Tag: NFS

ASA-2019-00485 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

Posted on by Allele Security Intelligence in Alerts

The problem exists in the NFSv3 case in the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.

ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()

Posted on by Allele Security Intelligence in Alerts

The problem exists in the NFSv2 case if the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and length is fully controlled by the attacker and never validated.

ASA-2018-00023 – Apple XNU: Buffer overflows in macOS NFS client

Posted on by Allele Security Intelligence in Alerts

This alert addresses only two among several vulnerabilities fixed by Apple. The first one is in the macro nfsm_chain_get_fh() and the second is in the macro nfsm_chain_get_opaque(). The macro nfsm_chain_get_fh() doesn't take the length of the message into account and then copies its contents to a buffer dynamically allocated. The macro nfsm_chain_get_opaque() has an integer overflow. This macro calls nfsm_rndup() macro to round 'LEN' up to the next multiple of 4. This allows the result to be overflowed because it doesn't check against overflows.