In ftp.c, the return value of ftp_response() is not checked before using
the pointer respline.  The subsequent call to ftp_expected_bytes (respline)
will possibly dereference the uninitialized pointer, thereby crashing
wget.

This patch moves the dereference of respline after the return-value
check, which should fix the crash.

The problem has been reported against Fedora's wget package[1].

Thanks for reviewing and best wishes,

Cong.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1169022
From 7a5335a488847c67e2d1d3b114a5e92eb962bd6d Mon Sep 17 00:00:00 2001
From: Cong Ma <[email protected]>
Date: Mon, 15 Dec 2014 21:21:10 +0800
Subject: [PATCH] ftp: fix invalid pointer dereference in getftp()

The pointer respline in use after being passed to ftp_response() may be
uninitialized if ftp_response() fails.  Ensure that respline be used
after checking the return value of ftp_response().
---
 src/ftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ftp.c b/src/ftp.c
index a3b2cb6..34c3858 100644
--- a/src/ftp.c
+++ b/src/ftp.c
@@ -1350,7 +1350,6 @@ Error in server response, closing control 
connection.\n"));
 
   /* Get the server to tell us if everything is retrieved.  */
   err = ftp_response (csock, &respline);
-  *last_expected_bytes = ftp_expected_bytes (respline);
   if (err != FTPOK)
     {
       /* The control connection is decidedly closed.  Print the time
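Review bot: With the assignment gone from above the "if (err != FTPOK)" check, the failure branch now returns FTPRETRINT without ever writing *last_expected_bytes, so the caller keeps whatever value was stored there before the call. If any caller reads it after a failed getftp(), set it explicitly inside the error branch (for example to 0); if not, a one-line comment saying it is deliberately left untouched on failure would make that contract visible.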
@@ -1366,6 +1365,7 @@ Error in server response, closing control 
connection.\n"));
       con->csock = -1;
       return FTPRETRINT;
     } /* err != FTPOK */
+  *last_expected_bytes = ftp_expected_bytes (respline);
   /* If retrieval failed for any reason, return FTPRETRINT, but do not
      close socket, since the control connection is still alive.  If
      there is something wrong with the control connection, it will
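Review bot: The relocated "*last_expected_bytes = ftp_expected_bytes (respline);" directly after "} /* err != FTPOK */" carries no hint of why it has to stay below the check. A short comment noting that respline is only set when ftp_response() returns FTPOK would keep a later cleanup from hoisting it back up, and a blank line before the following comment block would separate it from the unrelated retrieval-failure handling.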
-- 
1.9.3
