rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()

Avoid corrupting a netlink message and confuse user space in the very unlikely case rtnl_fill_prop_list was able to produce a very big nested element. This is extremely unlikely, because rtnl_prop_list_size() provisions nla_total_size(ALTIFNAMSIZ) per altname. Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260525083542.1565964-2-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Eric Dumazet <edumazet@google.com> 2026-05-25 11:35:38 +0300
committer: Jakub Kicinski <kuba@kernel.org> 2026-05-27 05:20:15 +0300
commit: 73a7c8fb2302ae78920b210c098b752b9caa6bf6 (patch)
tree: ea53efff95ba894f61afe61092b7538c0d4bba5e
parent: 2bcf59eefb9f00a2b1d426b639ee49c305a80695 (diff)
download: linux-73a7c8fb2302ae78920b210c098b752b9caa6bf6.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0aa429336ffe..cd1004410dd7 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1970,7 +1970,10 @@ static int rtnl_fill_prop_list(struct sk_buff *skb,
 	if (ret <= 0)
 		goto nest_cancel;
 
-	nla_nest_end(skb, prop_list);
+	ret = -EMSGSIZE;
+	if (nla_nest_end_safe(skb, prop_list) < 0)
+		goto nest_cancel;
+
 	return 0;
 
 nest_cancel:
author	Eric Dumazet <edumazet@google.com>	2026-05-25 11:35:38 +0300
committer	Jakub Kicinski <kuba@kernel.org>	2026-05-27 05:20:15 +0300
commit	73a7c8fb2302ae78920b210c098b752b9caa6bf6 (patch)
tree	ea53efff95ba894f61afe61092b7538c0d4bba5e
parent	2bcf59eefb9f00a2b1d426b639ee49c305a80695 (diff)
download	linux-73a7c8fb2302ae78920b210c098b752b9caa6bf6.tar.xz