From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 1/3] netfilter: conntrack: add shared port parser for helpers
Date: Thu, 30 Apr 2026 23:55:41 +0530
Message-ID: <20260430182543.3931718-2-rc@rexion.ai>
In-Reply-To: <20260430182543.3931718-1-rc@rexion.ai>
References: <20260430182543.3931718-1-rc@rexion.ai>

Add nf_ct_helper_parse_port() to the conntrack helper core. This provides a port parser that does not rely on nul-terminated strings, taking an explicit length parameter and validating the result fits in the 1-65535 range.

Modeled after the approach in 8cf6809cddcb ("netfilter: nf_conntrack_sip: don't use simple_strtoul") but as a shared function so IRC, Amanda, and other helpers can use it instead of open-coding simple_strtoul calls with ad-hoc range checks.

Signed-off-by: HACKE-RC --- include/net/netfilter/nf_conntrack_helper.h | 3 +++ net/netfilter/nf_conntrack_helper.c | 28 +++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netf= ilter/nf_conntrack_helper.h index de2f956ab..db19fe25f 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -160,6 +160,9 @@ nf_ct_helper_expectfn_find_by_name(const char *name); struct nf_ct_helper_expectfn * nf_ct_helper_expectfn_find_by_symbol(const void *symbol); =20 +int nf_ct_helper_parse_port(const char *cp, unsigned int len, + u16 *port, char **endp); + extern struct hlist_head *nf_ct_helper_hash; extern unsigned int nf_ct_helper_hsize; =20 diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntra= ck_helper.c index a715304a5..12f51670d 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c 
@@ -499,6 +499,34 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_= helper *nat) } EXPORT_SYMBOL_GPL(nf_nat_helper_unregister); =20 +int nf_ct_helper_parse_port(const char *cp, unsigned int len, + u16 *port, char **endp) +{ + unsigned long result =3D 0; + const char *start =3D cp; + + while (len > 0 && *cp >=3D '0' && *cp <=3D '9') { + result =3D result * 10 + (*cp - '0'); + if (result > 65535) + return -1; + cp++; + len--; + } + + if (cp =3D=3D start) + return -1; + + if (result =3D=3D 0) + return -1; + + *port =3D result; + if (endp) + *endp =3D (char *)cp; + + return 0; +} +EXPORT_SYMBOL_GPL(nf_ct_helper_parse_port); + int nf_conntrack_helper_init(void) { nf_ct_helper_hsize =3D 1; /* gets rounded up to use one page */ --=20 2.54.0
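
Review bot: nf_ct_helper_parse_port() in the net/netfilter/nf_conntrack_helper.c hunk is exported with no kernel-doc comment, and its contract is not obvious from the signature. It stops at the first non-digit rather than requiring all of len to be consumed, accepts any number of leading zeros, returns the port in host byte order, and leaves *port and *endp untouched on failure. Please document that above the definition so each helper knows it still has to inspect *endp itself. Two smaller points in the same hunk: the failure paths return a bare -1 where -EINVAL would be more conventional for an exported helper, and `*endp = (char *)cp;` casts away the const of the input, which deserves a comment if the signature stays as it is.
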
From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 2/3] netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
Date: Thu, 30 Apr 2026 23:55:42 +0530
Message-ID: <20260430182543.3931718-3-rc@rexion.ai>
In-Reply-To: <20260430182543.3931718-1-rc@rexion.ai>
References: <20260430182543.3931718-1-rc@rexion.ai>

Replace the bare simple_strtoul() call for port parsing with the shared nf_ct_helper_parse_port(). This avoids reliance on the nul-terminated string guarantee (currently provided by the newline scan earlier in parse_dcc) and validates the port fits in u16.

The simple_strtoul() for the IP address field is left as-is since it returns unsigned long for a __be32 conversion, which is a separate concern.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC
--- net/netfilter/nf_conntrack_irc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_= irc.c index 522183b9a..1b51f5a6a 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c
@@ -93,7 +93,9 @@ static int parse_dcc(char *data, const char *data_end, __= be32 *ip, data++; } =20 - *port =3D simple_strtoul(data, &data, 10); + if (nf_ct_helper_parse_port(data, data_end - data, port, &data)) + return -1; + *ad_end_p =3D data; =20 return 0; --=20 2.54.0
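
Review bot: the added `return -1` in the parse_dcc() hunk changes behaviour beyond what the commit message describes. The removed line stored whatever simple_strtoul() produced and fell through to `return 0`, so a missing or zero port was handed back to the caller as success; with this hunk the same input makes parse_dcc() fail before `*ad_end_p` is set. Please state that in the commit message and confirm the caller handles -1 from this path. Also, `data_end - data` is a pointer difference passed as the unsigned int len, so it is worth confirming that the scan ending in the `data++` context line can never leave data past data_end, since a negative difference would become a very large length.
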
From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 3/3] netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()
Date: Thu, 30 Apr 2026 23:55:43 +0530
Message-ID: <20260430182543.3931718-4-rc@rexion.ai>
In-Reply-To: <20260430182543.3931718-1-rc@rexion.ai>
References: <20260430182543.3931718-1-rc@rexion.ai>

Replace the bare simple_strtoul() call with the shared nf_ct_helper_parse_port(). This removes reliance on the nul-terminated pbuf string for parsing and validates the port range in a single call.

The len > 5 guard and port == 0 check are now handled by the shared parser, which rejects zero and values above 65535.

Reorder local variable declarations to reverse christmas tree.

Fixes: 16958900578b ("[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port")
Signed-off-by: HACKE-RC
--- net/netfilter/nf_conntrack_amanda.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntra= ck_amanda.c index d2c09e8dd..30b5c4b84 100644 --- a/net/netfilter/nf_conntrack_amanda.c +++ b/net/netfilter/nf_conntrack_amanda.c
@@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb, struct nf_conntrack_expect *exp; struct nf_conntrack_tuple *tuple; unsigned int dataoff, start, stop, off, i; + nf_nat_amanda_hook_fn *nf_nat_amanda; char pbuf[sizeof("65535")], *tmp; + int ret =3D NF_ACCEPT; u_int16_t len; + u16 parsed_port; __be16 port; - int ret =3D NF_ACCEPT; - nf_nat_amanda_hook_fn *nf_nat_amanda; =20 /* Only look at packets from the Amanda server */ if (CTINFO2DIR(ctinfo) =3D=3D IP_CT_DIR_ORIGINAL) @@ -132,10 +133,10 @@ static int amanda_help(struct sk_buff *skb, break; pbuf[len] =3D '\0'; =20 - port =3D htons(simple_strtoul(pbuf, &tmp, 10)); - len =3D tmp - pbuf; - if (port =3D=3D 0 || len > 5) + if (nf_ct_helper_parse_port(pbuf, len, &parsed_port, &tmp)) break; + port =3D htons(parsed_port); + len =3D tmp - pbuf; =20 exp =3D nf_ct_expect_alloc(ct); if (exp =3D=3D NULL) { --=20 2.54.0
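
Review bot: in the first amanda_help() hunk (the declaration block), the reverse christmas tree reordering of `ret` and `nf_nat_amanda` is unrelated cleanup in a patch that carries a Fixes: tag; only the `u16 parsed_port;` addition is needed for the functional change. Consider dropping the reorder or sending it separately so the diff stays minimal. The new declaration also mixes `u16` with the neighbouring `u_int16_t len;`, so pick one spelling within the block.
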
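
Review bot: in the second amanda_help() hunk, the context line `pbuf[len] = '\0';` is kept even though the parser now takes len explicitly and the commit message says the nul-terminated pbuf is no longer relied on. If nothing else reads pbuf as a string, drop the termination; otherwise note why it stays. The result check is also stricter than before: the removed code applied htons() to the unchecked simple_strtoul() value, so a five-digit number above 65535 was truncated into the `__be16 port` and accepted whenever the truncated value was non-zero, while the new call rejects it. That is worth stating in the commit message as a behaviour change.
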