From: Pranav Tilak <pranav.vinaytilak@amd.com>
Date: Mon, 23 Mar 2026 09:44:14 +0000 (+0530)
Subject: net: lwip: nfs: fix buffer overflow when using symlinks
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd6e3d34097f9fbe268aa56a50fecc013f4d07a3;p=thirdparty%2Fu-boot.git

net: lwip: nfs: fix buffer overflow when using symlinks

When resolving a symlink, nfs_path points into a heap allocated buffer
which is just large enough to hold the original path with no extra
space. If the symlink target name is longer than the original
filename, the write goes beyond the end of the buffer corrupting
heap memory.

Fix this by ensuring nfs_path always points to a buffer large enough
to accommodate the resolved symlink path.

Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP")
Signed-off-by: Pranav Tilak <pranav.vinaytilak@amd.com>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
---

diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c
index c3b819a091e..9e6b801e465 100644
--- a/net/lwip/nfs.c
+++ b/net/lwip/nfs.c
@@ -114,8 +114,10 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname,
 	if (!netif)
 		return -1;
 
-	nfs_filename = nfs_basename(fname);
-	nfs_path     = nfs_dirname(fname);
+	strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff));
+
+	nfs_filename = nfs_basename(nfs_path_buff);
+	nfs_path     = nfs_dirname(nfs_path_buff);
 
 	printf("Using %s device\n", udev->name);