From: Eric Dumazet <edumazet@google.com>
Date: Tue, 12 May 2026 15:52:44 +0000 (+0000)
Subject: netlink: add one debug check in nla_nest_end()
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=ff205bf8c55451f95300bceed9779b647205a850;p=thirdparty%2Fkernel%2Flinux.git

netlink: add one debug check in nla_nest_end()

Add a DEBUG_NET_WARN_ON_ONCE(diff > U16_MAX)
to warn if the kernel sends corrupted nested attribute
to user space.

Offenders can be converted to nla_nest_end_safe().

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260512155244.4137851-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

diff --git a/include/net/netlink.h b/include/net/netlink.h
index 546d10586576..b5048dd1d511 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -2260,7 +2260,10 @@ static inline struct nlattr *nla_nest_start(struct sk_buff *skb, int attrtype)
  */
 static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start)
 {
-	start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start;
+	unsigned long diff = skb_tail_pointer(skb) - (unsigned char *)start;
+
+	DEBUG_NET_WARN_ON_ONCE(diff > U16_MAX);
+	start->nla_len = diff;
 	return skb->len;
 }