[{"id":3676969,"web_url":"http://patchwork.ozlabs.org/comment/3676969/","msgid":"<ad159SsCudLkYKLW@chamomile>","list_archive_url":null,"date":"2026-04-13T23:19:17","subject":"Re: [PATCH 1/2] netfilter fix u16 overflow in get_port()","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Patch subject should be:\n\n  [PATCH nf-next] netfilter: nf_conntrack_ftp: fix u16 overflow in get_port()\n\nOn Fri, Apr 10, 2026 at 09:57:33AM -0400, Cyber-JA wrote:\n> 
From: Giuseppe Caruso <giuseppecaruso0990@gmail.com>\n> \n> try_number() parses comma-separated decimal values from FTP PORT and\n> EPRT commands into a u_int32_t array, but does not validate that each\n> value fits in a single octet. RFC 959 specifies that PORT parameters\n> are decimal integers in the range 0-255, representing the four octets\n> of an IP address followed by two octets encoding the port number.\n>\n> Values exceeding 255 are silently accepted. In try_rfc959(), the raw\n> u32 values are combined via shift-and-OR to form the IP and port:\n> \n>   cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |\n>                      (array[2] << 8) | array[3]);\n>   cmd->u.tcp.port = htons((array[4] << 8) | array[5]);\n> \n> When array elements exceed 255, bits from one field bleed into adjacent\n> fields after shifting, producing IP addresses and port numbers that\n> differ from what the text representation suggests. For example,\n> \"PORT 10,0,1,2,256,22\" yields port (256<<8)|22 = 65558, truncated to\n> u16 = 22. This mismatch between the textual and computed values can\n> confuse network monitoring tools that parse FTP commands independently.\n\nFair enough. But a stricter parser is better, of course.\n\n> Reject the command by returning 0 (no match) when any accumulated\n> value exceeds 255.\n\nThis can probably be expanded to say that \"returning 0 (no match)\nresults in no expectation being created\".\n\nNothing is really \"rejected\" (that happens by returning -1), no\npackets are dropped, just to clarify.\n\n> Signed-off-by: Giuseppe Caruso <giuseppecaruso0990@gmail.com>\n> ---\n>  net/netfilter/nf_conntrack_ftp.c | 10 ++++++++--\n>  1 file changed, 8 insertions(+), 2 deletions(-)\n> \n> diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c\n> index 5e00f9123c38..680dd7560ebc 100644\n> --- a/net/netfilter/nf_conntrack_ftp.c\n> +++ b/net/netfilter/nf_conntrack_ftp.c\n> 
@@ -195,7 +195,7 @@ static int try_rfc1123(const char *data, size_t dlen,\n>  static int get_port(const char *data, int start, size_t dlen, char delim,\n>  \t\t    __be16 *port)\n>  {\n> -\tu_int16_t tmp_port = 0;\n> +\tu_int32_t tmp_port = 0;\n>  \tint i;\n>  \n>  \tfor (i = start; i < dlen; i++) {\n> 
@@ -207,8 +207,14 @@ static int get_port(const char *data, int start, size_t dlen, char delim,\n>  \t\t\tpr_debug(\"get_port: return %d\\n\", tmp_port);\n>  \t\t\treturn i + 1;\n>  \t\t}\n> -\t\telse if (data[i] >= '0' && data[i] <= '9')\n> +\t\telse if (data[i] >= '0' && data[i] <= '9'){\n>  \t\t\ttmp_port = tmp_port*10 + data[i] - '0';\n> +\t\t\tif (tmp_port > 65535) {\n> +\t\t\t\tpr_debug(\"get_port: port %u out of range.\\n\",\n> +\t\t\t\t\t tmp_port);\n> +\t\t\t\tbreak;\n> +\t\t\t}\n> +\t\t}\n>  \t\telse { /* Some other crap */\n>  \t\t\tpr_debug(\"get_port: invalid char.\\n\");\n>  \t\t\tbreak;\n> -- \n> 2.53.0\n> \n>","headers":{"Date":"Tue, 14 Apr 2026 01:19:17 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Cyber-JA <giuseppecaruso0990@gmail.com>","Cc":"netfilter-devel@vger.kernel.org","Subject":"Re: [PATCH 1/2] netfilter fix u16 overflow in get_port()","Message-ID":"<ad159SsCudLkYKLW@chamomile>","References":"<20260410135733.46391-1-giuseppecaruso0990@gmail.com>","In-Reply-To":"<20260410135733.46391-1-giuseppecaruso0990@gmail.com>"}}]
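Review bot: The commit message does not describe the first hunk (@@ -195,7 +195,7 @@), which widens tmp_port in get_port() from u_int16_t to u_int32_t. The message talks about try_number() accepting octets above 255 in PORT/EPRT arguments and about returning 0 when a value exceeds 255, but nothing in this diff touches try_number() or adds a 255 bound. Please reword the description so it covers what get_port() actually gains here: a wider accumulator so that a decimal port string larger than 65535 can be detected instead of wrapping in a 16-bit variable. If the per-octet check belongs to the other patch in the series, its text should move there.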
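Review bot: In the second hunk (@@ -207,8 +207,14 @@) the new braces do not follow kernel coding style: "'9'){" needs a space before the opening brace, and once one branch is braced the chain should read "} else if (...) {" and "} else {" on the same line as the closing brace rather than starting a new line with "else". The unchanged context line pr_debug("get_port: return %d\n", tmp_port) now formats a u_int32_t with %d; switch it to %u so it matches the new "port %u out of range" message. The range check itself is placed correctly: because it runs after every digit, tmp_port is at most 65535 before the next multiply, so tmp_port*10 + 9 cannot overflow the 32-bit accumulator. It would help to state in the commit message that breaking out of the loop here means no expectation is created, as asked in the reply above.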