git-server-git.apps.pok.os.sepia.ceph.com Git

author	Hangbin Liu <liuhangbin@gmail.com>
	Wed, 8 Apr 2026 07:08:53 +0000 (15:08 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Sun, 12 Apr 2026 18:23:50 +0000 (11:23 -0700)
commit	b2fb1a336383f1fb4667a9cc930c70f52ae1e20e
tree	02d67dde984beb008ce87dcfb9b3493a6bb688f5	tree \| snapshot
parent	1346586a9ac96588eff586ca1893dd2e88b88510	commit \| diff

ethtool: strset: check nla_len overflow

The netlink attribute length field nla_len is a __u16, which can only
represent values up to 65535 bytes. NICs with a large number of
statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS
entries) can produce a ETHTOOL_A_STRINGSET_STRINGS nest that exceeds
this limit.

When nla_nest_end() writes the actual nest size back to nla_len, the
value is silently truncated. This results in a corrupted netlink message
being sent to userspace: the parser reads a wrong (truncated) attribute
length and misaligns all subsequent attribute boundaries, causing decode
errors.

Fix this by using the new helper nla_nest_end_safe and error out if
the size exceeds U16_MAX.

Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20260408-b4-ynl_ethtool-v2-5-7623a5e8f70b@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>