From: Theodore Riera Date: Thu, 4 Jun 2026 11:15:12 +0000 (+0100) Subject: [nfs] Fix off-by-one heap overflow in nfs_uri_symlink() X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1661%2Fhead;p=thirdparty%2Fipxe.git [nfs] Fix off-by-one heap overflow in nfs_uri_symlink() The length calculations in nfs_uri_symlink() omitted space for the NUL terminator, causing strcpy() to write one byte past the heap allocation. Signed-off-by: Theodore Riera
---
diff --git a/src/net/oncrpc/nfs_uri.c b/src/net/oncrpc/nfs_uri.c
index b97fb91f9..132329566 100644
--- a/src/net/oncrpc/nfs_uri.c
+++ b/src/net/oncrpc/nfs_uri.c
@@ -97,7 +97,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
 return -EINVAL;
 len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
- strlen ( uri->mountpoint );
+ strlen ( uri->mountpoint ) + 1;
 if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
 return -ENOMEM;
@@ -105,7 +105,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
 strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
 } else {
- len = strlen ( uri->lookup_pos ) + strlen ( symlink );
+ len = strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1;
 if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
 return -ENOMEM;
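Review bot: The corrected `len` fixes the allocation, but the writes into `new_path` remain unbounded `strcpy()` calls (the second one is visible as the first context line of the following hunk, `strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );`), which is exactly how the size computation and the copies drifted apart; a single bounded write keeps them tied to `len`: `snprintf ( new_path, len, "%s%s", symlink + strlen ( uri->mountpoint ), uri->lookup_pos );`. The `else` branch changed in the second hunk has the same shape and would benefit from the same treatment, though its copies lie past the end of this page. The `- strlen ( uri->mountpoint )` term is only sound if `symlink` is already known to start with `uri->mountpoint`, presumably enforced by the condition guarding the `return -EINVAL` at the top of the hunk; that precondition deserves a comment on the `len` line, e.g. `/* symlink is prefixed by mountpoint (checked above); +1 for the NUL strcpy() writes */`. nfs_uri_symlink() begins before and ends after this hunk.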