Date: Wed, 22 Jan 2025 16:49:17 +0300
From: Dan Carpenter
To: Thomas Graf
Cc: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()
Message-ID: <58023f9e-555e-48db-9822-283c2c1f6d0e@stanley.mountain>

The "payload" variable is type size_t, however the nlmsg_total_size()
function will add a few bytes to it and then truncate the result to type
int. That means that if "payload" is more than UINT_MAX the alloc_skb()
function might allocate a buffer which is smaller than intended.

Cc: stable@vger.kernel.org
Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
Signed-off-by: Dan Carpenter
---
 include/net/netlink.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/net/netlink.h b/include/net/netlink.h index e015ffbed819..ca7a8152e6d4 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struc= t sk_buff *skb, */ static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags) { + if (payload > INT_MAX) + return NULL; return alloc_skb(nlmsg_total_size(payload), flags); } =20 --=20 2.45.2
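
Review bot: the new guard `if (payload > INT_MAX)` in nlmsg_new() bounds the payload alone, but the commit message says nlmsg_total_size() adds a few bytes before the result becomes an int, so a payload at or just under INT_MAX still passes the check while its total no longer fits in an int. Consider bounding the sum instead, for example by rejecting a payload larger than INT_MAX minus the header and alignment overhead, or by doing the addition in size_t and checking the result before the call to alloc_skb(). The commit message also speaks of payloads above UINT_MAX while the check uses INT_MAX; one sentence on why INT_MAX is the chosen limit would help stable reviewers. A short note in the comment above nlmsg_new() that NULL is now returned for oversized requests as well as on allocation failure would document the new return path.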
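
The truncation described in the commit message, as an added user-space model (not kernel code and not part of the original patch). The 16-byte header length, the 4-byte alignment, the helper names and the use of a 64-bit integer to stand in for size_t are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_HDRLEN  16u /* assumed aligned netlink header length */
#define MODEL_ALIGNTO 4u  /* assumed message alignment */

/* Size computation with the payload narrowed to 32 bits, as happens when a
 * 64-bit size_t value is squeezed through an int-sized computation. */
static uint32_t model_total_size(uint64_t payload)
{
    uint32_t narrowed = (uint32_t)payload; /* modulo 2^32, well defined */
    uint32_t msg = narrowed + MODEL_HDRLEN;
    return (msg + MODEL_ALIGNTO - 1u) & ~(MODEL_ALIGNTO - 1u);
}

/* 1 if the computed buffer cannot even hold the requested payload. */
static int undersized(uint64_t payload)
{
    return (uint64_t)model_total_size(payload) < payload;
}

/* Model of the patched entry point: reject before any narrowing happens.
 * Returns 1 and stores the size, or 0 where nlmsg_new() would return NULL. */
static int guarded_total_size(uint64_t payload, uint32_t *size)
{
    if (payload > (uint64_t)INT_MAX)
        return 0;
    *size = model_total_size(payload);
    return 1;
}

int main(void)
{
    /* Constructed sample payloads: an ordinary one and one just past 4 GiB. */
    const uint64_t samples[] = { 100, (uint64_t)UINT_MAX + 101 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t size = 0;
        int ok = guarded_total_size(samples[i], &size);
        printf("payload=%llu unguarded=%u undersized=%d guarded=%s\n",
               (unsigned long long)samples[i], model_total_size(samples[i]),
               undersized(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Both sample payloads produce the same unguarded size because they differ by exactly 2^32; only the guarded path tells them apart.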