[PATCH net-next 4/4] netlink: warn on nla_len overflow in nla_nest_end()

Hangbin Liu posted 4 patches 1 day, 19 hours ago
Posted by Hangbin Liu 1 day, 19 hours ago
The nla_len field in struct nlattr is a __u16, which can only hold
values up to 65535. If a nested attribute grows beyond this limit,
nla_nest_end() silently truncates the length, producing a corrupted
netlink message with no indication of the problem.

Since this is unlikely to happen, to avoid unnecessary checking every
time on the production system, add a DEBUG_NET_WARN_ON_ONCE() before
the assignment to make this overflow visible in the debug kernel log.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
---
 include/net/netlink.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/net/netlink.h b/include/net/netlink.h
index 1a8356ca4b78..00ea52dc08c4 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -2260,6 +2260,7 @@ static inline struct nlattr *nla_nest_start(struct sk_buff *skb, int attrtype)
  */
 static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
 {
+	DEBUG_NET_WARN_ON_ONCE(skb_tail_pointer(skb) - (unsigned char *)start > U16_MAX);
 	start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
 	return skb->len;
 }
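Review bot: the length expression `skb_tail_pointer(skb) - (unsigned char *)start` is now computed twice, once in the DEBUG_NET_WARN_ON_ONCE() and again in the assignment; consider computing it once into a local (for example `size_t len = skb_tail_pointer(skb) - (unsigned char *)start;`, then `DEBUG_NET_WARN_ON_ONCE(len > U16_MAX);` and `start->nla_len = len;`) so the checked value and the stored value cannot drift apart. Also worth noting that DEBUG_NET_WARN_ON_ONCE() compiles out on non-debug kernels, so the truncation into the __u16 nla_len still happens silently there; the kernel-doc comment that closes at `*/` just above nla_nest_end() should state the U16_MAX bound on a nested attribute's total size so callers know the limit exists.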
