In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: don't use simple_strtoul
Replace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(), and ct_sip_parse_request() with a new sip_parse_port() helper that validates each digit against the buffer limit, eliminating the use of simple_strtoul() which assumes NUL-terminated strings.
The previous code dereferenced pointers without bounds checks after sip_parse_addr() and relied on simple_strtoul() on non-NUL-terminated skb data. A port that reaches the buffer limit without a trailing character is also rejected as malformed.
Also get rid of all simple_strtoul() usage in conntrack, prefer a stricter version instead. There are intentional changes:
- Bail out if number is > UINT_MAX and indicate a failure, same for
- Force base 10 in ct_sip_parse_numerical_param(). This is used to fetch
- In nf_nat_sip.c, only accept the parsed value if its within the 1k-64k
- epaddr_len now returns 0 if the port is invalid, as it already does
Based on an earlier patch from Jenny Guanni Qu .