|
 |
d18179 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
d18179 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
d18179 |
Date: Tue, 18 Jan 2022 14:29:20 +1100
|
|
|
d18179 |
Subject: [PATCH] net/tftp: Avoid a trivial UAF
|
|
|
d18179 |
|
|
|
d18179 |
Under tftp errors, we print a tftp error message from the tftp header.
|
|
|
d18179 |
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
|
|
|
d18179 |
we were freeing the nb and then dereferencing it. Don't do that, use it
|
|
|
d18179 |
and then free it later.
|
|
|
d18179 |
|
|
|
d18179 |
This isn't really _bad_ per se, especially as we're single-threaded, but
|
|
|
d18179 |
it trips up fuzzers.
|
|
|
d18179 |
|
|
|
d18179 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
d18179 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
d18179 |
(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
|
|
|
d18179 |
(cherry picked from commit dbe9abcdee6ce796811111b67e3f24eefe2135d1)
|
|
|
d18179 |
(cherry picked from commit 72ae9c5d389d2c0337c44edead6e00db0bb84039)
|
|
|
d18179 |
(cherry picked from commit e98cfb24fb3c80b0ccc8ca10c521456b4ae8c535)
|
|
|
d18179 |
---
|
|
|
d18179 |
grub-core/net/tftp.c | 2 +-
|
|
|
d18179 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
d18179 |
|
|
|
d18179 |
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
|
|
|
d18179 |
index 69a9ba6979..09e1511ccf 100644
|
|
|
d18179 |
--- a/grub-core/net/tftp.c
|
|
|
d18179 |
+++ b/grub-core/net/tftp.c
|
|
|
d18179 |
@@ -252,9 +252,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
|
|
|
d18179 |
return GRUB_ERR_NONE;
|
|
|
d18179 |
case TFTP_ERROR:
|
|
|
d18179 |
data->have_oack = 1;
|
|
|
d18179 |
- grub_netbuff_free (nb);
|
|
|
d18179 |
grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
|
|
|
d18179 |
grub_error_save (&data->save_err);
|
|
|
d18179 |
+ grub_netbuff_free (nb);
|
|
|
d18179 |
return GRUB_ERR_NONE;
|
|
|
d18179 |
default:
|
|
|
d18179 |
grub_netbuff_free (nb);
|