rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()

Avoid corrupting a netlink message and confuse user space in the
very unlikely case rtnl_fill_prop_list was able to produce a very big
nested element.

This is extremely unlikely, because rtnl_prop_list_size()
provisions nla_total_size(ALTIFNAMSIZ) per altname.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260525083542.1565964-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0aa429336ffe1015390be634fc4bacbbb9842a50..cd1004410dd7f5c45ebfdc329b461dde7b1d9411 100644 (file)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1970,7 +1970,10 @@ static int rtnl_fill_prop_list(struct sk_buff *skb,
        if (ret <= 0)
                goto nest_cancel;
 
-       nla_nest_end(skb, prop_list);
+       ret = -EMSGSIZE;
+       if (nla_nest_end_safe(skb, prop_list) < 0)
+               goto nest_cancel;
+
        return 0;
 
 nest_cancel: