From fadc94b919a2d35c3f81c3593004af14b4535701 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Tue, 21 Oct 2025 21:20:04 +0000
Subject: [PATCH] net/dns: Prevent UAF and double free

In recv_hook(), *data->addresses is freed without being set to NULL.
Since *data->addresses can be cached in dns_cache[h].addresses, this
can lead to UAF or double free if dns_cache[h].addresses is accessed
or cleared later.

The fix sets *data->addresses to NULL after freeing to avoid dangling
pointer.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/net/dns.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index f20cd6f83..bef697d98 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -424,7 +424,10 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
   grub_netbuff_free (nb);
   grub_free (redirect_save);
   if (!*data->naddresses)
-    grub_free (*data->addresses);
+    {
+      grub_free (*data->addresses);
+      *data->addresses = NULL;
+    }
   return GRUB_ERR_NONE;
 }
 
-- 
2.47.3