In recv_hook(), *data->addresses is freed without being set to NULL.
Since *data->addresses can be cached in dns_cache[h].addresses, this
can lead to a UAF or double free if dns_cache[h].addresses is accessed
or cleared later.

The fix sets *data->addresses to NULL after freeing to avoid a dangling
pointer.

Signed-off-by: Lidong Chen <[email protected]>
---
 grub-core/net/dns.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
index f20cd6f83..bef697d98 100644
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@@ -424,7 +424,10 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ 
((unused)),
   grub_netbuff_free (nb);
   grub_free (redirect_save);
   if (!*data->naddresses)
-    grub_free (*data->addresses);
+    {
+      grub_free (*data->addresses);
+      *data->addresses = NULL;
+    }
   return GRUB_ERR_NONE;
 }
 
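Review bot: the null-out added after `grub_free (*data->addresses);` only runs on the `if (!*data->naddresses)` path, so the claim in the commit message that this closes the UAF/double-free window via dns_cache[h].addresses depends on this being the only place recv_hook() frees that buffer while data->addresses still refers to it; it would help reviewers to state that in the commit message (or in a short comment above the `if`), since the cache assignment is not visible in this hunk. Brace placement and indentation of the new block follow the GNU style used in the surrounding lines, so no style concerns there.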
-- 
2.43.0


Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
