Hi,

I'm Daniel. I found two vulnerabilities that could get triggered through the nfs driver, in the functions:

1. nfs_readlink_reply
2. nfs_lookup_reply

https://github.com/u-boot/u-boot/commit/cf3a4f1e86ecdd24f87b615051b49d8e1968c230
https://github.com/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078

In the commits you can see the two functions have an integer overflow in the bound check before the memcpy. Since rlen is a signed int and controlled by an attacker, he can set rlen to a negative number and bypass the check:

    if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)

I also created a PoC triggering both of the vulnerabilities from a malicious remote server, leading to a crash in u-boot. Tested on the latest commit on the master branch: 72f72fa

This is my first vulnerability report, so if I missed any additional information please let me know.

Best regards,
Daniel S. Cohen
LinkedIn <https://www.linkedin.com/in/unknownd4/> | GitHub <https://github.com/UnknownD4>
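The following is an added example illustrating the report's point; it is not code from the report, the PoC, or U-Boot itself. It models the bound check with a constructed `struct rpc_reply` layout (header plus `data[]` array, sizes chosen for the example) and shows why a negative signed `rlen` slips past the original comparison and what the resulting `memcpy` length becomes, next to a hardened check that rejects negative lengths and bounds the copy against both the received packet length and the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the RPC reply layout; not U-Boot's real struct.
 * A fixed-size header is followed by the variable data[] array. */
#define HDR_SIZE 32
#define DATA_CAP 256

struct rpc_reply {
    unsigned char hdr[HDR_SIZE];
    unsigned char data[DATA_CAP];
};

/* Offset of data[] from the start of the packet, as the pointer
 * subtraction in the original check computes it. */
static size_t data_offset(const struct rpc_reply *pkt)
{
    return (size_t)((const unsigned char *)&pkt->data[0] -
                    (const unsigned char *)pkt);
}

/* Shape of the original check: rlen is a signed int taken from the packet.
 * Returns 1 when the check lets the copy proceed, 0 when it rejects it. */
static int vulnerable_check(const struct rpc_reply *pkt, int rlen, int len)
{
    return !(((const unsigned char *)&pkt->data[0] -
              (const unsigned char *)pkt + rlen) > len);
}

/* Length memcpy would actually receive when rlen is passed as size_t:
 * a negative int converts to a huge unsigned value. */
static size_t memcpy_length(int rlen)
{
    return (size_t)rlen;
}

/* Hardened check: reject negative lengths outright, then bound rlen against
 * the bytes actually received and against the destination buffer. */
static int hardened_check(const struct rpc_reply *pkt, int rlen, int len)
{
    size_t offset = data_offset(pkt);

    if (rlen < 0 || len < 0)
        return 0;                         /* negative lengths are never valid */
    if ((size_t)len < offset)
        return 0;                         /* packet shorter than its header */
    if ((size_t)rlen > (size_t)len - offset)
        return 0;                         /* data would run past received bytes */
    if ((size_t)rlen > sizeof(pkt->data))
        return 0;                         /* data would run past the buffer */
    return 1;
}

/* Copy data[] into dst only when the hardened check passes.
 * Returns bytes copied, or -1 if the packet was rejected. */
static long safe_copy(unsigned char *dst, size_t dst_cap,
                      const struct rpc_reply *pkt, int rlen, int len)
{
    if (!hardened_check(pkt, rlen, len) || (size_t)rlen > dst_cap)
        return -1;
    memcpy(dst, pkt->data, (size_t)rlen);
    return rlen;
}

int main(void)
{
    struct rpc_reply pkt;
    unsigned char out[DATA_CAP];
    memset(&pkt, 0x41, sizeof(pkt));      /* constructed filler bytes */

    /* A 64-byte packet claiming a negative data length. */
    printf("original check, rlen=-100: %s\n",
           vulnerable_check(&pkt, -100, 64) ? "ALLOWED" : "rejected");
    printf("memcpy would get %zu bytes\n", memcpy_length(-100));
    printf("hardened check, rlen=-100: %s\n",
           hardened_check(&pkt, -100, 64) ? "ALLOWED" : "rejected");
    printf("hardened copy, rlen=16 in 64-byte packet: %ld bytes\n",
           safe_copy(out, sizeof(out), &pkt, 16, 64));
    return 0;
}
```

With a 64-byte packet and `rlen = -100`, the original comparison evaluates `32 + (-100) > 64`, which is false, so the copy is allowed and `memcpy` is handed `(size_t)-100`, a length near `SIZE_MAX`. The hardened version rejects the same packet at the first `rlen < 0` test, and also rejects positive lengths that exceed either the received bytes or the destination array.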

