ASA-2019-00485 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

The problem exists in the NFSv3 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length are fully controlled by the attacker and never validated.

ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

The problem exists in the NFSv2 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length are fully controlled by the attacker and never validated.

ASA-2018-00023 – Apple XNU: Buffer overflows in macOS NFS client

This alert addresses only two of the several vulnerabilities fixed by Apple. The first is in the macro nfsm_chain_get_fh() and the second is in the macro nfsm_chain_get_opaque(). The macro nfsm_chain_get_fh() doesn't take the length of the message into account before copying its contents to a dynamically allocated buffer. The macro nfsm_chain_get_opaque() has an integer overflow: it calls the nfsm_rndup() macro to round 'LEN' up to the next multiple of 4, and because nothing checks for overflow, the rounded result can wrap around.
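The round-up flaw described for nfsm_chain_get_opaque() can be seen in a small C sketch, added here as an illustration and not taken from the XNU source. The function names, the 32-bit length type and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a round-up-to-4 helper (32-bit width assumed). */
static uint32_t rndup4_unchecked(uint32_t len)
{
    return (len + 3u) & ~3u;            /* wraps when len > UINT32_MAX - 3 */
}

/* Returns 0 and stores the padded length, or -1 if rounding would wrap. */
static int rndup4_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - 3u)
        return -1;
    *out = (len + 3u) & ~3u;
    return 0;
}

/* Flawed bounds check: trusts the padded length even if it wrapped to 0. */
static int fits_unchecked(uint32_t len, size_t remaining)
{
    return rndup4_unchecked(len) <= remaining;
}

/* Hardened check: reject the wrap first, then compare the padded length. */
static int fits_checked(uint32_t len, size_t remaining)
{
    uint32_t padded;

    if (rndup4_checked(len, &padded) != 0)
        return 0;
    return padded <= remaining;
}

int main(void)
{
    /* Constructed sample lengths, not values from the advisory. */
    uint32_t lens[] = { 5u, 64u, 0xFFFFFFFDu };
    size_t remaining = 64;              /* bytes left in the message */

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%#x padded=%#x unchecked=%d checked=%d\n",
               (unsigned)lens[i], (unsigned)rndup4_unchecked(lens[i]),
               fits_unchecked(lens[i], remaining),
               fits_checked(lens[i], remaining));
    return 0;
}
```

The last sample length passes the unchecked test because its padded value wraps to zero, while the original length would still be used for the copy; the checked variant rejects it.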