From 3527e1e29aa962172ce04524857842ec5036831e Mon Sep 17 00:00:00 2001
From: Kathiravan T
Date: Fri, 15 Dec 2017 14:31:40 +0530
Subject: [PATCH] ipq806x: Added length check in tftp

Added length check in tftp to make sure the image file address cannot start in u-boot reserved memory (RAM start + ~32MB) and the image size cannot exceed (RAM end - ~4MB), so that it cannot lead to Uboot stack corruption.

Change-Id: Ia045cc57d22c2e6eb7999b2e461a0e652ce2e3ae
Signed-off-by: Kathiravan T
---
 include/configs/ipq806x.h | 3 +++
 net/tftp.c | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/include/configs/ipq806x.h b/include/configs/ipq806x.h
index 1dcd4f36ec..d757f7d312 100644
--- a/include/configs/ipq806x.h
+++ b/include/configs/ipq806x.h
@@ -228,6 +228,9 @@ typedef struct {
 #define IPQ_NSSTCM_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
 #define IPQ_TEMP_DUMP_ADDR (IPQ_MEM_RESERVE_BASE(nsstcmdump))
 
+#define IPQ_TFTP_MIN_ADDR (CONFIG_SYS_SDRAM_BASE + (32 << 20))
+#define IPQ_TFTP_MAX_ADDR (gd->start_addr_sp - (4 << 20))
+
 #define CONFIG_QCA_SMEM_BASE CONFIG_SYS_SDRAM_BASE + 0x1000000
 
 #endif /* __ASSEMBLY__ */
diff --git a/net/tftp.c b/net/tftp.c
index 847ca458e1..67d9b93344 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -195,9 +195,13 @@ static inline void store_block(int block, uchar *src, unsigned len)
 	 * The file to be tftp'ed should not overwrite the
 	 * code/stack area.
 	 */
+#ifdef CONFIG_IPQ806X
+	if ((load_addr + newsize) >= IPQ_TFTP_MAX_ADDR) {
+#else
 	if (((load_addr + newsize) >= CONFIG_SYS_SDRAM_END) ||
 	    (((load_addr + newsize) >= CONFIG_IPQ_FDT_HIGH) &&
 	    ((load_addr + newsize) < CONFIG_TZ_END_ADDR))) {
+#endif /* CONFIG_IPQ806X */
 		puts("\nError file size too large\n");
 		net_set_state(NETLOOP_FAIL);
 		return;
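Review bot: `IPQ_TFTP_MAX_ADDR` expands to `gd->start_addr_sp`, so unlike the neighbouring `IPQ_*_ADDR` defines it is not a constant: it can only be expanded in a translation unit that has `DECLARE_GLOBAL_DATA_PTR` in scope, and only once `start_addr_sp` has been set, otherwise the bound would be derived from a zero or stale value and the callers in net/tftp.c would compare against a meaningless limit. A comment above the pair would save the next user that discovery, e.g. `/* Runtime bounds for TFTP loads: need DECLARE_GLOBAL_DATA_PTR and a valid gd->start_addr_sp; keep 4 MiB below the U-Boot stack */`. The `#else` arm of net/tftp.c already referenced `IPQ_TFTP_MIN_ADDR` before this patch, so it is worth confirming this new define does not collide with an earlier definition of the same name elsewhere in the config.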
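Review bot: `load_addr + newsize` in the new IPQ806X arm can wrap around once a large transfer pushes the sum past the top of the address space, and a wrapped sum compares below `IPQ_TFTP_MAX_ADDR`, so the check would pass and the write run past the bound it exists to enforce (the `#else` arm has the same addition, but it is not touched here). Subtracting cannot overflow: `if (load_addr >= IPQ_TFTP_MAX_ADDR || newsize >= IPQ_TFTP_MAX_ADDR - load_addr) {`. The new arm also drops the `CONFIG_IPQ_FDT_HIGH`..`CONFIG_TZ_END_ADDR` exclusion that the `#else` arm keeps; if that window lies between the TFTP min and max addresses on ipq806x, a file can now be written over it, and the same applies to the tftp_start hunk below. store_block starts before this hunk, so where the block copy sits relative to this check is not visible here.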
@@ -819,10 +823,15 @@ void tftp_start(enum proto_t protocol)
 	 * Do not load files to the reserved region or the
 	 * region where linux is executed.
 	 */
+#ifdef CONFIG_IPQ806X
+	if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
+	    (load_addr >= IPQ_TFTP_MAX_ADDR)) {
+#else
 	if ((load_addr < IPQ_TFTP_MIN_ADDR) ||
 	    (load_addr >= CONFIG_SYS_SDRAM_END) ||
 	    ((load_addr >= CONFIG_IPQ_FDT_HIGH) &&
 	    (load_addr < CONFIG_TZ_END_ADDR))) {
+#endif /* CONFIG_IPQ806X */
 	puts("\nError specified load address not allowed\n");
 	net_set_state(NETLOOP_FAIL);
 	return;
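Review bot: The comment above the new condition, `Do not load files to the reserved region or the region where linux is executed`, no longer describes the IPQ806X arm, which only rejects a `load_addr` below the 32 MiB floor above `CONFIG_SYS_SDRAM_BASE` or at/above the 4 MiB margin below `gd->start_addr_sp`; a reader will assume the Linux/TZ window is still excluded on that board. Suggest saying what each arm enforces, e.g. `/* IPQ806X: keep the load address out of the reserved low 32 MiB and the stack margin; other boards additionally exclude the FDT/TZ window */`. tftp_start continues beyond the hunk, so any later check on the address is not visible here.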