[PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets
Sascha Hauer
s.hauer at pengutronix.de
Thu Apr 2 00:55:24 PDT 2026
nfs_read_req() reads the data length (rlen) from the server's READ3res
response and uses it to extract the payload via nfs_packet_read(). If a
malicious server sends an rlen larger than the remaining packet data,
nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL
source pointer causes a NULL pointer dereference.
Add a NULL check after nfs_packet_read() to catch truncated responses.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
---
fs/nfs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/nfs.c b/fs/nfs.c
index edc15e0ce6..d42ef6bc86 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
}
p = nfs_packet_read(nfs_packet, rlen);
+ if (!p) {
+ ret = -EINVAL;
+ goto err_free_packet;
+ }
kfifo_put(priv->fifo, (char *)p, rlen);
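Review bot: the new NULL check reports the truncated response as -EINVAL, which elsewhere conventionally means a bad argument from the caller; a short or malformed reply from the server is more usually surfaced as -EPROTO or -EIO, so unless the rest of nfs_read_req() already uses -EINVAL for malformed responses (not visible in this hunk), consider one of those. The `err_free_packet` label and the way `ret` is propagated from it are outside the hunk, so it is worth confirming that the path frees nfs_packet and returns `ret` rather than an earlier value. The check itself is placed correctly: it sits between nfs_packet_read() and the kfifo_put() that would dereference `p`.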
--
2.47.3