[PATCH] net: nfs: fix buffer overflow in nfs_readlink_reply()

Murtaza Munaim murtaza at saramena.us
Tue Apr 7 23:32:31 CEST 2026


nfs_readlink_reply() copies the symlink target from an NFS READLINK
response into the global nfs_path_buff[2048] using a length (rlen)
obtained from the RPC reply. The existing bounds check validates that
rlen fits within the RPC packet, but does not check that the result
fits in the destination buffer.

When processing relative symlinks, the target is appended to the
existing path. By chaining two symlink resolutions, a malicious NFS
server can cause the combined path to exceed 2048 bytes, overflowing
nfs_path_buff and corrupting adjacent global variables (nfs_path,
nfs_filename, nfs_download_state, file handles). This can be
exploited to achieve remote code execution during NFS boot.

Add bounds checks against sizeof(nfs_path_buff) before both the
relative (append) and absolute (replace) memcpy operations.

Signed-off-by: Murtaza Munaim <murtaza at saramena.us>
---
 net/nfs-common.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/nfs-common.c b/net/nfs-common.c
index 4fbde67a760..30f549f9e1b 100644
--- a/net/nfs-common.c
+++ b/net/nfs-common.c
@@ -671,14 +671,24 @@ static int nfs_readlink_reply(uchar *pkt, unsigned int len)
 
 	if (*((char *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset]) != '/') {
 		int pathlen;
+		int new_len;
 
 		strcat(nfs_path, "/");
 		pathlen = strlen(nfs_path);
+		new_len = pathlen + rlen;
+		if (new_len >= sizeof(nfs_path_buff)) {
+			printf("NFS: symlink too long (%d bytes)\n", new_len);
+			return -NFS_RPC_ERR;
+		}
 		memcpy(nfs_path + pathlen,
 		       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
 		       rlen);
-		nfs_path[pathlen + rlen] = 0;
+		nfs_path[new_len] = 0;
 	} else {
+		if (rlen >= sizeof(nfs_path_buff)) {
+			printf("NFS: symlink too long (%d bytes)\n", rlen);
+			return -NFS_RPC_ERR;
+		}
 		memcpy(nfs_path,
 		       (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
 		       rlen);
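Review bot: in the relative branch the `strcat(nfs_path, "/");` still runs before the new length check, so when nfs_path already holds 2047 characters (reachable after a previous resolution that passed `new_len >= sizeof(nfs_path_buff)` or `rlen >= sizeof(nfs_path_buff)` with a value of 2047), the separator and its terminator are written one byte past the buffer before the reply is rejected, and a stray trailing "/" is left in nfs_path on the error path. Suggest computing the length first, e.g. `new_len = strlen(nfs_path) + 1 + rlen;`, rejecting the reply on that value, and only then appending the separator and copying the target. Since `new_len` is an `int` compared against a `size_t`, declaring it `size_t` (or `unsigned int`) would also avoid the implicit sign conversion in the comparison, and a short comment noting that nfs_path points at the start of nfs_path_buff would document why `sizeof(nfs_path_buff)` is the right bound for writes made through nfs_path.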
-- 
2.50.1 (Apple Git-155)