ASA-2018-00023 – Apple XNU: Buffer overflows in macOS NFS client

This alert addresses only two of the several vulnerabilities fixed by Apple. The first is in the macro nfsm_chain_get_fh() and the second is in the macro nfsm_chain_get_opaque(). nfsm_chain_get_fh() does not take the length of the message into account before copying its contents into a dynamically allocated buffer, so a length larger than the buffer overflows it. nfsm_chain_get_opaque() has an integer overflow: it calls the nfsm_rndup() macro to round 'LEN' up to the next multiple of 4, and because nfsm_rndup() performs no overflow check, a sufficiently large 'LEN' makes the rounded result wrap around.
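As an added illustration of the second issue (not code from the advisory or from XNU): the round-up-to-4 arithmetic is reconstructed here as `(len + 3) & ~3` on a 32-bit unsigned length, which is an assumption about how nfsm_rndup() behaves, placed beside a checked variant that refuses lengths whose padded size would wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed reconstruction of a nfsm_rndup()-style macro: round a 32-bit
 * length up to the next multiple of 4 with no overflow check. */
#define rndup4_unchecked(a) (((uint32_t)(a) + 3u) & ~(uint32_t)3u)

/* Hardened form: fail instead of wrapping when len + 3 does not fit. */
static bool rndup4_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3u) {
        return false;
    }
    *out = (len + 3u) & ~(uint32_t)3u;
    return true;
}

/* True when rounding produced a value smaller than its input,
 * i.e. the unchecked arithmetic wrapped around. */
static bool rndup4_wrapped(uint32_t len)
{
    return rndup4_unchecked(len) < len;
}

/* A "does the padded field fit in the remaining bytes" test as a parser
 * might apply it. The unchecked version accepts a wrapped (tiny) size for
 * a huge len; the checked version rejects it. */
static bool opaque_fits_unchecked(uint32_t len, uint32_t remaining)
{
    return rndup4_unchecked(len) <= remaining;
}

static bool opaque_fits_checked(uint32_t len, uint32_t remaining)
{
    uint32_t padded;
    return rndup4_checked(len, &padded) && padded <= remaining;
}

int main(void)
{
    /* Constructed sample lengths, including values near UINT32_MAX. */
    const uint32_t lens[] = { 0, 1, 5, 0xFFFFFFFCu, 0xFFFFFFFDu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%#010x rounded=%#010x wrapped=%d fits64(unchecked=%d checked=%d)\n",
               lens[i], rndup4_unchecked(lens[i]), rndup4_wrapped(lens[i]),
               opaque_fits_unchecked(lens[i], 64), opaque_fits_checked(lens[i], 64));
    }
    return 0;
}
```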