aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBin Meng2019-11-15 22:20:13 -0800
committerJoe Hershberger2019-12-09 09:47:42 -0600
commitca48cb40283e2346603491a6214e95117c275f2f (patch)
tree64df34a1708aec49f050e6e3555cd42a8f1cedee
parent8524423da9afc637167057dd69e1f52f6dbcc8e5 (diff)
net: tftp: Fix tftp store address check in store_block()
During testing of qemu-riscv32 with a 2GiB memory configuration, tftp always fails with a error message: Load address: 0x84000000 Loading: # TFTP error: trying to overwrite reserved memory... It turns out the result of 'tftp_load_addr + tftp_load_size' just overflows (0x100000000) and the test logic in store_block() fails. Fix this by adjusting the end address to ULONG_MAX when overflow is detected. Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com>
-rw-r--r--net/tftp.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/tftp.c b/net/tftp.c
index 5a69bca6413..1e3c18ae69c 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len)
void *ptr;
#ifdef CONFIG_LMB
+ ulong end_addr = tftp_load_addr + tftp_load_size;
+
+ if (!end_addr)
+ end_addr = ULONG_MAX;
+
if (store_addr < tftp_load_addr ||
- store_addr + len > tftp_load_addr + tftp_load_size) {
+ store_addr + len > end_addr) {
puts("\nTFTP error: ");
puts("trying to overwrite reserved memory...\n");
return -1;