From c2cae77abe4ffad2ec84e7f82ced123739429cf8 Mon Sep 17 00:00:00 2001 From: Lidong Chen Date: Fri, 17 Oct 2025 18:35:59 +0000 Subject: [PATCH] net/tftp: Fix NULL pointer dereference in grub_net_udp_close() A NULL pointer dereference can occur in grub_net_udp_close(data->sock) when handling a malformed TFTP OACK packet. This issue was discovered via fuzzing. When a malformed OACK packet contains an invalid file size, "tsize", value tftp_receive() detects the error and saves it via grub_error_save(&data->save_err). Later, tftp_open() restores this error and calls grub_net_udp_close(data->sock) assuming the socket is still valid. However, the socket may have already been closed and set to NULL after processing the final data block in tftp_receive() leading to a NULL pointer dereference when attempting to close it again. Fix it by checking if the socket is non-NULL before closing. Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper Reviewed-by: Sudhakar Kuppusamy --- grub-core/net/tftp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c index 336b78691..63953bc19 100644 --- a/grub-core/net/tftp.c +++ b/grub-core/net/tftp.c @@ -412,7 +412,11 @@ tftp_open (struct grub_file *file, const char *filename) grub_error_load (&data->save_err); if (grub_errno) { - grub_net_udp_close (data->sock); + if (data->sock != NULL) + { + grub_net_udp_close (data->sock); + data->sock = NULL; + } grub_free (data); file->data = NULL; return grub_errno;
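Review bot: the `data->sock = NULL;` store added inside the new block in tftp_open() has no effect, because `grub_free (data);` follows immediately on the same error path. It can be dropped, or kept with a short comment if it is meant as defensive hygiene. The guard also covers only this one call site. The commit message says tftp_receive() may already have closed the socket and set it to NULL, so any other path that passes data->sock to grub_net_udp_close() needs the same check. Handling a NULL argument inside grub_net_udp_close() would cover all such callers in one place. A one-line comment above `if (data->sock != NULL)` saying that tftp_receive() can close the socket after the final data block would tell later readers why the check exists.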