[PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow

Next message: Krzysztof Kozlowski: "Re: [PATCH v4 1/2] dt-bindings: display: panel: Add ChipWealth CH13726A AMOLED driver"
Previous message: Hangbin Liu: "[PATCH net-next v2 4/5] netlink: add a nla_nest_end_safe() helper"
In reply to: Hangbin Liu: "[PATCH net-next v2 4/5] netlink: add a nla_nest_end_safe() helper"
Next in thread: Stanislav Fomichev: "Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hangbin Liu

Date: Wed Apr 08 2026 - 03:11:50 EST

The netlink attribute length field nla_len is a __u16, which can only
represent values up to 65535 bytes. NICs with a large number of
statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
entries) can produce a ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
this limit.

When nla_nest_end() writes the actual nest size back to nla_len, the
value is silently truncated. This results in a corrupted netlink message
being sent to userspace: the parser reads a wrong (truncated) attribute
length and misaligns all subsequent attribute boundaries, causing decode
errors.

Fix this by using the new helper nla_nest_end_safe and error out if
the size exceeds U16_MAX.

Signed-off-by: Hangbin Liu <liuhangbin@xxxxxxxxx>
---
net/ethtool/strset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c
index 9271aba8255e..bb1e829ba099 100644
--- a/net/ethtool/strset.c
+++ b/net/ethtool/strset.c
@@ -443,7 +443,8 @@ static int strset_fill_set(struct sk_buff *skb,
if (strset_fill_string(skb, set_info, i) < 0)
goto nla_put_failure;
}
- nla_nest_end(skb, strings_attr);
+ if (nla_nest_end_safe(skb, strings_attr) < 0)
+ goto nla_put_failure;
}

nla_nest_end(skb, stringset_attr);

--
Git-155)