From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 1/3] netfilter: conntrack: add shared port parser for helpers
Date: Fri, 1 May 2026 12:01:54 +0530
Message-ID: <20260501063156.2520780-2-rc@rexion.ai>
In-Reply-To: <20260501063156.2520780-1-rc@rexion.ai>
References: <20260501063156.2520780-1-rc@rexion.ai>

Add nf_ct_helper_parse_port() to the conntrack helper core. This provides a port parser that does not rely on nul-terminated strings, taking an explicit length parameter and validating the result fits in the 1-65535 range.

Modeled after the approach in 8cf6809cddcb ("netfilter: nf_conntrack_sip: don't use simple_strtoul") but as a shared function so IRC, Amanda, and other helpers can use it instead of open-coding simple_strtoul calls with ad-hoc range checks.

Signed-off-by: HACKE-RC --- include/net/netfilter/nf_conntrack_helper.h | 3 +++ net/netfilter/nf_conntrack_helper.c | 28 +++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netf= ilter/nf_conntrack_helper.h index de2f956ab..db19fe25f 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -160,6 +160,9 @@ nf_ct_helper_expectfn_find_by_name(const char *name); struct nf_ct_helper_expectfn * nf_ct_helper_expectfn_find_by_symbol(const void *symbol); =20 +int nf_ct_helper_parse_port(const char *cp, unsigned int len, + u16 *port, char **endp); + extern struct hlist_head *nf_ct_helper_hash; extern unsigned int nf_ct_helper_hsize; =20 diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntra= ck_helper.c index a715304a5..12f51670d 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c 
@@ -499,6 +499,34 @@ void nf_nat_helper_unregister(struct nf_conntrack_nat_= helper *nat) } EXPORT_SYMBOL_GPL(nf_nat_helper_unregister); =20 +int nf_ct_helper_parse_port(const char *cp, unsigned int len, + u16 *port, char **endp) +{ + unsigned long result =3D 0; + const char *start =3D cp; + + while (len > 0 && *cp >=3D '0' && *cp <=3D '9') { + result =3D result * 10 + (*cp - '0'); + if (result > 65535) + return -1; + cp++; + len--; + } + + if (cp =3D=3D start) + return -1; + + if (result =3D=3D 0) + return -1; + + *port =3D result; + if (endp) + *endp =3D (char *)cp; + + return 0; +} +EXPORT_SYMBOL_GPL(nf_ct_helper_parse_port); + int nf_conntrack_helper_init(void) { nf_ct_helper_hsize =3D 1; /* gets rounded up to use one page */ --=20 2.54.0
From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 2/3] netfilter: nf_conntrack_irc: use nf_ct_helper_parse_port()
Date: Fri, 1 May 2026 12:01:55 +0530
Message-ID: <20260501063156.2520780-3-rc@rexion.ai>
In-Reply-To: <20260501063156.2520780-1-rc@rexion.ai>
References: <20260501063156.2520780-1-rc@rexion.ai>

Replace the bare simple_strtoul() call for port parsing with the shared nf_ct_helper_parse_port(). This avoids reliance on the nul-terminated string guarantee (currently provided by the newline scan earlier in parse_dcc) and validates the port fits in u16.

The simple_strtoul() for the IP address field is left as-is since it returns unsigned long for a __be32 conversion, which is a separate concern.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: HACKE-RC
--- net/netfilter/nf_conntrack_irc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_= irc.c index 522183b9a..1b51f5a6a 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c
@@ -93,7 +93,9 @@ static int parse_dcc(char *data, const char *data_end, __= be32 *ip, data++; } =20 - *port =3D simple_strtoul(data, &data, 10); + if (nf_ct_helper_parse_port(data, data_end - data, port, &data)) + return -1; + *ad_end_p =3D data; =20 return 0; --=20 2.54.0
From: HACKE-RC
To: Pablo Neira Ayuso, Florian Westphal
Cc: Phil Sutter, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, HACKE-RC
Subject: [PATCH net-next v2 3/3] netfilter: nf_conntrack_amanda: use nf_ct_helper_parse_port()
Date: Fri, 1 May 2026 12:01:56 +0530
Message-ID: <20260501063156.2520780-4-rc@rexion.ai>
In-Reply-To: <20260501063156.2520780-1-rc@rexion.ai>
References: <20260501063156.2520780-1-rc@rexion.ai>

Replace the bare simple_strtoul() call with the shared nf_ct_helper_parse_port(). This removes reliance on the nul-terminated pbuf string for parsing and validates the port range in a single call.

The len > 5 guard and port == 0 check are now handled by the shared parser, which rejects zero and values above 65535.

Reorder local variable declarations to reverse christmas tree.

Fixes: 16958900578b ("[NETFILTER]: nf_conntrack/nf_nat: add amanda helper port")
Signed-off-by: HACKE-RC
--- net/netfilter/nf_conntrack_amanda.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntra= ck_amanda.c index d2c09e8dd..30b5c4b84 100644 --- a/net/netfilter/nf_conntrack_amanda.c +++ b/net/netfilter/nf_conntrack_amanda.c
@@ -88,11 +88,12 @@ static int amanda_help(struct sk_buff *skb, struct nf_conntrack_expect *exp; struct nf_conntrack_tuple *tuple; unsigned int dataoff, start, stop, off, i; + nf_nat_amanda_hook_fn *nf_nat_amanda; char pbuf[sizeof("65535")], *tmp; + int ret =3D NF_ACCEPT; u_int16_t len; + u16 parsed_port; __be16 port; - int ret =3D NF_ACCEPT; - nf_nat_amanda_hook_fn *nf_nat_amanda; =20 /* Only look at packets from the Amanda server */ if (CTINFO2DIR(ctinfo) =3D=3D IP_CT_DIR_ORIGINAL) @@ -132,10 +133,10 @@ static int amanda_help(struct sk_buff *skb, break; pbuf[len] =3D '\0'; =20 - port =3D htons(simple_strtoul(pbuf, &tmp, 10)); - len =3D tmp - pbuf; - if (port =3D=3D 0 || len > 5) + if (nf_ct_helper_parse_port(pbuf, len, &parsed_port, &tmp)) break; + port =3D htons(parsed_port); + len =3D tmp - pbuf; =20 exp =3D nf_ct_expect_alloc(ct); if (exp =3D=3D NULL) { --=20 2.54.0
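
Review bot: nf_ct_helper_parse_port(), added in the net/netfilter/nf_conntrack_helper.c hunk of patch 1/3, is exported without a kernel-doc comment, and its contract is not obvious from the signature. It stops at the first non-digit and still returns 0, accepts any number of leading zeros, leaves *port and *endp untouched on failure, and returns a bare -1 rather than an errno. Please document that callers must validate the delimiter at *endp themselves, and consider returning -EINVAL for "no digits or zero" and -ERANGE for "above 65535" so callers can tell the cases apart. The line `*endp = (char *)cp;` also casts away the const of the input pointer, which is worth a comment since it mirrors the simple_strtoul() convention on purpose.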
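
Review bot: in the parse_dcc() hunk of patch 2/3 (net/netfilter/nf_conntrack_irc.c), `data_end - data` is a pointer difference passed to the `unsigned int len` parameter, so the call is only bounded if data can never be past data_end once the `data++` loop above it finishes. Please confirm that invariant in the commit message or add an explicit check before the call, because a negative difference would turn into a very large length. The hunk also changes behaviour beyond the u16 range check the commit message mentions: a port of 0 now makes parse_dcc() return -1, where the old `*port = simple_strtoul(data, &data, 10);` stored the value and returned 0, and that deserves a sentence in the changelog.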
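
Review bot: the declaration reshuffle in the first amanda_help() hunk of patch 3/3 is unrelated to the parsing change, and the result is still not reverse christmas tree, since `u_int16_t len;` sits above the longer `u16 parsed_port;`. Because the patch carries a Fixes: tag, limiting this hunk to the one added line `u16 parsed_port;` would keep the fix minimal; the reordering can go into a separate cleanup patch. Mixing `u_int16_t` and `u16` in adjacent declarations is also worth unifying in that cleanup.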
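
Review bot: in the second amanda_help() hunk of patch 3/3 the context line `pbuf[len] = '\0';` is kept even though the parser now receives an explicit length, which does not match the commit message's statement that reliance on the nul-terminated pbuf is removed. If nothing else reads pbuf as a string, drop the terminator in this patch; if something does, say so in the changelog. It would also help to state where len is bounded to the size of pbuf before the copy, since the removed `len > 5` test was the only length check visible in this hunk.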