From: Lidong Chen Date: Tue, 21 Oct 2025 21:20:03 +0000 (+0000) Subject: net/bootp: Prevent a UAF in network interface unregister X-Git-Tag: grub-2.14-rc1~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cd24e259108aa433115345952f5b7ed918de0afa;p=thirdparty%2Fgrub.git net/bootp: Prevent a UAF in network interface unregister A UAF occurs in grub_net_network_level_interface_unregister() when inter->name is accessed after being freed in grub_cmd_bootp(). Fix it by deferring grub_free(ifaces[j].name) until after grub_net_network_level_interface_unregister() completes. Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper --- diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c index 2f45a3cc2..fa3834f63 100644 --- a/grub-core/net/bootp.c +++ b/grub-core/net/bootp.c @@ -901,14 +901,17 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)), err = GRUB_ERR_NONE; for (j = 0; j < ncards; j++) { - grub_free (ifaces[j].name); if (!ifaces[j].prev) - continue; + { + grub_free (ifaces[j].name); + continue; + } grub_error_push (); grub_net_network_level_interface_unregister (&ifaces[j]); err = grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("couldn't autoconfigure %s"), ifaces[j].card->name); + grub_free (ifaces[j].name); } grub_free (ifaces);
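Review bot: the two new grub_free (ifaces[j].name) calls, one inside the !ifaces[j].prev branch and one at the end of the loop body, duplicate the same cleanup, and nothing in the loop records why the free has to come after grub_net_network_level_interface_unregister (&ifaces[j]). Consider inverting the test so that the grub_error_push (), unregister and grub_error () calls sit under if (ifaces[j].prev) and a single grub_free (ifaces[j].name) closes every iteration. A one-line comment there, stating that unregister still reads inter->name, would keep a later tidy-up from moving the free back above it and reintroducing the UAF.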