git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 14 Apr 2026 17:13:46 +0000 (19:13 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 20 Apr 2026 21:27:46 +0000 (23:27 +0200)
commit	6e7066bdb481a87fe88c4fa563e348c03b2d373d
tree	66cf5dbdf9d6204506247d4da764780b5c8fd1fa	tree \| snapshot
parent	2195574dc6d9017d32ac346987e12659f931d932	commit \| diff

netfilter: conntrack: remove sprintf usage

Replace it with scnprintf, the buffer sizes are expected to be large enough
to hold the result, no need for snprintf+overflow check.

Increase buffer size in mangle_content_len() while at it.

BUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5/0x1270
Write of size 1 at addr [..]
vsnprintf+0xea5/0x1270
sprintf+0xb1/0xe0
mangle_content_len+0x1ac/0x280
nf_nat_sdp_session+0x1cc/0x240
process_sdp+0x8f8/0xb80
process_invite_request+0x108/0x2b0
process_sip_msg+0x5da/0xf50
sip_help_tcp+0x45e/0x780
nf_confirm+0x34d/0x990
[..]

Fixes: 9fafcd7b2032 ("[NETFILTER]: nf_conntrack/nf_nat: add SIP helper port")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/nf_nat_amanda.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_sip.c		diff \| blob \| blame \| history