From fd6e3d34097f9fbe268aa56a50fecc013f4d07a3 Mon Sep 17 00:00:00 2001 From: Pranav Tilak Date: Mon, 23 Mar 2026 15:14:14 +0530 Subject: [PATCH] net: lwip: nfs: fix buffer overflow when using symlinks When resolving a symlink, nfs_path points into a heap allocated buffer which is just large enough to hold the original path with no extra space. If the symlink target name is longer than the original filename, the write goes beyond the end of the buffer corrupting heap memory. Fix this by ensuring nfs_path always points to a buffer large enough to accommodate the resolved symlink path. Fixes: 230cf3bc2776 ("net: lwip: nfs: Port the NFS code to work with lwIP") Signed-off-by: Pranav Tilak Acked-by: Jerome Forissier Reviewed-by: Jerome Forissier --- net/lwip/nfs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/lwip/nfs.c b/net/lwip/nfs.c index c3b819a091e..9e6b801e465 100644 --- a/net/lwip/nfs.c +++ b/net/lwip/nfs.c @@ -114,8 +114,10 @@ static int nfs_loop(struct udevice *udev, ulong addr, char *fname, if (!netif) return -1; - nfs_filename = nfs_basename(fname); - nfs_path = nfs_dirname(fname); + strlcpy(nfs_path_buff, fname, sizeof(nfs_path_buff)); + + nfs_filename = nfs_basename(nfs_path_buff); + nfs_path = nfs_dirname(nfs_path_buff); printf("Using %s device\n", udev->name);