From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Tue, 18 Jan 2022 14:29:20 +1100
Subject: [PATCH] net/tftp: Avoid a trivial UAF
Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.
This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
(cherry picked from commit dbe9abcdee6ce796811111b67e3f24eefe2135d1)
(cherry picked from commit 72ae9c5d389d2c0337c44edead6e00db0bb84039)
---
 grub-core/net/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 69a9ba6979..09e1511ccf 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -252,9 +252,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
       return GRUB_ERR_NONE;
     case TFTP_ERROR:
       data->have_oack = 1;
-      grub_netbuff_free (nb);
       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
       grub_error_save (&data->save_err);
+      grub_netbuff_free (nb);
       return GRUB_ERR_NONE;
     default:
       grub_netbuff_free (nb);
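
Review bot: In the TFTP_ERROR case, grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg) formats a string taken directly from the received packet, and nothing in this hunk shows that errmsg is NUL-terminated within the bounds of nb, so the "%s" may still read past the end of the buffer even with the free moved after it. Consider confirming the terminator against the packet length, or bounding the string, before it is formatted. A one-line comment above the relocated grub_netbuff_free (nb) stating that tftph points into nb would also help keep a later cleanup from restoring the old order.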