wget: fix use-after-free on redirect

function                                             old     new   delta
wget_main                                           2153    2168     +15

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/networking/wget.c b/networking/wget.c
index 94a2f7c3d..1991a1072 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -557,6 +557,7 @@ static void download_one_url(const char *url)
         FILE *dfp;                      /* socket to ftp server (data)      */
         char *proxy = NULL;
         char *fname_out_alloc;
+        char *redirected_path = NULL;
         struct host_info server;
         struct host_info target;
 
@@ -793,8 +794,8 @@ However, in real world it was observed that some web servers
                                         bb_error_msg_and_die("too many redirections");
                                 fclose(sfp);
                                 if (str[0] == '/') {
-                                        free(target.allocated);
-                                        target.path = target.allocated = xstrdup(str+1);
+                                        free(redirected_path);
+                                        target.path = redirected_path = xstrdup(str+1);
                                         /* lsa stays the same: it's on the same server */
                                 } else {
                                         parse_url(str, &target);
@@ -849,6 +850,7 @@ However, in real world it was observed that some web servers
         free(server.allocated);
         free(target.allocated);
         free(fname_out_alloc);
+        free(redirected_path);
 }
 
 int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;