The problem exists in the NFSv3 case of the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and its length are fully controlled by the attacker and never validated.
Tag: NFS
ASA-2019-00484 – Das U-Boot: Read out-of-bound data at nfs_read_reply()
There is a read of out-of-bounds data at nfs_read_reply().
ASA-2019-00483 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_lookup_reply()
This problem exists in the nfs_lookup_reply() function, which again parses an NFS reply coming from the network. It reads 4 bytes and uses them as the length for a memcpy in two different locations.
ASA-2019-00482 – Das U-Boot: Unbounded memcpy with an unvalidated length at nfs_readlink_reply()
There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply(), in the else block after calculating the new path length.
ASA-2019-00481 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_read_reply()/store_block()
The problem exists in the NFSv2 case of the function nfs_read_reply() when reading a file and storing it into another medium (flash or physical memory) for later processing. The data and its length are fully controlled by the attacker and never validated.
ASA-2019-00480 – Das U-Boot: Unbounded memcpy with an unvalidated length at nfs_readlink_reply()
There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply(), in the if block after calculating the new path length.
ASA-2018-00023 – Apple XNU: Buffer overflows in macOS NFS client
This alert addresses only two among several vulnerabilities fixed by Apple. The first one is in the macro nfsm_chain_get_fh() and the second is in the macro nfsm_chain_get_opaque(). The macro nfsm_chain_get_fh() doesn't take the length of the message into account and then copies its contents to a dynamically allocated buffer. The macro nfsm_chain_get_opaque() has an integer overflow: it calls the nfsm_rndup() macro to round 'LEN' up to the next multiple of 4, and because no overflow check is performed, the rounded result can wrap around.