tftp.c

Timestamp:

Jul 3, 2012 10:20:10 AM (12 years ago)

Author:

vboxsync

Message:

NAT/tftp: fixed buffer overflow in new code found by parfait

File:

trunk/src/VBox/Devices/Network/slirp/tftp.c

-              r41994
+              r41995
     cBlockSessionFile = ASMDivU64ByU32RetU32(cbSessionFile, pTftpSession->u16BlkSize);
     while (   cBlockSessionFile >= UINT16_MAX
            && idxRFC2348TftpSessionBlkSize <= RT_ELEMENTS(g_au16RFC2348TftpSessionBlkSize))
+           && idxRFC2348TftpSessionBlkSize < RT_ELEMENTS(g_au16RFC2348TftpSessionBlkSize))
+    {
         if (pTftpSession->u16BlkSize > g_au16RFC2348TftpSessionBlkSize[idxRFC2348TftpSessionBlkSize])
 …
         idxRFC2348TftpSessionBlkSize++;
         /* No bigger values in RFC2348 */
         AssertReturn(idxRFC2348TftpSessionBlkSize <= RT_ELEMENTS(g_au16RFC2348TftpSessionBlkSize), VERR_INTERNAL_ERROR);
+        AssertReturn(idxRFC2348TftpSessionBlkSize < RT_ELEMENTS(g_au16RFC2348TftpSessionBlkSize), VERR_INTERNAL_ERROR);
         if (g_au16RFC2348TftpSessionBlkSize[idxRFC2348TftpSessionBlkSize] >= if_maxlinkhdr)
+        {

Note: See TracChangeset for help on using the changeset viewer.