net/dns: Prevent UAF and double free
authorLidong Chen <lidong.chen@oracle.com>
Tue, 21 Oct 2025 21:20:04 +0000 (21:20 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Fri, 24 Oct 2025 18:05:07 +0000 (20:05 +0200)
In recv_hook(), *data->addresses is freed without being set to NULL.
Since *data->addresses can be cached in dns_cache[h].addresses, this
can lead to UAF or double free if dns_cache[h].addresses is accessed
or cleared later.

The fix sets *data->addresses to NULL after freeing it, to avoid leaving a
dangling pointer.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/net/dns.c

index f20cd6f835c4042a8b4af2af0092ba02ac648457..bef697d980890c7baa9a5847557c60f41e9dd4d3 100644 (file)
@@ -424,7 +424,10 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
   grub_netbuff_free (nb);
   grub_free (redirect_save);
   if (!*data->naddresses)
-    grub_free (*data->addresses);
+    {
+      grub_free (*data->addresses);
+      *data->addresses = NULL;
+    }
   return GRUB_ERR_NONE;
 }
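Review bot: Clearing `*data->addresses` at the end of recv_hook() resets only the caller's copy of the pointer, so any other holder of the same value would still dangle after `grub_free ()`. The commit message names `dns_cache[h].addresses` as such a holder, but the code that fills the cache is outside this hunk. It is worth confirming that the cache stores its own copy, or is never populated when `*data->naddresses` is zero. A short comment above the new block would record the intent, for example `/* No usable answers: release the array and clear the caller's pointer so it cannot be freed or read again. */`. The body of recv_hook() starts before the hunk, so the allocation and caching paths could not be checked here.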