author Giuseppe Caruso <giuseppecaruso0990@gmail.com> 2026-04-10 09:57:33 -0400
committer Florian Westphal <fw@strlen.de> 2026-05-25 20:00:04 +0200
commit 2b413fc689ba890348db13a4daa5adf42846ebca
tree 9644ffb7100dc438f35e457c4bbd4340fa3e9742 /include/linux
parent e928ab085d8ab775fe0cb8bad15340081b201f52
netfilter: nf_conntrack_ftp: avoid u16 overflows

get_port and try_number() parse comma-separated decimal values from FTP PORT and EPRT commands into a u_int32_t array, but do not validate that each value fits in a single octet.

RFC 959 specifies that PORT parameters are decimal integers in the range 0-255, representing the four octets of an IP address followed by two octets encoding the port number. Values exceeding 255 are silently accepted.

In try_rfc959(), the raw u32 values are combined via shift-and-OR to form the IP and port:

    cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
                       (array[2] << 8) | array[3]);
    cmd->u.tcp.port = htons((array[4] << 8) | array[5]);

When array elements exceed 255, bits from one field bleed into adjacent fields after shifting, producing IP addresses and port numbers that differ from what the text representation suggests.

For example, "PORT 10,0,1,2,256,22" yields port (256<<8)|22 = 65558, truncated to u16 = 22. This mismatch between the textual and computed values can confuse network monitoring tools that parse FTP commands independently.

Ignore the command by returning 0 (no match) when any accumulated value exceeds 255 so that no expectation is created.

Signed-off-by: Giuseppe Caruso <giuseppecaruso0990@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
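
The mismatch described in the commit message, reproduced as an added userspace example that is not the kernel's code and not part of the commit. The function names and the strict flag are hypothetical, the whole input string is taken to be the six-value argument list, and addresses and ports are returned in host byte order (no htonl/htons).

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace sketch with hypothetical names, not the kernel's parser.
 * Parses "a,b,c,d,e,f"; with strict set, any value above 255 fails the
 * parse (return 0), the behaviour the commit message describes. */
static int parse_port_args(const char *s, uint32_t out[6], int strict)
{
    int i = 0, digits = 0;
    out[0] = 0;
    for (; *s; s++) {
        if (*s >= '0' && *s <= '9') {
            out[i] = out[i] * 10 + (uint32_t)(*s - '0');
            digits++;
            if (strict && out[i] > 255)
                return 0;       /* not an octet: no match */
        } else if (*s == ',' && digits && i < 5) {
            out[++i] = 0;
            digits = 0;
        } else {
            return 0;           /* malformed input */
        }
    }
    return i == 5 && digits > 0;
}

/* Port as computed by shift-and-OR (host order), or -1 if ignored. */
static int port_from_command(const char *args, int strict)
{
    uint32_t a[6];
    if (!parse_port_args(args, a, strict))
        return -1;
    return (uint16_t)((a[4] << 8) | a[5]);  /* truncated to 16 bits */
}

/* IPv4 address as computed by shift-and-OR (host order), or -1. */
static int64_t ip_from_command(const char *args, int strict)
{
    uint32_t a[6];
    if (!parse_port_args(args, a, strict))
        return -1;
    return (a[0] << 24) | (a[1] << 16) | (a[2] << 8) | a[3];
}

int main(void)
{
    const char *cmd = "10,0,1,2,256,22";  /* example from the commit message */
    printf("lenient port %d, strict %d\n", port_from_command(cmd, 0), port_from_command(cmd, 1));
    return 0;
}
```

The constructed input "10,0,0,258,0,21" shows the same effect on the address: without the range check, the fourth value spills into the third octet.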