Avoid corrupting a netlink message and confusing user space in the
very unlikely case that rtnl_fill_prop_list() was able to produce a very big
nested element.
This is extremely unlikely, because rtnl_prop_list_size()
provisions nla_total_size(ALTIFNAMSIZ) per altname.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/core/rtnetlink.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 3d40ebe035b37ae0f38fb81f918eb76742371ef1..3dfa28927c7f92f906a0d89b7a1812b975d13854 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1971,12 +1971,14 @@ static int rtnl_fill_prop_list(struct sk_buff *skb,
if (ret <= 0)
goto nest_cancel;
- nla_nest_end(skb, prop_list);
+ if (nla_nest_end_safe(skb, prop_list) < 0)
+ goto nest_cancel;
+
return 0;
nest_cancel:
nla_nest_cancel(skb, prop_list);
- return ret;
+ return -EMSGSIZE;
}
static int rtnl_fill_proto_down(struct sk_buff *skb,
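Review bot: The `nest_cancel:` label now returns `-EMSGSIZE` unconditionally, but the unchanged `if (ret <= 0) goto nest_cancel;` still reaches it with `ret == 0`, which the old `return ret;` reported as success. If zero there means the device simply has no alternative names (the call that sets `ret` is above the hunk, so this is inferred), every such fill would now fail with an error instead of quietly dropping the empty nest. Keeping `return ret;` and setting the error only on the new path, `if (nla_nest_end_safe(skb, prop_list) < 0) { ret = -EMSGSIZE; goto nest_cancel; }`, preserves the old behaviour while still rejecting an oversized nested attribute. The body of rtnl_fill_prop_list starts outside the hunk.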
--
2.54.0.746.g67dd491aae-goog