net: tftp: Fix tftp store address check in store_block()
author Bin Meng <bmeng.cn@gmail.com>
Sat, 16 Nov 2019 06:20:13 +0000 (22:20 -0800)
committer Joe Hershberger <joe.hershberger@ni.com>
Mon, 9 Dec 2019 15:47:42 +0000 (09:47 -0600)
During testing of qemu-riscv32 with a 2GiB memory configuration,
tftp always fails with an error message:

  Load address: 0x84000000
  Loading: #
  TFTP error: trying to overwrite reserved memory...

It turns out the result of 'tftp_load_addr + tftp_load_size' just
overflows (0x100000000) and the test logic in store_block() fails.
Fix this by adjusting the end address to ULONG_MAX when overflow
is detected.

Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory")
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
net/tftp.c

index 5a69bca6413c14326c385134c3b92f9f1a6705fe..1e3c18ae69c0f975e22383fcdcba18bcee0eec38 100644 (file)
@@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len)
                void *ptr;
 
 #ifdef CONFIG_LMB
+               ulong end_addr = tftp_load_addr + tftp_load_size;
+
+               if (!end_addr)
+                       end_addr = ULONG_MAX;
+
                if (store_addr < tftp_load_addr ||
-                   store_addr + len > tftp_load_addr + tftp_load_size) {
+                   store_addr + len > end_addr) {
                        puts("\nTFTP error: ");
                        puts("trying to overwrite reserved memory...\n");
                        return -1;
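
Review bot: in the new comparison `store_addr + len > end_addr`, the left-hand sum can still wrap, and once `end_addr` has been clamped to `ULONG_MAX` the test cannot be true (assuming `store_addr` is no wider than `ulong`), so the upper bound is not enforced in exactly the configuration this change targets. The `if (!end_addr)` test also only catches a sum that wraps to exactly zero; if `tftp_load_addr + tftp_load_size` wraps past zero, `end_addr` is a small non-zero value and every block is rejected with the same "reserved memory" message. Consider comparing lengths instead of end addresses after the `store_addr < tftp_load_addr` test, for example rejecting when `store_addr - tftp_load_addr > tftp_load_size` or `len > tftp_load_size - (store_addr - tftp_load_addr)`, which needs no addition and no `ULONG_MAX` special case. A short comment above the clamp explaining why zero means "wrapped" would also help if the current form is kept.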