libopkg: fix use-after-free with duplicate packages on the command line

When the same package file is specified multiple times on the opkg install
command line, the name pointer on the argv array becomes stale after the
package structures have been merged, leading to invalid memory accesses
upon install.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 97e1a84e5be8238e1f3a1395779a6330cd0e4eef..631bdabd4a3dee974fb54cdf3198a1f583bb4cdf 100644 (file)
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -335,7 +335,7 @@ opkg_prepare_url_for_install(const char *url, char **namep)
      hash_insert_pkg(pkg, 1);
 
      if (namep) {
      hash_insert_pkg(pkg, 1);
 
      if (namep) {

-         *namep = pkg->name;
+         *namep = xstrdup(pkg->name);

      }
      return 0;
 }
      }
      return 0;
 }