[PATCH] net: nfs: fix buffer overflow in nfs_readlink_reply()

Jerome Forissier jerome.forissier at arm.com
Mon Apr 27 10:08:20 CEST 2026


Hi Murtaza,

On 26/04/2026 05:51, Murtaza wrote:
> Hi
> 
> Any updates here?
> 
> Thanks!
> 
> On Tue, Apr 7, 2026 at 2:32 PM Murtaza Munaim <murtaza at saramena.us> wrote:
> 
>     nfs_readlink_reply() copies the symlink target from an NFS READLINK
>     response into the global nfs_path_buff[2048] using a length (rlen)
>     obtained from the RPC reply. The existing bounds check validates that
>     rlen fits within the RPC packet, but does not check that the result
>     fits in the destination buffer.
> 
>     When processing relative symlinks, the target is appended to the
>     existing path. By chaining two symlink resolutions, a malicious NFS
>     server can cause the combined path to exceed 2048 bytes, overflowing
>     nfs_path_buff and corrupting adjacent global variables (nfs_path,
>     nfs_filename, nfs_download_state, file handles). This can be
>     exploited to achieve remote code execution during NFS boot.
> 
>     Add bounds checks against sizeof(nfs_path_buff) before both the
>     relative (append) and absolute (replace) memcpy operations.
> 
>     Signed-off-by: Murtaza Munaim <murtaza at saramena.us>
>     ---
>      net/nfs-common.c | 12 +++++++++++-
>      1 file changed, 11 insertions(+), 1 deletion(-)

This looks like a duplicate of https://patchwork.ozlabs.org/project/uboot/patch/20260409164440.323405-1-sebasjosue84@gmail.com/
(with a different return code and with error messages).

Thanks,
-- 
Jerome

>     diff --git a/net/nfs-common.c b/net/nfs-common.c
>     index 4fbde67a760..30f549f9e1b 100644
>     --- a/net/nfs-common.c
>     +++ b/net/nfs-common.c
>     @@ -671,14 +671,24 @@ static int nfs_readlink_reply(uchar *pkt, unsigned int len)
> 
>             if (*((char *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset]) != '/') {
>                     int pathlen;
>     +               int new_len;
> 
>                     strcat(nfs_path, "/");
>                     pathlen = strlen(nfs_path);
>     +               new_len = pathlen + rlen;
>     +               if (new_len >= sizeof(nfs_path_buff)) {
>     +                       printf("NFS: symlink too long (%d bytes)\n", new_len);
>     +                       return -NFS_RPC_ERR;
>     +               }
>                     memcpy(nfs_path + pathlen,
>                            (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
>                            rlen);
>     -               nfs_path[pathlen + rlen] = 0;
>     +               nfs_path[new_len] = 0;
>             } else {
>     +               if (rlen >= sizeof(nfs_path_buff)) {
>     +                       printf("NFS: symlink too long (%d bytes)\n", rlen);
>     +                       return -NFS_RPC_ERR;
>     +               }
>                     memcpy(nfs_path,
>                            (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset],
>                            rlen);
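Review bot: in the relative branch the `strcat(nfs_path, "/")` still runs before the new bound check, so a path that the previous reply left at 2047 bytes (the largest length `if (new_len >= sizeof(nfs_path_buff))` admits) gets its "/" and terminating NUL written at offsets 2047 and 2048, one byte past nfs_path_buff, before `new_len` is even computed; it also leaves a stray trailing "/" on nfs_path when the reply is then rejected. Take the length first and fold the separator into the check, e.g. `pathlen = strlen(nfs_path); if (pathlen + 1 + rlen >= sizeof(nfs_path_buff)) return -NFS_RPC_ERR;` and only then write the separator and the target. Minor: `new_len` and `rlen` are int and are compared against a size_t (and printed with %d); making both size_t avoids the signed/unsigned comparison.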
>     -- 
>     2.50.1 (Apple Git-155)
> 

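A C model of the append logic in nfs_readlink_reply(), added here as an illustration and not code from the patch or from U-Boot: it keeps three variants side by side (the pre-patch append with no destination bound, the ordering used in the hunk above, and a check-before-write version), runs constructed chained READLINK targets through each, and uses a canary in place of the globals that follow nfs_path_buff to show whether anything was written past the buffer. The struct layout, the value of NFS_RPC_ERR, the starting path "/nfsroot" and the target lengths are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Layout model (an assumption for this demo): the path buffer, a canary
 * standing in for the adjacent globals the commit message names, then
 * slack so an overflow stays inside the struct instead of crashing. */
#define NFS_PATH_BUFF_SZ 2048
#define NFS_RPC_ERR 1                    /* hypothetical, not U-Boot's value */
#define CANARY_OK 0xA5A55A5AU

struct nfs_globals {
    char nfs_path_buff[NFS_PATH_BUFF_SZ];
    uint32_t canary;                     /* e.g. nfs_download_state */
    char slack[4096];
};

static struct nfs_globals g;
/* volatile: keeps the compiler from constant-folding the destination so
 * the overflow is exercised at run time, not diagnosed at build time. */
static char *volatile nfs_path = g.nfs_path_buff;
int last_rc;                             /* error code of the last chain */

/* Pre-patch logic for a relative target: no bound on the destination. */
static int append_unchecked(const char *target, size_t rlen)
{
    size_t pathlen;
    strcat(nfs_path, "/");
    pathlen = strlen(nfs_path);
    memcpy(nfs_path + pathlen, target, rlen);
    nfs_path[pathlen + rlen] = 0;
    return 0;
}

/* Ordering as in the posted hunk: strcat first, bound check second. */
static int append_as_patched(const char *target, size_t rlen)
{
    size_t pathlen, new_len;
    strcat(nfs_path, "/");
    pathlen = strlen(nfs_path);
    new_len = pathlen + rlen;
    if (new_len >= NFS_PATH_BUFF_SZ)
        return -NFS_RPC_ERR;
    memcpy(nfs_path + pathlen, target, rlen);
    nfs_path[new_len] = 0;
    return 0;
}

/* Check before any write, with the separator counted explicitly. */
static int append_checked(const char *target, size_t rlen)
{
    size_t pathlen = strlen(nfs_path);
    size_t new_len = pathlen + 1 + rlen;  /* "/" + target */
    if (rlen >= NFS_PATH_BUFF_SZ || new_len >= NFS_PATH_BUFF_SZ)
        return -NFS_RPC_ERR;
    nfs_path[pathlen] = '/';
    memcpy(nfs_path + pathlen + 1, target, rlen);
    nfs_path[new_len] = 0;
    return 0;
}

/* Constructed malicious READLINK targets: two 1200-byte relative targets
 * whose sum exceeds the buffer, and a 2038-byte one that lands exactly on
 * the largest length the hunk's check admits ("/nfsroot/" + 2038 = 2047). */
static char big_a[1201], big_b[1201], edge[2039];

/* Reset the globals, then feed a chain of targets (each the reply to the
 * lookup of the previous one) through one append routine. Returns 1 if
 * the canary survived, 0 if it was overwritten; first error in last_rc. */
static int resolve_chain(int (*append)(const char *, size_t),
                         const char *const *targets, size_t count)
{
    size_t i;
    memset(big_a, 'A', 1200);
    memset(big_b, 'B', 1200);
    memset(edge, 'E', 2038);
    memset(&g, 0, sizeof(g));
    g.canary = CANARY_OK;
    strcpy(nfs_path, "/nfsroot");        /* constructed starting path */
    last_rc = 0;
    for (i = 0; i < count && last_rc == 0; i++)
        last_rc = append(targets[i], strlen(targets[i]));
    return g.canary == CANARY_OK;
}

/* Two chained targets overrun the buffer: canary corrupted, no error. */
int demo_unchecked(void)
{
    const char *t[] = { big_a, big_b };
    return resolve_chain(append_unchecked, t, 2);
}

/* Hunk ordering: the second reply is rejected, but its strcat has already
 * put "/" and the NUL at offsets 2047 and 2048, one byte into the canary. */
int demo_as_patched_edge(void)
{
    const char *t[] = { edge, "x" };
    return resolve_chain(append_as_patched, t, 2);
}

/* Check-before-write: second reply rejected, nothing written past 2047. */
int demo_checked(void)
{
    const char *t[] = { big_a, big_b };
    return resolve_chain(append_checked, t, 2);
}
```

The edge case is the one worth keeping in a regression test: a reply that leaves the path at exactly 2047 bytes is accepted by the hunk's check, and the following reply is rejected only after strcat has already written past the end of the buffer.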