From: Eric Dumazet <edumazet@google.com>
Date: Mon, 25 May 2026 08:35:38 +0000 (+0000)
Subject: rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73a7c8fb2302ae78920b210c098b752b9caa6bf6;p=thirdparty%2Flinux.git

rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()

Avoid corrupting a netlink message and confuse user space in the
very unlikely case rtnl_fill_prop_list was able to produce a very big
nested element.

This is extremely unlikely, because rtnl_prop_list_size()
provisions nla_total_size(ALTIFNAMSIZ) per altname.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260525083542.1565964-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0aa429336ffe..cd1004410dd7 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1970,7 +1970,10 @@ static int rtnl_fill_prop_list(struct sk_buff *skb,
 	if (ret <= 0)
 		goto nest_cancel;
 
-	nla_nest_end(skb, prop_list);
+	ret = -EMSGSIZE;
+	if (nla_nest_end_safe(skb, prop_list) < 0)
+		goto nest_cancel;
+
 	return 0;
 
 nest_cancel: