| author | Pranav Tilak <[email protected]> | 2026-03-23 15:14:14 +0530 |
|---|---|---|
| committer | Jerome Forissier <[email protected]> | 2026-03-31 16:43:28 +0200 |
| commit | fd6e3d34097f9fbe268aa56a50fecc013f4d07a3 | |
| tree | 6612cf003a59ae26dee5fe2dc4ea56a7fb04980b | |
| parent | 078e2663e44ae36a66d4f4cd9b6506689e328633 | |
net: lwip: nfs: fix buffer overflow when using symlinks

When resolving a symlink, nfs_path points into a heap allocated buffer
which is just large enough to hold the original path with no extra
space. If the symlink target name is longer than the original
filename, the write goes beyond the end of the buffer corrupting
heap memory.

Fix this by ensuring nfs_path always points to a buffer large enough
to accommodate the resolved symlink path.

Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP")
Signed-off-by: Pranav Tilak <[email protected]>
Acked-by: Jerome Forissier <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>

| -rw-r--r-- | net/lwip/nfs.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c index c3b819a091e..9e6b801e465 100644 --- a/net/lwip/nfs.c +++ b/net/lwip/nfs.c @@ -114,8 +114,10 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname, if (!netif) return -1; - nfs_filename = nfs_basename(fname); - nfs_path = nfs_dirname(fname); + strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff)); + + nfs_filename = nfs_basename(nfs_path_buff); + nfs_path = nfs_dirname(nfs_path_buff); printf("Using %s device\n", udev->name); |
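
Review bot: the strlcpy() into nfs_path_buff, the first added line in nfs_loop(), ignores its return value, so an fname longer than the buffer is silently truncated and nfs_basename()/nfs_dirname() then work on a shortened path, which would request a different file than the one the caller named. Consider rejecting the input instead, for example `if (strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff)) >= sizeof(nfs_path_buff)) return -1;`, in line with the `return -1` already used for the `!netif` case just above. The hunk also adds no declaration for nfs_path_buff (all 4 insertions in the diffstat are the lines shown here), so neither its size nor the bound applied when the symlink target is written into it is visible in this patch; stating in the commit message how large the buffer is and where the resolved path is length-checked against it would let a reader confirm that the overflow described is actually closed rather than moved to a larger buffer.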
