diff options
author | Denys Vlasenko | 2011-12-18 05:11:56 +0100 |
---|---|---|
committer | Denys Vlasenko | 2011-12-18 05:11:56 +0100 |
commit | 93b4a605263612cf32ad9de746a4fafaf4515115 (patch) | |
tree | 90b3001eea03128a5e25aeb9accb63cf38356dbc /networking | |
parent | f282c6b65775d3dff03de6fd3585722a1638f734 (diff) | |
download | busybox-93b4a605263612cf32ad9de746a4fafaf4515115.zip busybox-93b4a605263612cf32ad9de746a4fafaf4515115.tar.gz |
wget: fix use-after-free on redirect
function old new delta
wget_main 2153 2168 +15
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking')
-rw-r--r-- | networking/wget.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/networking/wget.c b/networking/wget.c index 94a2f7c..1991a10 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -557,6 +557,7 @@ static void download_one_url(const char *url) FILE *dfp; /* socket to ftp server (data) */ char *proxy = NULL; char *fname_out_alloc; + char *redirected_path = NULL; struct host_info server; struct host_info target; @@ -793,8 +794,8 @@ However, in real world it was observed that some web servers bb_error_msg_and_die("too many redirections"); fclose(sfp); if (str[0] == '/') { - free(target.allocated); - target.path = target.allocated = xstrdup(str+1); + free(redirected_path); + target.path = redirected_path = xstrdup(str+1); /* lsa stays the same: it's on the same server */ } else { parse_url(str, &target); @@ -849,6 +850,7 @@ However, in real world it was observed that some web servers free(server.allocated); free(target.allocated); free(fname_out_alloc); + free(redirected_path); } int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; |