[PATCH] net: lwip: nfs: fix buffer overflow when using symlinks
Jerome Forissier
jerome.forissier at arm.com
Mon Mar 23 08:42:01 CET 2026
On 18/03/2026 12:39, Pranav Tilak wrote:
> When resolving a symlink, nfs_path points into a heap allocated buffer
> which is just large enough to hold the original path with no extra
> space. If the symlink target name is longer than the original
> filename, the write goes beyond the end of the buffer corrupting
> heap memory.
>
> Fix this by ensuring nfs_path always points to a buffer large enough
> to accommodate the resolved symlink path.
>
> Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP")
> Signed-off-by: Pranav Tilak <pranav.vinaytilak at amd.com>
> ---
> net/lwip/nfs.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c
> index c3b819a091e..b2e8fb3382d 100644
> --- a/net/lwip/nfs.c
> +++ b/net/lwip/nfs.c
> @@ -114,8 +114,11 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname,
> if (!netif)
> return -1;
>
> - nfs_filename = nfs_basename(fname);
> - nfs_path = nfs_dirname(fname);
> + nfs_path = nfs_path_buff;
This assignment is not needed.
> + strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff));
> +
> + nfs_filename = nfs_basename(nfs_path_buff);
> + nfs_path = nfs_dirname(nfs_path_buff);
>
> printf("Using %s device\n", udev->name);
>
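Review bot: the return value of the added `strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff));` is never checked, so an fname that does not fit in nfs_path_buff is silently truncated and the request goes ahead with a different path than the one the caller passed. Consider failing early when the result is `>= sizeof(nfs_path_buff)`, returning -1 as the `if (!netif)` check just above does. The declaration and size of nfs_path_buff are not part of this hunk, and neither is the code that writes the symlink target, so it is worth confirming in the full patch that the buffer is sized for the longest resolved path and that the symlink write is bounded by the space remaining behind the pointer that `nfs_dirname(nfs_path_buff)` returns.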
Other than that LGTM.
Acked-by: Jerome Forissier <jerome.forissier at arm.com>
Thanks,
--
Jerome