2 vulnerabilities found in net/nfs.c (integer overflows leading to buffer overflow)

Daniel Cohen danielcohen627 at gmail.com
Mon Oct 6 15:24:46 CEST 2025


Hi, I'm Daniel,

I found two vulnerabilities that could get triggered through the nfs
driver, in the functions:
1. nfs_readlink_reply
2. nfs_lookup_reply
https://github.com/u-boot/u-boot/commit/cf3a4f1e86ecdd24f87b615051b49d8e1968c230
https://github.com/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078

In the commits you can see the two functions have an integer overflow in the
bounds check before the memcpy: since rlen is a signed int and controlled by
an attacker, they can set rlen to a negative number and bypass the check:

if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)

I also created a PoC triggering both of the vulnerabilities from a
malicious remote server, leading to a crash in u-boot.

Tested on the latest commit on the master branch: 72f72fa

This is my first vulnerability report,
so if I missed any additional information please let me know.

Best regards,
Daniel S. Cohen

LinkedIn <https://www.linkedin.com/in/unknownd4/> | GitHub
<https://github.com/UnknownD4>
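A minimal illustration of the signed-length bypass described in the report and of a check that rejects it, added here as an example (it is not U-Boot's code and not the fix in the linked commits); the packet layout, DATA_OFF and all function names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the reply layout: payload starts DATA_OFF bytes
 * into the packet, `len` is the number of bytes actually received. */
#define DATA_OFF 8

/* Check in the style the report describes, with a signed rlen. A large
 * negative rlen makes the left-hand side smaller than len, so the check
 * passes even though memcpy would later treat (size_t)rlen as a huge
 * length. */
bool copy_allowed_signed(int rlen, int len)
{
    return !(DATA_OFF + rlen > len);
}

/* Hardened check: reject negative or undersized lengths first, then
 * compare in the unsigned domain where the subtraction cannot wrap. */
bool reply_len_ok(int rlen, int len)
{
    if (rlen < 0 || len < DATA_OFF)
        return false;
    return (size_t)rlen <= (size_t)len - DATA_OFF;
}

/* Bounded copy of the payload into dst. Returns bytes copied, or -1 if the
 * reply is rejected by the length check or does not fit the destination. */
int copy_reply_payload(const uint8_t *pkt, int len, int rlen,
                       uint8_t *dst, size_t dst_cap)
{
    if (!reply_len_ok(rlen, len) || (size_t)rlen > dst_cap)
        return -1;
    memcpy(dst, pkt + DATA_OFF, (size_t)rlen);
    return rlen;
}
```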
