diff options
| author | Sebastian Josue Alba Vives <[email protected]> | 2026-04-09 10:44:40 -0600 |
|---|---|---|
| committer | Jerome Forissier <[email protected]> | 2026-05-06 11:07:22 +0200 |
| commit | d6694018eaddefac6aae974f9cec72fd6e58f1bc (patch) | |
| tree | 0500654e96a10116e980fad4894ac17326800b10 | |
| parent | e86d1c0b883e1be99f416089012af36219158c08 (diff) | |
net: nfs: fix buffer overflow in nfs_readlink_reply()
nfs_readlink_reply() validates rlen only against the incoming packet
length (inherited from CVE-2019-14195), but not against the destination
buffer nfs_path_buff[2048]. A malicious NFS server can send a valid
READLINK reply where pathlen + rlen exceeds sizeof(nfs_path_buff),
overflowing the BSS buffer into adjacent memory.
The recent fix in fd6e3d34097f addressed the same overflow class in
net/lwip/nfs.c but left the legacy path in net/nfs-common.c unpatched.
Add bounds checks before both memcpy calls in nfs_readlink_reply():
- relative path branch: reject if pathlen + rlen >= sizeof(nfs_path_buff)
- absolute path branch: reject if rlen >= sizeof(nfs_path_buff)
Fixes: cf3a4f1e86 ("net: nfs: Fix CVE-2019-14195")
Cc: [email protected]
Signed-off-by: Sebastian Alba Vives <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
| -rw-r--r-- | net/nfs-common.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/nfs-common.c b/net/nfs-common.c index 4fbde67a760..72d8fd823e3 100644 --- a/net/nfs-common.c +++ b/net/nfs-common.c @@ -674,11 +674,15 @@ static int nfs_readlink_reply(uchar *pkt, unsigned int len) strcat(nfs_path, "/"); pathlen = strlen(nfs_path); + if (pathlen + rlen >= sizeof(nfs_path_buff)) + return -NFS_RPC_DROP; memcpy(nfs_path + pathlen, (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset], rlen); nfs_path[pathlen + rlen] = 0; } else { + if (rlen >= sizeof(nfs_path_buff)) + return -NFS_RPC_DROP; memcpy(nfs_path, (uchar *)&rpc_pkt.u.reply.data[2 + nfsv3_data_offset], rlen); |