[PATCH 1/2] fs: nfs: fix stack and packet buffer overflows from long NFS paths

Sascha Hauer s.hauer at pengutronix.de
Thu Apr 2 00:55:23 PDT 2026 

nfs_mount_req() and nfs_umount_req() copy the NFS mount path into a
stack-allocated uint32_t data[1024] buffer (4096 bytes) with only ~40
bytes of RPC header overhead. A mount path longer than ~4056 characters
overflows the stack array.

Additionally, rpc_req() copies the data array into the PKTSIZE (1536)
packet buffer with only 1494 bytes available for UDP payload. After the
28-byte RPC call header, paths longer than ~1424 characters overflow
the packet buffer.

Fix by:
- Adding a path length check in nfs_mount_req() and nfs_umount_req()
  against the stack buffer capacity before constructing the request
- Adding a payload size check in rpc_req() before the memcpy to the
  packet buffer, protecting all RPC callers from overflows

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
---
 fs/nfs.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/nfs.c b/fs/nfs.c
index 0b40c56ff3..edc15e0ce6 100644
--- a/fs/nfs.c
+++ b/fs/nfs.c
@@ -534,6 +534,13 @@ static struct packet *rpc_req(struct nfs_priv *npriv, int rpc_prog,
 		pkt.vers = hton32(3);
 	}
 
+	if (sizeof(pkt) + datalen * sizeof(uint32_t) >
+	    PKTSIZE - ETHER_HDR_SIZE - sizeof(struct iphdr) - sizeof(struct udphdr)) {
+		dev_err(dev, "RPC request too large (%zu bytes)\n",
+			sizeof(pkt) + datalen * sizeof(uint32_t));
+		return ERR_PTR(-EMSGSIZE);
+	}
+
 	memcpy(payload, &pkt, sizeof(pkt));
 	memcpy(payload + sizeof(pkt), data, datalen * sizeof(uint32_t));
 
@@ -786,6 +793,11 @@ static int nfs_mount_req(struct nfs_priv *npriv)
 
 	pathlen = strlen(npriv->path);
 
+	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t)) {
+		dev_err(dev, "path too long (%d bytes)\n", pathlen);
+		return -ENAMETOOLONG;
+	}
+
 	dev_dbg(dev, "%s: %s\n", __func__, npriv->path);
 
 	p = &(data[0]);
@@ -862,6 +874,8 @@ static void nfs_umount_req(struct nfs_priv *npriv)
 	struct packet *nfs_packet;
 
 	pathlen = strlen(npriv->path);
+	if (pathlen > sizeof(data) - 11 * sizeof(uint32_t))
+		return;
 
 	p = &(data[0]);
 	p = rpc_add_credentials(p);

-- 
2.47.3

More information about the barebox mailing list