From 06eadf5ebf21c8520d696c6438a976e5f7c218c3 Mon Sep 17 00:00:00 2001
From: Curtis Larsen <larsen@dixie.edu>
Date: Sun, 7 Dec 2014 11:28:57 +0300
Subject: [PATCH] fix double free in grub_net_recv_tcp_packet

Using the http module to download config files, produces memory errors,
after the config file is downloaded.

The error was traced to the tcp stack in grub-core/net/tcp.c. The wrong
netbuff pointer was being freed in the clean up loop.

Changing the code to free the correct netbuff pointer removes the runtime
error.

Closes 42765.
---
 ChangeLog           | 5 +++++
 grub-core/net/tcp.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index a9ed5aa46..e5c9fd346 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-07  Curtis Larsen <larsen@dixie.edu>
+
+	* grub-core/net/tcp.c (grub_net_recv_tcp_packet): Fix double
+	free when multiple empty segments were received (closes 42765).
+
 2014-12-05  Andrei Borzenkov  <arvidjaar@gmail.com>
 
 	* tests/util/grub-shell.in: Support --files also for netboot.
diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
index 2077f5519..1d90f1ec5 100644
--- a/grub-core/net/tcp.c
+++ b/grub-core/net/tcp.c
@@ -918,7 +918,7 @@ grub_net_recv_tcp_packet (struct grub_net_buff *nb,
 	      do_ack = 1;
 	    }
 	  else
-	    grub_netbuff_free (nb);
+	    grub_netbuff_free (nb_top);
 	}
       if (do_ack)
 	ack (sock);