On Fri, Oct 17, 2025 at 06:35:59PM +0000, Lidong Chen wrote:
> A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
> when handling a malformed TFTP OACK packet.
>
> This issue was discovered via fuzzing. When a malformed OACK packet
> contains an invalid file size ("tsize") value, tftp_receive() detects
> the error and saves it via grub_error_save (&data->save_err). Later,
> tftp_open() restores this error and calls grub_net_udp_close(data->sock),
> assuming the socket is still valid.
>
> However, the socket may have already been closed and set to NULL after
> processing the final data block in tftp_receive(), leading to a NULL
> pointer dereference when attempting to close it again.
>
> Fix by checking if the socket is non-NULL before closing.
>
> Signed-off-by: Lidong Chen <[email protected]>

Reviewed-by: Daniel Kiper <[email protected]>

Daniel

_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
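The control flow described in the commit message above, reduced to a small model (added example, not GRUB's code): the receive path saves the tsize error without acting on it, the final data block closes the socket and drops the reference, and the caller's error path then closes the socket again. The socket, error and packet types, the function names `udp_close`, `tftp_receive`, `tftp_open_before` and `tftp_open_after`, and the two packet sequences are all constructed stand-ins, not GRUB's definitions. Because the real grub_net_udp_close() dereferences its argument, the model reports a close on a NULL socket as -1 instead of faulting, so the before/after behaviour can be compared from a test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for GRUB's socket and error types (assumptions). */
typedef struct { int fd; } udp_socket_t;
typedef enum { ERR_NONE = 0, ERR_BAD_TSIZE = 1 } err_t;

typedef struct {
    udp_socket_t *sock;   /* models data->sock */
    err_t save_err;       /* models data->save_err */
} tftp_data_t;

/* Constructed packet model: only the fields this scenario needs. */
typedef struct {
    int is_oack;          /* 1 = option acknowledgement, 0 = data block */
    long tsize;           /* tsize option value; negative = malformed */
    int is_final_block;   /* 1 = last data block of the transfer */
} packet_t;

static udp_socket_t *udp_open(void)
{
    udp_socket_t *s = malloc(sizeof *s);
    if (s) s->fd = 3;
    return s;
}

/* Stand-in for grub_net_udp_close().  The real function dereferences its
 * argument, so a NULL socket would fault; here that case returns -1 so the
 * bug can be observed without crashing the process. */
static int udp_close(udp_socket_t *s)
{
    if (!s) return -1;
    free(s);
    return 0;
}

/* Models the two behaviours of tftp_receive() the commit message describes:
 * a bad tsize in the OACK is saved as an error (the socket stays open), and
 * the final data block closes the socket and drops the reference. */
static void tftp_receive(tftp_data_t *d, const packet_t *p)
{
    if (p->is_oack) {
        if (p->tsize < 0)
            d->save_err = ERR_BAD_TSIZE;   /* saved, not acted on yet */
        return;
    }
    if (p->is_final_block && d->sock) {
        udp_close(d->sock);
        d->sock = NULL;
    }
}

/* Open a socket and feed every packet through the receive path. */
static int run_transfer(tftp_data_t *d, const packet_t *pkts, size_t n)
{
    memset(d, 0, sizeof *d);
    d->sock = udp_open();
    if (!d->sock) return -2;
    for (size_t i = 0; i < n; i++)
        tftp_receive(d, &pkts[i]);
    return 0;
}

/* Before the fix: restore the saved error and close unconditionally.
 * Returns -1 when close was attempted on a NULL socket (the crash),
 * otherwise the restored error code (0 = success). */
static int tftp_open_before(const packet_t *pkts, size_t n)
{
    tftp_data_t d;
    if (run_transfer(&d, pkts, n) != 0) return -2;
    if (d.save_err != ERR_NONE) {
        int rc = udp_close(d.sock);    /* BUG: d.sock may already be NULL */
        return rc < 0 ? -1 : (int)d.save_err;
    }
    if (d.sock) udp_close(d.sock);     /* release whatever is still open */
    return 0;
}

/* After the fix: only close a socket that is still live. */
static int tftp_open_after(const packet_t *pkts, size_t n)
{
    tftp_data_t d;
    if (run_transfer(&d, pkts, n) != 0) return -2;
    if (d.sock)                        /* the fix: skip a NULL socket */
        udp_close(d.sock);
    return (int)d.save_err;            /* ERR_BAD_TSIZE is reported cleanly */
}

/* Constructed fuzz-like input: malformed OACK, then the final data block. */
static const packet_t bad_oack_then_eof[] = {
    { .is_oack = 1, .tsize = -1, .is_final_block = 0 },
    { .is_oack = 0, .tsize = 0,  .is_final_block = 1 },
};

/* Constructed well-formed exchange for comparison. */
static const packet_t good_oack_then_eof[] = {
    { .is_oack = 1, .tsize = 512, .is_final_block = 0 },
    { .is_oack = 0, .tsize = 0,   .is_final_block = 1 },
};

int main(void)
{
    size_t n = sizeof bad_oack_then_eof / sizeof bad_oack_then_eof[0];
    printf("before fix: %d (-1 = close attempted on NULL socket)\n",
           tftp_open_before(bad_oack_then_eof, n));
    printf("after fix:  %d (1 = ERR_BAD_TSIZE returned to caller)\n",
           tftp_open_after(bad_oack_then_eof, n));
    return 0;
}
```

The fixed variant has the same shape as the one-line check the patch describes: ownership of data->sock is shared between the receive path and the open path, so the cleanup in tftp_open() has to tolerate the receive path having already released it.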
