From af57aba1043cd9fc910df90848c9a6cea3d49937 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Herm=C3=A8s=20B=C3=A9lusca-Ma=C3=AFto?=
 <hermes.belusca-maito@reactos.org>
Date: Sat, 31 Mar 2018 16:49:24 +0200
Subject: [PATCH] [TFTPD] Fix bound checks for array cfig.hostRanges. Spotted
 by 'mudhead'. CORE-14515

---
 base/services/tftpd/tftpd.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/base/services/tftpd/tftpd.cpp b/base/services/tftpd/tftpd.cpp
index faf17188693..bc8ed642916 100644
--- a/base/services/tftpd/tftpd.cpp
+++ b/base/services/tftpd/tftpd.cpp
@@ -540,7 +540,11 @@ void processRequest(void *lpParam)
                 MYDWORD iip = ntohl(req.client.sin_addr.s_addr);
                 bool allowed = false;
 
+#ifdef __REACTOS__
+                for (int j = 0; j < _countof(cfig.hostRanges) && cfig.hostRanges[j].rangeStart; j++)
+#else
                 for (int j = 0; j <= 32 && cfig.hostRanges[j].rangeStart; j++)
+#endif
                 {
                     if (iip >= cfig.hostRanges[j].rangeStart && iip <= cfig.hostRanges[j].rangeEnd)
                     {
@@ -2050,7 +2054,11 @@ void init(void *lpParam)
 
         while (readSection(raw, f))
         {
+#ifdef __REACTOS__
+            if (i < _countof(cfig.hostRanges))
+#else
             if (i < 32)
+#endif
             {
                 MYDWORD rs = 0;
                 MYDWORD re = 0;
@@ -2098,7 +2106,11 @@ void init(void *lpParam)
     {
         char temp[128];
 
+#ifdef __REACTOS__
+        for (int i = 0; i < _countof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#else
         for (MYWORD i = 0; i <= sizeof(cfig.hostRanges) && cfig.hostRanges[i].rangeStart; i++)
+#endif
         {
             sprintf(logBuff, "%s", "permitted clients: ");
             sprintf(temp, "%s-", IP2String(tempbuff, htonl(cfig.hostRanges[i].rangeStart)));
-- 
2.17.1