|
 |
4ff5f8d |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
4ff5f8d |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
4ff5f8d |
Date: Tue, 4 Dec 2018 10:53:49 +0100
|
|
|
4ff5f8d |
Subject: [PATCH] Fix get_entry_number() wrongly dereferencing the tail pointer
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
The get_entry_number_helper() function attempts to lookup a boot entry by
|
|
|
4ff5f8d |
either title or id matching the value of an environment variable. If they
|
|
|
4ff5f8d |
are a substring of the variable, the tail pointer is set to the first char
|
|
|
4ff5f8d |
of the remainder of the string.
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
When get_entry_number() calls this function, it checks if this first char
|
|
|
4ff5f8d |
is a NUL byte, to know if the variable matched correctly. But tail can be
|
|
|
4ff5f8d |
set to NULL as well to indicate that there isn't a remainder in the string.
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
Resolves: rhbz#1654936
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
4ff5f8d |
---
|
|
|
4ff5f8d |
grub-core/normal/menu.c | 2 +-
|
|
|
4ff5f8d |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
|
|
|
4ff5f8d |
index fc25c702f3c..7e32c498aa8 100644
|
|
|
4ff5f8d |
--- a/grub-core/normal/menu.c
|
|
|
4ff5f8d |
+++ b/grub-core/normal/menu.c
|
|
|
4ff5f8d |
@@ -563,7 +563,7 @@ get_entry_number (grub_menu_t menu, const char *name)
|
|
|
4ff5f8d |
|
|
|
4ff5f8d |
grub_error_push ();
|
|
|
4ff5f8d |
entry = get_entry_number_helper(menu, val, &tail);
|
|
|
4ff5f8d |
- if (*tail != '\0')
|
|
|
4ff5f8d |
+ if (tail && *tail != '\0')
|
|
|
4ff5f8d |
entry = -1;
|
|
|
4ff5f8d |
grub_error_pop ();
|
|
|
4ff5f8d |
|