> On 18 Oct 2025, at 12:05 AM, Lidong Chen via Grub-devel <[email protected]> wrote:
>
> A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
> when handling a malformed TFTP OACK packet.
>
> This issue was discovered via fuzzing. When a malformed OACK packet
> contains an invalid file size ("tsize") value, tftp_receive() detects
> the error and saves it via grub_error_save (&data->save_err). Later,
> tftp_open() restores this error and calls grub_net_udp_close(data->sock),
> assuming the socket is still valid.
>
> However, the socket may have already been closed and set to NULL after
> processing the final data block in tftp_receive(), leading to a NULL
> pointer dereference when attempting to close it again.
>
> Fix by checking if the socket is non-NULL before closing.
>
> Signed-off-by: Lidong Chen <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>

Nit: below one

> ---
> grub-core/net/tftp.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
> index 336b78691..63953bc19 100644
> --- a/grub-core/net/tftp.c
> +++ b/grub-core/net/tftp.c
> @@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char *filename)
> grub_error_load (&data->save_err);
> if (grub_errno)
> {
> - grub_net_udp_close (data->sock);
> + if (data->sock != NULL)
> + {
> + grub_net_udp_close (data->sock);
> + data->sock = NULL;
> + }

Correct the indentation like

if (data->sock != NULL)
  {
    grub_net_udp_close (data->sock);
    data->sock = NULL;
  }

Thanks
Sudhakar

> grub_free (data);
> file->data = NULL;
> return grub_errno;
> --
> 2.43.0
>
>
> _______________________________________________
> Grub-devel mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/grub-devel
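Review bot: the added `data->sock = NULL;` inside the new guard is a dead store, because `grub_free (data);` two lines later releases the structure that holds it; the NULL check around `grub_net_udp_close (data->sock);` is what prevents the crash described in the commit message, so the assignment can be dropped, or kept only if the commit message says it is there to mirror the close-and-clear that tftp_receive() already does on the final block. It is also worth stating in the commit message that the final-block path in tftp_receive() is the only place that closes the socket before save_err is loaded here; if any other path closed it without clearing data->sock, this guard would not help.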
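As an added illustration of the failure path the commit message describes, the following C program models the deferred-error pattern: a receive callback records an error from a malformed OACK, a later final block closes the socket and clears the pointer, and the open path then restores the error and tears down. It is a constructed model written for this page, not GRUB's tftp.c; all names (model_udp_close, model_receive, open_unpatched, open_patched, run_scenario) and the packet strings are hypothetical, and where GRUB would dereference NULL the model only counts the attempt so both variants can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a UDP socket (hypothetical, not GRUB's type). */
struct model_sock { int fd; bool closed; };

/* Per-transfer state, mirroring the fields the patch touches. */
struct tftp_data
{
  struct model_sock *sock;
  int save_err;          /* deferred error, grub_error_save analogue */
  unsigned long tsize;
};

/* Counters reported by run_scenario(). */
struct outcome
{
  int err;         /* error reported by the open path */
  int closes;      /* closes of a live socket */
  int null_closes; /* close attempts on a NULL socket: the crash in GRUB */
};

static int closes, null_closes;

/* Where GRUB dereferences NULL, the model just counts the attempt. */
static void model_udp_close (struct model_sock *s)
{
  if (s == NULL)
    {
      null_closes++;
      return;
    }
  s->closed = true;
  closes++;
}

/* Receive callback.  An OACK must carry "tsize=<decimal>"; anything else
   is recorded as a deferred error.  The final data block closes the
   socket and clears the pointer, as tftp_receive() is described to do.
   Packets are constructed strings, not real TFTP framing. */
static void model_receive (struct tftp_data *d, const char *pkt, bool last_block)
{
  if (strncmp (pkt, "OACK", 4) == 0)
    {
      const char *t = strstr (pkt, "tsize=");
      char *end = NULL;
      unsigned long v = t ? strtoul (t + 6, &end, 10) : 0;
      if (t == NULL || end == t + 6 || *end != '\0')
        d->save_err = 1;
      else
        d->tsize = v;
      return;
    }
  if (last_block)
    {
      model_udp_close (d->sock);
      d->sock = NULL;
    }
}

/* Open path before the patch: restore the error, close unconditionally. */
static int open_unpatched (struct tftp_data *d)
{
  int err = d->save_err;   /* grub_error_load analogue */
  if (err)
    model_udp_close (d->sock);
  return err;
}

/* Open path with the patch's NULL guard applied. */
static int open_patched (struct tftp_data *d)
{
  int err = d->save_err;
  if (err && d->sock != NULL)
    {
      model_udp_close (d->sock);
      d->sock = NULL;
    }
  return err;
}

/* OACK (valid or malformed), then the final data block, then open()
   tears down.  Returns the counters for the chosen variant. */
static struct outcome run_scenario (bool patched, const char *oack)
{
  struct model_sock s = { 3, false };
  struct tftp_data d = { &s, 0, 0 };
  struct outcome o;

  closes = null_closes = 0;
  model_receive (&d, oack, false);
  model_receive (&d, "DATA block 1 (final)", true);
  o.err = patched ? open_patched (&d) : open_unpatched (&d);
  o.closes = closes;
  o.null_closes = null_closes;
  return o;
}

int main (void)
{
  struct outcome b = run_scenario (false, "OACK tsize=notanumber");
  struct outcome a = run_scenario (true, "OACK tsize=notanumber");
  printf ("unpatched: err=%d closes=%d null_closes=%d\n", b.err, b.closes, b.null_closes);
  printf ("patched:   err=%d closes=%d null_closes=%d\n", a.err, a.closes, a.null_closes);
  return 0;
}
```

The unpatched variant reports the error and still attempts a second close on the already-cleared pointer; the guarded variant reports the same error with exactly one close. A well-formed OACK never reaches the close in the open path at all, which is why the bug only shows up on the malformed-option route.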
