nfs_readlink_reply() interprets a 32bit value directly received from the
network as length argument to memcpy() without any boundary checking.
Clamp the copy size at the end of the incoming packet.
Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
net/nfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/nfs.c b/net/nfs.c
index 0a3021994a..63573098d7 100644
--- a/net/nfs.c
+++ b/net/nfs.c
@@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
{
uint32_t *data;
char *path;
- int rlen;
+ unsigned int rlen;
int ret;
ret = rpc_check_reply(pkt, 1);
@@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len)
rlen = ntohl(net_read_uint32(data)); /* new path length */
+ rlen = max_t(unsigned int, rlen,
+ len - sizeof(struct rpc_reply) - sizeof(uint32_t));
+
data++;
path = (char *)data;
--
2.23.0
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
