https://git.reactos.org/?p=reactos.git;a=commitdiff;h=af57aba1043cd9fc910df…
commit af57aba1043cd9fc910df90848c9a6cea3d49937
Author: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
AuthorDate: Sat Mar 31 16:49:24 2018 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito(a)reactos.org>
CommitDate: Sat Mar 31 17:07:45 2018 +0200
[TFTPD] Fix bound checks for array cfig.hostRanges. Spotted by 'mudhead'.
CORE-14515
---
base/services/tftpd/tftpd.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/base/services/tftpd/tftpd.cpp b/base/services/tftpd/tftpd.cpp
index faf1718869..bc8ed64291 100644
--- a/base/services/tftpd/tftpd.cpp
+++ b/base/services/tftpd/tftpd.cpp
@@ -540,7 +540,11 @@ void processRequest(void *lpParam)
MYDWORD iip = ntohl(req.client.sin_addr.s_addr);
bool allowed = false;
+#ifdef __REACTOS__
+ for (int j = 0; j < _countof(cfig.hostRanges) &&
cfig.hostRanges[j].rangeStart; j++)
+#else
for (int j = 0; j <= 32 && cfig.hostRanges[j].rangeStart;
j++)
+#endif
{
if (iip >= cfig.hostRanges[j].rangeStart && iip <=
cfig.hostRanges[j].rangeEnd)
{
@@ -2050,7 +2054,11 @@ void init(void *lpParam)
while (readSection(raw, f))
{
+#ifdef __REACTOS__
+ if (i < _countof(cfig.hostRanges))
+#else
if (i < 32)
+#endif
{
MYDWORD rs = 0;
MYDWORD re = 0;
@@ -2098,7 +2106,11 @@ void init(void *lpParam)
{
char temp[128];
+#ifdef __REACTOS__
+ for (int i = 0; i < _countof(cfig.hostRanges) &&
cfig.hostRanges[i].rangeStart; i++)
+#else
for (MYWORD i = 0; i <= sizeof(cfig.hostRanges) &&
cfig.hostRanges[i].rangeStart; i++)
+#endif
{
sprintf(logBuff, "%s", "permitted clients: ");
sprintf(temp, "%s-", IP2String(tempbuff,
htonl(cfig.hostRanges[i].rangeStart)));