net/tftp: Fix NULL pointer dereference in grub_net_udp_close()

A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
when handling a malformed TFTP OACK packet.

This issue was discovered via fuzzing. When a malformed OACK packet
contains an invalid file size, "tsize", value tftp_receive() detects
the error and saves it via grub_error_save(&data->save_err). Later,
tftp_open() restores this error and calls grub_net_udp_close(data->sock)
assuming the socket is still valid.

However, the socket may have already been closed and set to NULL after
processing the final data block in tftp_receive() leading to a NULL
pointer dereference when attempting to close it again.

Fix it by checking if the socket is non-NULL before closing.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 336b78691a5d4af9c866959bbb7aef5d6b1c0bb3..63953bc19fd465388fc9c355c4dda6597bc599d9 100644 (file)
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char *filename)
     grub_error_load (&data->save_err);
   if (grub_errno)
     {
-      grub_net_udp_close (data->sock);
+      if (data->sock != NULL)
+       {
+         grub_net_udp_close (data->sock);
+         data->sock = NULL;
+       }
       grub_free (data);
       file->data = NULL;
       return grub_errno;