https://git.reactos.org/?p=reactos.git;a=commitdiff;h=af57aba1043cd9fc910df9...
commit af57aba1043cd9fc910df90848c9a6cea3d49937 Author: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org AuthorDate: Sat Mar 31 16:49:24 2018 +0200 Commit: Hermès Bélusca-Maïto hermes.belusca-maito@reactos.org CommitDate: Sat Mar 31 17:07:45 2018 +0200
[TFTPD] Fix bound checks for array cfig.hostRanges. Spotted by 'mudhead'. CORE-14515 --- base/services/tftpd/tftpd.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/base/services/tftpd/tftpd.cpp b/base/services/tftpd/tftpd.cpp
index faf1718869..bc8ed64291 100644
--- a/base/services/tftpd/tftpd.cpp
+++ b/base/services/tftpd/tftpd.cpp
@@ -540,7 +540,11 @@ void processRequest(void *lpParam)
 MYDWORD iip = ntohl(req.client.sin_addr.s_addr);
 bool allowed = false;
+#ifdef __REACTOS__
+ for (int j = 0; j < _countof(cfig.hostRanges) && cfig.hostRanges[j].rangeStart; j++)
+#else
 for (int j = 0; j <= 32 && cfig.hostRanges[j].rangeStart; j++)
+#endif
 {
 if (iip >= cfig.hostRanges[j].rangeStart && iip <= cfig.hostRanges[j].rangeEnd)
 {
@@ -2050,7 +2054,11 @@ void init(void *lpParam)
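Review bot: The ReactOS-side loop in processRequest compares a signed `int j` with `_countof(cfig.hostRanges)`, which is a `size_t`, so the bound check depends on an implicit signed-to-unsigned conversion; `for (size_t j = 0; j < _countof(cfig.hostRanges) && cfig.hostRanges[j].rangeStart; j++)` keeps both sides in one type and avoids a sign-compare warning. The `int i` loop added in the last hunk of init has the same mismatch. Because this loop decides `allowed` for the requesting client, a short comment above the `#ifdef` would help whoever next syncs with upstream, e.g. `/* upstream's "j <= 32" can index past the last hostRanges entry */` (assuming the array has 32 entries, as the `i < 32` guard in init suggests). The loop body and the rest of processRequest lie outside the hunk.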
while (readSection(raw, f))
 {
+#ifdef __REACTOS__
+ if (i < _countof(cfig.hostRanges))
+#else
 if (i < 32)
+#endif
 {
 MYDWORD rs = 0;
 MYDWORD re = 0;
@@ -2098,7 +2106,11 @@ void init(void *lpParam)
 {
 char temp[128];
+#ifdef __REACTOS__
+ for (int i = 0; i < _countof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#else
 for (MYWORD i = 0; i <= sizeof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#endif
 {
 sprintf(logBuff, "%s", "permitted clients: ");
 sprintf(temp, "%s-", IP2String(tempbuff, htonl(cfig.hostRanges[i].rangeStart)));
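Review bot: The two `sprintf` calls directly under the corrected loop in init still write into `temp[128]` and `logBuff` without a length, which sits oddly in a commit about bound checks. The text comes from IP2String and presumably fits, but `snprintf(temp, sizeof(temp), "%s-", IP2String(tempbuff, htonl(cfig.hostRanges[i].rangeStart)));` would make the limit explicit. `logBuff` and `tempbuff` are declared outside the hunk, so their sizes need checking there. The loop body continues past the end of the hunk.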