net: tftp: Fix tftp store address check in store_block()

During testing of qemu-riscv32 with a 2GiB memory configuration, tftp always fails with a error message: Load address: 0x84000000 Loading: # TFTP error: trying to overwrite reserved memory... It turns out the result of 'tftp_load_addr + tftp_load_size' just overflows (0x100000000) and the test logic in store_block() fails. Fix this by adjusting the end address to ULONG_MAX when overflow is detected. Fixes: a156c47 ("tftp: prevent overwriting reserved memory") Signed-off-by: Bin Meng <[email protected]> Acked-by: Joe Hershberger <[email protected]>
t-akashi · Dec 9, 2019 · ca48cb4 · ca48cb4
1 parent 8524423
commit ca48cb4
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/net/tftp.c b/net/tftp.c
@@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len)
 		void *ptr;
 
 #ifdef CONFIG_LMB
+		ulong end_addr = tftp_load_addr + tftp_load_size;
+
+		if (!end_addr)
+			end_addr = ULONG_MAX;
+
 		if (store_addr < tftp_load_addr ||
-		    store_addr + len > tftp_load_addr + tftp_load_size) {
+		    store_addr + len > end_addr) {
 			puts("\nTFTP error: ");
 			puts("trying to overwrite reserved memory...\n");
 			return -1;