wget: fix use-after-free on redirect
authorDenys Vlasenko <vda.linux@googlemail.com>
Sun, 18 Dec 2011 04:11:56 +0000 (05:11 +0100)
committerDenys Vlasenko <vda.linux@googlemail.com>
Sun, 18 Dec 2011 04:11:56 +0000 (05:11 +0100)
function                                             old     new   delta
wget_main                                           2153    2168     +15

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
networking/wget.c

index 94a2f7c3d2b5b725d629a7d108cc8cc898834933..1991a1072812acc4484d64e2ee1202709468a8d7 100644 (file)
@@ -557,6 +557,7 @@ static void download_one_url(const char *url)
        FILE *dfp;                      /* socket to ftp server (data)      */
        char *proxy = NULL;
        char *fname_out_alloc;
+       char *redirected_path = NULL;
        struct host_info server;
        struct host_info target;
 
@@ -793,8 +794,8 @@ However, in real world it was observed that some web servers
                                        bb_error_msg_and_die("too many redirections");
                                fclose(sfp);
                                if (str[0] == '/') {
-                                       free(target.allocated);
-                                       target.path = target.allocated = xstrdup(str+1);
+                                       free(redirected_path);
+                                       target.path = redirected_path = xstrdup(str+1);
                                        /* lsa stays the same: it's on the same server */
                                } else {
                                        parse_url(str, &target);
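Review bot: The `str[0] == '/'` branch now relies on an ownership rule that the code does not record: `target.allocated` must stay alive across a same-server redirect, presumably because `target.host` still points into it, while the new path is owned by `redirected_path`. A comment above `free(redirected_path);` would stop a later cleanup from folding the two pointers back together and reintroducing the use-after-free, e.g. `/* keep target.allocated: target.host may still point into it; the new path is owned by redirected_path */`. The declaration added in the first hunk could carry a trailing comment like its neighbours, e.g. `/* path from a same-server redirect, freed at function end */`. download_one_url starts and ends outside this hunk, so the pointer relationship is inferred from the commit title and the removed lines, not from the visible code.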
@@ -849,6 +850,7 @@ However, in real world it was observed that some web servers
        free(server.allocated);
        free(target.allocated);
        free(fname_out_alloc);
+       free(redirected_path);
 }
 
 int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;