From: Stanislav Fomichev <sdf.kernel@gmail.com>
To: Hangbin Liu <liuhangbin@gmail.com>
Cc: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Andrew Lunn <andrew@lunn.ch>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow
Date: Wed, 8 Apr 2026 09:43:35 -0700 [thread overview]
Message-ID: <adaFjwkOrPoBgzoc@devvm17672.vll0.facebook.com> (raw)
In-Reply-To: <20260408-b4-ynl_ethtool-v2-5-7623a5e8f70b@gmail.com>
On 04/08, Hangbin Liu wrote:
> The netlink attribute length field nla_len is a __u16, which can only
> represent values up to 65535 bytes. NICs with a large number of
> statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
> entries) can produce a ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
> this limit.
>
> When nla_nest_end() writes the actual nest size back to nla_len, the
> value is silently truncated. This results in a corrupted netlink message
> being sent to userspace: the parser reads a wrong (truncated) attribute
> length and misaligns all subsequent attribute boundaries, causing decode
> errors.
>
> Fix this by using the new helper nla_nest_end_safe and error out if
> the size exceeds U16_MAX.
Not sure that's the user supposed to do? Does it mean there is no way
to retrieve ETHTOOL_A_STRINGSET_STRINGS for those devices with too
many strings?
prev parent reply other threads:[~2026-04-08 16:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 7:08 [PATCH net-next v2 0/5] ynl/ethtool/netlink: fix nla_len overflow for large string sets Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 1/5] tools: ynl: move ethtool.py to selftest Hangbin Liu
2026-04-08 16:42 ` Stanislav Fomichev
2026-04-08 7:08 ` [PATCH net-next v2 2/5] tools: ynl: ethtool: use doit instead of dumpit for per-device GET Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 3/5] tools: ynl: ethtool: add --dbg-small-recv option Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 4/5] netlink: add a nla_nest_end_safe() helper Hangbin Liu
2026-04-08 7:08 ` [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow Hangbin Liu
2026-04-08 16:43 ` Stanislav Fomichev [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adaFjwkOrPoBgzoc@devvm17672.vll0.facebook.com \
--to=sdf.kernel@gmail.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=donald.hunter@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liuhangbin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox