From: Hangbin Liu <liuhangbin@gmail.com>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Andrew Lunn <andrew@lunn.ch>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Hangbin Liu <liuhangbin@gmail.com>
Subject: [PATCH net-next v2 4/5] netlink: add a nla_nest_end_safe() helper
Date: Wed, 08 Apr 2026 15:08:52 +0800 [thread overview]
Message-ID: <20260408-b4-ynl_ethtool-v2-4-7623a5e8f70b@gmail.com> (raw)
In-Reply-To: <20260408-b4-ynl_ethtool-v2-0-7623a5e8f70b@gmail.com>
The nla_len field in struct nlattr is a __u16, which can only hold
values up to 65535. If a nested attribute grows beyond this limit,
nla_nest_end() silently truncates the length, producing a corrupted
netlink message with no indication of the problem.
Since nla_nest_end() is used everywhere and this issue rarely happens,
let's add a new helper to check the length.
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
include/net/netlink.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 1a8356ca4b78..546d10586576 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -2264,6 +2264,25 @@ static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
return skb->len;
}
+/**
+ * nla_nest_end_safe - Validate and finalize nesting of attributes
+ * @skb: socket buffer the attributes are stored in
+ * @start: container attribute
+ *
+ * Corrects the container attribute header to include all appended
+ * attributes.
+ *
+ * Returns: the total data length of the skb, or -EMSGSIZE if the
+ * nested attribute length exceeds U16_MAX.
+ */
+static inline int nla_nest_end_safe(struct sk_buff *skb, struct nlattr *start)
+{
+ if (skb_tail_pointer(skb) - (unsigned char *)start > U16_MAX)
+ return -EMSGSIZE;
+
+ return nla_nest_end(skb, start);
+}
+
/**
* nla_nest_cancel - Cancel nesting of attributes
* @skb: socket buffer the message is stored in
--
Git-155)
next prev parent reply other threads:[~2026-04-08 7:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 7:08 [PATCH net-next v2 0/5] ynl/ethtool/netlink: fix nla_len overflow for large string sets Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 1/5] tools: ynl: move ethtool.py to selftest Hangbin Liu
2026-04-08 16:42 ` Stanislav Fomichev
2026-04-08 7:08 ` [PATCH net-next v2 2/5] tools: ynl: ethtool: use doit instead of dumpit for per-device GET Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 3/5] tools: ynl: ethtool: add --dbg-small-recv option Hangbin Liu
2026-04-08 7:08 ` Hangbin Liu [this message]
2026-04-08 7:08 ` [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow Hangbin Liu
2026-04-08 16:43 ` Stanislav Fomichev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408-b4-ynl_ethtool-v2-4-7623a5e8f70b@gmail.com \
--to=liuhangbin@gmail.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox