author Hangbin Liu <liuhangbin@gmail.com> 2026-04-08 10:08:53 +0300
committer Jakub Kicinski <kuba@kernel.org> 2026-04-12 21:23:50 +0300
commit b2fb1a336383f1fb4667a9cc930c70f52ae1e20e
tree 02d67dde984beb008ce87dcfb9b3493a6bb688f5
parent 1346586a9ac96588eff586ca1893dd2e88b88510
ethtool: strset: check nla_len overflow
The netlink attribute length field nla_len is a __u16, which can only represent values up to 65535 bytes. NICs with a large number of statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS entries) can produce an ETHTOOL_A_STRINGSET_STRINGS nest that exceeds this limit.

When nla_nest_end() writes the actual nest size back to nla_len, the value is silently truncated. This results in a corrupted netlink message being sent to userspace: the parser reads a wrong (truncated) attribute length and misaligns all subsequent attribute boundaries, causing decode errors.

Fix this by using the new helper nla_nest_end_safe and error out if the size exceeds U16_MAX.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260408-b4-ynl_ethtool-v2-5-7623a5e8f70b@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- net/ethtool/strset.c 3
1 files changed, 2 insertions, 1 deletions
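The truncation described in the commit message, as an added userspace model that is not part of the commit and is not kernel code. It assumes a simplified layout (flat 32-byte string attributes instead of the real per-string nests), constructed type values, and hypothetical helper names (`put_hdr`, `build`, `type_after_nest`, `demo`); the `checked` path only mirrors the "error out if the size exceeds U16_MAX" behaviour the message states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR     4u   /* attribute header: u16 length + u16 type */
#define STR_LEN 32u  /* ETH_GSTRING_LEN */
enum { T_NEST = 1, T_STR = 2, T_NEXT = 3 };  /* constructed type values */

static void put_hdr(uint8_t *p, uint32_t len, uint16_t type) {
    uint16_t l = (uint16_t)len;  /* silent truncation, as in a __u16 nla_len */
    memcpy(p, &l, 2);
    memcpy(p + 2, &type, 2);
}

/* Fill a nest with n strings, then one sibling attribute after the nest.
 * Returns 0, or -1 when checked and the nest length does not fit in 16 bits. */
static int build(uint8_t *buf, unsigned n, int checked) {
    uint8_t *p = buf + HDR;
    for (unsigned i = 0; i < n; i++, p += HDR + STR_LEN) {
        put_hdr(p, HDR + STR_LEN, T_STR);
        memset(p + HDR, 'a', STR_LEN);
    }
    uint32_t nest_len = (uint32_t)(p - buf);
    if (checked && nest_len > UINT16_MAX)
        return -1;
    put_hdr(buf, nest_len, T_NEST);
    put_hdr(p, HDR, T_NEXT);
    return 0;
}

/* Receiver side: skip the nest using its length field, return the next type. */
static int type_after_nest(const uint8_t *buf) {
    uint16_t len, type;
    memcpy(&len, buf, 2);
    memcpy(&type, buf + len + 2, 2);
    return type;
}

/* Type the receiver sees after the nest, or -1 if the builder refused. */
static int demo(unsigned n, int checked) {
    uint8_t *buf = calloc(1, 2 * HDR + (size_t)n * (HDR + STR_LEN));
    if (!buf)
        return -2;
    int out = build(buf, n, checked) < 0 ? -1 : type_after_nest(buf);
    free(buf);
    return out;
}

int main(void) {
    printf("%d %d %d\n", demo(100, 0), demo(2000, 0), demo(2000, 1));
    return 0;
}
```

With 2000 strings the unchecked builder stores 72004 as 6468, so the receiver lands inside string payload and reads `0x6161` as the next attribute type instead of `T_NEXT`.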
diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c
index 9271aba8255e..bb1e829ba099 100644
--- a/net/ethtool/strset.c
+++ b/net/ethtool/strset.c
@@ -443,7 +443,8 @@ static int strset_fill_set(struct sk_buff *skb,
if (strset_fill_string(skb, set_info, i) < 0)
goto nla_put_failure;
}
- nla_nest_end(skb, strings_attr);
+ if (nla_nest_end_safe(skb, strings_attr) < 0)
+ goto nla_put_failure;
}
nla_nest_end(skb, stringset_attr);
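Review bot: The outer nest is still closed with the unchecked nla_nest_end(skb, stringset_attr) on the last context line, and because stringset_attr is closed after strings_attr it must be at least as long as the inner nest plus its own header and any sibling attributes. An inner nest that passes the new check just under U16_MAX can therefore still push the outer nla_len past 65535 and truncate it in the same way. Consider closing stringset_attr with nla_nest_end_safe() as well, with the same goto nla_put_failure, and checking whether any nest that encloses this one in the callers needs the same treatment. It would also help to state in the commit message which error userspace receives for such a device, since the request now fails instead of returning a malformed reply.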