[PATCH 0/2] nfs: protect against corrupt packets and userdata

[PATCH 0/2] nfs: protect against corrupt packets and userdata

[Sascha Hauer]

One patch protecting against a too long mount path and one against
truncated packets.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (2):
      fs: nfs: fix stack and packet buffer overflows from long NFS paths
      fs: nfs: fix NULL dereference in nfs_read_req on truncated packets

 fs/nfs.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
---
base-commit: 0933e8f2ebf0d91dfcf177a4e4292b02921a53f1
change-id: 20260402-net-nfs-buffer-overflows-48255656eefe

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>

[PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths

[Sascha Hauer]

nfs_mount_req() and nfs_umount_req() copy the NFS mount path into a
stack-allocated uint32_t data[1024] buffer (4096 bytes) with only ~40
bytes of RPC header overhead. A mount path longer than ~4056 characters
overflows the stack array.

Additionally, rpc_req() copies the data array into the PKTSIZE (1536)
packet buffer with only 1494 bytes available for UDP payload. After the
28-byte RPC call header, paths longer than ~1424 characters overflow
the packet buffer.

Fix by:
- Adding a path length check in nfs_mount_req() and nfs_umount_req()
  against the stack buffer capacity before constructing the request
- Adding a payload size check in rpc_req() before the memcpy to the
  packet buffer, protecting all RPC callers from overflows

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/nfs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index 0b40c56ff3..edc15e0ce6 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -534,6 +534,13 @@ static struct packet *rpc_req(struct nfs_priv *npriv, int rpc_prog,
 		pkt.vers = hton32(3);
 	}
 
+	if (sizeof(pkt) + datalen * sizeof(uint32_t) >
+	    PKTSIZE - ETHER_HDR_SIZE - sizeof(struct iphdr) - sizeof(struct udphdr)) {
+		dev_err(dev, "RPC request too large (%zu bytes)\n",
+			sizeof(pkt) + datalen * sizeof(uint32_t));
+		return ERR_PTR(-EMSGSIZE);
+	}
+
 	memcpy(payload, &pkt, sizeof(pkt));
 	memcpy(payload + sizeof(pkt), data, datalen * sizeof(uint32_t));
 
@@ -786,6 +793,11 @@ static int nfs_mount_req(struct nfs_priv *npriv)
 
 	pathlen = strlen(npriv->path);
 
+	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) {
+		dev_err(dev, "path too long (%d bytes)\n", pathlen);
+		return -ENAMETOOLONG;
+	}
+
 	dev_dbg(dev, "%s: %s\n", __func__, npriv->path);
 
 	p = &(data[0]);
@@ -862,6 +874,8 @@ static void nfs_umount_req(struct nfs_priv *npriv)
 	struct packet *nfs_packet;
 
 	pathlen = strlen(npriv->path);
+	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t))
+		return;
 
 	p = &(data[0]);
 	p = rpc_add_credentials(p);

-- 
2.47.3

[PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets

[Sascha Hauer]

nfs_read_req() reads the data length (rlen) from the server's READ3res
response and uses it to extract the payload via nfs_packet_read(). If a
malicious server sends an rlen larger than the remaining packet data,
nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL
source pointer causes a NULL pointer dereference.

Add a NULL check after nfs_packet_read() to catch truncated responses.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 fs/nfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index edc15e0ce6..d42ef6bc86 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
 	}
 
 	p = nfs_packet_read(nfs_packet, rlen);
+	if (!p) {
+		ret = -EINVAL;
+		goto err_free_packet;
+	}
 
 	kfifo_put(priv->fifo, (char *)p, rlen);
 

-- 
2.47.3

Re: [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets

[Sascha Hauer]

On Thu, Apr 02, 2026 at 09:55:24AM +0200, Sascha Hauer wrote:
> nfs_read_req() reads the data length (rlen) from the server's READ3res
> response and uses it to extract the payload via nfs_packet_read(). If a
> malicious server sends an rlen larger than the remaining packet data,
> nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL
> source pointer causes a NULL pointer dereference.
> 
> Add a NULL check after nfs_packet_read() to catch truncated responses.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Fixes: 5be38817bc77 ("fs: nfs: do not read past packets")

Sascha

> ---
>  fs/nfs.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/fs/nfs.c b/fs/nfs.c
> index edc15e0ce6..d42ef6bc86 100644
> --- a/fs/nfs.c
> +++ b/fs/nfs.c
> @@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
>  	}
>  
>  	p = nfs_packet_read(nfs_packet, rlen);
> +	if (!p) {
> +		ret = -EINVAL;
> +		goto err_free_packet;
> +	}
>  
>  	kfifo_put(priv->fifo, (char *)p, rlen);
>  
> 
> -- 
> 2.47.3
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Re: [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths

[Ahmad Fatoum]

On 4/2/26 9:55 AM, Sascha Hauer wrote:
> nfs_mount_req() and nfs_umount_req() copy the NFS mount path into a
> stack-allocated uint32_t data[1024] buffer (4096 bytes) with only ~40
> bytes of RPC header overhead. A mount path longer than ~4056 characters
> overflows the stack array.
> 
> Additionally, rpc_req() copies the data array into the PKTSIZE (1536)
> packet buffer with only 1494 bytes available for UDP payload. After the
> 28-byte RPC call header, paths longer than ~1424 characters overflow
> the packet buffer.
> 
> Fix by:
> - Adding a path length check in nfs_mount_req() and nfs_umount_req()
>   against the stack buffer capacity before constructing the request
> - Adding a payload size check in rpc_req() before the memcpy to the
>   packet buffer, protecting all RPC callers from overflows
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Acked-by: Ahmad Fatoum <a.fatoum@pengutronix.de>

I haven't checked if 11 * sizeof(uint32_t) are the correct cutoff, but
looks good to me otherwise.

> ---
>  fs/nfs.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/fs/nfs.c b/fs/nfs.c
> index 0b40c56ff3..edc15e0ce6 100644
> --- a/fs/nfs.c
> +++ b/fs/nfs.c
> @@ -534,6 +534,13 @@ static struct packet *rpc_req(struct nfs_priv *npriv, int rpc_prog,
>  		pkt.vers = hton32(3);
>  	}
>  
> +	if (sizeof(pkt) + datalen * sizeof(uint32_t) >
> +	    PKTSIZE - ETHER_HDR_SIZE - sizeof(struct iphdr) - sizeof(struct udphdr)) {
> +		dev_err(dev, "RPC request too large (%zu bytes)\n",
> +			sizeof(pkt) + datalen * sizeof(uint32_t));
> +		return ERR_PTR(-EMSGSIZE);
> +	}
> +
>  	memcpy(payload, &pkt, sizeof(pkt));
>  	memcpy(payload + sizeof(pkt), data, datalen * sizeof(uint32_t));
>  
> @@ -786,6 +793,11 @@ static int nfs_mount_req(struct nfs_priv *npriv)
>  
>  	pathlen = strlen(npriv->path);
>  
> +	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) {
> +		dev_err(dev, "path too long (%d bytes)\n", pathlen);
> +		return -ENAMETOOLONG;
> +	}
> +
>  	dev_dbg(dev, "%s: %s\n", __func__, npriv->path);
>  
>  	p = &(data[0]);
> @@ -862,6 +874,8 @@ static void nfs_umount_req(struct nfs_priv *npriv)
>  	struct packet *nfs_packet;
>  
>  	pathlen = strlen(npriv->path);
> +	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t))
> +		return;
>  
>  	p = &(data[0]);
>  	p = rpc_add_credentials(p);
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |

Re: [PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets

[Ahmad Fatoum]

On 4/2/26 9:55 AM, Sascha Hauer wrote:
> nfs_read_req() reads the data length (rlen) from the server's READ3res
> response and uses it to extract the payload via nfs_packet_read(). If a
> malicious server sends an rlen larger than the remaining packet data,
> nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL
> source pointer causes a NULL pointer dereference.
> 
> Add a NULL check after nfs_packet_read() to catch truncated responses.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>

> ---
>  fs/nfs.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/fs/nfs.c b/fs/nfs.c
> index edc15e0ce6..d42ef6bc86 100644
> --- a/fs/nfs.c
> +++ b/fs/nfs.c
> @@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
>  	}
>  
>  	p = nfs_packet_read(nfs_packet, rlen);
> +	if (!p) {
> +		ret = -EINVAL;
> +		goto err_free_packet;
> +	}
>  
>  	kfifo_put(priv->fifo, (char *)p, rlen);
>  
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |

Re: [PATCH 0/2] nfs: protect against corrupt packets and userdata

[Sascha Hauer]

On Thu, 02 Apr 2026 09:55:22 +0200, Sascha Hauer wrote:
> One patch protecting against a too long mount path and one against
> truncated packets.
> 
> 

Applied, thanks!

[1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths
      https://git.pengutronix.de/cgit/barebox/commit/?id=e3869dca71af (link may not be stable)
[2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets
      https://git.pengutronix.de/cgit/barebox/commit/?id=f0fa5dda6bbf (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>