netfilter: conntrack_irc: fix possible out-of-bounds read

When parsing fails after we've matched the command string we
should bail out instead of trying to match a different command.

This helper should be deprecated, given prevalence of TLS I doubt it has
any relevance in 2026.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 522183b9a60465884a82f24429ac18e4fcf541b3..2ebe4cb47cf61375a42582ddb7b839b6b08bbcaa 100644 (file)
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -203,7 +203,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
                        if (parse_dcc(data, data_limit, &dcc_ip,
                                       &dcc_port, &addr_beg_p, &addr_end_p)) {
                                pr_debug("unable to parse dcc command\n");
-                               continue;
+                               goto out;
                        }
 
                        pr_debug("DCC bound ip/port: %pI4:%u\n",
@@ -217,7 +217,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
                                net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
                                                     &tuple->src.u3.ip,
                                                     &dcc_ip, dcc_port);
-                               continue;
+                               goto out;
                        }
 
                        exp = nf_ct_expect_alloc(ct);