From: Andrei Borzenkov <address@hidden>
Subject: [PATCH] dns: out of bounds for data->addresses in recv_hook

We may get more than one response before exiting out of loop in
grub_net_dns_lookup. We never really use more than the very first
addresses during lookup so there is little point in collecting all
of them. Just quit early if we already have some reply.

Code needs serious redesign to actually collect multiple answers
and select the best fit according to requested type (IPv4 nr IPv6).

---
 grub-core/net/dns.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 89741dd..5d9afe0 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -238,6 +238,15 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
   char *redirect_save = NULL;
   grub_uint32_t ttl_all = ~0U;
 
+  /* Code apparently assumed that only one packet is received as response.
+     We may get multiple responses due to network condition, so check here
+     and quit early. */
+  if (*data->addresses)
+    {
+      grub_netbuff_free (nb);
+      return GRUB_ERR_NONE;
+    }
+
   head = (struct dns_header *) nb->data;
   ptr = (grub_uint8_t *) (head + 1);
   if (ptr >= nb->tail)
-- 
tg: (b524fa2..) u/dns-fix-naddresses-out-of-bounds (depends on: master)