ethtool: strset: check nla_len overflow - wireguard-linux

diff options

author	Hangbin Liu <liuhangbin@gmail.com>	2026-04-08 15:08:53 +0800
committer	Jakub Kicinski <kuba@kernel.org>	2026-04-12 11:23:50 -0700
commit	b2fb1a336383f1fb4667a9cc930c70f52ae1e20e (patch)
tree	02d67dde984beb008ce87dcfb9b3493a6bb688f5 /rust/kernel/ssh:/git@git.zx2c4.com
parent	netlink: add a nla_nest_end_safe() helper (diff)

ethtool: strset: check nla_len overflow

The netlink attribute length field nla_len is a __u16, which can only represent values up to 65535 bytes. NICs with a large number of statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS entries) can produce a ETHTOOL_A_STRINGSET_STRINGS nest that exceeds this limit. When nla_nest_end() writes the actual nest size back to nla_len, the value is silently truncated. This results in a corrupted netlink message being sent to userspace: the parser reads a wrong (truncated) attribute length and misaligns all subsequent attribute boundaries, causing decode errors. Fix this by using the new helper nla_nest_end_safe and error out if the size exceeds U16_MAX. Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Link: https://patch.msgid.link/20260408-b4-ynl_ethtool-v2-5-7623a5e8f70b@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'rust/kernel/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: