From 934c95ca11ef43146e012e490a9c2b2a54c41ad8 Mon Sep 17 00:00:00 2001
From: Reyk Floeter <reyk@cvs.openbsd.org>
Date: Mon, 23 Feb 2015 11:48:42 +0000
Subject: Fix an issues that was found by halex@: we didn't set the return_uri
 in non-location virtual hosts.  Add comments clarify the variable-length
 values.

OK halex@
---
 usr.sbin/httpd/config.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/usr.sbin/httpd/config.c b/usr.sbin/httpd/config.c
index f631214e7b4..2dc915935b4 100644
--- a/usr.sbin/httpd/config.c
+++ b/usr.sbin/httpd/config.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: config.c,v 1.35 2015/02/07 23:56:02 reyk Exp $	*/
+/*	$OpenBSD: config.c,v 1.36 2015/02/23 11:48:41 reyk Exp $	*/
 
 /*
  * Copyright (c) 2011 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -272,6 +272,17 @@ config_getserver_config(struct httpd *env, struct server *srv,
 	if (config_getserver_auth(env, srv_conf) != 0)
 		goto fail;
 
+	/*
+	 * Get variable-length values for the virtual host.  The tls_* ones
+	 * aren't needed in the virtual hosts unless we implement SNI.
+	 */
+	if (srv_conf->return_uri_len != 0) {
+		if ((srv_conf->return_uri = get_data(p + s,
+		    srv_conf->return_uri_len)) == NULL)
+			goto fail;
+		s += srv_conf->return_uri_len;
+	}
+
 	if (srv_conf->flags & SRVFLAG_LOCATION) {
 		/* Inherit configuration from the parent */
 		f = SRVFLAG_INDEX|SRVFLAG_NO_INDEX;
@@ -344,6 +355,7 @@ config_getserver_config(struct httpd *env, struct server *srv,
 
 		f = SRVFLAG_BLOCK|SRVFLAG_NO_BLOCK;
 		if ((srv_conf->flags & f) == 0) {
+			free(srv_conf->return_uri);
 			srv_conf->flags |= parent->flags & f;
 			srv_conf->return_code = parent->return_code;
 			srv_conf->return_uri_len = parent->return_uri_len;
@@ -351,13 +363,6 @@ config_getserver_config(struct httpd *env, struct server *srv,
 			    (srv_conf->return_uri =
 			    strdup(parent->return_uri)) == NULL)
 				goto fail;
-		} else {
-			if (srv_conf->return_uri_len != 0) {
-				if ((srv_conf->return_uri = get_data(p + s,
-				    srv_conf->return_uri_len)) == NULL)
-					goto fail;
-				s += srv_conf->return_uri_len;
-			}
 		}
 
 		memcpy(&srv_conf->timeout, &parent->timeout,
@@ -408,7 +413,8 @@ config_getserver(struct httpd *env, struct imsg *imsg)
 	serverconfig_reset(&srv_conf);
 
 	if ((IMSG_DATA_SIZE(imsg) - s) <
-	    (srv_conf.tls_cert_len + srv_conf.tls_key_len)) {
+	    (srv_conf.tls_cert_len + srv_conf.tls_key_len +
+	    srv_conf.return_uri_len)) {
 		log_debug("%s: invalid message length", __func__);
 		goto fail;
 	}
@@ -450,6 +456,9 @@ config_getserver(struct httpd *env, struct imsg *imsg)
 	    srv->srv_conf.name, srv->srv_conf.id,
 	    printb_flags(srv->srv_conf.flags, SRVFLAG_BITS));
 
+	/*
+	 * Get all variable-length values for the parent server.
+	 */
 	if (srv->srv_conf.return_uri_len != 0) {
 		if ((srv->srv_conf.return_uri = get_data(p + s,
 		    srv->srv_conf.return_uri_len)) == NULL)
-- 
cgit v1.2.3