[PATCH 2/2] fs: nfs: fix NULL dereference in nfs_read_req on truncated packets
Ahmad Fatoum
a.fatoum at pengutronix.de
Fri Apr 17 02:12:22 PDT 2026
On 4/2/26 9:55 AM, Sascha Hauer wrote:
> nfs_read_req() reads the data length (rlen) from the server's READ3res
> response and uses it to extract the payload via nfs_packet_read(). If a
> malicious server sends an rlen larger than the remaining packet data,
> nfs_packet_read() returns NULL. The subsequent kfifo_put() with a NULL
> source pointer causes a NULL pointer dereference.
>
> Add a NULL check after nfs_packet_read() to catch truncated responses.
>
> Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
> ---
> fs/nfs.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/nfs.c b/fs/nfs.c
> index edc15e0ce6..d42ef6bc86 100644
> --- a/fs/nfs.c
> +++ b/fs/nfs.c
> @@ -1194,6 +1194,10 @@ static int nfs_read_req(struct file_priv *priv, uint64_t offset,
> }
>
> p = nfs_packet_read(nfs_packet, rlen);
> + if (!p) {
> + ret = -EINVAL;
> + goto err_free_packet;
> + }
>
> kfifo_put(priv->fifo, (char *)p, rlen);
>
>
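Review bot: The new `if (!p)` check after `p = nfs_packet_read(nfs_packet, rlen);` jumps to `err_free_packet`, a label that lies outside the hunk's context, so it is worth confirming that this label frees `nfs_packet` and nothing else that would be unowned at this point (per the visible lines nothing is acquired between `nfs_packet_read()` and the `kfifo_put()`). The rationale from the commit message, that `rlen` came from the server and may exceed the remaining packet data, is not visible in the code; a one-line comment above the check, e.g. `/* rlen exceeds the remaining packet data: truncated or malicious reply */`, and a debug-level message in the branch would make a misbehaving server diagnosable rather than a silent read failure. Consider whether `-EIO` fits better than `-EINVAL` here, since the fault is in the received data rather than in a caller-supplied argument, if that matches how the surrounding code reports other malformed replies.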
--
Pengutronix e.K. | http://www.pengutronix.de/
Steuerwalder Str. 21, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Fax: +49-5121-206917-5555
Amtsgericht Hildesheim, HRA 2686