From: Asbjørn Sloth Tønnesen
To: "Jason A. Donenfeld", "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Asbjørn Sloth Tønnesen, Donald Hunter, Simon Horman, Jacob Keller, Andrew Lunn, wireguard@lists.zx2c4.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH net-next v1 01/11] wireguard: netlink: validate nested arrays in policy
Date: Wed, 29 Oct 2025 20:51:09 +0000
Message-ID: <20251029205123.286115-2-ast@fiberby.net>
In-Reply-To: <20251029205123.286115-1-ast@fiberby.net>
References: <20251029205123.286115-1-ast@fiberby.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Use NLA_POLICY_NESTED_ARRAY() to perform nested array validation in the
policy validation step.

The nested policy was already enforced through nla_parse_nested(),
however extack wasn't passed previously.

Signed-off-by: Asbjørn Sloth Tønnesen

--- drivers/net/wireguard/netlink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlin= k.c index 67f962eb8b46d..9bc76e1bcba2d 100644 --- a/drivers/net/wireguard/netlink.c +++ b/drivers/net/wireguard/netlink.c
@@ -27,7 +27,7 @@ static const struct nla_policy device_policy[WGDEVICE_A_M= AX + 1] =3D { [WGDEVICE_A_FLAGS] =3D NLA_POLICY_MASK(NLA_U32, __WGDEVICE_F_ALL), [WGDEVICE_A_LISTEN_PORT] =3D { .type =3D NLA_U16 }, [WGDEVICE_A_FWMARK] =3D { .type =3D NLA_U32 }, - [WGDEVICE_A_PEERS] =3D { .type =3D NLA_NESTED } + [WGDEVICE_A_PEERS] =3D NLA_POLICY_NESTED_ARRAY(peer_policy), }; =20 static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] =3D { @@ -39,7 +39,7 @@ static const struct nla_policy peer_policy[WGPEER_A_MAX += 1] =3D { [WGPEER_A_LAST_HANDSHAKE_TIME] =3D NLA_POLICY_EXACT_LEN(sizeof(struct _= _kernel_timespec)), [WGPEER_A_RX_BYTES] =3D { .type =3D NLA_U64 }, [WGPEER_A_TX_BYTES] =3D { .type =3D NLA_U64 }, - [WGPEER_A_ALLOWEDIPS] =3D { .type =3D NLA_NESTED }, + [WGPEER_A_ALLOWEDIPS] =3D NLA_POLICY_NESTED_ARRAY(allowedip_policy), [WGPEER_A_PROTOCOL_VERSION] =3D { .type =3D NLA_U32 } }; =20 @@ -467,7 +467,7 @@ static int set_peer(struct wg_device *wg, struct nlattr= **attrs) =20 nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) { ret =3D nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX, - attr, allowedip_policy, NULL); + attr, NULL, NULL); if (ret < 0) goto out; ret =3D set_allowedip(peer, allowedip); @@ -593,7 +593,7 @@ static int wg_set_device(struct sk_buff *skb, struct ge= nl_info *info) =20 nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) { ret =3D nla_parse_nested(peer, WGPEER_A_MAX, attr, - peer_policy, NULL); + NULL, NULL); if (ret < 0) goto out; ret =3D set_peer(wg, peer); --=20 2.51.0
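
Review bot: In the first hunk, device_policy now references peer_policy through NLA_POLICY_NESTED_ARRAY(peer_policy), but the context lines show peer_policy being defined only after device_policy closes, and the diffstat (4 insertions, 4 deletions) adds no forward declaration. The same ordering question applies to allowedip_policy in the peer_policy hunk. If the file has no earlier declarations, add them ahead of device_policy, for example `static const struct nla_policy peer_policy[WGPEER_A_MAX + 1];`, or order the tables innermost first so each policy is defined before it is referenced.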
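
Review bot: In set_peer() and wg_set_device(), the nla_parse_nested() calls now pass NULL as the policy, so the safety of reading allowedip[] and peer[] depends entirely on device_policy having been applied to the message before these loops run. That invariant is not visible at the call sites; a one-line comment above each call stating that the nested array was already validated via NLA_POLICY_NESTED_ARRAY() would keep a later reader from taking the NULL for a missing check, or from calling set_peer() on attributes that did not pass through that policy. Both calls also still pass NULL as the final extack argument, so any error they do return carries no extack message; the commit message could say explicitly that extack reporting now comes from the top-level policy validation.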