wget: fix use-after-free on redirect

function                                             old     new   delta
wget_main                                           2153    2168     +15

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/networking/wget.c b/networking/wget.c
index 94a2f7c3d..1991a1072 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -557,6 +557,7 @@ static void download_one_url(const char *url)
 	FILE *dfp;                      /* socket to ftp server (data)      */
 	char *proxy = NULL;
 	char *fname_out_alloc;
+	char *redirected_path = NULL;
 	struct host_info server;
 	struct host_info target;
 
@@ -793,8 +794,8 @@ However, in real world it was observed that some web servers
 					bb_error_msg_and_die("too many redirections");
 				fclose(sfp);
 				if (str[0] == '/') {
-					free(target.allocated);
-					target.path = target.allocated = xstrdup(str+1);
+					free(redirected_path);
+					target.path = redirected_path = xstrdup(str+1);
 					/* lsa stays the same: it's on the same server */
 				} else {
 					parse_url(str, &target);
@@ -849,6 +850,7 @@ However, in real world it was observed that some web servers
 	free(server.allocated);
 	free(target.allocated);
 	free(fname_out_alloc);
+	free(redirected_path);
 }
 
 int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;