From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 18 Jan 2022 14:29:20 +1100
Subject: [PATCH] net/tftp: Avoid a trivial UAF

Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
---
 grub-core/net/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 788ad1dc44..a95766dcbd 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
       return GRUB_ERR_NONE;
     case TFTP_ERROR:
       data->have_oack = 1;
-      grub_netbuff_free (nb);
       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
       grub_error_save (&data->save_err);
+      grub_netbuff_free (nb);
       return GRUB_ERR_NONE;
     default:
       grub_netbuff_free (nb);
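
Review bot: in the TFTP_ERROR case, grub_error () formats tftph->u.err.errmsg with "%s", and that string comes straight from the received packet; nothing in this hunk shows that it is NUL-terminated within nb, so the read could run past the end of the buffer even with the free moved after it. If tftp_receive does not already check this earlier, verify a terminator inside the packet or bound the string to the remaining packet length before the grub_error () call. A one-line comment above the moved grub_netbuff_free (nb) noting that tftph points into nb would also help keep this ordering from regressing.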