Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31 allows remote NFS servers to cause a denial of service via a long symlink. A more detailed description can be found in bug 169230.
It looks like rhel2 gets this right:

    strlen = (u32*)res->buffer;
    /* Convert length of symlink */
    len = ntohl(*strlen);
    if (len > res->bufsiz - 5)
            len = res->bufsiz - 5;
    *strlen = len;
    /* NULL terminate the string we got */
    string = (char *)(strlen + 1);
    string[len] = 0;

(nfs2/3 on pensacola and derry are all similar)
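The length clamp from the snippet quoted above, as a stand-alone user-space sketch added here (not code from this bug report or from the kernel). `readlink_reply_path` and `demo_accepted_len` are hypothetical names, the sample reply is constructed, and the explicit `bufsiz < 5` check is an addition that keeps the unsigned `bufsiz - 5` from wrapping.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not kernel code. buf holds a READLINK reply: a 4-byte
 * big-endian length, then the path bytes. The server-supplied length is
 * clamped so path + NUL stay inside buf. Returns NULL if buf is too small. */
static char *readlink_reply_path(unsigned char *buf, size_t bufsiz, uint32_t *out_len)
{
    uint32_t wire_len;

    if (buf == NULL || bufsiz < 5)   /* otherwise bufsiz - 5 wraps around */
        return NULL;
    memcpy(&wire_len, buf, sizeof(wire_len));   /* no alignment assumption */
    wire_len = ntohl(wire_len);
    if (wire_len > bufsiz - 5)       /* 4 length bytes + 1 NUL terminator */
        wire_len = (uint32_t)(bufsiz - 5);
    buf[4 + wire_len] = '\0';
    *out_len = wire_len;
    return (char *)buf + 4;
}

/* Constructed sample: a reply claiming claimed_len bytes, parsed as if the
 * receive buffer were bufsiz bytes. Returns the accepted length, -1 if the
 * buffer was rejected, -2 if a byte past bufsiz was modified. */
static long demo_accepted_len(size_t bufsiz, uint32_t claimed_len)
{
    unsigned char buf[64];
    uint32_t be = htonl(claimed_len), len = 0;

    if (bufsiz >= sizeof(buf))
        return -1;
    memset(buf, 'A', sizeof(buf));
    memcpy(buf, &be, sizeof(be));
    if (readlink_reply_path(buf, bufsiz, &len) == NULL)
        return -1;
    return buf[bufsiz] == 'A' ? (long)len : -2;
}

int main(void)
{
    printf("%ld %ld %ld\n", demo_accepted_len(16, 3),
           demo_accepted_len(16, 4096), demo_accepted_len(4, 10));
    return 0;
}
```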