In the Linux kernel, the following vulnerability has been resolved:
netfilter: complete validation of user input
In my recent commit, I missed that do_replace() handlers use copy_from_sockptr() (which I fixed), followed by unsafe copy_from_sockptr_offset() calls.
In all functions, we can perform the @optlen validation before even calling xt_alloc_table_info() with the following check:
if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL;
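The check above in a runnable form, as an added illustration rather than kernel code: validate_optlen() mirrors the commit's comparison on a constructed stand-in for the replace header, and naive_check_passes_32() shows what the (u64) casts guard against, namely the header size plus the claimed entries size wrapping in 32-bit arithmetic so that an undersized @optlen slips through.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-in for the netfilter replace header: only the
 * field the check depends on, the size of the entries that follow. */
struct replace_hdr {
    char name[32];
    uint32_t size;   /* claimed size of the entries after the header */
};

/* The commit's check: optlen must cover the header plus the entries
 * the header claims. Both operands are widened to 64 bits so the sum
 * cannot wrap. Returns -EINVAL (-22 on Linux) on failure, else 0. */
int validate_optlen(unsigned int optlen, const struct replace_hdr *tmp)
{
    if ((uint64_t)optlen < (uint64_t)tmp->size + sizeof(*tmp))
        return -22;
    return 0;
}

/* Same comparison with 32-bit arithmetic, to show why the casts matter:
 * a size close to UINT32_MAX wraps the required length to a small value
 * and the short optlen passes. */
bool naive_check_passes_32(uint32_t optlen, uint32_t size)
{
    uint32_t need = size + (uint32_t)sizeof(struct replace_hdr); /* may wrap */
    return optlen >= need;
}
```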