Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow

Next message: Michael Byczkowski: "[PATCH v3 2/3] pps: convert pps_device lock to raw_spinlock for PREEMPT_RT"
Previous message: Eric Dumazet: "Re: [PATCH v2] ax25: fix OOB read after address header strip in ax25_rcv()."
In reply to: Jakub Kicinski: "Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow"
Next in thread: Andrew Lunn: "Re: [PATCH net-next v2 5/5] ethtool: strset: check nla_len overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stanislav Fomichev

Date: Thu Apr 09 2026 - 11:38:56 EST

On 04/08, Jakub Kicinski wrote:
> On Wed, 8 Apr 2026 09:43:35 -0700 Stanislav Fomichev wrote:
> > On 04/08, Hangbin Liu wrote:
> > > The netlink attribute length field nla_len is a __u16, which can only
> > > represent values up to 65535 bytes. NICs with a large number of
> > > statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
> > > entries) can produce a ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
> > > this limit.
> > >
> > > When nla_nest_end() writes the actual nest size back to nla_len, the
> > > value is silently truncated. This results in a corrupted netlink message
> > > being sent to userspace: the parser reads a wrong (truncated) attribute
> > > length and misaligns all subsequent attribute boundaries, causing decode
> > > errors.
> > >
> > > Fix this by using the new helper nla_nest_end_safe and error out if
> > > the size exceeds U16_MAX.
> >
> > Not sure that's the user supposed to do? Does it mean there is no way
> > to retrieve ETHTOOL_A_STRINGSET_STRINGS for those devices with too
> > many strings?
>
> Not via Netlink, they can still read them via the ioctl?
> Since the legacy stats themselves can't be fetched over Netlink
> I'm not sure we should lose sleep over reading the stats strings
> via Netlink.

I guess... Should we update ethtool.yaml doc to tell the users to prefer
ioctl over netlink for strset-get and mention this new EMSGSIZE?