A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
when handling a malformed TFTP OACK packet.
This issue was discovered via fuzzing. When a malformed OACK packet
contains an invalid file size ("tsize") value, tftp_receive() detects
the error and saves it via grub_error_save (&data->save_err). Later,
tftp_open() restores this error and calls grub_net_udp_close(data->sock),
assuming the socket is still valid.
However, the socket may have already been closed and set to NULL after
processing the final data block in tftp_receive(), leading to a NULL
pointer dereferencing when attempting to close it again.
Fix by checking if the socket is non-NULL before closing.
Signed-off-by: Lidong Chen <[email protected]>
---
grub-core/net/tftp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 336b78691..63953bc19 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char *filename)
grub_error_load (&data->save_err);
if (grub_errno)
{
- grub_net_udp_close (data->sock);
+ if (data->sock != NULL)
+ {
+ grub_net_udp_close (data->sock);
+ data->sock = NULL;
+ }
grub_free (data);
file->data = NULL;
return grub_errno;
--
2.43.0
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
