[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS

From: Daniel Kiper
Subject: [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response
Date: Tue, 7 Jun 2022 19:01:27 +0200

From: Daniel Axtens <>

grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
("addresses") for the given name, and pointer to a number of addresses
("naddresses"). grub_net_dns_lookup() is responsible for allocating
"addresses", and the caller is responsible for freeing it if
"naddresses" > 0.

The DNS recv_hook will sometimes set and free the addresses array,
for example if the packet is too short:

      if (ptr + 10 >= nb->tail)
          if (!*data->naddresses)
            grub_free (*data->addresses);
          grub_netbuff_free (nb);
          return GRUB_ERR_NONE;

Later on the nslookup command code unconditionally frees the "addresses"
array. Normally this is fine: the array is either populated with valid
data or is NULL. But in these sorts of error cases it is neither NULL
nor valid and we get a double-free.

Only free "addresses" if "naddresses" > 0.

It looks like the other use of grub_net_dns_lookup() is not affected.

Signed-off-by: Daniel Axtens <>
Reviewed-by: Daniel Kiper <>
 grub-core/net/dns.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index 27c5f4142..841ede51e 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -667,9 +667,11 @@ grub_cmd_nslookup (struct grub_command *cmd __attribute__ 
       grub_net_addr_to_str (&addresses[i], buf);
       grub_printf ("%s\n", buf);
-  grub_free (addresses);
   if (naddresses)
-    return GRUB_ERR_NONE;
+    {
+      grub_free (addresses);
+      return GRUB_ERR_NONE;
+    }
   return grub_error (GRUB_ERR_NET_NO_DOMAIN, N_("no DNS record found"));

reply via email to

[Prev in Thread] Current Thread [Next in Thread]