From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 18 Jan 2022 14:29:20 +1100
Subject: [PATCH] net/tftp: Avoid a trivial UAF

Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
(cherry picked from commit dbe9abcdee6ce796811111b67e3f24eefe2135d1)
(cherry picked from commit 72ae9c5d389d2c0337c44edead6e00db0bb84039)
---
 grub-core/net/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 69a9ba6979..09e1511ccf 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -252,9 +252,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
       return GRUB_ERR_NONE;
     case TFTP_ERROR:
       data->have_oack = 1;
-      grub_netbuff_free (nb);
       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
       grub_error_save (&data->save_err);
+      grub_netbuff_free (nb);
       return GRUB_ERR_NONE;
     default:
       grub_netbuff_free (nb);
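Review bot: the `"%s"` format on `tftph->u.err.errmsg` still has no visible length bound in this hunk, so moving `grub_netbuff_free (nb)` below `grub_error_save` removes the dangling read but does not by itself establish that the error string inside the received packet is NUL-terminated before the end of nb. If the receive path does not already guarantee that, a bounded copy of the message into a local buffer (then `grub_netbuff_free (nb)`) would make this error path safe regardless of packet contents. The new ordering, `grub_error` first, `grub_error_save` second, free last, does resolve the use-after-free the commit message describes, and the unchanged `default:` branch keeps its own free.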