oss-sec mailing list archives

CVE-2022-2663: Linux netfilter: nf_conntrack_irc message handling


From: David Leadbeater <dgl () dgl cx>
Date: Tue, 30 Aug 2022 12:27:44 +1000

Description:

I've found an issue in nf_conntrack_irc where the message handling can
be confused and it incorrectly matches on the message.

Impact:

A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured.

Mitigations:

Linux: Disable nf_conntrack_irc (remove any --helper irc rules, and/or
unload the kernel module)
MikroTik: Remove IRC from the service ports list
(/ip firewall/service-port/disable irc)

Fix is posted here:
https://lore.kernel.org/netfilter-devel/20220826045658.100360-1-dgl@dgl.cx/T/
It will be making its way into upstream Linux soon.

I'll update in a couple of days with complete details.

David
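
Added example, not part of the original post: a shell check for the two Linux conditions named under Mitigations (the nf_conntrack_irc module being loaded, and iptables rules that reference the irc helper). The function names and the sample data are constructed for illustration; only iptables-save format is covered, not nftables rulesets.

```shell
#!/bin/sh
# Added example, not from the original post. Both functions read text on
# stdin so they can be exercised offline against the constructed samples.

# Exit 0 if nf_conntrack_irc is listed in /proc/modules-format input.
irc_module_loaded() {
    awk '$1 == "nf_conntrack_irc" { found = 1 } END { exit !found }'
}

# Print "table: rule" for each iptables-save rule that assigns or matches
# the irc helper (-j CT --helper irc, or -m helper --helper irc).
irc_helper_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / {
            for (i = 1; i < NF; i++) {
                h = $(i + 1); gsub(/"/, "", h)   # older output may quote the name
                if ($i == "--helper" && h == "irc") { print table ": " $0; break }
            }
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_MODULES='nf_conntrack_irc 16384 0 - Live 0x0000000000000000
nf_conntrack 172032 2 nf_conntrack_irc,nf_nat, Live 0x0000000000000000'

SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper irc -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6667 -j ACCEPT
COMMIT'

# On a live host (as root), use real input instead of the samples:
#   irc_module_loaded < /proc/modules
#   iptables-save | irc_helper_rules
if printf '%s\n' "$SAMPLE_MODULES" | irc_module_loaded; then
    echo "nf_conntrack_irc is loaded"
fi
printf '%s\n' "$SAMPLE_RULES" | irc_helper_rules
```

Any rule this prints, or a loaded module, means the helper is still in use on that host.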

