net/bootp: Prevent a UAF in network interface unregister

A UAF occurs in grub_net_network_level_interface_unregister()
when inter->name is accessed after being freed in grub_cmd_bootp().
Fix it by deferring grub_free(ifaces[j].name) until after
grub_net_network_level_interface_unregister() completes.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
index 2f45a3cc2b4770334debd52bda45626f21de0086..fa3834f63dfb48fe737e7e828c0ac2979792e1d4 100644 (file)
--- a/grub-core/net/bootp.c
+++ b/grub-core/net/bootp.c
@@ -901,14 +901,17 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
   err = GRUB_ERR_NONE;
   for (j = 0; j < ncards; j++)
     {
-      grub_free (ifaces[j].name);
       if (!ifaces[j].prev)
-       continue;
+       {
+         grub_free (ifaces[j].name);
+         continue;
+       }
       grub_error_push ();
       grub_net_network_level_interface_unregister (&ifaces[j]);
       err = grub_error (GRUB_ERR_FILE_NOT_FOUND,
                        N_("couldn't autoconfigure %s"),
                        ifaces[j].card->name);
+      grub_free (ifaces[j].name);
     }
 
   grub_free (ifaces);