On Fri, Oct 24, 2025 at 07:43:30PM +0530, Sudhakar Kuppusamy wrote: > > > > On 18 Oct 2025, at 12:05 AM, Lidong Chen via Grub-devel > > <[email protected]> wrote: > > > > A NULL pointer dereference can occur in grub_net_udp_close(data->sock) > > when handling a malformed TFTP OACK packet. > > > > This issue was discovered via fuzzing. When a malformed OACK packet > > contains an invalid file size ("tsize") value, tftp_receive() detects > > the error and saves it via grub_error_save (&data->save_err). Later, > > tftp_open() restores this error and calls grub_net_udp_close(data->sock), > > assuming the socket is still valid. > > > > However, the socket may have already been closed and set to NULL after > > processing the final data block in tftp_receive(), leading to a NULL > > pointer dereferencing when attempting to close it again. > > > > Fix by checking if the socket is non-NULL before closing. > > > > Signed-off-by: Lidong Chen <[email protected]> > > Reviewed-by: Sudhakar Kuppusamy <[email protected]> > > Nit: below one > > > --- > > grub-core/net/tftp.c | 6 +++++- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c > > index 336b78691..63953bc19 100644 > > --- a/grub-core/net/tftp.c > > +++ b/grub-core/net/tftp.c > > @@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char > > *filename) > > grub_error_load (&data->save_err); > > if (grub_errno) > > { > > - grub_net_udp_close (data->sock); > > + if (data->sock != NULL) > > + { > > + grub_net_udp_close (data->sock); > > + data->sock = NULL; > > + } > > Correct the indentation like
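Review bot: the `if (data->sock != NULL)` guard added in the `if (grub_errno)` branch of tftp_open() carries no comment saying why the socket can already be NULL at this point. The commit message explains it (tftp_receive() may close the socket and clear the pointer after the final data block, before the saved error is reloaded), and a one-line comment above the check stating that would keep the guard from looking redundant to a later reader. Only this one call site is visible in the hunk; if any other path calls `grub_net_udp_close (data->sock)` after tftp_receive() has run, it needs the same check, or the check could be made once inside the close helper instead.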
The indentions, with tabs, are correct but can be rendered incorrectly in your email reader...

Anyway, thank you for review...

Daniel
