authorDenys Vlasenko <vda.linux@googlemail.com>2014-02-03 14:09:42 +0100
committerDenys Vlasenko <vda.linux@googlemail.com>2014-02-03 14:09:42 +0100
commitd353bfff467517608af7468198431d32406bb943 (patch)
treec10aca8d6ca2f3e39f3e8d474b0118d39491871c /networking/wget.c
parent69a12fa7906d2dcdb5d8e124643a4e0f7865417a (diff)
wget: fix use-after-free of ->user. Closes 6836
function old new delta wget_main 2207 2223 +16 parse_url 339 353 +14 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking/wget.c')
-rw-r--r--networking/wget.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/networking/wget.c b/networking/wget.c
index d6c509edc..7ca947aec 100644
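--- a/networking/wget.c
+++ b/networking/wget.c
@@ -46,7 +46,7 @@
 struct host_info {
  char *allocated;
  const char *path;
- const char *user;
+ char *user;
  char *host;
  int port;
  smallint is_ftp;
@@ -322,9 +322,6 @@ static void parse_url(const char *src_url, struct host_info *h)
  h->path = sp;
  }
 
- // We used to set h->user to NULL here, but this interferes
- // with handling of code 302 ("object was moved")
-
  sp = strrchr(h->host, '@');
  if (sp != NULL) {
  // URL-decode "user:password" string before base64-encoding:
@@ -333,11 +330,13 @@ static void parse_url(const char *src_url, struct host_info *h)
  // which decodes to "test:my pass".
  // Standard wget and curl do this too.
  *sp = '\0';
- h->user = percent_decode_in_place(h->host, /*strict:*/ 0);
+ free(h->user);
+ h->user = xstrdup(percent_decode_in_place(h->host, /*strict:*/ 0));
  h->host = sp + 1;
  }
-
- sp = h->host;
+ /* else: h->user remains NULL, or as set by original request
+ * before redirect (if we are here after a redirect).
+ */
 }
 
 static char *gethdr(FILE *fp)
@@ -880,6 +879,7 @@ However, in real world it was observed that some web servers
  } else {
  parse_url(str, &target);
  if (!use_proxy) {
+ /* server.user remains untouched */
  free(server.allocated);
  server.allocated = NULL;
  server.host = target.host;
@@ -929,6 +929,8 @@ However, in real world it was observed that some web servers
 
  free(server.allocated);
  free(target.allocated);
+ free(server.user);
+ free(target.user);
  free(fname_out_alloc);
  free(redirected_path);
 }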
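Review bot: The new `else` comment in parse_url states that h->user is kept "as set by original request before redirect", so credentials from the original URL appear to be reused for whatever host the redirect target names; none of the visible lines compares the new host with the previous one. Unless the caller already restricts this outside the hunks, the branch around `parse_url(str, &target)` should remember the old host and, when it differs after parsing, do `free(target.user); target.user = NULL;` so the credentials are not sent to a different host. Separately, the added `free(h->user)` is only safe on the first call if both host_info structs start with `user == NULL`; that initialisation is not shown here, so a field comment such as `/* malloced, owned by this struct; must be NULL before the first parse_url() */` on `char *user;` would record the invariant. Both parse_url and the function holding the final `free()` calls extend beyond the hunks shown.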