From 83600e92240cd2538cd82f90ed03601731b1b0d9 Mon Sep 17 00:00:00 2001
From: tihmstar
Date: Wed, 15 Nov 2023 00:41:21 +0100
Subject: restore: Fix UaF
`fsname_base` points inside the dynamically allocated `path` which is freed before `fsname_base` is used, creating a use-after-free condition. This commits makes sure to free `path` only after it is no longer needed.
---
 src/restore.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/restore.c')
diff --git a/src/restore.c b/src/restore.c
index 7727411..7fa104b 100644
--- a/src/restore.c
+++ b/src/restore.c
@@ -913,11 +913,11 @@ int restore_send_filesystem(struct idevicerestore_client_t* client, idevice_t de
 }
 if (client->filesystem) {
 char* path = strdup(client->filesystem);
- char* fsname_base = path_get_basename(path);
+ const char* fsname_base = path_get_basename(path);
 char* parent_dir = dirname(path);
 ipsw_dummy = ipsw_open(parent_dir);
- free(path);
 file = ipsw_file_open(ipsw_dummy, fsname_base);
+ free(path);
 } else {
 file = ipsw_file_open(client->ipsw, fsname);
 }
--
cgit v1.1-32-gdbae
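Review bot: The moved `free(path)` only closes the use-after-free if `ipsw_file_open()` copies the name it is given rather than storing the `fsname_base` pointer in the returned `file`; that contract is not visible in the hunk and should be confirmed, and the aliasing should be stated at the declaration, e.g. `const char* fsname_base = path_get_basename(path); /* points into path; path must stay alive until ipsw_file_open() returns */`. The `strdup()` result on the line above is still unchecked, so an allocation failure hands a NULL `path` to `path_get_basename()` and `dirname()`; a guard after the `strdup` line (returning whatever error value this function uses) would close that. The `ipsw_open(parent_dir)` result is likewise used without a check, and `ipsw_dummy` does not appear to be released anywhere in the hunk, though its lifetime may be handled outside the visible lines. Note also that POSIX `dirname()` may modify `path` in place, so the ordering `path_get_basename()` before `dirname()` is load-bearing and deserves a comment. restore_send_filesystem starts and ends outside the hunk.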