emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

wget: fix use-after-free on redirect

Browse Source 
function                                             old     new   delta
wget_main                                           2153    2168     +15

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2011-12-18 05:11:56 +01:00
parent f282c6b657
commit 93b4a60526
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
networking/wget.c
View File

@ -557,6 +557,7 @@ static void download_one_url(const char *url)
FILE *dfp; /* socket to ftp server (data) */ FILE *dfp; /* socket to ftp server (data) */
char *proxy = NULL; char *proxy = NULL;
char *fname_out_alloc; char *fname_out_alloc;
char *redirected_path = NULL;
struct host_info server; struct host_info server;
struct host_info target; struct host_info target;
@ -793,8 +794,8 @@ However, in real world it was observed that some web servers
bb_error_msg_and_die("too many redirections"); bb_error_msg_and_die("too many redirections");
fclose(sfp); fclose(sfp);
if (str[0] == '/') { if (str[0] == '/') {
free(target.allocated); free(redirected_path);
target.path = target.allocated = xstrdup(str+1); target.path = redirected_path = xstrdup(str+1);
/* lsa stays the same: it's on the same server */ /* lsa stays the same: it's on the same server */
} else { } else {
parse_url(str, &target); parse_url(str, &target);
@ -849,6 +850,7 @@ However, in real world it was observed that some web servers
free(server.allocated); free(server.allocated);
free(target.allocated); free(target.allocated);
free(fname_out_alloc); free(fname_out_alloc);
free(redirected_path);
} }
int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;