author | Daniel Axtens <dja@axtens.net> | 2022-01-18 14:29:20 +1100 |
---|---|---|
committer | Daniel Kiper <daniel.kiper@oracle.com> | 2022-06-07 16:39:33 +0200 |
commit | 8f287c3e13da2bf82049e2e464eca7ca4fef0a85 (patch) | |
tree | 40155494d1755a5516b66cd7e06269eedbd1fb93 | |
parent | ee9652031491326736714a988fbbaeab8ef9255c (diff) | |
download | grub-8f287c3e13da2bf82049e2e464eca7ca4fef0a85.tar.gz |
net/tftp: Avoid a trivial UAF

Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

-rw-r--r-- | grub-core/net/tftp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c index ee305e18a..7dbd3056d 100644 --- a/grub-core/net/tftp.c +++ b/grub-core/net/tftp.c @@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), return GRUB_ERR_NONE; case TFTP_ERROR: data->have_oack = 1; - grub_netbuff_free (nb); grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg); grub_error_save (&data->save_err); + grub_netbuff_free (nb); return GRUB_ERR_NONE; default: grub_netbuff_free (nb); |
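
Review bot: In the TFTP_ERROR case, `grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);` still reads the server-supplied message as a C string, and nothing visible in this hunk shows that errmsg is NUL-terminated inside nb, so a packet without a terminator could make the read run past the end of the buffer even with the free moved after it. It is worth confirming that tftp_receive checks the length or terminates the payload before this switch, or bounding the read to the packet's remaining length here. A short comment above the relocated `grub_netbuff_free (nb);` noting that tftph points into nb would also help keep the ordering from being reverted later.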