 1; /* gets rounded up to use one page */
-- 
2.54.0

Re: [PATCH net-next v2 1/3] netfilter: conntrack: add shared port parser for helpers

[Phil Sutter]

Hi,

On Fri, May 01, 2026 at 12:01:54PM +0530, HACKE-RC wrote:
> Add nf_ct_helper_parse_port() to the conntrack helper core. This
> provides a port parser that does not rely on nul-terminated strings,
> taking an explicit length parameter and validating the result fits
> in the 1-65535 range.
> 
> Modeled after the approach in 8cf6809cddcb ("netfilter:
> nf_conntrack_sip: don't use simple_strtoul") but as a shared
> function so IRC, Amanda, and other helpers can use it instead of
> open-coding simple_strtoul calls with ad-hoc range checks.
> 
> Signed-off-by: HACKE-RC <rc@rexion.ai>
> ---
>  include/net/netfilter/nf_conntrack_helper.h |  3 +++
>  net/netfilter/nf_conntrack_helper.c         | 28 +++++++++++++++++++++
>  2 files changed, 31 insertions(+)
> 
> diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
> index de2f956ab..db19fe25f 100644
> --- a/include/net/netfilter/nf_conntrack_helper.h
> +++ b/include/net/netfilter/nf_conntrack_helper.h
> @@ -160,6 +160,9 @@ nf_ct_helper_expectfn_find_by_name(const char *name);
>  struct nf_ct_helper_expectfn *
>  nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
>  
> +int nf_ct_helper_parse_port(const char *cp, unsigned int len,
> +			    u16 *port, char **endp);
> +
>  extern struct hlist_head *nf_ct_helper_hash;
>  extern unsigned int nf_ct_helper_hsize;
>  
> diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
> index a715304a5..12f51670d 100644
> --- a/net/netfilter/nf_conntrack_helper.c
> +++ b/net/netfilter/nf_conntrack_helper.c
> @@ -499,6 +499,34 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat)
>  }
>  EXPORT_SYMBOL_GPL(nf_nat_helper_unregister);
>  
> +int nf_ct_helper_parse_port(const char *cp, unsigned int len,
> +			    u16 *port, char **endp)
> +{
> +	unsigned long result = 0;
> +	const char *start = cp;
> +
> +	while (len > 0 && *cp >= '0' && *cp <= '9') {
> +		result = result * 10 + (*cp - '0');
> +		if (result > 65535)
> +			return -1;
> +		cp++;
> +		len--;
> +	}
> +
> +	if (cp == start)
> +		return -1;

This check is redundant wrt. the following one: If the loop didn't
increment 'cp', result must be zero. So you may just drop it entirely.

Cheers, Phil

> +
> +	if (result == 0)
> +		return -1;
> +
> +	*port = result;
> +	if (endp)
> +		*endp = (char *)cp;
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL_GPL(nf_ct_helper_parse_port);
> +
>  int nf_conntrack_helper_init(void)
>  {
>  	nf_ct_helper_hsize = 1; /* gets rounded up to use one page */
> -- 
> 2.54.0
> 
> 

[PATCH net-next v2 2/3] netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()

[HACKE-RC]

Replace the bare simple_strtoul() call for port parsing with the
shared nf_ct_helper_parse_port(). This avoids reliance on the
nul-terminated string guarantee (currently provided by the newline
scan earlier in parse_dcc) and validates the port fits in u16.

The simple_strtoul() for the IP address field is left as-is since
it returns unsigned long for a __be32 conversion, which is a
separate concern.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_irc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a..1b51f5a6a 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -93,7 +93,9 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip,
 		data++;
 	}
 
-	*port = simple_strtoul(data, &data, 10);
+	if (nf_ct_helper_parse_port(data, data_end - data, port, &data))
+		return -1;
+
 	*ad_end_p = data;
 
 	return 0;
-- 
2.54.0

[PATCH net-next v2 3/3] netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()

[HACKE-RC]

Replace the bare simple_strtoul() call with the shared
nf_ct_helper_parse_port(). This removes reliance on the
nul-terminated pbuf string for parsing and validates the port
range in a single call.

The len > 5 guard and port == 0 check are now handled by the
shared parser, which rejects zero and values above 65535.

Reorder local variable declarations to reverse christmas tree.

Fixes: 16958900578b ("[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_amanda.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index d2c09e8dd..30b5c4b84 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb,
 	struct nf_conntrack_expect *exp;
 	struct nf_conntrack_tuple *tuple;
 	unsigned int dataoff, start, stop, off, i;
+	nf_nat_amanda_hook_fn *nf_nat_amanda;
 	char pbuf[sizeof("65535")], *tmp;
+	int ret = NF_ACCEPT;
 	u_int16_t len;
+	u16 parsed_port;
 	__be16 port;
-	int ret = NF_ACCEPT;
-	nf_nat_amanda_hook_fn *nf_nat_amanda;
 
 	/* Only look at packets from the Amanda server */
 	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
@@ -132,10 +133,10 @@ static int amanda_help(struct sk_buff *skb,
 			break;
 		pbuf[len] = '\0';
 
-		port = htons(simple_strtoul(pbuf, &tmp, 10));
-		len = tmp - pbuf;
-		if (port == 0 || len > 5)
+		if (nf_ct_helper_parse_port(pbuf, len, &parsed_port, &tmp))
 			break;
+		port = htons(parsed_port);
+		len = tmp - pbuf;
 
 		exp = nf_ct_expect_alloc(ct);
 		if (exp == NULL) {
-- 
2.54.0

Re: [PATCH net-next v2 0/3] netfilter: conntrack: add shared port parser and use it in IRC and Amanda helpers

[Phil Sutter]

On Fri, May 01, 2026 at 12:01:53PM +0530, HACKE-RC wrote:
> Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers
> from application-layer protocol data using simple_strtoul(), which
> relies on nul-terminated strings and returns unsigned long without
> range checking. Port values above 65535 silently truncate when
> stored in u16.
> 
> This v2 adds a shared nf_ct_helper_parse_port() function to the
> conntrack helper core, modeled after the approach in 8cf6809cddcb
> ("netfilter: nf_conntrack_sip: don't use simple_strtoul"), then
> converts both helpers to use it.

Looking at Florian's patch, how about going the extra mile of
implementing a shared nf_ct_helper_parse_uint() which is called by the
new nf_ct_helper_parse_port(), then drop sip_strtouint() for the former
and have sip_parse_port() call the latter (wrapped by the colon and min
port value checks) in a fourth patch?

Cheers, Phil
> 
> Changes since v1:
>   - Added shared nf_ct_helper_parse_port() in the helper core
>     instead of open-coding range checks in each helper (Pablo)
>   - Parser does not rely on nul-terminated strings
>   - Dropped simple_strtoul usage entirely for port parsing
> 
> HACKE-RC (3):
>   netfilter: conntrack: add shared port parser for helpers
>   netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
>   netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()
> 
>  include/net/netfilter/nf_conntrack_helper.h |  3 +++
>  net/netfilter/nf_conntrack_amanda.c         | 11 ++++----
>  net/netfilter/nf_conntrack_helper.c         | 28 +++++++++++++++++++++
>  net/netfilter/nf_conntrack_irc.c            |  4 ++-
>  4 files changed, 40 insertions(+), 6 deletions(-)
> 
> -- 
> 2.54.0
> 
> 

[PATCH net-next v3 0/4] netfilter: conntrack: shared port parser for helpers

[HACKE-RC]

Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers from
application-layer data using simple_strtoul(), which requires
NUL-terminated input and returns unsigned long without range validation.

This series introduces two shared helpers in the conntrack core:

  nf_ct_helper_parse_uint() -- generic bounded integer parser that
    operates on a length-delimited buffer without requiring NUL
    termination.

  nf_ct_helper_parse_port() -- calls nf_ct_helper_parse_uint() with
    max=65535 and rejects port zero.

Patches 2 and 3 convert IRC and Amanda to use nf_ct_helper_parse_port().
Patch 4 converts the two port-parsing sites in nf_conntrack_sip to use
nf_ct_helper_parse_port() as well, retaining the SIP-specific minimum
port check (>= 1024).

v3: add nf_ct_helper_parse_uint() as the generic base; nf_ct_helper_parse_port()
    is now a thin wrapper; extend the series with a fourth patch converting
    nf_conntrack_sip (Phil Sutter)
v2: replace simple_strtoul() with a shared nf_ct_helper_parse_port()
    in the conntrack helper core, modelled on 8cf6809cddcb (Florian Westphal)
v1: inline range checks in IRC and Amanda

HACKE-RC (4):
  netfilter: conntrack: add shared port and uint parsers for helpers
  netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
  netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()
  netfilter: nf_conntrack_sip: use nf_ct_helper_parse_port()

 include/net/netfilter/nf_conntrack_helper.h |  5 +++
 net/netfilter/nf_conntrack_amanda.c         | 11 +++---
 net/netfilter/nf_conntrack_helper.c         | 39 +++++++++++++++++++++
 net/netfilter/nf_conntrack_irc.c            |  4 ++-
 net/netfilter/nf_conntrack_sip.c            | 14 ++++----
 5 files changed, 61 insertions(+), 12 deletions(-)

-- 
2.54.0

[PATCH net-next v3 1/4] netfilter: conntrack: add shared port and uint parsers for helpers

[HACKE-RC]

Add nf_ct_helper_parse_uint() for bounded unsigned integer parsing
from an unterminated buffer, and nf_ct_helper_parse_port() which calls
it with max=65535 and rejects port zero.  Both helpers are exported so
conntrack protocol helpers can replace ad-hoc simple_strtoul() usage.

Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 include/net/netfilter/nf_conntrack_helper.h |  5 +++
 net/netfilter/nf_conntrack_helper.c         | 39 +++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index de2f956ab..ab145fcd9 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -160,6 +160,11 @@ nf_ct_helper_expectfn_find_by_name(const char *name);
 struct nf_ct_helper_expectfn *
 nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
 
+int nf_ct_helper_parse_uint(const char *cp, unsigned int len,
+			    unsigned long max, unsigned long *val, char **endp);
+int nf_ct_helper_parse_port(const char *cp, unsigned int len,
+			    u16 *port, char **endp);
+
 extern struct hlist_head *nf_ct_helper_hash;
 extern unsigned int nf_ct_helper_hsize;
 
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index a715304a5..f6229957c 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -499,6 +499,45 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat)
 }
 EXPORT_SYMBOL_GPL(nf_nat_helper_unregister);
 
+int nf_ct_helper_parse_uint(const char *cp, unsigned int len,
+			    unsigned long max, unsigned long *val, char **endp)
+{
+	unsigned long result = 0;
+
+	if (!len || *cp < '0' || *cp > '9')
+		return -1;
+
+	while (len > 0 && *cp >= '0' && *cp <= '9') {
+		result = result * 10 + (*cp - '0');
+		if (result > max)
+			return -1;
+		cp++;
+		len--;
+	}
+
+	*val = result;
+	if (endp)
+		*endp = (char *)cp;
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_parse_uint);
+
+int nf_ct_helper_parse_port(const char *cp, unsigned int len,
+			    u16 *port, char **endp)
+{
+	unsigned long val;
+
+	if (nf_ct_helper_parse_uint(cp, len, 65535, &val, endp))
+		return -1;
+	if (val == 0)
+		return -1;
+
+	*port = val;
+	return 0;
+}
+EXPORT_SYMBOL_GPL(nf_ct_helper_parse_port);
+
 int nf_conntrack_helper_init(void)
 {
 	nf_ct_helper_hsize = 1; /* gets rounded up to use one page */
-- 
2.54.0

[PATCH net-next v3 2/4] netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()

[HACKE-RC]

Replace simple_strtoul() with the new nf_ct_helper_parse_port() helper.
This removes the dependency on NUL-terminated strings and adds an
explicit port range check, rejecting port 0 and values above 65535.

Fixes: 869f37d8e48f ("netfilter: nf_conntrack_irc - Fix uninitialised variable warning")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_irc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a..1b51f5a6a 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -93,7 +93,9 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip,
 		data++;
 	}
 
-	*port = simple_strtoul(data, &data, 10);
+	if (nf_ct_helper_parse_port(data, data_end - data, port, &data))
+		return -1;
+
 	*ad_end_p = data;
 
 	return 0;
-- 
2.54.0

[PATCH net-next v3 3/4] netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()

[HACKE-RC]

Replace simple_strtoul() with the new nf_ct_helper_parse_port() helper.
This removes the dependency on NUL-terminated strings and adds an
explicit port range check, rejecting port 0 and values above 65535.

Fixes: 16958900578b ("netfilter: nf_conntrack_amanda: the match is called 'amanda', not 'AMANDA'")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_amanda.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index d2c09e8dd..30b5c4b84 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb,
 	struct nf_conntrack_expect *exp;
 	struct nf_conntrack_tuple *tuple;
 	unsigned int dataoff, start, stop, off, i;
+	nf_nat_amanda_hook_fn *nf_nat_amanda;
 	char pbuf[sizeof("65535")], *tmp;
+	int ret = NF_ACCEPT;
 	u_int16_t len;
+	u16 parsed_port;
 	__be16 port;
-	int ret = NF_ACCEPT;
-	nf_nat_amanda_hook_fn *nf_nat_amanda;
 
 	/* Only look at packets from the Amanda server */
 	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
@@ -132,10 +133,10 @@ static int amanda_help(struct sk_buff *skb,
 			break;
 		pbuf[len] = '\0';
 
-		port = htons(simple_strtoul(pbuf, &tmp, 10));
-		len = tmp - pbuf;
-		if (port == 0 || len > 5)
+		if (nf_ct_helper_parse_port(pbuf, len, &parsed_port, &tmp))
 			break;
+		port = htons(parsed_port);
+		len = tmp - pbuf;
 
 		exp = nf_ct_expect_alloc(ct);
 		if (exp == NULL) {
-- 
2.54.0

[PATCH net-next v3 4/4] netfilter: nf_conntrack_sip: use nf_ct_helper_parse_port()

[HACKE-RC]

Replace simple_strtoul() based port parsing in ct_sip_parse_request()
and ct_sip_parse_header_uri() with nf_ct_helper_parse_port(), which
handles the bounded parse without requiring NUL-termination.  The
SIP-specific minimum port check (>= 1024) is retained as before.

Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/netfilter/nf_conntrack_sip.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 182cfb119..ac29f0762 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -241,7 +241,7 @@ int ct_sip_parse_request(const struct nf_conn *ct,
 {
 	const char *start = dptr, *limit = dptr + datalen, *end;
 	unsigned int mlen;
-	unsigned int p;
+	u16 p;
 	int shift = 0;
 
 	/* Skip method and following whitespace */
@@ -269,8 +269,9 @@ int ct_sip_parse_request(const struct nf_conn *ct,
 		return -1;
 	if (end < limit && *end == ':') {
 		end++;
-		p = simple_strtoul(end, (char **)&end, 10);
-		if (p < 1024 || p > 65535)
+		if (nf_ct_helper_parse_port(end, limit - end, &p, (char **)&end))
+			return -1;
+		if (p < 1024)
 			return -1;
 		*port = htons(p);
 	} else
@@ -509,7 +510,7 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 			    union nf_inet_addr *addr, __be16 *port)
 {
 	const char *c, *limit = dptr + datalen;
-	unsigned int p;
+	u16 p;
 	int ret;
 
 	ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
@@ -522,8 +523,9 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
 		return -1;
 	if (*c == ':') {
 		c++;
-		p = simple_strtoul(c, (char **)&c, 10);
-		if (p < 1024 || p > 65535)
+		if (nf_ct_helper_parse_port(c, limit - c, &p, (char **)&c))
+			return -1;
+		if (p < 1024)
 			return -1;
 		*port = htons(p);
 	} else
-- 
2.54.0

[PATCH net-next v2 0/3] netfilter: conntrack: add shared port parser and use it in IRC and Amanda helpers

[HACKE-RC]

Both nf_conntrack_irc and nf_conntrack_amanda parse port numbers
from application-layer protocol data using simple_strtoul(), which
relies on nul-terminated strings and returns unsigned long without
range checking. Port values above 65535 silently truncate when
stored in u16.

This v2 adds a shared nf_ct_helper_parse_port() function to the
conntrack helper core, modeled after the approach in 8cf6809cddcb
("netfilter: nf_conntrack_sip: don't use simple_strtoul"), then
converts both helpers to use it.

Changes since v1:
  - Added shared nf_ct_helper_parse_port() in the helper core
    instead of open-coding range checks in each helper (Pablo)
  - Parser does not rely on nul-terminated strings
  - Dropped simple_strtoul usage entirely for port parsing

HACKE-RC (3):
  netfilter: conntrack: add shared port parser for helpers
  netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
  netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()

 include/net/netfilter/nf_conntrack_helper.h |  3 +++
 net/netfilter/nf_conntrack_amanda.c         | 11 ++++----
 net/netfilter/nf_conntrack_helper.c         | 28 +++++++++++++++++++++
 net/netfilter/nf_conntrack_irc.c            |  4 ++-
 4 files changed, 40 insertions(+), 6 deletions(-)

-- 
2.54.0