Move the assignment of http_query down. Also do not assign a non-malloced

string to it since the code assumes it can call free on it.
Fixes crashes noticed by tobhe@ and florian@
OK otto@ tobhe@

1 files changed, 9 insertions, 9 deletions

diff --git a/usr.sbin/httpd/server_http.c b/usr.sbin/httpd/server_http.c
index 4c85444cb5c..d5d31fa03ef 100644
--- a/usr.sbin/httpd/server_http.c
+++ b/usr.sbin/httpd/server_http.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: server_http.c,v 1.148 2021/11/05 19:01:02 benno Exp $	*/
+/*	$OpenBSD: server_http.c,v 1.149 2021/11/11 15:52:33 claudio Exp $	*/
 
 /*
  * Copyright (c) 2020 Matthias Pressfreund <mpfr@fn.de>
@@ -228,7 +228,7 @@ server_read_http(struct bufferevent *bev, void *arg)
 	struct evbuffer		*src = EVBUFFER_INPUT(bev);
 	char			*line = NULL, *key, *value;
 	const char		*errstr;
-	char			*http_version;
+	char			*http_version, *query;
 	size_t			 size, linelen;
 	int			 version;
 	struct kv		*hdr = NULL;
@@ -348,9 +348,6 @@ server_read_http(struct bufferevent *bev, void *arg)
 			}
 
 			*http_version++ = '\0';
-			desc->http_query = strchr(desc->http_path, '?');
-			if (desc->http_query != NULL)
-				*desc->http_query++ = '\0';
 
 			/*
 			 * We have to allocate the strings because they could
@@ -378,10 +375,13 @@ server_read_http(struct bufferevent *bev, void *arg)
 					goto fail;
 			}
 
-			if (desc->http_query != NULL &&
-			    (desc->http_query =
-			    strdup(desc->http_query)) == NULL)
-				goto fail;
+			query = strchr(desc->http_path, '?');
+			if (query != NULL) {
+				*query++ = '\0';
+
+				if ((desc->http_query = strdup(query)) == NULL)
+					goto fail;
+			}
 
 		} else if (desc->http_method != HTTP_METHOD_NONE &&
 		    strcasecmp("Content-Length", key) == 0) {