authorGravatar tihmstar2023-11-15 00:41:21 +0100
committerGravatar Nikias Bassen2023-11-15 00:41:21 +0100
commit83600e92240cd2538cd82f90ed03601731b1b0d9 (patch)
tree6a0c5c925c7e771b3f10bd52408aacfe55ad078b
parent85ea3378255cc15e3f39365018f45a42d7469375 (diff)
restore: Fix UaF
`fsname_base` points inside the dynamically allocated `path`, which is freed before `fsname_base` is used, creating a use-after-free condition. This commit makes sure to free `path` only after it is no longer needed.
-rw-r--r--src/restore.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/restore.c b/src/restore.c
index 7727411..7fa104b 100644
--- a/src/restore.c
+++ b/src/restore.c
@@ -913,11 +913,11 @@ int restore_send_filesystem(struct idevicerestore_client_t* client, idevice_t de
}
if (client->filesystem) {
char* path = strdup(client->filesystem);
- char* fsname_base = path_get_basename(path);
+ const char* fsname_base = path_get_basename(path);
char* parent_dir = dirname(path);
ipsw_dummy = ipsw_open(parent_dir);
- free(path);
file = ipsw_file_open(ipsw_dummy, fsname_base);
+ free(path);
} else {
file = ipsw_file_open(client->ipsw, fsname);
}
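Review bot: The `strdup(client->filesystem)` result is still used unchecked, so on allocation failure a NULL `path` reaches `path_get_basename()` and `dirname()`; a guard directly after the `strdup`, such as `if (!path) { /* fail with the function's usual error return */ }`, would close that. restore_send_filesystem starts and ends outside this hunk, so the right error path cannot be chosen from here. Both `fsname_base` and `parent_dir` can point into `path`, so the lifetime rule this commit restores deserves a comment above the `free`, e.g. `/* fsname_base and parent_dir alias path: free only after both are consumed */`. The new ordering is safe only if `ipsw_file_open()` does not retain the `fsname_base` pointer after it returns, which is not visible in this hunk and is worth confirming.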