From 0a9b2c9fd1688c7ecbff0702855577a3f8eef1df Mon Sep 17 00:00:00 2001
From: Jeremy Kerr
Date: Wed, 21 May 2025 17:33:36 +0800
Subject: [PATCH] net: mctp: use nlmsg_payload() for netlink message data extraction

Jakub suggests:

> I have a different request :) Matt, once this ends up in net-next
> (end of this week) could you refactor it to use nlmsg_payload() ?
> It doesn't exist in net but this is exactly why it was added.

This refactors the additions to both mctp_dump_addrinfo(), and mctp_rtm_getneigh() - two cases where we're calling nlh_data() on an an incoming netlink message, without a prior nlmsg_parse().

For the neigh.c case, we cannot hit the failure where the nlh does not contain a full ndmsg at present, as the core handler (net/core/neighbour.c, neigh_get()) has already validated the size through neigh_valid_req_get(), and would have failed the get operation before the MCTP hander is called. However, relying on that is a bit fragile, so apply the nlmsg_payload refector here too.

Reviewed-by: Simon Horman
Signed-off-by: Jeremy Kerr
Link: https://patch.msgid.link/20250521-mctp-nlmsg-payload-v2-1-e85df160c405@codeconstruct.com.au
Signed-off-by: Paolo Abeni
---
 net/mctp/device.c | 4 ++--
 net/mctp/neigh.c  | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index 7c0dcf3df319..4d404edd7446 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -120,8 +120,8 @@ static int mctp_dump_addrinfo(struct sk_buff *skb, struct netlink_callback *cb)
 	int ifindex = 0, rc;
 
 	/* Filter by ifindex if a header is provided */
-	if (cb->nlh->nlmsg_len >= nlmsg_msg_size(sizeof(*hdr))) {
-		hdr = nlmsg_data(cb->nlh);
+	hdr = nlmsg_payload(cb->nlh, sizeof(*hdr));
+	if (hdr) {
 		ifindex = hdr->ifa_index;
 	} else {
 		if (cb->strict_check) {
diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
index 590f642413e4..05b899f22d90 100644
--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
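Review bot: The comment above the new `nlmsg_payload()` call in mctp_dump_addrinfo() still describes the header as simply present or absent, but the call returns NULL for a request whose ifaddrmsg is truncated as well as for one with no header, and in that case the `else` branch is taken with `ifindex` left at 0, which when `cb->strict_check` is clear appears to mean an unfiltered dump. The old `nlmsg_len >= nlmsg_msg_size(sizeof(*hdr))` test behaved the same way, so this is not a regression, but the comment should say what a short header means. Suggest `/* Filter by ifindex if a full ifaddrmsg header is provided; a missing or truncated header leaves ifindex at 0 (no filter) unless strict_check rejects it below */`. mctp_dump_addrinfo() starts before the hunk and the strict_check branch continues after it, so I cannot confirm from the hunk what the strict path returns.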
@@ -250,7 +250,10 @@ static int mctp_rtm_getneigh(struct sk_buff *skb, struct netlink_callback *cb)
 		int idx;
 	} *cbctx = (void *)cb->ctx;
 
-	ndmsg = nlmsg_data(cb->nlh);
+	ndmsg = nlmsg_payload(cb->nlh, sizeof(*ndmsg));
+	if (!ndmsg)
+		return -EINVAL;
+
 	req_ifindex = ndmsg->ndm_ifindex;
 	idx = 0;
 
-- 
2.50.1
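Review bot: The new `if (!ndmsg) return -EINVAL;` in mctp_rtm_getneigh() is, according to the commit message, unreachable today because neigh_get() has already validated the header size via neigh_valid_req_get(), yet nothing in the code records that the check is deliberate defence in depth rather than the primary validation. Suggest a comment above it: `/* Core neigh code validates the header size before calling us; do not rely on it */`. The rejection also carries no extack text, so if the dump path propagates this error to the caller (the function starts and ends outside the hunk, so I cannot confirm the return path here), a `NL_SET_ERR_MSG(cb->extack, "...")` before the return would make a malformed request diagnosable from userspace instead of a bare -EINVAL.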