[PATCH net-next v2 00/10] net: Introduce nlmsg_payload helper

[PATCH net-next v2 00/10] net: Introduce nlmsg_payload helper

[Breno Leitao]

In the current codebase, there are multiple instances where the
structure size is checked before assigning it to a Netlink message. This
check is crucial for ensuring that the structure is correctly mapped
onto the Netlink message, providing a layer of security.

To streamline this process, Jakub Kicinski suggested creating a helper
function, `nlmsg_payload`, which verifies if the structure fits within
the message. If it does, the function returns the data; otherwise, it
returns NULL. This approach simplifies the code and reduces redundancy.

This patchset introduces the `nlmsg_payload` helper and updates several
parts of the code to use it. Further updates will follow in subsequent
patchsets.

Signed-off-by: Breno Leitao <leitao@debian.org>
---
Changes in v2:
- Add the "Return" kdoc entry for nlmsg_payload() (Jakub)
- Use the same function in some other places (Kuniyuki Iwashima)
- Link to v1: https://lore.kernel.org/r/20250411-nlmsg-v1-0-ddd4e065cb15@debian.org

---
Breno Leitao (10):
      netlink: Introduce nlmsg_payload helper
      neighbour: Use nlmsg_payload in neightbl_valid_dump_info
      neighbour: Use nlmsg_payload in neigh_valid_get_req
      rtnetlink: Use nlmsg_payload in valid_fdb_dump_strict
      mpls: Use nlmsg_payload in mpls_valid_fib_dump_req
      ipv6: Use nlmsg_payload in inet6_valid_dump_ifaddr_req
      ipv6: Use nlmsg_payload in inet6_rtm_valid_getaddr_req
      mpls: Use nlmsg_payload in mpls_valid_getroute_req
      net: fib_rules: Use nlmsg_payload in fib_valid_dumprule_req
      net: fib_rules: Use nlmsg_payload in fib_{new,del}rule()

 include/net/netlink.h | 16 ++++++++++++++++
 net/core/fib_rules.c  | 14 ++++++++------
 net/core/neighbour.c  |  8 ++++----
 net/core/rtnetlink.c  |  4 ++--
 net/ipv6/addrconf.c   |  8 ++++----
 net/mpls/af_mpls.c    |  8 ++++----
 6 files changed, 38 insertions(+), 20 deletions(-)
---
base-commit: 6a325aed130bb68790e765f923e76ec5669d2da7
change-id: 20250411-nlmsg-2dd8c30ba35c

Best regards,
-- 
Breno Leitao <leitao@debian.org>

[PATCH net-next v2 01/10] netlink: Introduce nlmsg_payload helper

[Breno Leitao]

Create a new helper function, nlmsg_payload(), to simplify checking and
retrieving Netlink message payloads.

This reduces boilerplate code for users who need to verify the message
length before accessing its data.

Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 include/net/netlink.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/net/netlink.h b/include/net/netlink.h
index 29e0db9403820..82e07e272290a 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -611,6 +611,22 @@ static inline int nlmsg_len(const struct nlmsghdr *nlh)
 	return nlh->nlmsg_len - NLMSG_HDRLEN;
 }
 
+/**
+ * nlmsg_payload - message payload if the data fits in the len
+ * @nlh: netlink message header
+ * @len: struct length
+ *
+ * Returns: The netlink message payload/data if the length is sufficient,
+ * otherwise NULL.
+ */
+static inline void *nlmsg_payload(const struct nlmsghdr *nlh, size_t len)
+{
+	if (nlh->nlmsg_len < nlmsg_msg_size(len))
+		return NULL;
+
+	return nlmsg_data(nlh);
+}
+
 /**
  * nlmsg_attrdata - head of attributes data
  * @nlh: netlink message header

-- 
2.47.1

[PATCH net-next v2 02/10] neighbour: Use nlmsg_payload in neightbl_valid_dump_info

[Breno Leitao]

Update neightbl_valid_dump_info function to utilize the new
nlmsg_payload() helper function.

This change improves code clarity and safety by ensuring that the
Netlink message payload is properly validated before accessing its data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/core/neighbour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index a07249b59ae1e..b6bc4836c6e45 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2430,12 +2430,12 @@ static int neightbl_valid_dump_info(const struct nlmsghdr *nlh,
 {
 	struct ndtmsg *ndtm;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndtm))) {
+	ndtm = nlmsg_payload(nlh, sizeof(*ndtm));
+	if (!ndtm) {
 		NL_SET_ERR_MSG(extack, "Invalid header for neighbor table dump request");
 		return -EINVAL;
 	}
 
-	ndtm = nlmsg_data(nlh);
 	if (ndtm->ndtm_pad1  || ndtm->ndtm_pad2) {
 		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor table dump request");
 		return -EINVAL;

-- 
2.47.1

[PATCH net-next v2 03/10] neighbour: Use nlmsg_payload in neigh_valid_get_req

[Breno Leitao]

Update neigh_valid_get_req function to utilize the new nlmsg_payload()
helper function.

This change improves code clarity and safety by ensuring that the
Netlink message payload is properly validated before accessing its data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/core/neighbour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b6bc4836c6e45..65cf582b5dacd 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2855,12 +2855,12 @@ static int neigh_valid_get_req(const struct nlmsghdr *nlh,
 	struct ndmsg *ndm;
 	int err, i;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndm))) {
+	ndm = nlmsg_payload(nlh, sizeof(*ndm));
+	if (!ndm) {
 		NL_SET_ERR_MSG(extack, "Invalid header for neighbor get request");
 		return -EINVAL;
 	}
 
-	ndm = nlmsg_data(nlh);
 	if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_state ||
 	    ndm->ndm_type) {
 		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor get request");

-- 
2.47.1

[PATCH net-next v2 04/10] rtnetlink: Use nlmsg_payload in valid_fdb_dump_strict

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/core/rtnetlink.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 39a5b72e861f6..31addd26b5570 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4886,12 +4886,12 @@ static int valid_fdb_dump_strict(const struct nlmsghdr *nlh,
 	struct ndmsg *ndm;
 	int err, i;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndm))) {
+	ndm = nlmsg_payload(nlh, sizeof(*ndm));
+	if (!ndm) {
 		NL_SET_ERR_MSG(extack, "Invalid header for fdb dump request");
 		return -EINVAL;
 	}
 
-	ndm = nlmsg_data(nlh);
 	if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_state ||
 	    ndm->ndm_flags || ndm->ndm_type) {
 		NL_SET_ERR_MSG(extack, "Invalid values in header for fdb dump request");

-- 
2.47.1

[PATCH net-next v2 05/10] mpls: Use nlmsg_payload in mpls_valid_fib_dump_req

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/mpls/af_mpls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 1f63b32d76d67..bf7cd290c2369 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -2095,12 +2095,12 @@ static int mpls_valid_fib_dump_req(struct net *net, const struct nlmsghdr *nlh,
 	struct rtmsg *rtm;
 	int err, i;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*rtm))) {
+	rtm = nlmsg_payload(nlh, sizeof(*rtm));
+	if (!rtm) {
 		NL_SET_ERR_MSG_MOD(extack, "Invalid header for FIB dump request");
 		return -EINVAL;
 	}
 
-	rtm = nlmsg_data(nlh);
 	if (rtm->rtm_dst_len || rtm->rtm_src_len  || rtm->rtm_tos   ||
 	    rtm->rtm_table   || rtm->rtm_scope    || rtm->rtm_type  ||
 	    rtm->rtm_flags) {

-- 
2.47.1

[PATCH net-next v2 06/10] ipv6: Use nlmsg_payload in inet6_valid_dump_ifaddr_req

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/ipv6/addrconf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 9ba83f0c99283..a9aeb949d9c8e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5346,12 +5346,12 @@ static int inet6_valid_dump_ifaddr_req(const struct nlmsghdr *nlh,
 	struct ifaddrmsg *ifm;
 	int err, i;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifm))) {
+	ifm = nlmsg_payload(nlh, sizeof(*ifm));
+	if (!ifm) {
 		NL_SET_ERR_MSG_MOD(extack, "Invalid header for address dump request");
 		return -EINVAL;
 	}
 
-	ifm = nlmsg_data(nlh);
 	if (ifm->ifa_prefixlen || ifm->ifa_flags || ifm->ifa_scope) {
 		NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for address dump request");
 		return -EINVAL;

-- 
2.47.1

[PATCH net-next v2 07/10] ipv6: Use nlmsg_payload in inet6_rtm_valid_getaddr_req

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/ipv6/addrconf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index a9aeb949d9c8e..4af2761795428 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5484,7 +5484,8 @@ static int inet6_rtm_valid_getaddr_req(struct sk_buff *skb,
 	struct ifaddrmsg *ifm;
 	int i, err;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ifm))) {
+	ifm = nlmsg_payload(nlh, sizeof(*ifm));
+	if (!ifm) {
 		NL_SET_ERR_MSG_MOD(extack, "Invalid header for get address request");
 		return -EINVAL;
 	}
@@ -5493,7 +5494,6 @@ static int inet6_rtm_valid_getaddr_req(struct sk_buff *skb,
 		return nlmsg_parse_deprecated(nlh, sizeof(*ifm), tb, IFA_MAX,
 					      ifa_ipv6_policy, extack);
 
-	ifm = nlmsg_data(nlh);
 	if (ifm->ifa_prefixlen || ifm->ifa_flags || ifm->ifa_scope) {
 		NL_SET_ERR_MSG_MOD(extack, "Invalid values in header for get address request");
 		return -EINVAL;

-- 
2.47.1

[PATCH net-next v2 08/10] mpls: Use nlmsg_payload in mpls_valid_getroute_req

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/mpls/af_mpls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index bf7cd290c2369..d536c97144e9d 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -2288,7 +2288,8 @@ static int mpls_valid_getroute_req(struct sk_buff *skb,
 	struct rtmsg *rtm;
 	int i, err;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*rtm))) {
+	rtm = nlmsg_payload(nlh, sizeof(*rtm));
+	if (!rtm) {
 		NL_SET_ERR_MSG_MOD(extack,
 				   "Invalid header for get route request");
 		return -EINVAL;
@@ -2298,7 +2299,6 @@ static int mpls_valid_getroute_req(struct sk_buff *skb,
 		return nlmsg_parse_deprecated(nlh, sizeof(*rtm), tb, RTA_MAX,
 					      rtm_mpls_policy, extack);
 
-	rtm = nlmsg_data(nlh);
 	if ((rtm->rtm_dst_len && rtm->rtm_dst_len != 20) ||
 	    rtm->rtm_src_len || rtm->rtm_tos || rtm->rtm_table ||
 	    rtm->rtm_protocol || rtm->rtm_scope || rtm->rtm_type) {

-- 
2.47.1

[PATCH net-next v2 09/10] net: fib_rules: Use nlmsg_payload in fib_valid_dumprule_req

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/core/fib_rules.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 4bc64d912a1c0..6a7a28bf631c2 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -1238,12 +1238,12 @@ static int fib_valid_dumprule_req(const struct nlmsghdr *nlh,
 {
 	struct fib_rule_hdr *frh;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
+	frh = nlmsg_payload(nlh, sizeof(*frh));
+	if (!frh) {
 		NL_SET_ERR_MSG(extack, "Invalid header for fib rule dump request");
 		return -EINVAL;
 	}
 
-	frh = nlmsg_data(nlh);
 	if (frh->dst_len || frh->src_len || frh->tos || frh->table ||
 	    frh->res1 || frh->res2 || frh->action || frh->flags) {
 		NL_SET_ERR_MSG(extack,

-- 
2.47.1

[PATCH net-next v2 10/10] net: fib_rules: Use nlmsg_payload in fib_{new,del}rule()

[Breno Leitao]

Leverage the new nlmsg_payload() helper to avoid checking for message
size and then reading the nlmsg data.

Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
---
 net/core/fib_rules.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 6a7a28bf631c2..06052b6c946b9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -852,13 +852,14 @@ int fib_newrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
 		struct netlink_ext_ack *extack, bool rtnl_held)
 {
 	struct fib_rule *rule = NULL, *r, *last = NULL;
-	struct fib_rule_hdr *frh = nlmsg_data(nlh);
 	int err = -EINVAL, unresolved = 0;
 	struct fib_rules_ops *ops = NULL;
 	struct nlattr *tb[FRA_MAX + 1];
 	bool user_priority = false;
+	struct fib_rule_hdr *frh;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
+	frh = nlmsg_payload(nlh, sizeof(*frh));
+	if (!frh) {
 		NL_SET_ERR_MSG(extack, "Invalid msg length");
 		goto errout;
 	}
@@ -980,13 +981,14 @@ int fib_delrule(struct net *net, struct sk_buff *skb, struct nlmsghdr *nlh,
 		struct netlink_ext_ack *extack, bool rtnl_held)
 {
 	struct fib_rule *rule = NULL, *nlrule = NULL;
-	struct fib_rule_hdr *frh = nlmsg_data(nlh);
 	struct fib_rules_ops *ops = NULL;
 	struct nlattr *tb[FRA_MAX+1];
 	bool user_priority = false;
+	struct fib_rule_hdr *frh;
 	int err = -EINVAL;
 
-	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
+	frh = nlmsg_payload(nlh, sizeof(*frh));
+	if (!frh) {
 		NL_SET_ERR_MSG(extack, "Invalid msg length");
 		goto errout;
 	}

-- 
2.47.1

Re: [PATCH net-next v2 10/10] net: fib_rules: Use nlmsg_payload in fib_{new,del}rule()

[Kuniyuki Iwashima]

From: Breno Leitao <leitao@debian.org>
Date: Mon, 14 Apr 2025 06:24:16 -0700
> Leverage the new nlmsg_payload() helper to avoid checking for message
> size and then reading the nlmsg data.
> 
> Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> Signed-off-by: Breno Leitao <leitao@debian.org>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>

Re: [PATCH net-next v2 00/10] net: Introduce nlmsg_payload helper

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Mon, 14 Apr 2025 06:24:06 -0700 you wrote:
> In the current codebase, there are multiple instances where the
> structure size is checked before assigning it to a Netlink message. This
> check is crucial for ensuring that the structure is correctly mapped
> onto the Netlink message, providing a layer of security.
> 
> To streamline this process, Jakub Kicinski suggested creating a helper
> function, `nlmsg_payload`, which verifies if the structure fits within
> the message. If it does, the function returns the data; otherwise, it
> returns NULL. This approach simplifies the code and reduces redundancy.
> 
> [...]

Here is the summary with links:
  - [net-next,v2,01/10] netlink: Introduce nlmsg_payload helper
    https://git.kernel.org/netdev/net-next/c/95d06e92a401
  - [net-next,v2,02/10] neighbour: Use nlmsg_payload in neightbl_valid_dump_info
    https://git.kernel.org/netdev/net-next/c/7527efe8a416
  - [net-next,v2,03/10] neighbour: Use nlmsg_payload in neigh_valid_get_req
    https://git.kernel.org/netdev/net-next/c/2d1f827f0642
  - [net-next,v2,04/10] rtnetlink: Use nlmsg_payload in valid_fdb_dump_strict
    https://git.kernel.org/netdev/net-next/c/77d02290366f
  - [net-next,v2,05/10] mpls: Use nlmsg_payload in mpls_valid_fib_dump_req
    https://git.kernel.org/netdev/net-next/c/72be72bea9dc
  - [net-next,v2,06/10] ipv6: Use nlmsg_payload in inet6_valid_dump_ifaddr_req
    https://git.kernel.org/netdev/net-next/c/e87187dfbb9f
  - [net-next,v2,07/10] ipv6: Use nlmsg_payload in inet6_rtm_valid_getaddr_req
    https://git.kernel.org/netdev/net-next/c/8cf1e30907de
  - [net-next,v2,08/10] mpls: Use nlmsg_payload in mpls_valid_getroute_req
    https://git.kernel.org/netdev/net-next/c/69a1ecfe47f0
  - [net-next,v2,09/10] net: fib_rules: Use nlmsg_payload in fib_valid_dumprule_req
    https://git.kernel.org/netdev/net-next/c/4c113c803fdc
  - [net-next,v2,10/10] net: fib_rules: Use nlmsg_payload in fib_{new,del}rule()
    https://git.kernel.org/netdev/net-next/c/8ff953036110

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html