Re: [PATCH nf] netfilter/osf: avoid OOB read
From: Florian Westphal <fw@strlen.de>
Date: 2023-08-30 23:00:00
Also in:
lkml, netfilter-devel
Wander Lairson Costa [off-list ref] wrote:
> The opt_num field is controlled by user mode and is not currently validated inside the kernel. An attacker can take advantage of this to trigger an OOB read and potentially leak information.

[..]

Can you send a v2 that rejects bogus nf_osf_user_finger structs? nfnl_osf_add_callback() seems to be the right place to refuse it.
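
The add-time rejection requested above, sketched as an added example that is not part of the original mail and not the kernel's code: a user-space model in which every name (`model_finger`, `model_osf_add`, `model_osf_opt_bytes`, `MODEL_MAX_OPTS`, `MODEL_TABLE_SIZE`) and the struct layout are assumptions. It shows why validating once on the add path lets the later match loop trust `opt_num`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified user-space model; names, sizes and layout are assumptions. */
#define MODEL_MAX_OPTS   40
#define MODEL_TABLE_SIZE 8

struct model_opt { uint16_t kind, length; };

struct model_finger {
    uint16_t opt_num;                     /* option count chosen by user space */
    struct model_opt opt[MODEL_MAX_OPTS]; /* fixed-size option array */
};

struct model_table {
    size_t count;
    struct model_finger entries[MODEL_TABLE_SIZE];
};

/* Add path: the only place untrusted bytes enter, so validate here. */
int model_osf_add(struct model_table *t, const void *payload, size_t len)
{
    struct model_finger f;

    if (len != sizeof(f))                 /* truncated or oversized message */
        return -EINVAL;
    memcpy(&f, payload, sizeof(f));       /* copy first, then check the copy */
    if (f.opt_num > MODEL_MAX_OPTS)       /* count must fit the opt[] array */
        return -EINVAL;
    if (t->count == MODEL_TABLE_SIZE)
        return -ENOSPC;
    t->entries[t->count++] = f;
    return 0;
}

/* Match path: walks opt[0..opt_num) and relies on the add-time check. */
unsigned int model_osf_opt_bytes(const struct model_finger *f)
{
    unsigned int total = 0;

    for (uint16_t i = 0; i < f->opt_num; i++)
        total += f->opt[i].length;
    return total;
}
```
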