ipq806x: Added length check in tftp

Added length check in tftp to make sure the image file address
cannot start in u-boot reserved memory (RAM start + ~32MB) and
the image size cannot exceed (RAM end - ~4MB), so that it cannot
lead to Uboot stack corruption.

Change-Id: Ia045cc57d22c2e6eb7999b2e461a0e652ce2e3ae
Signed-off-by: Kathiravan T <kathirav@codeaurora.org>
Kathiravan T 2017-12-15 14:31:40 +05:30
parent bbfe68e787
commit 3527e1e29a
2 changed files with 12 additions and 0 deletions


@ -228,6 +228,9 @@ typedef struct {
#define IPQ_NSSTCM_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
#define IPQ_TEMP_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
#define IPQ_TFTP_MIN_ADDR (CONFIG_SYS_SDRAM_BASE + (32 << 20))
#define IPQ_TFTP_MAX_ADDR (gd->start_addr_sp - (4 << 20))
#define CONFIG_QCA_SMEM_BASE CONFIG_SYS_SDRAM_BASE + 0x1000000
#endif /* __ASSEMBLY__ */
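Review bot: `IPQ_TFTP_MIN_ADDR` and `IPQ_TFTP_MAX_ADDR` use bare 32 MB and 4 MB offsets with no comment saying what each margin protects. `IPQ_TFTP_MAX_ADDR` is also not a constant: it reads `gd->start_addr_sp`, so it only has a meaningful value once that field is set, and it only compiles where `gd` is declared. I would add a comment above the pair, for example `/* TFTP load window: starts above the U-Boot reserved region (SDRAM base + 32 MB) and ends 4 MB below gd->start_addr_sp (runtime value) to leave room for the stack */`. Whether 4 MB is enough headroom for the stack is not shown on this page, so the comment should state the reasoning behind that figure.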


@ -195,9 +195,13 @@ static inline void store_block(int block, uchar *src, unsigned len)
* The file to be tftp'ed should not overwrite the
* code/stack area.
*/
#ifdef CONFIG_IPQ806X
if ((load_addr + newsize) >= IPQ_TFTP_MAX_ADDR) {
#else
if (((load_addr + newsize) >= CONFIG_SYS_SDRAM_END) ||
(((load_addr + newsize) >= CONFIG_IPQ_FDT_HIGH) &&
((load_addr + newsize) < CONFIG_TZ_END_ADDR))) {
#endif /* CONFIG_IPQ806X */
puts("\nError file size too large\n");
net_set_state(NETLOOP_FAIL);
return;
@ -819,10 +823,15 @@ void tftp_start(enum proto_t protocol)
* Do not load files to the reserved region or the
* region where linux is executed.
*/
#ifdef CONFIG_IPQ806X
if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
(load_addr >= IPQ_TFTP_MAX_ADDR)) {
#else
if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
(load_addr >= CONFIG_SYS_SDRAM_END) ||
((load_addr >= CONFIG_IPQ_FDT_HIGH) &&
(load_addr < CONFIG_TZ_END_ADDR))) {
#endif /* CONFIG_IPQ806X */
puts("\nError specified load address not allowed\n");
net_set_state(NETLOOP_FAIL);
return;
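Review bot: In the `store_block` hunk the new bound `(load_addr + newsize) >= IPQ_TFTP_MAX_ADDR` is computed with an addition that can wrap on a 32-bit target, and a wrapped sum compares below the limit and passes the check. `newsize` appears to be derived from the received block number and length (the parameters of `store_block`), so comparing against the remaining room is safer: `if (newsize >= IPQ_TFTP_MAX_ADDR - load_addr) {`. That form cannot wrap once `tftp_start` has rejected `load_addr >= IPQ_TFTP_MAX_ADDR`. The declarations of `load_addr` and `newsize` and the copy this check guards are outside the hunk, so confirm the operands are unsigned and that the check runs before the write. The IPQ806X branch in `store_block` also has no lower bound and relies on the `tftp_start` check for it, which is worth a short comment.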