nfs_readlink_req() interprets a 32bit value directly received from the network as length argument to memcpy() without any boundary checking. Clamp the copy size at the end of the incoming packet. Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> --- fs/nfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/nfs.c b/fs/nfs.c index d606ccd1e9..0ad07aa3f2 100644 --- a/fs/nfs.c +++ b/fs/nfs.c @@ -1023,6 +1023,10 @@ static int nfs_readlink_req(struct nfs_priv *npriv, struct nfs_fh *fh, p = nfs_read_post_op_attr(p, NULL); len = ntoh32(net_read_uint32(p)); /* new path length */ + + len = max_t(unsigned int, len, + nfs_packet->len - sizeof(struct rpc_reply) - sizeof(uint32_t)); + p++; *target = xzalloc(len + 1); -- 2.23.0 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox