From 09813e31290062f8264054e85b512dd30f26ecec Mon Sep 17 00:00:00 2001
From: Daniel Beer
Date: Sat, 25 Sep 2010 20:29:38 +1200
Subject: [PATCH] Fixed BSL memory range checking.

---
 bsl.c | 7 ++++++-
 flash_bsl.c | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/bsl.c b/bsl.c
index 0b3ceaa..ee3adc3 100644
--- a/bsl.c
+++ b/bsl.c
@@ -263,6 +263,11 @@ static int bsl_writemem(device_t dev_base,
 {
 struct bsl_device *dev = (struct bsl_device *)dev_base;
 
+ if (addr >= 0x10000 || len > 0x10000 || addr + len > 0x10000) {
+ printc_err("bsl: memory write out of range\n");
+ return -1;
+ }
+
 while (len) {
 int wlen = len > 100 ? 100 : len;
 int r;
@@ -288,7 +293,7 @@ static int bsl_readmem(device_t dev_base,
 {
 struct bsl_device *dev = (struct bsl_device *)dev_base;
 
- if ((addr | len | (addr + len)) & 0xffff0000) {
+ if (addr >= 0x10000 || len > 0x10000 || addr + len > 0x10000) {
 printc_err("bsl: memory read out of range\n");
 return -1;
 }
diff --git a/flash_bsl.c b/flash_bsl.c
index 3aaa392..71b9efe 100644
--- a/flash_bsl.c
+++ b/flash_bsl.c
@@ -278,7 +278,7 @@ static int flash_bsl_readmem(device_t dev_base,
 uint16_t read_size;
 int ret;
 
- if (addr > 0xfffff || addr + len > 0xfffff) {
+ if (addr > 0xfffff || addr + len > 0x100000) {
 printc_err("flash_bsl: read exceeds possible range\n");
 return -1;
 }
@@ -466,7 +466,7 @@ static int flash_bsl_writemem(device_t dev_base,
 uint16_t write_size;
 int n_recv;
 
- if (addr > 0xfffff || addr + len > 0xfffff) {
+ if (addr > 0xfffff || addr + len > 0x100000) {
 printc_err("flash_bsl: write exceeds possible range\n");
 return -1;
 }
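Review bot: The new range test in bsl_writemem does not reject a negative `len`, which the mask test removed from bsl_readmem in the next hunk did catch because a negative value has its high bits set. If `len` is a signed int (its declaration is outside the hunk, but `int wlen = len > 100 ? 100 : len;` suggests it), `len > 0x10000` is false for a negative value and `addr + len` can land below `addr`, so the call passes the check and reaches the transfer loop. Adding one clause to both functions closes this: `if (len < 0 || addr >= 0x10000 || len > 0x10000 || addr + len > 0x10000) {`. Both function bodies start and continue outside their hunks.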
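Review bot: In flash_bsl_readmem the sum `addr + len` is compared without `len` being bounded first, so a negative `len` (or a very large one, if `len` is unsigned) can wrap the addition and pass the test; flash_bsl_writemem in the last hunk has the same gap, while the bsl.c check in this commit bounds both operands. The parameter types are declared outside the hunks, so this assumes 32-bit arithmetic. Comparing against the remaining space avoids the addition altogether: `if (addr > 0xfffff || len < 0 || len > 0x100000 - addr) {`, dropping the `len < 0` clause if `len` turns out to be unsigned. Both function bodies start and continue outside their hunks.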