net: lwip: nfs: fix buffer overflow when using symlinks

When resolving a symlink, nfs_path points into a heap allocated buffer
which is just large enough to hold the original path with no extra
space. If the symlink target name is longer than the original
filename, the write goes beyond the end of the buffer corrupting
heap memory.

Fix this by ensuring nfs_path always points to a buffer large enough
to accommodate the resolved symlink path.

Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP")
Signed-off-by: Pranav Tilak <pranav.vinaytilak@amd.com>
Acked-by: Jerome Forissier <jerome.forissier@arm.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c
index c3b819a091eccacc1789b16c3c5dfafa8a52c753..9e6b801e465d230ff7a2ac8d5333acb99e73ea34 100644 (file)
--- a/net/lwip/nfs.c
+++ b/net/lwip/nfs.c
@@ -114,8 +114,10 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname,
        if (!netif)
                return -1;
 
-       nfs_filename = nfs_basename(fname);
-       nfs_path     = nfs_dirname(fname);
+       strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff));
+
+       nfs_filename = nfs_basename(nfs_path_buff);
+       nfs_path     = nfs_dirname(nfs_path_buff);
 
        printf("Using %s device\n", udev->name);