[TFTPD] Fix bound checks for array cfig.hostRanges. Spotted by 'mudhead'.
authorHermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Sat, 31 Mar 2018 14:49:24 +0000 (16:49 +0200)
committerHermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>
Sat, 31 Mar 2018 15:07:45 +0000 (17:07 +0200)
CORE-14515

base/services/tftpd/tftpd.cpp

index faf1718..bc8ed64 100644 (file)
@@ -540,7 +540,11 @@ void processRequest(void *lpParam)
                 MYDWORD iip = ntohl(req.client.sin_addr.s_addr);
                 bool allowed = false;
 
                 MYDWORD iip = ntohl(req.client.sin_addr.s_addr);
                 bool allowed = false;
 
+#ifdef __REACTOS__
+                for (int j = 0; j < _countof(cfig.hostRanges) && cfig.hostRanges[j].rangeStart; j++)
+#else
                 for (int j = 0; j <= 32 && cfig.hostRanges[j].rangeStart; j++)
                 for (int j = 0; j <= 32 && cfig.hostRanges[j].rangeStart; j++)
+#endif
                 {
                     if (iip >= cfig.hostRanges[j].rangeStart && iip <= cfig.hostRanges[j].rangeEnd)
                     {
                 {
                     if (iip >= cfig.hostRanges[j].rangeStart && iip <= cfig.hostRanges[j].rangeEnd)
                     {
@@ -2050,7 +2054,11 @@ void init(void *lpParam)
 
         while (readSection(raw, f))
         {
 
         while (readSection(raw, f))
         {
+#ifdef __REACTOS__
+            if (i < _countof(cfig.hostRanges))
+#else
             if (i < 32)
             if (i < 32)
+#endif
             {
                 MYDWORD rs = 0;
                 MYDWORD re = 0;
             {
                 MYDWORD rs = 0;
                 MYDWORD re = 0;
@@ -2098,7 +2106,11 @@ void init(void *lpParam)
     {
         char temp[128];
 
     {
         char temp[128];
 
+#ifdef __REACTOS__
+        for (int i = 0; i < _countof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#else
         for (MYWORD i = 0; i <= sizeof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
         for (MYWORD i = 0; i <= sizeof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#endif
         {
             sprintf(logBuff, "%s", "permitted clients: ");
             sprintf(temp, "%s-", IP2String(tempbuff, htonl(cfig.hostRanges[i].rangeStart)));
         {
             sprintf(logBuff, "%s", "permitted clients: ");
             sprintf(temp, "%s-", IP2String(tempbuff, htonl(cfig.hostRanges[i].rangeStart)));