diff options
author | Bin Meng <bmeng.cn@gmail.com> | 2019-11-15 22:20:13 -0800 |
---|---|---|
committer | Joe Hershberger <joe.hershberger@ni.com> | 2019-12-09 09:47:42 -0600 |
commit | ca48cb40283e2346603491a6214e95117c275f2f (patch) | |
tree | 64df34a1708aec49f050e6e3555cd42a8f1cedee /net | |
parent | 8524423da9afc637167057dd69e1f52f6dbcc8e5 (diff) |
net: tftp: Fix tftp store address check in store_block()
During testing of qemu-riscv32 with a 2GiB memory configuration,
tftp always fails with a error message:
Load address: 0x84000000
Loading: #
TFTP error: trying to overwrite reserved memory...
It turns out the result of 'tftp_load_addr + tftp_load_size' just
overflows (0x100000000) and the test logic in store_block() fails.
Fix this by adjusting the end address to ULONG_MAX when overflow
is detected.
Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory")
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/tftp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/net/tftp.c b/net/tftp.c index 5a69bca641..1e3c18ae69 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len) void *ptr; #ifdef CONFIG_LMB + ulong end_addr = tftp_load_addr + tftp_load_size; + + if (!end_addr) + end_addr = ULONG_MAX; + if (store_addr < tftp_load_addr || - store_addr + len > tftp_load_addr + tftp_load_size) { + store_addr + len > end_addr) { puts("\nTFTP error: "); puts("trying to overwrite reserved memory...\n"); return -1; |