diff options
author | Felix Fietkau <nbd@nbd.name> | 2017-11-02 21:58:42 +0100 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2017-11-02 21:59:15 +0100 |
commit | 4b87d83160fec70d50b7fcd736a8c538c28a016c (patch) | |
tree | 75d2ffb6327124c6f9e56b5bf4f1fae7306964bf | |
parent | 24d6eded73dec427fc4a3a20cc73c94227f59c31 (diff) | |
download | uclient-4b87d83160fec70d50b7fcd736a8c538c28a016c.tar.gz |
uclient-fetch: fix overloading of output_file variable
When uclient-fetch is called with multiple URL's, it derives the
first filename from the URL. It then sets the global output_file
variable, causing a use-after-free bug on an attempt to use it as output
file for the next file.
Fix this by avoiding the overwrite entirely by only setting a local
variable
Reported-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
-rw-r--r-- | uclient-fetch.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/uclient-fetch.c b/uclient-fetch.c index dff144b..2e553a0 100644 --- a/uclient-fetch.c +++ b/uclient-fetch.c @@ -50,7 +50,7 @@ static bool verify = true; static bool proxy = true; static bool default_certs = false; static bool no_output; -static const char *output_file; +static const char *opt_output_file; static int output_fd = -1; static int error_ret; static off_t out_offset; @@ -97,6 +97,7 @@ get_proxy_url(char *url) static int open_output_file(const char *path, uint64_t resume_offset) { + const char *output_file = opt_output_file; char *filename = NULL; int flags; int ret; @@ -367,7 +368,7 @@ static void request_done(struct uclient *cl) return; } - if (output_fd >= 0 && !output_file) { + if (output_fd >= 0 && !opt_output_file) { close(output_fd); output_fd = -1; } @@ -615,7 +616,7 @@ int main(int argc, char **argv) user_agent = optarg; break; case 'O': - output_file = optarg; + opt_output_file = optarg; break; case 'P': if (chdir(optarg)) { |