net/dns: Prevent UAF and double free

In recv_hook(), *data->addresses is freed without being set to NULL. Since *data->addresses can be cached in dns_cache[h].addresses, this can lead to UAF or double free if dns_cache[h].addresses is accessed or cleared later. The fix sets *data->addresses to NULL after freeing to avoid dangling pointer. Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-10-21 21:20:04 +00:00 · 2025-10-21 21:20:04 +00:00 · fadc94b919
commit fadc94b919
parent cd24e25910
1 changed files with 4 additions and 1 deletions
--- a/grub-core/net/dns.c
+++ b/grub-core/net/dns.c
@ -424,7 +424,10 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
  grub_netbuff_free (nb);
  grub_free (redirect_save);
  if (!*data->naddresses)
-    grub_free (*data->addresses);
+    {
+      grub_free (*data->addresses);
+      *data->addresses = NULL;
+    }
  return GRUB_ERR_NONE;
 }