From: Bin Meng Date: Sat, 16 Nov 2019 06:20:13 +0000 (-0800) Subject: net: tftp: Fix tftp store address check in store_block() X-Git-Tag: v2025.01-rc5-pxa1908~2647^2~53 X-Git-Url: http://git.dujemihanovic.xyz/%22/img/sics.gif/%22/static/git-favicon.png?a=commitdiff_plain;h=ca48cb40283e2346603491a6214e95117c275f2f;p=u-boot.git net: tftp: Fix tftp store address check in store_block() During testing of qemu-riscv32 with a 2GiB memory configuration, tftp always fails with a error message: Load address: 0x84000000 Loading: # TFTP error: trying to overwrite reserved memory... It turns out the result of 'tftp_load_addr + tftp_load_size' just overflows (0x100000000) and the test logic in store_block() fails. Fix this by adjusting the end address to ULONG_MAX when overflow is detected. Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") Signed-off-by: Bin Meng Acked-by: Joe Hershberger --- diff --git a/net/tftp.c b/net/tftp.c index 5a69bca641..1e3c18ae69 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len) void *ptr; #ifdef CONFIG_LMB + ulong end_addr = tftp_load_addr + tftp_load_size; + + if (!end_addr) + end_addr = ULONG_MAX; + if (store_addr < tftp_load_addr || - store_addr + len > tftp_load_addr + tftp_load_size) { + store_addr + len > end_addr) { puts("\nTFTP error: "); puts("trying to overwrite reserved memory...\n"); return -1;