author | Guy Harris <guy@alum.mit.edu> | 2016-09-24 20:39:52 -0700 |
committer | Francois-Xavier Le Bail <fx.lebail@yahoo.com> | 2017-01-18 09:16:39 +0100 |
commit | 65202da9dccc2a8e8c7b667071f5bb17dc37f431 (patch) | |
tree | c992f65920705b4cc1402da06438d4a9a0aa826e | |
parent | ce9bc5af519614cdb4b419ebf425f6e3d2286d49 (diff) | |
Don't run past the end of an NFSv3 file handle.
NFSv2 file handles are always 32 bytes long, possibly with zero padding
at the end.
NFSv3 file handles are variable-length, however, so we cannot assume
that they have any minimum number of bytes of data; check that bytes
are present before looking at them.
-rw-r--r-- | parsenfsfh.c | 225 |
1 files changed, 120 insertions, 105 deletions
diff --git a/parsenfsfh.c b/parsenfsfh.c
index a2bfc1c4..d534ece0 100644
--- a/parsenfsfh.c
+++ b/parsenfsfh.c
@@ -102,10 +102,10 @@
 ((lsb) + ((e)<<8) + ((d)<<16) + ((c)<<24))
 #endif
 
-static int is_UCX(const unsigned char *);
+static int is_UCX(const unsigned char *, u_int);
 
 void
-Parse_fh(register const unsigned char *fh, int len _U_, my_fsid *fsidp,
+Parse_fh(register const unsigned char *fh, int len, my_fsid *fsidp,
 uint32_t *inop,
 const char **osnamep, /* if non-NULL, return OS name here */
 const char **fsnamep, /* if non-NULL, return server fs name here (for VMS) */
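Review bot: Dropping `_U_` from `len` makes it a live parameter for the first time, but unlike `osnamep` and `fsnamep` on the following lines it gets no trailing comment, and its unit (32-bit words, not bytes, as the `16/4` and `28/4` checks elsewhere in this commit rely on) is exactly the kind of thing a future caller will get wrong. I'd annotate it in the signature: `int len, /* length of fh, in 32-bit words */`. The parameter list of `Parse_fh` continues past the end of this hunk.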
@@ -116,136 +116,144 @@ Parse_fh(register const unsigned char *fh, int len _U_, my_fsid *fsidp, int fhtype = FHT_UNKNOWN; int i; - if (ourself) { - /* File handle generated on this host, no need for guessing */ + /* + * Require at least 16 bytes of file handle; it's variable-length + * in NFSv3. "len" is in units of 32-bit words, not bytes. + */ + if (len < 16/4) + fhtype = FHT_UNKNOWN; + else { + if (ourself) { + /* File handle generated on this host, no need for guessing */ #if defined(IRIX40) - fhtype = FHT_IRIX4; + fhtype = FHT_IRIX4; #endif #if defined(IRIX50) - fhtype = FHT_IRIX5; + fhtype = FHT_IRIX5; #endif #if defined(IRIX51) - fhtype = FHT_IRIX5; + fhtype = FHT_IRIX5; #endif #if defined(SUNOS4) - fhtype = FHT_SUNOS4; + fhtype = FHT_SUNOS4; #endif #if defined(SUNOS5) - fhtype = FHT_SUNOS5; + fhtype = FHT_SUNOS5; #endif #if defined(ultrix) - fhtype = FHT_ULTRIX; + fhtype = FHT_ULTRIX; #endif #if defined(__osf__) - fhtype = FHT_DECOSF; + fhtype = FHT_DECOSF; #endif #if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__DragonFly__) \ || defined(__OpenBSD__) - fhtype = FHT_BSD44; -#endif - } - /* - * This is basically a big decision tree - */ - else if ((fhp[0] == 0) && (fhp[1] == 0)) { - /* bytes[0,1] == (0,0); rules out Ultrix, IRIX5, SUNOS5 */ - /* probably rules out HP-UX, AIX unless they allow major=0 */ - if ((fhp[2] == 0) && (fhp[3] == 0)) { - /* bytes[2,3] == (0,0); must be Auspex */ - /* XXX or could be Ultrix+MASSBUS "hp" disk? 
*/ - fhtype = FHT_AUSPEX; - } - else { - /* - * bytes[2,3] != (0,0); rules out Auspex, could be - * DECOSF, SUNOS4, or IRIX4 - */ - if ((fhp[4] != 0) && (fhp[5] == 0) && - (fhp[8] == 12) && (fhp[9] == 0)) { - /* seems to be DECOSF, with minor == 0 */ - fhtype = FHT_DECOSF; - } - else { - /* could be SUNOS4 or IRIX4 */ - /* XXX the test of fhp[5] == 8 could be wrong */ - if ((fhp[4] == 0) && (fhp[5] == 8) && (fhp[6] == 0) && - (fhp[7] == 0)) { - /* looks like a length, not a file system typecode */ - fhtype = FHT_IRIX4; - } - else { - /* by elimination */ - fhtype = FHT_SUNOS4; - } - } - } - } - else { - /* - * bytes[0,1] != (0,0); rules out Auspex, IRIX4, SUNOS4 - * could be IRIX5, DECOSF, UCX, Ultrix, SUNOS5 - * could be AIX, HP-UX - */ - if ((fhp[2] == 0) && (fhp[3] == 0)) { - /* - * bytes[2,3] == (0,0); rules out OSF, probably not UCX - * (unless the exported device name is just one letter!), - * could be Ultrix, IRIX5, AIX, or SUNOS5 - * might be HP-UX (depends on their values for minor devs) - */ - if ((fhp[6] == 0) && (fhp[7] == 0)) { fhtype = FHT_BSD44; +#endif } - /*XXX we probably only need to test of these two bytes */ - else if ((fhp[21] == 0) && (fhp[23] == 0)) { - fhtype = FHT_ULTRIX; - } - else { - /* Could be SUNOS5/IRIX5, maybe AIX */ - /* XXX no obvious difference between SUNOS5 and IRIX5 */ - if (fhp[9] == 10) - fhtype = FHT_SUNOS5; - /* XXX what about AIX? */ - } - } - else { /* - * bytes[2,3] != (0,0); rules out Ultrix, could be - * DECOSF, SUNOS5, IRIX5, AIX, HP-UX, or UCX + * This is basically a big decision tree */ - if ((fhp[8] == 12) && (fhp[9] == 0)) { - fhtype = FHT_DECOSF; - } - else if ((fhp[8] == 0) && (fhp[9] == 10)) { - /* could be SUNOS5/IRIX5, AIX, HP-UX */ - if ((fhp[7] == 0) && (fhp[6] == 0) && - (fhp[5] == 0) && (fhp[4] == 0)) { - /* XXX is this always true of HP-UX? 
*/ - fhtype = FHT_HPUX9; - } - else if (fhp[7] == 2) { - /* This would be MNT_NFS on AIX, which is impossible */ - fhtype = FHT_SUNOS5; /* or maybe IRIX5 */ + else if ((fhp[0] == 0) && (fhp[1] == 0)) { + /* bytes[0,1] == (0,0); rules out Ultrix, IRIX5, SUNOS5 */ + /* probably rules out HP-UX, AIX unless they allow major=0 */ + if ((fhp[2] == 0) && (fhp[3] == 0)) { + /* bytes[2,3] == (0,0); must be Auspex */ + /* XXX or could be Ultrix+MASSBUS "hp" disk? */ + fhtype = FHT_AUSPEX; } else { /* - * XXX Could be SUNOS5/IRIX5 or AIX. I don't - * XXX see any way to disambiguate these, so - * XXX I'm going with the more likely guess. - * XXX Sorry, Big Blue. + * bytes[2,3] != (0,0); rules out Auspex, could be + * DECOSF, SUNOS4, or IRIX4 */ - fhtype = FHT_SUNOS5; /* or maybe IRIX5 */ + if ((fhp[4] != 0) && (fhp[5] == 0) && + (fhp[8] == 12) && (fhp[9] == 0)) { + /* seems to be DECOSF, with minor == 0 */ + fhtype = FHT_DECOSF; + } + else { + /* could be SUNOS4 or IRIX4 */ + /* XXX the test of fhp[5] == 8 could be wrong */ + if ((fhp[4] == 0) && (fhp[5] == 8) && (fhp[6] == 0) && + (fhp[7] == 0)) { + /* looks like a length, not a file system typecode */ + fhtype = FHT_IRIX4; + } + else { + /* by elimination */ + fhtype = FHT_SUNOS4; + } + } } - } + } else { - if (is_UCX(fhp)) { - fhtype = FHT_VMSUCX; + /* + * bytes[0,1] != (0,0); rules out Auspex, IRIX4, SUNOS4 + * could be IRIX5, DECOSF, UCX, Ultrix, SUNOS5 + * could be AIX, HP-UX + */ + if ((fhp[2] == 0) && (fhp[3] == 0)) { + /* + * bytes[2,3] == (0,0); rules out OSF, probably not UCX + * (unless the exported device name is just one letter!), + * could be Ultrix, IRIX5, AIX, or SUNOS5 + * might be HP-UX (depends on their values for minor devs) + */ + if ((fhp[6] == 0) && (fhp[7] == 0)) { + fhtype = FHT_BSD44; + } + /*XXX we probably only need to test of these two bytes */ + else if ((len >= 24/4) && (fhp[21] == 0) && (fhp[23] == 0)) { + fhtype = FHT_ULTRIX; + } + else { + /* Could be SUNOS5/IRIX5, maybe AIX */ + /* XXX no 
obvious difference between SUNOS5 and IRIX5 */ + if (fhp[9] == 10) + fhtype = FHT_SUNOS5; + /* XXX what about AIX? */ + } } else { - fhtype = FHT_UNKNOWN; + /* + * bytes[2,3] != (0,0); rules out Ultrix, could be + * DECOSF, SUNOS5, IRIX5, AIX, HP-UX, or UCX + */ + if ((fhp[8] == 12) && (fhp[9] == 0)) { + fhtype = FHT_DECOSF; + } + else if ((fhp[8] == 0) && (fhp[9] == 10)) { + /* could be SUNOS5/IRIX5, AIX, HP-UX */ + if ((fhp[7] == 0) && (fhp[6] == 0) && + (fhp[5] == 0) && (fhp[4] == 0)) { + /* XXX is this always true of HP-UX? */ + fhtype = FHT_HPUX9; + } + else if (fhp[7] == 2) { + /* This would be MNT_NFS on AIX, which is impossible */ + fhtype = FHT_SUNOS5; /* or maybe IRIX5 */ + } + else { + /* + * XXX Could be SUNOS5/IRIX5 or AIX. I don't + * XXX see any way to disambiguate these, so + * XXX I'm going with the more likely guess. + * XXX Sorry, Big Blue. + */ + fhtype = FHT_SUNOS5; /* or maybe IRIX5 */ + } + } + else { + if (is_UCX(fhp, len)) { + fhtype = FHT_VMSUCX; + } + else { + fhtype = FHT_UNKNOWN; + } + } } } - } } /* XXX still needs to handle SUNOS3 */ @@ -409,12 +417,12 @@ Parse_fh(register const unsigned char *fh, int len _U_, my_fsid *fsidp, case FHT_UNKNOWN: #ifdef DEBUG /* XXX debugging */ - for (i = 0; i < 32; i++) + for (i = 0; i < len*4; i++) (void)fprintf(stderr, "%x.", fhp[i]); (void)fprintf(stderr, "\n"); #endif /* Save the actual handle, so it can be display with -u */ - for (i = 0; i < 32; i++) + for (i = 0; i < len*4; i++) (void)snprintf(&(fsidp->Opaque_Handle[i*2]), 3, "%.2X", fhp[i]); /* XXX for now, give "bogus" values to aid debugging */ 
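Review bot: The `Opaque_Handle` copy loop in the `FHT_UNKNOWN` case is now bounded only by `len*4`, and the destination's size is not visible in this hunk; the fixed `i < 32` bound it replaces suggests the buffer was sized for 32-byte NFSv2 handles, so an NFSv3 handle longer than that (the commit message says they are variable-length) would write past the end of `fsidp->Opaque_Handle`. The `snprintf` size argument of 3 bounds each individual write but not the index it is written at. I'd bound the loop by the destination as well, `for (i = 0; i < len*4 && (size_t)(i*2) < sizeof(fsidp->Opaque_Handle) - 1; i++)`, and terminate after it with `fsidp->Opaque_Handle[i*2] = '\0';`. If `Opaque_Handle` has already been enlarged to hold the largest NFSv3 handle the caller can pass, the guard is still cheap insurance against the two sizes drifting apart. The `switch` enclosing this case starts and ends outside the hunk.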
@@ -442,11 +450,18 @@ Parse_fh(register const unsigned char *fh, int len _U_, my_fsid *fsidp,
 * (3) followed by string of nulls
 */
 static int
-is_UCX(const unsigned char *fhp)
+is_UCX(const unsigned char *fhp, u_int len)
 {
 register int i;
 int seen_null = 0;
 
+ /*
+ * Require at least 28 bytes of file handle; it's variable-length
+ * in NFSv3. "len" is in units of 32-bit words, not bytes.
+ */
+ if (len < 28/4)
+ return(0);
+
 for (i = 1; i < 14; i++) {
 if (ND_ISPRINT(fhp[i])) {
 if (seen_null) |
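Review bot: `is_UCX` now takes `len` as `u_int` while `Parse_fh`, the caller shown in this commit, declares `len` as `int`, so a negative length would convert to a large unsigned value and sail past the new `len < 28/4` check; it is only safe because `Parse_fh` rejects `len < 16/4` before calling, and nothing here records that dependency. I'd either make the two declarations agree or state the assumption at the check: `/* Caller (Parse_fh) has already rejected len < 4 words; unsigned here keeps the 28/4 comparison well-defined. */`. The body of `is_UCX` continues past the hunk, so whether 28 bytes covers every index it reads cannot be confirmed from here.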