[PATCH] net: nfs: fix buffer overflow in nfs_readlink_reply()

Sun Apr 26 05:51:27 CEST 2026

Hi

Any updates here?

Thanks!

On Tue, Apr 7, 2026 at 2:32 PM Murtaza Munaim <murtaza at saramena.us> wrote:

> nfs_readlink_reply() copies the symlink target from an NFS READLINK
> response into the global nfs_path_buff[2048] using a length (rlen)
> obtained from the RPC reply. The existing bounds check validates that
> rlen fits within the RPC packet, but does not check that the result
> fits in the destination buffer.
>
> When processing relative symlinks, the target is appended to the
> existing path. By chaining two symlink resolutions, a malicious NFS
> server can cause the combined path to exceed 2048 bytes, overflowing
> nfs_path_buff and corrupting adjacent global variables (nfs_path,
> nfs_filename, nfs_download_state, file handles). This can be
> exploited to achieve remote code execution during NFS boot.
>
> Add bounds checks against sizeof(nfs_path_buff) before both the
> relative (append) and absolute (replace) memcpy operations.
>
> Signed-off-by: Murtaza Munaim <murtaza at saramena.us>
> ---
>  net/nfs-common.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/net/nfs-common.c b/net/nfs-common.c
> index 4fbde67a760..30f549f9e1b 100644
> --- a/net/nfs-common.c
> +++ b/net/nfs-common.c
> @@ -671,14 +671,24 @@ static int nfs_readlink_reply(uchar *pkt, unsigned
> int len)
>
>         if (*((char *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset]) !=
> '/') {
>                 int pathlen;
> +               int new_len;
>
>                 strcat(nfs_path, "/");
>                 pathlen = strlen(nfs_path);
> +               new_len = pathlen + rlen;
> +               if (new_len >= sizeof(nfs_path_buff)) {
> +                       printf("NFS: symlink too long (%d bytes)\n",
> new_len);
> +                       return -NFS_RPC_ERR;
> +               }
>                 memcpy(nfs_path + pathlen,
>                        (uchar *)&rpc_pkt.u.reply.data[2 +
> nfsv3_data_offset],
>                        rlen);
> -               nfs_path[pathlen + rlen] = 0;
> +               nfs_path[new_len] = 0;
>         } else {
> +               if (rlen >= sizeof(nfs_path_buff)) {
> +                       printf("NFS: symlink too long (%d bytes)\n", rlen);
> +                       return -NFS_RPC_ERR;
> +               }
>                 memcpy(nfs_path,
>                        (uchar *)&rpc_pkt.u.reply.data[2 +
> nfsv3_data_offset],
>                        rlen);
> --
> 2.50.1 (Apple Git-155)
>
>