[PATCH net-next 3/4] ethtool: strset: check nla_len overflow before nla_nest_end

Hangbin Liu posted 4 patches 1 day, 19 hours ago
Posted by Hangbin Liu 1 day, 19 hours ago
The netlink attribute length field nla_len is a __u16, which can only
represent values up to 65535 bytes. NICs with a large number of
statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
entries) can produce an ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
this limit.

When nla_nest_end() writes the actual nest size back to nla_len, the
value is silently truncated. This results in a corrupted netlink message
being sent to userspace: the parser reads a wrong (truncated) attribute
length and misaligns all subsequent attribute boundaries, causing decode
errors.

Fix this by checking whether the size of strings_attr would exceed
U16_MAX after all strings have been written, and give up the nla put if so.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 net/ethtool/strset.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c
index f6a67109beda..9c502b290f5c 100644
--- a/net/ethtool/strset.c
+++ b/net/ethtool/strset.c
@@ -441,6 +441,10 @@ static int strset_fill_set(struct sk_buff *skb,
 			if (strset_fill_string(skb, set_info, i) < 0)
 				goto nla_put_failure;
 		}
+
+		if (skb_tail_pointer(skb) - (unsigned char *)strings_attr > U16_MAX)
+			goto nla_put_failure;
+
 		nla_nest_end(skb, strings_attr);
 	}
 
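Review bot: the added comparison repeats, by hand, the very arithmetic nla_nest_end() is about to perform when it writes the nest size back into nla_len, and it does so with no comment, so a reader meeting a bare `> U16_MAX` two lines above nla_nest_end() cannot tell it exists because nla_len is a __u16 that would otherwise be silently truncated. Suggest either a one-line comment above the check stating that, or folding the check into a helper that sits next to nla_nest_end() and returns an error instead of truncating, so the two length computations cannot drift apart; the latter also keeps strset.c from carrying netlink encoding details that belong in the nla helpers.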

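A user-space model of the truncation the commit message describes, added here as an illustration and not taken from the patch or the kernel: `struct nlattr` and the two constants follow `<linux/netlink.h>`, while `struct msg`, `tail()`, `nest_end()` and `nest_len_for_payload()` are constructed stand-ins for the sk_buff and nla helpers, and the nest payload is constructed filler rather than real string attributes.

```c
/* User-space model of the bug: nla_len is a __u16, so nla_nest_end() silently
 * truncates a nest whose header plus payload exceeds 65535 bytes. Modelled
 * after <linux/netlink.h>; none of this is the kernel's own code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define U16_MAX 65535
#define NLA_HDRLEN 4

struct nlattr { uint16_t nla_len; uint16_t nla_type; };
/* Minimal stand-in for sk_buff: a flat buffer plus the bytes used so far. */
struct msg { unsigned char *buf; size_t len; };

static unsigned char *tail(const struct msg *m) { return m->buf + m->len; }

/* Close the nest the way nla_nest_end() does, writing (tail - nest) into the
 * 16-bit field. With `checked` set, apply the comparison the patch adds in
 * strset_fill_set() first and return -1 instead of truncating. */
static int nest_end(struct msg *m, struct nlattr *nest, int checked)
{
	ptrdiff_t total = tail(m) - (unsigned char *)nest;
	if (checked && total > U16_MAX)
		return -1;	/* caller jumps to nla_put_failure */
	nest->nla_len = (uint16_t)total;	/* silently truncates when unchecked */
	return 0;
}

/* Open a nest, fill it with `payload` constructed bytes standing in for the
 * string attributes, close it and return the nla_len userspace would see,
 * or -1 when the checked variant refuses to finish the nest. */
static int nest_len_for_payload(size_t payload, int checked)
{
	struct msg m = { .buf = calloc(1, NLA_HDRLEN + payload), .len = 0 };
	struct nlattr *nest = (struct nlattr *)tail(&m);
	int ret;

	nest->nla_type = 2;	/* e.g. ETHTOOL_A_STRINGSET_STRINGS */
	m.len += NLA_HDRLEN;
	memset(tail(&m), 'x', payload);	/* constructed string payload */
	m.len += payload;
	ret = nest_end(&m, nest, checked) < 0 ? -1 : nest->nla_len;
	free(m.buf);
	return ret;
}
```

A 65532-byte payload plus the 4-byte header is exactly 65536, so the unchecked variant stores 0 and the checked one refuses; a 70000-byte payload wraps to 4468, which is the misaligned length a userspace parser would then trust.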
Re: [PATCH net-next 3/4] ethtool: strset: check nla_len overflow before nla_nest_end
Posted by Jakub Kicinski 22 hours ago
On Tue, 31 Mar 2026 11:56:13 +0800 Hangbin Liu wrote:
> +		if (skb_tail_pointer(skb) - (unsigned char *)strings_attr > U16_MAX)
> +			goto nla_put_failure;

bit ugly, let's add a variant of nla_nest_end() which can return 
an error on overflow (without the warning from patch 4) ?

> +
>  		nla_nest_end(skb, strings_attr);
Re: [PATCH net-next 3/4] ethtool: strset: check nla_len overflow before nla_nest_end
Posted by Hangbin Liu 16 hours ago
On Tue, Mar 31, 2026 at 06:46:37PM -0700, Jakub Kicinski wrote:
> On Tue, 31 Mar 2026 11:56:13 +0800 Hangbin Liu wrote:
> > +		if (skb_tail_pointer(skb) - (unsigned char *)strings_attr > U16_MAX)
> > +			goto nla_put_failure;
> 
> bit ugly, let's add a variant of nla_nest_end() which can return 
> an error on overflow (without the warning from patch 4) ?

I tried not to touch nla_nest_end() as it is used everywhere. But it makes
sense to me to add a new function to check this. I'm not very good at naming;
maybe `nla_nest_end_validate()`? Or any other name if you have one?

Thanks
Hangbin
> 
> > +
> >  		nla_nest_end(skb, strings_attr);