xyz-modem: Fix crash after cancelling transfer

Variable xyz.len is set to -1 on error. At the end xyzModem_stream_read()
function calls memcpy() with length from variable xyz.len. If this variable
is set to -1 then value passed to memcpy is casted to unsigned value, which
means to copy whole address space. Which then cause U-Boot crash. E.g. on
arm64 it cause CPU crash: "Synchronous Abort" handler, esr 0x96000006

Fix this issue by checking that value stored in xyz.len is valid prior
trying to use it.

Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>