[BUG] Stack buffer overflow WRITE of size 1 in nfs_start function

Sascha Hauer sha at pengutronix.de
Tue May 11 01:58:45 PDT 2021

On Mon, May 10, 2021 at 04:38:51PM +0530, Neeraj Pal wrote:
> Hi Sascha,
> Thank you for the patches.
> I have confirmed it and observed no crashes as reported earlier but I
> think there is a small typo in the nfs_start() function in
> net/nfs.c#L677.
> 672    static int nfs_start(char *p)
> 673    {
> 674        debug("%s\n", __func__);
> 675
> 676        nfs_path = strdup(p);
> 677        if (nfs_path)
> 678            return -ENOMEM;
> 679
> In line 677, if strdup is successful then it is returning ENOMEM so I
> think there is a typo, it is supposed to check for NULL so it would be
> if (!nfs_path) or if (nfs_path == NULL) then it should return ENOMEM.
> Please confirm and also sending a small patch.

Ok, so my patch doesn't resolve the whole issue. I just tried the nfs
command once after a long time now and this really seems to be broken
in other ways as well. I tend to entirely remove the command instead
of further trying to fix it. The normal way to handle nfs should be
to use the NFS filesystem implementation anyway which would be

mount -t nfs $server:/path/to/share /foo

I don't think we have the manpower to maintain two NFS implementations,
so we shouldn't try to.


Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

More information about the barebox mailing list