[PATCH v2] net: lwip: nfs: fix buffer overflow when using symlinks

[Pranav Tilak]

When resolving a symlink, nfs_path points into a heap allocated buffer
which is just large enough to hold the original path with no extra
space. If the symlink target name is longer than the original
filename, the write goes beyond the end of the buffer corrupting
heap memory.

Fix this by ensuring nfs_path always points to a buffer large enough
to accommodate the resolved symlink path.

Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP")
Signed-off-by: Pranav Tilak <pranav.vinaytilak at amd.com>
Acked-by: Jerome Forissier <jerome.forissier at arm.com>
---
Changes in v2:
- Remove redundant nfs_path assignment.

 net/lwip/nfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c
index c3b819a091e..9e6b801e465 100644
--- a/net/lwip/nfs.c
+++ b/net/lwip/nfs.c
@@ -114,8 +114,10 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname,
 	if (!netif)
 		return -1;
 
-	nfs_filename = nfs_basename(fname);
-	nfs_path     = nfs_dirname(fname);
+	strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff));
+
+	nfs_filename = nfs_basename(nfs_path_buff);
+	nfs_path     = nfs_dirname(nfs_path_buff);
 
 	printf("Using %s device\n", udev->name);
 
-- 
2.34.1