From 9779e1083eaf0016c5af8941acee0dc760be3ce0 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Mon, 18 May 2015 16:45:16 +0000
Subject: [PATCH] The first line of a HTTP request is the method-url-version. The second line is a key-value header. So you cannot append to the previous key-value before line three. Also reset the last header when all headers are purged to avoid a use after free. OK benno@ reyk@
---
 usr.sbin/relayd/relay_http.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/relayd/relay_http.c b/usr.sbin/relayd/relay_http.c
index 97bff864226..4e3af605a15 100644
--- a/usr.sbin/relayd/relay_http.c
+++ b/usr.sbin/relayd/relay_http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay_http.c,v 1.44 2015/04/29 08:41:24 bluhm Exp $ */
+/* $OpenBSD: relay_http.c,v 1.45 2015/05/18 16:45:16 bluhm Exp $ */
 /*
 * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -149,6 +149,7 @@ relay_httpdesc_free(struct http_descriptor *desc)
 desc->query_val = NULL;
 }
 kv_purge(&desc->http_headers);
+ desc->http_lastheader = NULL;
 }
 void
@@ -213,7 +214,7 @@ relay_read_http(struct bufferevent *bev, void *arg)
 else
 value = strchr(key, ':');
 if (value == NULL) {
- if (cre->line == 1) {
+ if (cre->line <= 2) {
 free(line);
 relay_abort_http(con, 400, "malformed", 0);
 return;
-- 
2.20.1
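Review bot: The added `desc->http_lastheader = NULL;` after `kv_purge(&desc->http_headers);` in relay_httpdesc_free carries no comment, so the reason for the reset is recorded only in the commit message. I would put `/* http_lastheader refers to an entry of http_headers; clear it so it cannot dangle after the purge */` above the assignment; the aliasing is inferred from the commit message and is not visible in this hunk. Any other path that deletes entries from http_headers presumably needs the same reset, which cannot be confirmed from here. The function body starts outside the hunk.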
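Review bot: The guard `if (cre->line <= 2)` in relay_read_http expresses "there is no previous header to extend" through a line count rather than through the pointer the continuation code relies on. If the code following this branch (outside the hunk) uses the descriptor's `http_lastheader`, also rejecting the request when that pointer is NULL would cover any state where it was cleared for another reason, such as after relay_httpdesc_free. At minimum the literal deserves a comment, for example `/* line 1 is the start line and line 2 the first header, so there is nothing to continue yet */`.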