nla_len() has no valid reason to fail or return a negative number. Callers are not allowed to call this on an invalid structure. They usually would call nla_validate() first. However, as it returns a signed "int", coverity assumes that in some cases the value could be negative. That results in coverity warning like Error: INTEGER_OVERFLOW (CWE-190): libnl-3.9.0/lib/route/nh.c:339: tainted_data_return: Called function "nla_len(tb[NHA_GROUP])", and a possible return value may be less than zero. libnl-3.9.0/lib/route/nh.c:339: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow. libnl-3.9.0/lib/route/nh.c:340: overflow: The expression "len / 8UL" is deemed underflowed because at least one of its arguments has underflowed. libnl-3.9.0/lib/route/nh.c:340: cast_overflow: An assign that casts to a different type, which might trigger an overflow. libnl-3.9.0/lib/route/nh.c:342: overflow_sink: "size", which might have underflowed, is passed to "rtnl_nh_grp_info(size, (struct nexthop_grp const *)data, &nh_group)". # 340| size = len / sizeof(struct nexthop_grp); # 341| # 342|-> err = rtnl_nh_grp_info(size, (const struct nexthop_grp *)data, # 343| &nh_group); # 344| if (err < 0) { Add an internal _nla_len() with an API that clearly cannot return negative values. Also, add _nl_assert() which in debug builds do some consistency checks on the argument. https://issues.redhat.com/browse/RHEL-34299