nfs_readlink_reply() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet. Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> --- net/nfs.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/nfs.c b/net/nfs.c index 0a3021994a..63573098d7 100644 --- a/net/nfs.c +++ b/net/nfs.c @@ -502,7 +502,7 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len) { uint32_t *data; char *path; - int rlen; + unsigned int rlen; int ret; ret = rpc_check_reply(pkt, 1); @@ -515,6 +515,9 @@ static int nfs_readlink_reply(unsigned char *pkt, unsigned len) rlen = ntohl(net_read_uint32(data)); /* new path length */ + rlen = max_t(unsigned int, rlen, + len - sizeof(struct rpc_reply) - sizeof(uint32_t)); + data++; path = (char *)data; -- 2.23.0 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox