diff options
author | Martin Aumueller | 2008-07-30 23:03:56 +0200 |
---|---|---|
committer | Matt Colyer | 2008-07-31 09:03:01 -0700 |
commit | 3a659016bbe52ed729a46d5203372db9f1a1c9aa (patch) | |
tree | 31b6f5df920131d18ebb112f7e8064801887aae9 | |
parent | 41bc8af628e60132747b4ca6a7f4620d19f2eea8 (diff) | |
download | libplist-3a659016bbe52ed729a46d5203372db9f1a1c9aa.tar.gz libplist-3a659016bbe52ed729a46d5203372db9f1a1c9aa.tar.bz2 |
Don't access freed memory.
Signed-off-by: Matt Colyer <matt@colyer.name>
-rw-r--r-- | src/AFC.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -121,6 +121,7 @@ int receive_AFC_data(AFClient *client, char **dump_here) { AFCPacket *r_packet; char *buffer = (char*)malloc(sizeof(AFCPacket) * 4); int bytes = 0, recv_len = 0; + int retval = 0; bytes = mux_recv(client->phone, client->connection, buffer, sizeof(AFCPacket) * 4); if (bytes <= 0) { @@ -136,9 +137,10 @@ int receive_AFC_data(AFClient *client, char **dump_here) { if (r_packet->entire_length == r_packet->this_length && r_packet->entire_length > sizeof(AFCPacket) && r_packet->operation != AFC_ERROR) { *dump_here = (char*)malloc(sizeof(char) * (r_packet->entire_length-sizeof(AFCPacket))); memcpy(*dump_here, buffer+sizeof(AFCPacket), r_packet->entire_length-sizeof(AFCPacket)); + retval = r_packet->entire_length - sizeof(AFCPacket); free(buffer); free(r_packet); - return r_packet->entire_length - sizeof(AFCPacket); + return retval; } uint32 param1 = buffer[sizeof(AFCPacket)]; |