[PATCH] wget: removed pointless free, fixes bug accessing freed memory

Denys Vlasenko vda.linux at googlemail.com
Sun Mar 20 15:21:01 UTC 2011 

On Tuesday 15 March 2011 03:07, gotrunks at gmail.com wrote:
> Hi,
> 
> I have just noticed a recent wget bug. Busybox wget doesn't parse the
> URL correctly in some circumstances; long guessed output filenames &&
> HTTP redirection.
> 
> e.g.
> $./busybox wget
> http://cdimage.debian.org/debian-cd/6.0.0/kfreebsd-i386/iso-cd/debian-6.0.0-kfreebsd-i386-CD-1.iso
> Connecting to cdimage.debian.org (130.239.18.173:80)
> Connecting to hammurabi.acc.umu.se (130.239.18.165:80)
> wget: can't open '': No such file or directory

Can't reproduce. What causes this on your machine?


> and AFAIS it's pointless to free(h->allocated) on parse_url(), because
> we already free it at the end (and other places) of
> download_one_url().

There is a case when parse_url(str, &target) is called repeatedly
if we traverse a long chain of redirects:


 resolve_lsa:
        lsa = xhost2sockaddr(server.host, server.port);
        if (!(option_mask32 & WGET_OPT_QUIET)) {
                char *s = xmalloc_sockaddr2dotted(&lsa->u.sa);
                fprintf(stderr, "Connecting to %s (%s)\n", server.host, s);
                free(s);
        }
 establish_session:
        /*G.content_len = 0; - redundant, got_clen = 0 is enough */
        G.got_clen = 0;
        G.chunked = 0;
        if (use_proxy || !target.is_ftp) {
...
                /*
                 * Retrieve HTTP headers.
                 */
                while ((str = gethdr(sfp)) != NULL) {
...
                        if (key == KEY_location && status >= 300) {
                                if (--redir_limit == 0)
                                        bb_error_msg_and_die("too many redirections");
                                fclose(sfp);
                                if (str[0] == '/') {
                                        free(target.allocated);
                                        target.path = target.allocated = xstrdup(str+1);
                                        /* lsa stays the same: it's on the same server */
                                } else {
HERE ===>                               parse_url(str, &target);
                                        if (!use_proxy) {
                                                free(server.allocated);
                                                server.allocated = NULL;
                                                server.host = target.host;
                                                /* strip_ipv6_scope_id(target.host); - no! */
                                                /* we assume remote never gives us IPv6 addr with scope id */
                                                server.port = target.port;
                                                free(lsa);
                                                goto resolve_lsa;
                                        } /* else: lsa stays the same: we use proxy */
                                }
                                goto establish_session;
                        }

I don't want to leak target.allocated in this case.
-- 
vda

More information about the busybox mailing list