From: claudio Date: Thu, 11 Nov 2021 15:52:33 +0000 (+0000) Subject: Move the assignment of http_query down. Also do not assign a non-malloced X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a89b976f53c4148440f39b9b2998a1c87e8725b5;p=openbsd Move the assignment of http_query down. Also do not assign a non-malloced string to it since the code assumes it can call free on it. Fixes crashes noticed by tobhe@ and florian@ OK otto@ tobhe@
---
diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 4c85444cb5c..d5d31fa03ef 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_http.c,v 1.148 2021/11/05 19:01:02 benno Exp $ */
+/* $OpenBSD: server_http.c,v 1.149 2021/11/11 15:52:33 claudio Exp $ */
 /*
 * Copyright (c) 2020 Matthias Pressfreund
@@ -228,7 +228,7 @@ server_read_http(struct bufferevent *bev, void *arg)
 struct evbuffer *src = EVBUFFER_INPUT(bev);
 char *line = NULL, *key, *value;
 const char *errstr;
- char *http_version;
+ char *http_version, *query;
 size_t size, linelen;
 int version;
 struct kv *hdr = NULL;
@@ -348,9 +348,6 @@ server_read_http(struct bufferevent *bev, void *arg)
 }
 *http_version++ = '\0';
- desc->http_query = strchr(desc->http_path, '?');
- if (desc->http_query != NULL)
- *desc->http_query++ = '\0';
 /*
 * We have to allocate the strings because they could
@@ -378,10 +375,13 @@ server_read_http(struct bufferevent *bev, void *arg)
 goto fail;
 }
- if (desc->http_query != NULL &&
- (desc->http_query =
- strdup(desc->http_query)) == NULL)
- goto fail;
+ query = strchr(desc->http_path, '?');
+ if (query != NULL) {
+ *query++ = '\0';
+
+ if ((desc->http_query = strdup(query)) == NULL)
+ goto fail;
+ }
 } else if (desc->http_method != HTTP_METHOD_NONE &&
 strcasecmp("Content-Length", key) == 0) {
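Review bot: In the last hunk (`@@ -378,10 +375,13 @@`), `desc->http_query` is now written only when the path contains a `?`, whereas the removed code assigned the `strchr()` result unconditionally and so also set it to NULL for a request without a query. If the descriptor is not guaranteed to be reset before this branch runs (that code is outside the hunk), a value left from an earlier request would survive and later be used or freed as if it belonged to this one. Consider making the invariant explicit ahead of the `strchr()` with `free(desc->http_query);` and `desc->http_query = NULL;`, or at least a comment such as `/* http_query is NULL or its own malloc'd string; cleanup calls free() on it */`. The body of server_read_http starts and ends outside the hunk.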