ipset: Stop using NLA_PUT*().

These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>

ipset: Stop using NLA_PUT*().
These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by: David S. Miller <davem@davemloft.net>
7cf7899d · David S. Miller · 6c1dd3b6 · 7cf7899d · 7cf7899d · 7cf7899d
Commit 7cf7899d authored Apr 01, 2012 by David S. Miller
14 changed files
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -411,26 +411,32 @@ ip_set_get_h16(const struct nlattr *attr)
 #define ipset_nest_start(skb, attr) nla_nest_start(skb, attr | NLA_F_NESTED)
 #define ipset_nest_end(skb, start)  nla_nest_end(skb, start)
-#define NLA_PUT_IPADDR4(skb, type, ipaddr)			\
+static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr)
-do {								\
+{
-	struct nlattr *__nested = ipset_nest_start(skb, type);	\
+	struct nlattr *__nested = ipset_nest_start(skb, type);
-								\
+	int ret;
-	if (!__nested)						\
-		goto nla_put_failure;				\
+	if (!__nested)
-	NLA_PUT_NET32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr);	\
+		return -EMSGSIZE;
-	ipset_nest_end(skb, __nested);				\
+	ret = nla_put_net32(skb, IPSET_ATTR_IPADDR_IPV4, ipaddr);
-} while (0)
+	if (!ret)
+		ipset_nest_end(skb, __nested);
-#define NLA_PUT_IPADDR6(skb, type, ipaddrptr)			\
+	return ret;
-do {								\
+}
-	struct nlattr *__nested = ipset_nest_start(skb, type);	\
-								\
+static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, const struct in6_addr *ipaddrptr)
-	if (!__nested)						\
+{
-		goto nla_put_failure;				\
+	struct nlattr *__nested = ipset_nest_start(skb, type);
-	NLA_PUT(skb, IPSET_ATTR_IPADDR_IPV6,			\
+	int ret;
-		sizeof(struct in6_addr), ipaddrptr);		\
-	ipset_nest_end(skb, __nested);				\
+	if (!__nested)
-} while (0)
+		return -EMSGSIZE;
+	ret = nla_put(skb, IPSET_ATTR_IPADDR_IPV6,
+		      sizeof(struct in6_addr), ipaddrptr);
+	if (!ret)
+		ipset_nest_end(skb, __nested);
+	return ret;
+}
 /* Get address from skbuff */
 static inline __be32

--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -594,17 +594,20 @@ type_pf_head(struct ip_set *set, struct sk_buff *skb)
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 	if (!nested)
 		goto nla_put_failure;
-	NLA_PUT_NET32(skb, IPSET_ATTR_HASHSIZE,
+	if (nla_put_net32(skb, IPSET_ATTR_HASHSIZE,
-		      htonl(jhash_size(h->table->htable_bits)));
+			  htonl(jhash_size(h->table->htable_bits))) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem));
+	    nla_put_net32(skb, IPSET_ATTR_MAXELEM, htonl(h->maxelem)))
+		goto nla_put_failure;
 #ifdef IP_SET_HASH_WITH_NETMASK
-	if (h->netmask != HOST_MASK)
+	if (h->netmask != HOST_MASK &&
-		NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, h->netmask);
+	    nla_put_u8(skb, IPSET_ATTR_NETMASK, h->netmask))
+		goto nla_put_failure;
 #endif
-	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+	if (nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize));
+	    nla_put_net32(skb, IPSET_ATTR_MEMSIZE, htonl(memsize)) ||
-	if (with_timeout(h->timeout))
+	    (with_timeout(h->timeout) &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(h->timeout));
+	     nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(h->timeout))))
+		goto nla_put_failure;
 	ipset_nest_end(skb, nested);
 	return 0;

--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -109,8 +109,9 @@ bitmap_ip_list(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+		if (nla_put_ipaddr4(skb, IPSET_ATTR_IP,
-				htonl(map->first_ip + id * map->hosts));
+				    htonl(map->first_ip + id * map->hosts)))
+			goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, atd);
@@ -194,10 +195,11 @@ bitmap_ip_tlist(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+		if (nla_put_ipaddr4(skb, IPSET_ATTR_IP,
-				htonl(map->first_ip + id * map->hosts));
+				    htonl(map->first_ip + id * map->hosts)) ||
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+		    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-			      htonl(ip_set_timeout_get(members[id])));
+				  htonl(ip_set_timeout_get(members[id]))))
+			goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, adt);
@@ -334,15 +336,16 @@ bitmap_ip_head(struct ip_set *set, struct sk_buff *skb)
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 	if (!nested)
 		goto nla_put_failure;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, htonl(map->first_ip)) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip)) ||
-	if (map->netmask != 32)
+	    (map->netmask != 32 &&
-		NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, map->netmask);
+	     nla_put_u8(skb, IPSET_ATTR_NETMASK, map->netmask)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+	    nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+	    nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
-		      htonl(sizeof(*map) + map->memsize));
+			  htonl(sizeof(*map) + map->memsize)) ||
-	if (with_timeout(map->timeout))
+	    (with_timeout(map->timeout) &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+	     nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout))))
+		goto nla_put_failure;
 	ipset_nest_end(skb, nested);
 	return 0;

--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -186,11 +186,12 @@ bitmap_ipmac_list(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+		if (nla_put_ipaddr4(skb, IPSET_ATTR_IP,
-				htonl(map->first_ip + id));
+				    htonl(map->first_ip + id)) ||
-		if (elem->match == MAC_FILLED)
+		    (elem->match == MAC_FILLED &&
-			NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
+		     nla_put(skb, IPSET_ATTR_ETHER, ETH_ALEN,
-				elem->ether);
+			     elem->ether)))
+			goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, atd);
@@ -314,14 +315,16 @@ bitmap_ipmac_tlist(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+		if (nla_put_ipaddr4(skb, IPSET_ATTR_IP,
-				htonl(map->first_ip + id));
+				    htonl(map->first_ip + id)) ||
-		if (elem->match == MAC_FILLED)
+		    (elem->match == MAC_FILLED &&
-			NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
+		     nla_put(skb, IPSET_ATTR_ETHER, ETH_ALEN,
-				elem->ether);
+			     elem->ether)))
+		    goto nla_put_failure;
 		timeout = elem->match == MAC_UNSET ? elem->timeout
 				: ip_set_timeout_get(elem->timeout);
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
+		if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout)))
+		    goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, atd);
@@ -438,14 +441,16 @@ bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 	if (!nested)
 		goto nla_put_failure;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, htonl(map->first_ip)) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+	    nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+	    nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
-		      htonl(sizeof(*map)
+			  htonl(sizeof(*map) +
-			    + (map->last_ip - map->first_ip + 1) * map->dsize));
+				((map->last_ip - map->first_ip + 1) *
-	if (with_timeout(map->timeout))
+				 map->dsize))) ||
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+	    (with_timeout(map->timeout) &&
+	     nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout))))
+		goto nla_put_failure;
 	ipset_nest_end(skb, nested);
 	return 0;

--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -96,8 +96,9 @@ bitmap_port_list(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
+		if (nla_put_net16(skb, IPSET_ATTR_PORT,
-			      htons(map->first_port + id));
+				  htons(map->first_port + id)))
+			goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, atd);
@@ -183,10 +184,11 @@ bitmap_port_tlist(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
+		if (nla_put_net16(skb, IPSET_ATTR_PORT,
-			      htons(map->first_port + id));
+				  htons(map->first_port + id)) ||
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+		    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-			      htonl(ip_set_timeout_get(members[id])));
+				  htonl(ip_set_timeout_get(members[id]))))
+			goto nla_put_failure;
 		ipset_nest_end(skb, nested);
 	}
 	ipset_nest_end(skb, adt);
@@ -320,13 +322,14 @@ bitmap_port_head(struct ip_set *set, struct sk_buff *skb)
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 	if (!nested)
 		goto nla_put_failure;
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, htons(map->first_port));
+	if (nla_put_net16(skb, IPSET_ATTR_PORT, htons(map->first_port)) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port));
+	    nla_put_net16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+	    nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+	    nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
-		      htonl(sizeof(*map) + map->memsize));
+			  htonl(sizeof(*map) + map->memsize)) ||
-	if (with_timeout(map->timeout))
+	    (with_timeout(map->timeout) &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+	     nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout))))
+		goto nla_put_failure;
 	ipset_nest_end(skb, nested);
 	return 0;

--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1092,19 +1092,21 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
 			ret = -EMSGSIZE;
 			goto release_refcount;
 		}
-		NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+		if (nla_put_u8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
-		NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name);
+		    nla_put_string(skb, IPSET_ATTR_SETNAME, set->name))
+			goto nla_put_failure;
 		if (dump_flags & IPSET_FLAG_LIST_SETNAME)
 			goto next_set;
 		switch (cb->args[2]) {
 		case 0:
 			/* Core header data */
-			NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME,
+			if (nla_put_string(skb, IPSET_ATTR_TYPENAME,
-				       set->type->name);
+					   set->type->name) ||
-			NLA_PUT_U8(skb, IPSET_ATTR_FAMILY,
+			    nla_put_u8(skb, IPSET_ATTR_FAMILY,
-				   set->family);
+				       set->family) ||
-			NLA_PUT_U8(skb, IPSET_ATTR_REVISION,
+			    nla_put_u8(skb, IPSET_ATTR_REVISION,
-				   set->revision);
+				       set->revision))
+				goto nla_put_failure;
 			ret = set->variant->head(set, skb);
 			if (ret < 0)
 				goto release_refcount;
@@ -1410,11 +1412,12 @@ ip_set_header(struct sock *ctnl, struct sk_buff *skb,
 			 IPSET_CMD_HEADER);
 	if (!nlh2)
 		goto nlmsg_failure;
-	NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+	if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
-	NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name);
+	    nla_put_string(skb2, IPSET_ATTR_SETNAME, set->name) ||
-	NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name);
+	    nla_put_string(skb2, IPSET_ATTR_TYPENAME, set->type->name) ||
-	NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family);
+	    nla_put_u8(skb2, IPSET_ATTR_FAMILY, set->family) ||
-	NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->revision);
+	    nla_put_u8(skb2, IPSET_ATTR_REVISION, set->revision))
+		goto nla_put_failure;
 	nlmsg_end(skb2, nlh2);
 	ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
@@ -1469,11 +1472,12 @@ ip_set_type(struct sock *ctnl, struct sk_buff *skb,
 			 IPSET_CMD_TYPE);
 	if (!nlh2)
 		goto nlmsg_failure;
-	NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+	if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL) ||
-	NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename);
+	    nla_put_string(skb2, IPSET_ATTR_TYPENAME, typename) ||
-	NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family);
+	    nla_put_u8(skb2, IPSET_ATTR_FAMILY, family) ||
-	NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max);
+	    nla_put_u8(skb2, IPSET_ATTR_REVISION, max) ||
-	NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min);
+	    nla_put_u8(skb2, IPSET_ATTR_REVISION_MIN, min))
+		goto nla_put_failure;
 	nlmsg_end(skb2, nlh2);
 	pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
@@ -1517,7 +1521,8 @@ ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
 			 IPSET_CMD_PROTOCOL);
 	if (!nlh2)
 		goto nlmsg_failure;
-	NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+	if (nla_put_u8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL))
+		goto nla_put_failure;
 	nlmsg_end(skb2, nlh2);
 	ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);

--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -81,7 +81,8 @@ hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
 static inline bool
 hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data)
 {
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -94,9 +95,10 @@ hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data)
 	const struct hash_ip4_telem *tdata =
 		(const struct hash_ip4_telem *)data;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))))
+		goto nla_put_failure;
 	return 0;
@@ -262,7 +264,8 @@ ip6_netmask(union nf_inet_addr *ip, u8 prefix)
 static bool
 hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data)
 {
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -275,9 +278,10 @@ hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data)
 	const struct hash_ip6_telem *e =
 		(const struct hash_ip6_telem *)data;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -93,9 +93,10 @@ static bool
 hash_ipport4_data_list(struct sk_buff *skb,
 		       const struct hash_ipport4_elem *data)
 {
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -109,12 +110,12 @@ hash_ipport4_data_tlist(struct sk_buff *skb,
 	const struct hash_ipport4_telem *tdata =
 		(const struct hash_ipport4_telem *)data;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -308,9 +309,10 @@ static bool
 hash_ipport6_data_list(struct sk_buff *skb,
 		       const struct hash_ipport6_elem *data)
 {
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -324,11 +326,12 @@ hash_ipport6_data_tlist(struct sk_buff *skb,
 	const struct hash_ipport6_telem *e =
 		(const struct hash_ipport6_telem *)data;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -94,10 +94,11 @@ static bool
 hash_ipportip4_data_list(struct sk_buff *skb,
 		       const struct hash_ipportip4_elem *data)
 {
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -111,13 +112,13 @@ hash_ipportip4_data_tlist(struct sk_buff *skb,
 	const struct hash_ipportip4_telem *tdata =
 		(const struct hash_ipportip4_telem *)data;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, tdata->ip2) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -319,10 +320,11 @@ static bool
 hash_ipportip6_data_list(struct sk_buff *skb,
 			 const struct hash_ipportip6_elem *data)
 {
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -336,12 +338,13 @@ hash_ipportip6_data_tlist(struct sk_buff *skb,
 	const struct hash_ipportip6_telem *e =
 		(const struct hash_ipportip6_telem *)data;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -124,13 +124,14 @@ hash_ipportnet4_data_list(struct sk_buff *skb,
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, data->ip2) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -145,16 +146,16 @@ hash_ipportnet4_data_tlist(struct sk_buff *skb,
 		(const struct hash_ipportnet4_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
+	    nla_put_ipaddr4(skb, IPSET_ATTR_IP2, tdata->ip2) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -436,13 +437,14 @@ hash_ipportnet6_data_list(struct sk_buff *skb,
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -457,15 +459,16 @@ hash_ipportnet6_data_tlist(struct sk_buff *skb,
 		(const struct hash_ipportnet6_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+	    nla_put_ipaddr6(skb, IPSET_ATTR_IP2, &data->ip2.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR2, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -111,10 +111,11 @@ hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -128,13 +129,13 @@ hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data)
 		(const struct hash_net4_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, tdata->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, tdata->cidr) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -339,10 +340,11 @@ hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -356,12 +358,13 @@ hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data)
 		(const struct hash_net6_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, e->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, e->cidr) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -252,11 +252,12 @@ hash_netiface4_data_list(struct sk_buff *skb,
 	if (data->nomatch)
 		flags |= IPSET_FLAG_NOMATCH;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
+	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -273,13 +274,14 @@ hash_netiface4_data_tlist(struct sk_buff *skb,
 	if (data->nomatch)
 		flags |= IPSET_FLAG_NOMATCH;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
+	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))))
+		goto nla_put_failure;
 	return 0;
@@ -555,11 +557,12 @@ hash_netiface6_data_list(struct sk_buff *skb,
 	if (data->nomatch)
 		flags |= IPSET_FLAG_NOMATCH;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
+	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -576,13 +579,14 @@ hash_netiface6_data_tlist(struct sk_buff *skb,
 	if (data->nomatch)
 		flags |= IPSET_FLAG_NOMATCH;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr) ||
-	NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
+	    nla_put_string(skb, IPSET_ATTR_IFACE, data->iface) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -124,12 +124,13 @@ hash_netport4_data_list(struct sk_buff *skb,
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -144,15 +145,15 @@ hash_netport4_data_tlist(struct sk_buff *skb,
 		(const struct hash_netport4_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+	if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, tdata->ip) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, tdata->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(tdata->timeout)));
+			  htonl(ip_set_timeout_get(tdata->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -402,12 +403,13 @@ hash_netport6_data_list(struct sk_buff *skb,
 {
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:
@@ -422,14 +424,15 @@ hash_netport6_data_tlist(struct sk_buff *skb,
 		(const struct hash_netport6_telem *)data;
 	u32 flags = data->nomatch ? IPSET_FLAG_NOMATCH : 0;
-	NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+	if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6) ||
-	NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+	    nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr + 1);
+	    nla_put_u8(skb, IPSET_ATTR_CIDR, data->cidr + 1) ||
-	NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+	    nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+	    nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
-		      htonl(ip_set_timeout_get(e->timeout)));
+			  htonl(ip_set_timeout_get(e->timeout))) ||
-	if (flags)
+	    (flags &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
+	     nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
+		goto nla_put_failure;
 	return 0;
 nla_put_failure:

--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -402,12 +402,13 @@ list_set_head(struct ip_set *set, struct sk_buff *skb)
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 	if (!nested)
 		goto nla_put_failure;
-	NLA_PUT_NET32(skb, IPSET_ATTR_SIZE, htonl(map->size));
+	if (nla_put_net32(skb, IPSET_ATTR_SIZE, htonl(map->size)) ||
-	if (with_timeout(map->timeout))
+	    (with_timeout(map->timeout) &&
-		NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+	     nla_put_net32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout))) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+	    nla_put_net32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1)) ||
-	NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+	    nla_put_net32(skb, IPSET_ATTR_MEMSIZE,
-		      htonl(sizeof(*map) + map->size * map->dsize));
+			  htonl(sizeof(*map) + map->size * map->dsize)))
+		goto nla_put_failure;
 	ipset_nest_end(skb, nested);
 	return 0;
@@ -442,13 +443,15 @@ list_set_list(const struct ip_set *set,
 			} else
 				goto nla_put_failure;
 		}
-		NLA_PUT_STRING(skb, IPSET_ATTR_NAME,
+		if (nla_put_string(skb, IPSET_ATTR_NAME,
-			       ip_set_name_byindex(e->id));
+				   ip_set_name_byindex(e->id)))
+			goto nla_put_failure;
 		if (with_timeout(map->timeout)) {
 			const struct set_telem *te =
 				(const struct set_telem *) e;
-			NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+			__be32 to = htonl(ip_set_timeout_get(te->timeout));
-				      htonl(ip_set_timeout_get(te->timeout)));
+			if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT, to))
+				goto nla_put_failure;
 		}
 		ipset_nest_end(skb, nested);
 	}