authorDenys Vlasenko2011-12-18 05:11:56 +0100
committerDenys Vlasenko2011-12-18 05:11:56 +0100
commit93b4a605263612cf32ad9de746a4fafaf4515115 (patch)
tree90b3001eea03128a5e25aeb9accb63cf38356dbc
parentf282c6b65775d3dff03de6fd3585722a1638f734 (diff)
wget: fix use-after-free on redirect
function old new delta wget_main 2153 2168 +15 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--networking/wget.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/networking/wget.c b/networking/wget.c
index 94a2f7c..1991a10 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -557,6 +557,7 @@ static void download_one_url(const char *url)
FILE *dfp; /* socket to ftp server (data) */
char *proxy = NULL;
char *fname_out_alloc;
+ char *redirected_path = NULL;
struct host_info server;
struct host_info target;
@@ -793,8 +794,8 @@ However, in real world it was observed that some web servers
bb_error_msg_and_die("too many redirections");
fclose(sfp);
if (str[0] == '/') {
- free(target.allocated);
- target.path = target.allocated = xstrdup(str+1);
+ free(redirected_path);
+ target.path = redirected_path = xstrdup(str+1);
/* lsa stays the same: it's on the same server */
} else {
parse_url(str, &target);
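Review bot: The new `redirected_path` buffer carries an ownership rule that the code never states: in the `str[0] == '/'` branch, `target.path` now points into `redirected_path` while `target.allocated` is deliberately left alive. The reason is presumably that other `target` fields, such as the host, still point into `target.allocated`; confirm that against `parse_url`, which is not visible here. If so, a comment above `free(redirected_path);` would stop a later cleanup from folding the two buffers back together and reintroducing the use-after-free, for example `/* do not free target.allocated here: target.host still points into it */`. The declaration in the first hunk could likewise say `/* owns target.path after a same-server redirect */`. download_one_url starts and ends outside this hunk, so it cannot be checked from here whether every return path reaches the final `free(redirected_path)`.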
@@ -849,6 +850,7 @@ However, in real world it was observed that some web servers
free(server.allocated);
free(target.allocated);
free(fname_out_alloc);
+ free(redirected_path);
}
int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;