The first line of an HTTP request is the method-url-version. The
authorbluhm <bluhm@openbsd.org>
Mon, 18 May 2015 16:45:16 +0000 (16:45 +0000)
committerbluhm <bluhm@openbsd.org>
Mon, 18 May 2015 16:45:16 +0000 (16:45 +0000)
second line is a key-value header.  So you cannot append to the
previous key-value before line three.  Also reset the last header
when all headers are purged to avoid a use after free.
OK benno@ reyk@

usr.sbin/relayd/relay_http.c

index 97bff86..4e3af60 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: relay_http.c,v 1.44 2015/04/29 08:41:24 bluhm Exp $   */
+/*     $OpenBSD: relay_http.c,v 1.45 2015/05/18 16:45:16 bluhm Exp $   */
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -149,6 +149,7 @@ relay_httpdesc_free(struct http_descriptor *desc)
                desc->query_val = NULL;
        }
        kv_purge(&desc->http_headers);
+       desc->http_lastheader = NULL;
 }
 
 void
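Review bot: The added `desc->http_lastheader = NULL;` carries no comment saying why it must follow `kv_purge(&desc->http_headers);`, so the coupling is easy to lose in a later edit. Going by the commit message, http_lastheader refers to an entry owned by http_headers and is left dangling once the list is purged. A comment such as `/* http_lastheader points into http_headers; clear it so a later continuation line cannot touch a freed entry */` would record that. Any other path that removes entries from http_headers, none of which is visible here, presumably needs the same reset. The start of relay_httpdesc_free is outside the hunk.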
@@ -213,7 +214,7 @@ relay_read_http(struct bufferevent *bev, void *arg)
                else
                        value = strchr(key, ':');
                if (value == NULL) {
-                       if (cre->line == 1) {
+                       if (cre->line <= 2) {
                                free(line);
                                relay_abort_http(con, 400, "malformed", 0);
                                return;
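Review bot: The guard `if (cre->line <= 2) {` protects the append to the previous header only indirectly, through the line counter, rather than through the pointer that the append presumably dereferences. The append code is outside this hunk, but if it uses http_lastheader, the check stays correct only while cre->line and the header list are always reset together. Testing the pointer as well, e.g. `if (cre->line <= 2 || desc->http_lastheader == NULL) {` (assuming the descriptor is reachable as `desc` in relay_read_http, which the hunk does not show), would reject a colon-less line whenever no header has been stored. A short comment that line 1 is the request line and line 2 the first header would also explain the constant. relay_read_http starts and ends outside the hunk.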