From ca48cb40283e2346603491a6214e95117c275f2f Mon Sep 17 00:00:00 2001
From: Bin Meng <bmeng.cn@gmail.com>
Date: Fri, 15 Nov 2019 22:20:13 -0800
Subject: net: tftp: Fix tftp store address check in store_block()

During testing of qemu-riscv32 with a 2GiB memory configuration,
tftp always fails with a error message:

  Load address: 0x84000000
  Loading: #
  TFTP error: trying to overwrite reserved memory...

It turns out the result of 'tftp_load_addr + tftp_load_size' just
overflows (0x100000000) and the test logic in store_block() fails.
Fix this by adjusting the end address to ULONG_MAX when overflow
is detected.

Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory")
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
---
 net/tftp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'net')

diff --git a/net/tftp.c b/net/tftp.c
index 5a69bca..1e3c18a 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len)
 		void *ptr;
 
 #ifdef CONFIG_LMB
+		ulong end_addr = tftp_load_addr + tftp_load_size;
+
+		if (!end_addr)
+			end_addr = ULONG_MAX;
+
 		if (store_addr < tftp_load_addr ||
-		    store_addr + len > tftp_load_addr + tftp_load_size) {
+		    store_addr + len > end_addr) {
 			puts("\nTFTP error: ");
 			puts("trying to overwrite reserved memory...\n");
 			return -1;
-- 
cgit v1.1