From ce6ad2be0272df2e0188edcb8c3ed35f41103f8c Mon Sep 17 00:00:00 2001
From: Theodore Riera
Date: Thu, 4 Jun 2026 12:15:12 +0100
Subject: [PATCH] [nfs] Fix off-by-one heap overflow in nfs_uri_symlink()

The length calculations in nfs_uri_symlink() omitted space for the NUL terminator, causing strcpy() to write one byte past the heap allocation.

Signed-off-by: Theodore Riera
---
 src/net/oncrpc/nfs_uri.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/net/oncrpc/nfs_uri.c b/src/net/oncrpc/nfs_uri.c
index b97fb91f9..132329566 100644
--- a/src/net/oncrpc/nfs_uri.c
+++ b/src/net/oncrpc/nfs_uri.c
@@ -97,7 +97,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
 return -EINVAL;
 len = strlen ( uri->lookup_pos ) + strlen ( symlink ) - \
- strlen ( uri->mountpoint );
+ strlen ( uri->mountpoint ) + 1;
 if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
 return -ENOMEM;
@@ -105,7 +105,7 @@ int nfs_uri_symlink ( struct nfs_uri *uri, const char *symlink ) {
 strcpy ( new_path + strlen ( new_path ), uri->lookup_pos );
 } else {
- len = strlen ( uri->lookup_pos ) + strlen ( symlink );
+ len = strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1;
 if ( ! ( new_path = malloc ( len * sizeof ( char ) ) ) )
 return -ENOMEM;
-- 
2.47.3
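Review bot: The corrected length in the first hunk, `strlen ( uri->lookup_pos ) + strlen ( symlink ) - strlen ( uri->mountpoint ) + 1`, is only right when `symlink` actually begins with `uri->mountpoint`; otherwise the subtraction underflows (a huge `malloc` if `len` is unsigned, a negative size if it is not — the declaration is outside the hunk) and the copy from `symlink + strlen ( uri->mountpoint )` that presumably follows would read past the end of `symlink`. The `return -EINVAL;` at the top of the hunk is presumably the prefix check that establishes this, but its condition is not visible here, so the invariant the arithmetic relies on should be written next to it, e.g. `/* symlink is absolute and starts with mountpoint (checked above); +1 for the NUL */`. `len * sizeof ( char )` is simply `len` and could be `malloc ( len )`. nfs_uri_symlink() begins before and ends after this hunk.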
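Review bot: In the second hunk the allocation is now exactly `strlen ( uri->lookup_pos ) + strlen ( symlink ) + 1`, but the data is still written by unbounded `strcpy ( )` calls whose combined length must be recomputed by hand against `len` on every edit — the same implicit coupling that produced the overflow being fixed. Binding the write to the allocation makes a future mismatch a truncation rather than a heap overwrite: replace the two `strcpy ( )` calls in the `else` branch (the second is visible as this hunk's first context line, the first is presumably just outside it) with `snprintf ( new_path, len, "%s%s", symlink, uri->lookup_pos );`. The same substitution applies to the absolute-symlink branch in the first hunk, with `symlink + strlen ( uri->mountpoint )` as the first argument. The function continues outside this hunk.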