From 4b87d83160fec70d50b7fcd736a8c538c28a016c Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 2 Nov 2017 21:58:42 +0100 Subject: [PATCH] uclient-fetch: fix overloading of output_file variable When uclient-fetch is called with multiple URL's, it derives the first filename from the URL. It then sets the global output_file variable, causing a use-after-free bug on an attempt to use it as output file for the next file. Fix this by avoiding the overwrite entirely by only setting a local variable Reported-by: Philip Prindeville Signed-off-by: Felix Fietkau --- uclient-fetch.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/uclient-fetch.c b/uclient-fetch.c index dff144b..2e553a0 100644 --- a/uclient-fetch.c +++ b/uclient-fetch.c @@ -50,7 +50,7 @@ static bool verify = true; static bool proxy = true; static bool default_certs = false; static bool no_output; -static const char *output_file; +static const char *opt_output_file; static int output_fd = -1; static int error_ret; static off_t out_offset; @@ -97,6 +97,7 @@ get_proxy_url(char *url) static int open_output_file(const char *path, uint64_t resume_offset) { + const char *output_file = opt_output_file; char *filename = NULL; int flags; int ret; @@ -367,7 +368,7 @@ static void request_done(struct uclient *cl) return; } - if (output_fd >= 0 && !output_file) { + if (output_fd >= 0 && !opt_output_file) { close(output_fd); output_fd = -1; } @@ -615,7 +616,7 @@ int main(int argc, char **argv) user_agent = optarg; break; case 'O': - output_file = optarg; + opt_output_file = optarg; break; case 'P': if (chdir(optarg)) { -- 2.25.1