ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES

ethnl_update_profile() walks the ETHTOOL_A_PROFILE_IRQ_MODERATION
nest list with an index 'i' and writes new_profile[i++] without
bounding i. The destination is kmemdup()'d at NET_DIM_PARAMS_NUM_PROFILES
entries (5), but the Netlink nest count is entirely user-controlled.
Netlink policies do not have support for constraining the number
of nested entries (or number of multi-attr entries).

Fixes: f750dfe825b9 ("ethtool: provide customized dim profile management")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ethtool/coalesce.c b/net/ethtool/coalesce.c
index 1e2c5c7048a8376da85674e43424531faf147935..e73fc3e5a02ba7f928f860aa01a19a1173b92b24 100644 (file)
--- a/net/ethtool/coalesce.c
+++ b/net/ethtool/coalesce.c
@@ -472,6 +472,12 @@ static int ethnl_update_profile(struct net_device *dev,
 
        nla_for_each_nested_type(nest, ETHTOOL_A_PROFILE_IRQ_MODERATION,
                                 nests, rem) {
+               if (i >= NET_DIM_PARAMS_NUM_PROFILES) {
+                       NL_SET_BAD_ATTR(extack, nest);
+                       ret = -E2BIG;
+                       goto err_out;
+               }
+
                ret = nla_parse_nested(tb, len_irq_moder - 1, nest,
                                       coalesce_irq_moderation_policy,
                                       extack);