[{"id":3675368,"web_url":"http://patchwork.ozlabs.org/comment/3675368/","msgid":"<adfEUtiiLzjtKd8m@strlen.de>","list_archive_url":null,"date":"2026-04-09T15:22:58","subject":"Re: [PATCH nf] netfilter: nf_conntrack_sip: fix OOB read in\n epaddr_len and ct_sip_parse_header_uri","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Weiming Shi <bestswngs@gmail.com> wrote:\n> In epaddr_len() and ct_sip_parse_header_uri(), after sip_parse_addr()\n> successfully parses an IP address, the code checks whether the next\n> character is ':' to determine if a port number follows. However,\n> neither function verifies that the pointer is still within bounds\n> before dereferencing it.\n\nI already queued up:\nhttps://patchwork.ozlabs.org/project/netfilter-devel/patch/20260313195256.2783257-1-qguanni@gmail.com/\n\nfor nf-next (I already sent the 'last' PR for 7.0).\n\nCould you check if that resolves the problem you're reporting?\n\n>  \t\tp = simple_strtoul(c, (char **)&c, 10);\n\nAll of these functions require a c-string, which we usually\ndon't have with network packet parsing.\n\nIOW, sip helper needs to be audited for these problems\nbut I don't know when I can get to it.","headers":{"Return-Path":"\n <netfilter-devel+bounces-11776-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11776-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fs3jS6B2mz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 10 Apr 2026 01:28:12 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D8D23308019B\n\tfor <incoming@patchwork.ozlabs.org>; Thu,  9 Apr 2026 15:23:04 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id AD1103DEFE1;\n\tThu,  9 Apr 2026 15:23:03 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CA9C3BBA0B;\n\tThu,  9 Apr 2026 15:23:01 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 0D77B60640; Thu, 09 Apr 2026 17:22:58 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775748183; cv=none;\n b=kLpLsZ2nbvYrUTrVRg7sJH6O29bf6vwKqqi/v1Hs1p7w2LEGVzbIe/vqH0cTuh3Iiod1Lp45WZ5/Lyp7YZX+K3f+s54zCx6XaA2lCUx2On/0lgqRrKokCE9F3udASRdOqQeQ5Jh152qta5cXMoPoA1LFbRbRMaC1hITw+kPx82E=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775748183; c=relaxed/simple;\n\tbh=8/jykii4ONZsNxIPmPDh82fKjzULUq2Qfn/VCvywlZg=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=dtbvWbiQHdAyemdU7tX1jLAxTPrzblNY7Mi4VZKKbVTqxgEGoPPAF9kGKZRc7Ubs0+yW4IrhT0fIzhGfrMqPh+axQ+QJGXjAGiEQYRsNLes6Q9lAQdY5whUTmdos74HU72+R2iRkbIV0UQCVKJJyuH57Fq8seAhzZz83GKGzydI=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Thu, 9 Apr 2026 17:22:58 +0200","From":"Florian Westphal <fw@strlen.de>","To":"Weiming Shi <bestswngs@gmail.com>","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\t\"David S . Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tPhil Sutter <phil@nwl.cc>, Simon Horman <horms@kernel.org>,\n\tPatrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org,\n\tcoreteam@netfilter.org, netdev@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org, Xiang Mei <xmei5@asu.edu>","Subject":"Re: [PATCH nf] netfilter: nf_conntrack_sip: fix OOB read in\n epaddr_len and ct_sip_parse_header_uri","Message-ID":"<adfEUtiiLzjtKd8m@strlen.de>","References":"<20260409095056.706441-2-bestswngs@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20260409095056.706441-2-bestswngs@gmail.com>"}}]