authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:29:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:29:52 +0000
commitca67b09c015d4af3ae3cce12aa72e60941dbb8b5 (patch)
treeb7316d7b06c373e08dabb79a2c866c568e08f49e /debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch
parentAdding upstream version 2.06. (diff)
Adding debian version 2.06-13+deb12u1.debian/2.06-13+deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch')
-rw-r--r--debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch b/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch
new file mode 100644
index 0000000..8e42215
--- /dev/null
+++ b/debian/patches/0083-net-tftp-Avoid-a-trivial-UAF.patch
@@ -0,0 +1,34 @@
+From fb66f40ba67b88408a43cb38492053985bfe4968 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 18 Jan 2022 14:29:20 +1100
+Subject: net/tftp: Avoid a trivial UAF
+
+Under tftp errors, we print a tftp error message from the tftp header.
+However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
+we were freeing the nb and then dereferencing it. Don't do that, use it
+and then free it later.
+
+This isn't really _bad_ per se, especially as we're single-threaded, but
+it trips up fuzzers.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index d1afa2535..4222d93b6 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ return GRUB_ERR_NONE;
+ case TFTP_ERROR:
+ data->have_oack = 1;
+- grub_netbuff_free (nb);
+ grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
+ grub_error_save (&data->save_err);
++ grub_netbuff_free (nb);
+ return GRUB_ERR_NONE;
+ default:
+ grub_netbuff_free (nb);
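Review bot: The string passed to `grub_error` in the `TFTP_ERROR` case is `tftph->u.err.errmsg`, which the patch description says points into the received netbuff, and nothing in the visible lines confirms it is NUL-terminated within the received data. With `"%s"`, an unterminated message from the server would be read past the end of the packet, so the reordering removes the use-after-free but leaves the read length controlled by the peer. tftp_receive starts and continues outside this hunk, so an earlier length check may exist; if it does not, the case should confirm that a terminating NUL lies before the end of the packet data before formatting, or copy a bounded number of bytes into a local buffer first. A comment above the call, such as `/* tftph points into nb: keep nb alive until errmsg has been consumed. */`, would also guard against the free being moved back.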