summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Martin Aumueller2008-07-30 23:03:56 +0200
committerGravatar Matt Colyer2008-07-31 09:03:01 -0700
commit3a659016bbe52ed729a46d5203372db9f1a1c9aa (patch)
tree31b6f5df920131d18ebb112f7e8064801887aae9
parent41bc8af628e60132747b4ca6a7f4620d19f2eea8 (diff)
downloadlibplist-3a659016bbe52ed729a46d5203372db9f1a1c9aa.tar.gz
libplist-3a659016bbe52ed729a46d5203372db9f1a1c9aa.tar.bz2
Don't access freed memory.
Signed-off-by: Matt Colyer <matt@colyer.name>
-rw-r--r--src/AFC.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/AFC.c b/src/AFC.c
index f4b802d..5462dfc 100644
--- a/src/AFC.c
+++ b/src/AFC.c
@@ -121,6 +121,7 @@ int receive_AFC_data(AFClient *client, char **dump_here) {
AFCPacket *r_packet;
char *buffer = (char*)malloc(sizeof(AFCPacket) * 4);
int bytes = 0, recv_len = 0;
+ int retval = 0;
bytes = mux_recv(client->phone, client->connection, buffer, sizeof(AFCPacket) * 4);
if (bytes <= 0) {
@@ -136,9 +137,10 @@ int receive_AFC_data(AFClient *client, char **dump_here) {
if (r_packet->entire_length == r_packet->this_length && r_packet->entire_length > sizeof(AFCPacket) && r_packet->operation != AFC_ERROR) {
*dump_here = (char*)malloc(sizeof(char) * (r_packet->entire_length-sizeof(AFCPacket)));
memcpy(*dump_here, buffer+sizeof(AFCPacket), r_packet->entire_length-sizeof(AFCPacket));
+ retval = r_packet->entire_length - sizeof(AFCPacket);
free(buffer);
free(r_packet);
- return r_packet->entire_length - sizeof(AFCPacket);
+ return retval;
}
uint32 param1 = buffer[sizeof(AFCPacket)];