[PATCH net-next 1/2] netfilter: nf_conntrack_irc: reject DCC port values above 65535

From: HACKE-RC

Date: Thu Apr 30 2026 - 12:20:40 EST


parse_dcc() stores the return value of simple_strtoul() directly into
a u_int16_t pointer. simple_strtoul() returns unsigned long, so values
above 65535 are silently truncated when assigned to the u16 output
parameter.

Use an intermediate unsigned long variable and reject out-of-range
values by returning -1, which causes the caller in help() to skip
the DCC command via the existing error path.

The dcc_port == 0 check in help() already rejects port 0, so this
change only adds the upper-bound check in the parser.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC <rc@xxxxxxxxx>
---
net/netfilter/nf_conntrack_irc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a..ffaa7ab84 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -68,6 +68,7 @@ static const char *const dccprotos[] = {
static int parse_dcc(char *data, const char *data_end, __be32 *ip,
u_int16_t *port, char **ad_beg_p, char **ad_end_p)
{
+ unsigned long parsed_port;
char *tmp;

/* at least 12: "AAAAAAAA P\1\n" */
@@ -93,7 +94,11 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip,
data++;
}

- *port = simple_strtoul(data, &data, 10);
+ parsed_port = simple_strtoul(data, &data, 10);
+ if (parsed_port > 65535)
+ return -1;
+
+ *port = parsed_port;
*ad_end_p = data;

return 0;
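Review bot: The new check at `if (parsed_port > 65535)` only catches values that still fit in an unsigned long. simple_strtoul() does not report overflow, so a long enough run of digits can wrap and come back at or below 65535, which passes this test and is then stored in *port. Consider bounding the number of digits accepted before the conversion (a valid port needs at most five), or rejecting the token if more digits were consumed than that. As a smaller style point, U16_MAX in place of the literal 65535 would tie the limit to the u_int16_t *port parameter it protects.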
--
2.54.0