Avoid possible memory-smashing bug, and rewrite some really stupid

initialization code.

tftpd/tftpd.c

@@ -122,7 +122,7 @@ off_t	tsize;
 int     tsize_ok;
 
 int	ndirs;
-char	**dirs;
+const char **dirs;
 
 int	secure = 0;
 int	cancreate = 0;
@@ -201,7 +201,7 @@ main(int argc, char **argv)
   struct options *opt;
   struct sockaddr_in myaddr;
   struct sockaddr_in bindaddr;
-  int n = 0;
+  int n;
   int on = 1;
   int fd = 0;
   int listen = 0;		/* Standalone (listen) mode */
@@ -267,20 +267,12 @@ main(int argc, char **argv)
       usage();
       break;
     }
-  
+
-  for (; optind != argc; optind++) {
+  dirs = xmalloc((argc-optind+1)*sizeof(char *));
-    if (dirs)
+  for ( ndirs = 0 ; optind != argc ; optind++ )
-      dirs = realloc(dirs, (ndirs+2) * sizeof (char *));
+    dirs[ndirs++] = argv[optind];
-    else
+
-      dirs = calloc(ndirs+2, sizeof(char *));
+  dirs[ndirs] = NULL;
-    if (dirs == NULL) {
-      syslog(LOG_ERR, "malloc: %m");
-      exit(EX_OSERR);
-    }			
-    dirs[n++] = argv[optind];
-    dirs[n] = NULL;
-    ndirs++;
-  }
   
   if (secure) {
     if (ndirs == 0) {
@@ -817,8 +809,10 @@ int
 validate_access(char *filename, int mode, struct formats *pf)
 {
   struct stat stbuf;
+  int   i, len;
   int	fd, wmode;
-  char *cp, **dirp;
+  char *cp;
+  const char **dirp;
   
   tsize_ok = 0;
   
@@ -829,9 +823,13 @@ validate_access(char *filename, int mode, struct formats *pf)
      * prevent tricksters from getting around the directory
      * restrictions
      */
-    for (cp = filename + 1; *cp; cp++)
+    len = strlen(filename);
-      if(*cp == '.' && strncmp(cp-1, "/../", 4) == 0)
+    for ( i = 1 ; i < len-3 ; i++ ) {
+      cp = filename + i;
+      if ( *cp == '.' && memcmp(cp-1, "/../", 4) == 0)
 	return(EACCESS);
+    }
+
     for (dirp = dirs; *dirp; dirp++)
       if (strncmp(filename, *dirp, strlen(*dirp)) == 0)
 	break;