authorGravatar Martin Aumueller2008-07-30 23:03:56 +0200
committerGravatar Matt Colyer2008-07-31 09:03:01 -0700
commit3a659016bbe52ed729a46d5203372db9f1a1c9aa (patch)
tree31b6f5df920131d18ebb112f7e8064801887aae9
parent41bc8af628e60132747b4ca6a7f4620d19f2eea8 (diff)
Don't access freed memory.
Signed-off-by: Matt Colyer <matt@colyer.name>
-rw-r--r--src/AFC.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/AFC.c b/src/AFC.c
index f4b802d..5462dfc 100644
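--- a/src/AFC.c
+++ b/src/AFC.c
@@ -121,6 +121,7 @@ int receive_AFC_data(AFClient *client, char **dump_here) {
 AFCPacket *r_packet;
 char *buffer = (char*)malloc(sizeof(AFCPacket) * 4);
 int bytes = 0, recv_len = 0;
+int retval = 0;
 
 bytes = mux_recv(client->phone, client->connection, buffer, sizeof(AFCPacket) * 4);
 if (bytes <= 0) {
@@ -136,9 +137,10 @@ int receive_AFC_data(AFClient *client, char **dump_here) {
 if (r_packet->entire_length == r_packet->this_length && r_packet->entire_length > sizeof(AFCPacket) && r_packet->operation != AFC_ERROR) {
 *dump_here = (char*)malloc(sizeof(char) * (r_packet->entire_length-sizeof(AFCPacket)));
 memcpy(*dump_here, buffer+sizeof(AFCPacket), r_packet->entire_length-sizeof(AFCPacket));
+retval = r_packet->entire_length - sizeof(AFCPacket);
 free(buffer);
 free(r_packet);
-return r_packet->entire_length - sizeof(AFCPacket);
+return retval;
 }
 
 uint32 param1 = buffer[sizeof(AFCPacket)];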
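Review bot: In the second hunk, the length used by `memcpy(*dump_here, buffer+sizeof(AFCPacket), r_packet->entire_length-sizeof(AFCPacket))` comes from the received packet header, yet `buffer` is only `sizeof(AFCPacket) * 4` bytes and `mux_recv` may have returned fewer; nothing visible bounds `entire_length` by `bytes`, so an oversized declared length would read past the heap buffer. The lines between the two hunks are not shown, so confirm no such check exists there; if not, extend the condition with `&& r_packet->entire_length <= (size_t)bytes`. The `malloc` result for `*dump_here` is also used unchecked, and the new `int retval` receives an unsigned difference, so a large length would come back negative to the caller. The body of `receive_AFC_data` starts and ends outside the hunks shown.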