Avoid corrupting a netlink message and confuse user space in the unlikely case rtnl_fill_prop_list was able to produce a very big nested element. Signed-off-by: Eric Dumazet --- net/core/rtnetlink.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 6a5e9ace55a0880d7b1e4303d12dc0a8b8b7c5ed..ae0254f19178735b2805a8189e81a960a49b2858 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1971,7 +1971,9 @@ static int rtnl_fill_prop_list(struct sk_buff *skb, if (ret <= 0) goto nest_cancel; - nla_nest_end(skb, prop_list); + if (nla_nest_end_safe(skb, prop_list) < 0) + goto nest_cancel; + return 0; nest_cancel: -- 2.54.0.563.g4f69b47b94-goog
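Review bot: In the new failure branch (`if (nla_nest_end_safe(skb, prop_list) < 0) goto nest_cancel;`) the return value of nla_nest_end_safe() is discarded, and the jump lands on the label shared with the `if (ret <= 0)` check just above, so ret is necessarily positive whenever this path is taken. If the code under nest_cancel returns ret (that part is outside the visible context), the caller would get a positive value rather than a negative errno when the nest is too big. Consider storing the result first, e.g. `ret = nla_nest_end_safe(skb, prop_list);` followed by `if (ret < 0) goto nest_cancel;`, so the error is propagated explicitly. The commit message could also state what the caller sees in that case.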