Hi, In order to avoid triggering the coming runtime memcpy() bounds checking, the length of the destination needs to be "visible" to the compiler in some way. However, netlink is constructed in a rather hidden fashion, and my attempts to wrangle it have resulted in this series, which perform explicit bounds checking before using unsafe_memcpy(). -Kees Kees Cook (2): netlink: Bounds-check nlmsg_len() netlink: Bounds-check struct nlmsgerr creation include/net/netlink.h | 10 ++++++- net/netfilter/ipset/ip_set_core.c | 10 +++++-- net/netlink/af_netlink.c | 49 +++++++++++++++++++++---------- 3 files changed, 49 insertions(+), 20 deletions(-) -- 2.34.1
