[SECURITY PATCH 21/30] net/tftp: Avoid a trivial UAF

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY PATCH 21/30] net/tftp: Avoid a trivial UAF

From:	Daniel Kiper
Subject:	[SECURITY PATCH 21/30] net/tftp: Avoid a trivial UAF
Date:	Tue, 7 Jun 2022 19:01:30 +0200

From: Daniel Axtens <dja@axtens.net>

Under tftp errors, we print a tftp error message from the tftp header.
However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
we were freeing the nb and then dereferencing it. Don't do that, use it
and then free it later.

This isn't really _bad_ per se, especially as we're single-threaded, but
it trips up fuzzers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/net/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index ee305e18a..7dbd3056d 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ 
((unused)),
       return GRUB_ERR_NONE;
     case TFTP_ERROR:
       data->have_oack = 1;
-      grub_netbuff_free (nb);
       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
       grub_error_save (&data->save_err);
+      grub_netbuff_free (nb);
       return GRUB_ERR_NONE;
     default:
       grub_netbuff_free (nb);
-- 
2.11.0

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, (continued)
- [SECURITY PATCH 20/30] net/tftp: Prevent a UAF and double-free from a failed seek, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 18/30] net/dns: Fix double-free addresses on corrupt DNS response, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 17/30] net/netbuff: Block overly large netbuff allocs, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 24/30] net/http: Error out on headers with LF without CR, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 08/30] video/readers/png: Drop greyscale support to fix heap out-of-bounds write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 14/30] video/readers/jpeg: Block int underflow -> wild pointer write, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 27/30] fs/f2fs: Do not copy file names that are too long, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 29/30] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 28/30] fs/btrfs: Fix several fuzz issues with invalid dir item sizing, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 06/30] video/readers/png: Abort sooner if a read operation fails, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 21/30] net/tftp: Avoid a trivial UAF, Daniel Kiper <=
- [SECURITY PATCH 22/30] net/http: Do not tear down socket if it's already been torn down, Daniel Kiper, 2022/06/07
- [SECURITY PATCH 23/30] net/http: Fix OOB write for split http headers, Daniel Kiper, 2022/06/07

Prev by Date: [SECURITY PATCH 06/30] video/readers/png: Abort sooner if a read operation fails
Next by Date: [SECURITY PATCH 22/30] net/http: Do not tear down socket if it's already been torn down
Previous by thread: [SECURITY PATCH 06/30] video/readers/png: Abort sooner if a read operation fails
Next by thread: [SECURITY PATCH 22/30] net/http: Do not tear down socket if it's already been torn down
Index(es):
- Date
- Thread