From f460c5b44257ca7a4674edcba2ab9739837be487 Mon Sep 17 00:00:00 2001
From: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
Date: Mon, 13 Apr 2026 16:53:06 +0200
Subject: [PATCH] [CVE-2026-34956] conntrack: Fix replace_substring to handle
 larger packets.

Patch 7c31be6d6c34fc8432a93e2e184fe8bb71907d22 without tests!

There is a buffer size calculation issue in replace_string that can
result in a heap overflow with a specially crafted FTP packet.  This
is a result of integer truncation when downscaling from size_t into
uint8_t size.  Correct this by setting the types to size_t until the
underlying memmove to keep the sizes intact.

The total_size, substr_size, and rep_str_size are expected to all be
sane values for the memmove, and modify_packet also expects this, so
document that as well.  In the case of FTP, those are enforced in
repl_ftp_v*_addr at the checks for MAX_FTP_V*_NAT_DELTA, and the
packet data itself should be sanitized by the ovs_strlcpy that runs
early to extract a string of appropriate length.

Fixes: bd5e81a0e596 ("Userspace Datapath: Add ALG infra and FTP.")
---
 AUTHORS.rst     |    1 +
 lib/conntrack.c |    9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -699,6 +699,7 @@
 Sean Brady                      sbrady@gtfservices.com
 Sebastian Andrzej Siewior       sebastian@breakpoint.cc
 Sébastien RICCIO                sr@swisscenter.com
+Seiji Sakurai                   Seiji.Sakurai@outlook.com
 Shweta Seth                     shwseth@cisco.com
 Simon Jouet                     simon.jouet@gmail.com
 Spiro Kourtessis                spiro@vmware.com
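Review bot: The new AUTHORS.rst entry for Seiji Sakurai is not explained anywhere in the commit message, which carries neither a Reported-by: nor a Signed-off-by: trailer. If this entry credits the reporter of CVE-2026-34956 or the author of upstream 7c31be6d6c34fc8432a93e2e184fe8bb71907d22, say so in the message (e.g. a `Reported-by:` line) so the AUTHORS change is traceable.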
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2832,9 +2832,9 @@
 }
 
 static void
-replace_substring(char *substr, uint8_t substr_size,
-                  uint8_t total_size, char *rep_str,
-                  uint8_t rep_str_size)
+replace_substring(char *substr, size_t substr_size,
+                  size_t total_size, char *rep_str,
+                  size_t rep_str_size)
 {
     memmove(substr + rep_str_size, substr + substr_size,
             total_size - substr_size);
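Review bot: Widening the parameters to size_t removes the uint8_t truncation, but `total_size - substr_size` in the memmove is still an unchecked subtraction that wraps if `substr_size > total_size`, and the move still assumes `rep_str_size - substr_size` bytes of tailroom exist. Since replace_substring is the function whose size handling was broken, consider an `ovs_assert(substr_size <= total_size);` here, or at least the same "caller has verified the lengths" comment that the second hunk adds only to modify_packet, so the invariant is visible at the point where it is consumed.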
@@ -2852,6 +2852,9 @@
     }
 }
 
+/* Replaces a substring in the packet and rewrites the packet
+ * size to match.  This function assumes the caller has verified
+ * the lengths to prevent under/over flow. */
 static void
 modify_packet(struct dp_packet *pkt, char *pkt_str, size_t size,
               char *repl_str, size_t repl_size,
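Review bot: The new comment says the caller "has verified the lengths" but does not name which relationships must hold (`size` within the string already extracted from the packet, and `repl_size - size` within the packet's available room); state them explicitly so a future caller knows what to check, and reference the MAX_FTP_V*_NAT_DELTA checks mentioned in the commit message as the place where the FTP path enforces them. Minor: "under/over flow" reads more clearly as "underflow or overflow".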
