Message ID | 1573885213-16690-1-git-send-email-bmeng.cn@gmail.com |
---|---|
State | Accepted |
Commit | ca48cb40283e2346603491a6214e95117c275f2f |
Delegated to: | Joe Hershberger |
Headers | show |
Series | [U-Boot,RESEND] net: tftp: Fix tftp store address check in store_block() | expand |
On Sat, Nov 16, 2019 at 12:20 AM Bin Meng <bmeng.cn@gmail.com> wrote: > > During testing of qemu-riscv32 with a 2GiB memory configuration, > tftp always fails with a error message: > > Load address: 0x84000000 > Loading: # > TFTP error: trying to overwrite reserved memory... > > It turns out the result of 'tftp_load_addr + tftp_load_size' just > overflows (0x100000000) and the test logic in store_block() fails. > Fix this by adjusting the end address to ULONG_MAX when overflow > is detected. > > Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") > Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Odd corner case, but sure... Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Hi Joe, On Wed, Nov 20, 2019 at 5:54 AM Joe Hershberger <joe.hershberger@ni.com> wrote: > > On Sat, Nov 16, 2019 at 12:20 AM Bin Meng <bmeng.cn@gmail.com> wrote: > > > > During testing of qemu-riscv32 with a 2GiB memory configuration, > > tftp always fails with a error message: > > > > Load address: 0x84000000 > > Loading: # > > TFTP error: trying to overwrite reserved memory... > > > > It turns out the result of 'tftp_load_addr + tftp_load_size' just > > overflows (0x100000000) and the test logic in store_block() fails. > > Fix this by adjusting the end address to ULONG_MAX when overflow > > is detected. > > > > Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") > > Signed-off-by: Bin Meng <bmeng.cn@gmail.com> > > Odd corner case, but sure... > > Acked-by: Joe Hershberger <joe.hershberger@ni.com> Could you pull this for v2020.01? thanks! Regards, Bin
Hi Bin, On Sun, Dec 1, 2019 at 7:46 PM Bin Meng <bmeng.cn@gmail.com> wrote: > > Hi Joe, > > On Wed, Nov 20, 2019 at 5:54 AM Joe Hershberger <joe.hershberger@ni.com> wrote: > > > > On Sat, Nov 16, 2019 at 12:20 AM Bin Meng <bmeng.cn@gmail.com> wrote: > > > > > > During testing of qemu-riscv32 with a 2GiB memory configuration, > > > tftp always fails with a error message: > > > > > > Load address: 0x84000000 > > > Loading: # > > > TFTP error: trying to overwrite reserved memory... > > > > > > It turns out the result of 'tftp_load_addr + tftp_load_size' just > > > overflows (0x100000000) and the test logic in store_block() fails. > > > Fix this by adjusting the end address to ULONG_MAX when overflow > > > is detected. > > > > > > Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") > > > Signed-off-by: Bin Meng <bmeng.cn@gmail.com> > > > > Odd corner case, but sure... > > > > Acked-by: Joe Hershberger <joe.hershberger@ni.com> > > Could you pull this for v2020.01? thanks! Yep, working on it! I'm currently looking for the patches that are causing sizes to expand beyond linking on a few targets. Cheers, -Joe
diff --git a/net/tftp.c b/net/tftp.c index 5a69bca..1e3c18a 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -171,8 +171,13 @@ static inline int store_block(int block, uchar *src, unsigned int len) void *ptr; #ifdef CONFIG_LMB + ulong end_addr = tftp_load_addr + tftp_load_size; + + if (!end_addr) + end_addr = ULONG_MAX; + if (store_addr < tftp_load_addr || - store_addr + len > tftp_load_addr + tftp_load_size) { + store_addr + len > end_addr) { puts("\nTFTP error: "); puts("trying to overwrite reserved memory...\n"); return -1;
During testing of qemu-riscv32 with a 2GiB memory configuration, tftp always fails with a error message: Load address: 0x84000000 Loading: # TFTP error: trying to overwrite reserved memory... It turns out the result of 'tftp_load_addr + tftp_load_size' just overflows (0x100000000) and the test logic in store_block() fails. Fix this by adjusting the end address to ULONG_MAX when overflow is detected. Fixes: a156c47e39ad ("tftp: prevent overwriting reserved memory") Signed-off-by: Bin Meng <bmeng.cn@gmail.com> --- net/tftp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)