net/tftp: Fix NULL pointer dereference in grub_net_udp_close()

A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
when handling a malformed TFTP OACK packet.

This issue was discovered via fuzzing. When a malformed OACK packet
contains an invalid file size, "tsize", value tftp_receive() detects
the error and saves it via grub_error_save(&data->save_err). Later,
tftp_open() restores this error and calls grub_net_udp_close(data->sock)
assuming the socket is still valid.

However, the socket may have already been closed and set to NULL after
processing the final data block in tftp_receive() leading to a NULL
pointer dereference when attempting to close it again.

Fix it by checking if the socket is non-NULL before closing.

Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

grub-core/net/tftp.c

@@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char *filename)
     grub_error_load (&data->save_err);
   if (grub_errno)
     {
-      grub_net_udp_close (data->sock);
+      if (data->sock != NULL)
+	{
+	  grub_net_udp_close (data->sock);
+	  data->sock = NULL;
+	}
       grub_free (data);
       file->data = NULL;
       return grub_errno;