Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow
From: Stanislav Fomichev
Date: Wed Apr 08 2026 - 12:48:09 EST

On 04/08, Hangbin Liu wrote:
> The netlink attribute length field nla_len is a __u16, which can only
> represent values up to 65535 bytes. NICs with a large number of
> statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
> entries) can produce an ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
> this limit.
>
> When nla_nest_end() writes the actual nest size back to nla_len, the
> value is silently truncated. This results in a corrupted netlink message
> being sent to userspace: the parser reads a wrong (truncated) attribute
> length and misaligns all subsequent attribute boundaries, causing decode
> errors.
>
> Fix this by using the new helper nla_nest_end_safe and error out if
> the size exceeds U16_MAX.

Not sure what the user is supposed to do? Does it mean there is no way
to retrieve ETHTOOL_A_STRINGSET_STRINGS for those devices with too
many strings?
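
The truncation described in the quoted commit message, as an added user-space example that is not part of the patch or of either author's mail. It models the 16-bit length field with a hypothetical `struct attr_hdr`; the helper names, the flat one-attribute-per-string layout and the `-EMSGSIZE` return value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <errno.h>

/* User-space model of a netlink attribute header: 16-bit length, 16-bit type. */
struct attr_hdr { uint16_t len; uint16_t type; };

#define HDR_LEN   ((size_t)sizeof(struct attr_hdr))
#define ALIGN4(n) (((n) + 3u) & ~(size_t)3u)

/* Models closing a nest with no bound check: the size is narrowed to 16 bits. */
static void nest_end_unchecked(struct attr_hdr *nest, size_t nest_size)
{
    nest->len = (uint16_t)nest_size;   /* silently wraps above 65535 */
}

/* Models a checked close: refuse sizes the length field cannot represent.
 * The error code is an assumption; the page only says "error out". */
static int nest_end_checked(struct attr_hdr *nest, size_t nest_size)
{
    if (nest_size > UINT16_MAX)
        return -EMSGSIZE;
    nest->len = (uint16_t)nest_size;
    return 0;
}

/* Offset at which a receiver looks for the attribute following the nest. */
static size_t next_attr_offset(const struct attr_hdr *nest)
{
    return ALIGN4(nest->len);
}

/* Constructed input: `count` strings of `slen` bytes, one attribute each. */
static size_t nest_size_for(size_t count, size_t slen)
{
    return HDR_LEN + count * ALIGN4(HDR_LEN + slen);
}

int main(void)
{
    struct attr_hdr nest = { 0, 1 };
    size_t real = nest_size_for(3000, 32);   /* constructed: 3000 stat names */

    nest_end_unchecked(&nest, real);
    /* The receiver's idea of where the nest ends falls short of the real end. */
    int misaligned = next_attr_offset(&nest) != ALIGN4(real);
    int rejected = nest_end_checked(&nest, real) == -EMSGSIZE;
    return (misaligned && rejected) ? 0 : 1;
}
```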