A use-after-free (UAF) occurs in grub_net_network_level_interface_unregister()
when inter->name is accessed after it has been freed in grub_cmd_bootp().
Fix it by deferring grub_free(ifaces[j].name) until after
grub_net_network_level_interface_unregister() completes.

Signed-off-by: Lidong Chen <[email protected]>
---
 grub-core/net/bootp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
index 2f45a3cc2..fa3834f63 100644
--- a/grub-core/net/bootp.c
+++ b/grub-core/net/bootp.c
@@ -901,14 +901,17 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ 
((unused)),
   err = GRUB_ERR_NONE;
   for (j = 0; j < ncards; j++)
     {
-      grub_free (ifaces[j].name);
       if (!ifaces[j].prev)
-       continue;
+       {
+         grub_free (ifaces[j].name);
+         continue;
+       }
       grub_error_push ();
       grub_net_network_level_interface_unregister (&ifaces[j]);
       err = grub_error (GRUB_ERR_FILE_NOT_FOUND,
                        N_("couldn't autoconfigure %s"),
                        ifaces[j].card->name);
+      grub_free (ifaces[j].name);
     }
 
   grub_free (ifaces);
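Review bot: Nothing at the trailing `grub_free (ifaces[j].name);` records that the name must outlive the unregister call, so a later tidy-up could hoist the free back to the top of the loop and reintroduce the use-after-free the commit message describes. A short comment above that line would pin the ordering, e.g. `/* unregister still reads ifaces[j].name; free it only afterwards. */`. The free is also now duplicated across both branches. Wrapping the push/unregister/error block in `if (ifaces[j].prev)` and keeping a single `grub_free (ifaces[j].name);` as the last statement of the loop body would give the same order with one free. The body of grub_cmd_bootp starts and ends outside this hunk, so any other use of `ifaces[j].name` after the loop cannot be checked from here.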
-- 
2.43.0

