ipq806x: Added length check in tftp
Added a length check in tftp to make sure the image file address
cannot start in U-Boot reserved memory (RAM start + ~32MB) and
the image size cannot exceed (RAM end - ~4MB), so that a transfer
cannot lead to U-Boot stack corruption.
Change-Id: Ia045cc57d22c2e6eb7999b2e461a0e652ce2e3ae
Signed-off-by: Kathiravan T <kathirav@codeaurora.org>
diff --git a/include/configs/ipq806x.h b/include/configs/ipq806x.h
index 1dcd4f3..d757f7d 100644
--- a/include/configs/ipq806x.h
+++ b/include/configs/ipq806x.h
@@ -228,6 +228,9 @@
#define IPQ_NSSTCM_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
#define IPQ_TEMP_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
+#define IPQ_TFTP_MIN_ADDR (CONFIG_SYS_SDRAM_BASE + (32 << 20))
+#define IPQ_TFTP_MAX_ADDR (gd->start_addr_sp - (4 << 20))
+
#define CONFIG_QCA_SMEM_BASE CONFIG_SYS_SDRAM_BASE + 0x1000000
#endif /* __ASSEMBLY__ */
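Review bot: `IPQ_TFTP_MAX_ADDR` expands to a dereference of `gd`, so unlike the constants around it, it is a run-time value. It only compiles in files that declare the global data pointer and is only meaningful once `gd->start_addr_sp` has been set, and nothing at the definition says so. The 32 MB and 4 MB margins are also unexplained here; the rationale exists only in the commit message. I would add a comment above the two macros, for example `/* TFTP load window: above the first 32 MB reserved for U-Boot, and 4 MB below the stack pointer in gd->start_addr_sp; users need DECLARE_GLOBAL_DATA_PTR */`.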
diff --git a/net/tftp.c b/net/tftp.c
index 847ca45..67d9b93 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -195,9 +195,13 @@
* The file to be tftp'ed should not overwrite the
* code/stack area.
*/
+#ifdef CONFIG_IPQ806X
+ if ((load_addr + newsize) >= IPQ_TFTP_MAX_ADDR) {
+#else
if (((load_addr + newsize) >= CONFIG_SYS_SDRAM_END) ||
(((load_addr + newsize) >= CONFIG_IPQ_FDT_HIGH) &&
((load_addr + newsize) < CONFIG_TZ_END_ADDR))) {
+#endif /* CONFIG_IPQ806X */
puts("\nError file size too large\n");
net_set_state(NETLOOP_FAIL);
return;
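Review bot: The new CONFIG_IPQ806X bound is computed as `load_addr + newsize`, and that sum can wrap around the address type when `newsize` is large; a wrapped sum compares below `IPQ_TFTP_MAX_ADDR` and the check passes. `newsize` is computed outside the hunk and presumably grows with the block count of the transfer, which the remote server controls. Comparing by subtraction avoids the wrap: `if (load_addr >= IPQ_TFTP_MAX_ADDR || newsize >= IPQ_TFTP_MAX_ADDR - load_addr) {`. The unchanged `#else` branch uses the same additive form and would benefit from the same treatment. The enclosing function starts and ends outside the hunk.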
@@ -819,10 +823,15 @@
* Do not load files to the reserved region or the
* region where linux is executed.
*/
+#ifdef CONFIG_IPQ806X
+ if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
+ (load_addr >= IPQ_TFTP_MAX_ADDR)) {
+#else
if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
(load_addr >= CONFIG_SYS_SDRAM_END) ||
((load_addr >= CONFIG_IPQ_FDT_HIGH) &&
(load_addr < CONFIG_TZ_END_ADDR))) {
+#endif /* CONFIG_IPQ806X */
puts("\nError specified load address not allowed\n");
net_set_state(NETLOOP_FAIL);
return;
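Review bot: The CONFIG_IPQ806X branch no longer rejects load addresses in the `CONFIG_IPQ_FDT_HIGH` to `CONFIG_TZ_END_ADDR` window that the generic branch still excludes. Nothing visible here shows that this window lies outside `[IPQ_TFTP_MIN_ADDR, IPQ_TFTP_MAX_ADDR)` on ipq806x, or that those macros are simply not defined for this board. If the window does exist on this platform, keep the clause `((load_addr >= CONFIG_IPQ_FDT_HIGH) && (load_addr < CONFIG_TZ_END_ADDR))` in the new branch. Otherwise extend the comment above the check to say why it is not needed. The same question applies to the size check in the first net/tftp.c hunk, which drops the same clause.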