diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-05-18 16:45:17 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-05-18 16:45:17 +0000 |
| commit | af33d02f5d3b312e4092075023c82e7be9f8251d (patch) | |
| tree | d5ce8e302b2babfc76e34af0ee1ac582f85b99e8 /usr.sbin/relayd | |
| parent | 498b85f7ebfd15704302f7a237cc6c876624755c (diff) | |
The first line of a HTTP request is the method-url-version. The
second line is a key-value header. So you cannot append to the
previous key-value before line three. Also reset the last header
when all headers are purged to avoid a use after free.
OK benno@ reyk@
Diffstat (limited to 'usr.sbin/relayd')
| -rw-r--r-- | usr.sbin/relayd/relay_http.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/usr.sbin/relayd/relay_http.c b/usr.sbin/relayd/relay_http.c index 97bff864226..4e3af605a15 100644 --- a/usr.sbin/relayd/relay_http.c +++ b/usr.sbin/relayd/relay_http.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay_http.c,v 1.44 2015/04/29 08:41:24 bluhm Exp $ */ +/* $OpenBSD: relay_http.c,v 1.45 2015/05/18 16:45:16 bluhm Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -149,6 +149,7 @@ relay_httpdesc_free(struct http_descriptor *desc) desc->query_val = NULL; } kv_purge(&desc->http_headers); + desc->http_lastheader = NULL; } void @@ -213,7 +214,7 @@ relay_read_http(struct bufferevent *bev, void *arg) else value = strchr(key, ':'); if (value == NULL) { - if (cre->line == 1) { + if (cre->line <= 2) { free(line); relay_abort_http(con, 400, "malformed", 0); return; |