Re: [PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths

[Ahmad Fatoum <a.fatoum@pengutronix.de>]

On 4/2/26 9:55 AM, Sascha Hauer wrote:
> nfs_mount_req() and nfs_umount_req() copy the NFS mount path into a
> stack-allocated uint32_t data[1024] buffer (4096 bytes) with only ~40
> bytes of RPC header overhead. A mount path longer than ~4056 characters
> overflows the stack array.
> 
> Additionally, rpc_req() copies the data array into the PKTSIZE (1536)
> packet buffer with only 1494 bytes available for UDP payload. After the
> 28-byte RPC call header, paths longer than ~1424 characters overflow
> the packet buffer.
> 
> Fix by:
> - Adding a path length check in nfs_mount_req() and nfs_umount_req()
>   against the stack buffer capacity before constructing the request
> - Adding a payload size check in rpc_req() before the memcpy to the
>   packet buffer, protecting all RPC callers from overflows
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Acked-by: Ahmad Fatoum <a.fatoum@pengutronix.de>

I haven't checked if 11 * sizeof(uint32_t) are the correct cutoff, but
looks good to me otherwise.

> ---
>  fs/nfs.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/fs/nfs.c b/fs/nfs.c
> index 0b40c56ff3..edc15e0ce6 100644
> --- a/fs/nfs.c
> +++ b/fs/nfs.c
> @@ -534,6 +534,13 @@ static struct packet *rpc_req(struct nfs_priv *npriv, int rpc_prog,
>  		pkt.vers = hton32(3);
>  	}
>  
> +	if (sizeof(pkt) + datalen * sizeof(uint32_t) >
> +	    PKTSIZE - ETHER_HDR_SIZE - sizeof(struct iphdr) - sizeof(struct udphdr)) {
> +		dev_err(dev, "RPC request too large (%zu bytes)\n",
> +			sizeof(pkt) + datalen * sizeof(uint32_t));
> +		return ERR_PTR(-EMSGSIZE);
> +	}
> +
>  	memcpy(payload, &pkt, sizeof(pkt));
>  	memcpy(payload + sizeof(pkt), data, datalen * sizeof(uint32_t));
>  
> @@ -786,6 +793,11 @@ static int nfs_mount_req(struct nfs_priv *npriv)
>  
>  	pathlen = strlen(npriv->path);
>  
> +	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) {
> +		dev_err(dev, "path too long (%d bytes)\n", pathlen);
> +		return -ENAMETOOLONG;
> +	}
> +
>  	dev_dbg(dev, "%s: %s\n", __func__, npriv->path);
>  
>  	p = &(data[0]);
> @@ -862,6 +874,8 @@ static void nfs_umount_req(struct nfs_priv *npriv)
>  	struct packet *nfs_packet;
>  
>  	pathlen = strlen(npriv->path);
> +	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t))
> +		return;
>  
>  	p = &(data[0]);
>  	p = rpc_add_credentials(p);
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |