nalika / rpms / grub2

Blame SOURCES/0252-net-tftp-Avoid-a-trivial-UAF.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 18 Jan 2022 14:29:20 +1100
Subject: [PATCH] net/tftp: Avoid a trivial UAF

Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
(cherry picked from commit dbe9abcdee6ce796811111b67e3f24eefe2135d1)
---
 grub-core/net/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 788ad1dc44..a95766dcbd 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
       return GRUB_ERR_NONE;
     case TFTP_ERROR:
       data->have_oack = 1;
-      grub_netbuff_free (nb);
       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
       grub_error_save (&data->save_err);
+      grub_netbuff_free (nb);
       return GRUB_ERR_NONE;
     default:
       grub_netbuff_free (nb);
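
Review bot: In the TFTP_ERROR case, nothing in the code records that tftph points into nb, so a later cleanup could move grub_netbuff_free (nb) back above the grub_error call and reintroduce the use-after-free. A one-line comment above the free, saying that tftph aliases nb and the free must stay after the last use of tftph, would make the ordering constraint explicit. Separately, errmsg comes from the received packet and is passed to "%s", which reads up to the first NUL byte; the visible context does not show a check that the string terminates within the netbuff, so it is worth confirming that such a check exists earlier in tftp_receive or adding a bound here.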