author | tihmstar | 2023-11-15 00:41:21 +0100 |
---|---|---|
committer | Nikias Bassen | 2023-11-15 00:41:21 +0100 |
commit | 83600e92240cd2538cd82f90ed03601731b1b0d9 (patch) | |
tree | 6a0c5c925c7e771b3f10bd52408aacfe55ad078b /src | |
parent | 85ea3378255cc15e3f39365018f45a42d7469375 (diff) | |
restore: Fix UaF
`fsname_base` points inside the dynamically allocated `path` which is
freed before `fsname_base` is used, creating a use-after-free condition.
This commit makes sure to free `path` only after it is no longer needed.
Diffstat (limited to 'src')
-rw-r--r-- | src/restore.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/restore.c b/src/restore.c
index 7727411..7fa104b 100644
--- a/src/restore.c
+++ b/src/restore.c
@@ -913,11 +913,11 @@ int restore_send_filesystem(struct idevicerestore_client_t* client, idevice_t de
 }
 if (client->filesystem) {
 char* path = strdup(client->filesystem);
- char* fsname_base = path_get_basename(path);
+ const char* fsname_base = path_get_basename(path);
 char* parent_dir = dirname(path);
 ipsw_dummy = ipsw_open(parent_dir);
- free(path);
 file = ipsw_file_open(ipsw_dummy, fsname_base);
+ free(path);
 } else {
 file = ipsw_file_open(client->ipsw, fsname);
 }
|
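Review bot: `fsname_base` still points into the `path` buffer when `dirname(path)` runs, and POSIX allows dirname() to modify its argument in place, so the basename passed to `ipsw_file_open()` stays intact only if the platform's dirname() leaves the tail of the string alone. Deriving it from the untouched original, `const char* fsname_base = path_get_basename(client->filesystem);`, would remove that aliasing and make the basename independent of where `free(path)` sits; this assumes path_get_basename() does not write to its argument, which is not visible in this hunk. Separately, the `strdup()` result is used without a NULL check before being handed to `path_get_basename()` and `dirname()`, so an allocation failure goes unnoticed here. The body of restore_send_filesystem() starts and ends outside the hunk, so any handling of a NULL `ipsw_dummy` or `file` further down cannot be confirmed from here.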