There is a stack-based buffer overflow in the nfs_handler reply helper function: nfs_lookup_reply().
Tag: nfs_lookup_reply()
ASA-2019-00483 – Das U-Boot: Unbounded memcpy with a failed length check at nfs_lookup_reply()
This problem exists in the nfs_lookup_reply() function that again parses an nfs reply coming from the network. It parses 4 bytes and uses them as length for a memcpy in two different locations.