[PATCH net-next v1 01/11] wireguard: netlink: validate nested arrays in policy

Thu Oct 30 09:46:38 UTC 2025

On 10/29/25 8:51 PM, Asbjørn Sloth Tønnesen wrote:
> diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
> index 67f962eb8b46d..9bc76e1bcba2d 100644
> --- a/drivers/net/wireguard/netlink.c
> +++ b/drivers/net/wireguard/netlink.c
> @@ -27,7 +27,7 @@ static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
>   	[WGDEVICE_A_FLAGS]		= NLA_POLICY_MASK(NLA_U32, __WGDEVICE_F_ALL),
>   	[WGDEVICE_A_LISTEN_PORT]	= { .type = NLA_U16 },
>   	[WGDEVICE_A_FWMARK]		= { .type = NLA_U32 },
> -	[WGDEVICE_A_PEERS]		= { .type = NLA_NESTED }
> +	[WGDEVICE_A_PEERS]		= NLA_POLICY_NESTED_ARRAY(peer_policy),
>   };
>   
>   static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
> @@ -39,7 +39,7 @@ static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
>   	[WGPEER_A_LAST_HANDSHAKE_TIME]			= NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)),
>   	[WGPEER_A_RX_BYTES]				= { .type = NLA_U64 },
>   	[WGPEER_A_TX_BYTES]				= { .type = NLA_U64 },
> -	[WGPEER_A_ALLOWEDIPS]				= { .type = NLA_NESTED },
> +	[WGPEER_A_ALLOWEDIPS]				= NLA_POLICY_NESTED_ARRAY(allowedip_policy),
>   	[WGPEER_A_PROTOCOL_VERSION]			= { .type = NLA_U32 }
>   };

Oops, I messed this patch up.

I will add forward declarations in v2, which will be removed again once the policy code is generated,
as that will be less messy than reordering the policies.

-- 
pw-bot: changes-requested