Re: [PATCH nf] netfilter: nf_conntrack_sip: fix OOB read in epaddr_len and ct_sip_parse_header_uri

From: Weiming Shi

Date: Thu Apr 09 2026 - 21:36:36 EST


On 26-04-09 17:22, Florian Westphal wrote:
> Weiming Shi <bestswngs@xxxxxxxxx> wrote:
> > In epaddr_len() and ct_sip_parse_header_uri(), after sip_parse_addr()
> > successfully parses an IP address, the code checks whether the next
> > character is ':' to determine if a port number follows. However,
> > neither function verifies that the pointer is still within bounds
> > before dereferencing it.
>
> I already queued up:
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260313195256.2783257-1-qguanni@xxxxxxxxx/
>
> for nf-next (I already sent the 'last' PR for 7.0).
>
> Could you check if that resolves the problem you're reporting?
>
> > p = simple_strtoul(c, (char **)&c, 10);
>
> All of these functions require a c-string, which we usually
> don't have with network packet parsing.
>
> IOW, sip helper needs to be audited for these problems
> but I don't know when I can get to it.

Tested-by: Weiming Shi <bestswngs@xxxxxxxxx>
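
Added example, not part of this thread or of the kernel source: a user-space sketch of the two points raised above, checking the pointer against the end of the data before testing for ':' and parsing the port digits without a NUL-terminated string. The names parse_opt_port and demo_port and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not kernel code. c points just past a parsed address,
 * limit one past the last valid byte; the data is not NUL-terminated.
 * Returns 0 and sets *port (0 = no port present), or -1 on a malformed port. */
static int parse_opt_port(const char *c, const char *limit,
                          unsigned int *port, const char **end)
{
    unsigned int p = 0;
    int digits = 0;

    *port = 0;
    *end = c;
    if (c >= limit || *c != ':')      /* bounds check before the dereference */
        return 0;
    for (c++; c < limit && *c >= '0' && *c <= '9'; c++, digits++) {
        p = p * 10 + (unsigned int)(*c - '0');
        if (p > 65535)                /* also stops overflow on long digit runs */
            return -1;
    }
    if (digits == 0)                  /* ':' with nothing after it */
        return -1;
    *port = p;
    *end = c;
    return 0;
}

/* Demo wrapper: the first len bytes of buf are the "packet", the first
 * addr_len bytes the address. Returns the port, 0 if absent, -1 if malformed. */
static long demo_port(const char *buf, size_t addr_len, size_t len)
{
    unsigned int port;
    const char *end;

    if (parse_opt_port(buf + addr_len, buf + len, &port, &end) < 0)
        return -1;
    return (long)port;
}

int main(void)
{
    static const char pkt[] = "10.0.0.1:5060;x";   /* constructed sample */

    printf("full=%ld cut_at_addr=%ld cut_mid_port=%ld\n",
           demo_port(pkt, 8, 15), demo_port(pkt, 8, 8), demo_port(pkt, 8, 11));
    return 0;
}
```

When the data ends right after the address, the parser reports "no port" without touching the byte at the limit, and a packet cut in the middle of the port yields only the digits that are inside the buffer.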