The response argument is eventually passed to `add_response_entry()`, which does a check on NULL. This was done without accessing struct members of *response* in the past; however, since 185f740e0684 ("allow clients to override sanity check for content-length header") an access to response->flags leads to a segfault.
This was spotted when building an app with libhttpserver which currently might pass a nullptr to `MHD_add_response_header()`, see the bug report over there for details.

Link: https://github.com/etr/libhttpserver/issues/255
Fixes: 185f740e0684 ("allow clients to override sanity check for content-length header")
Signed-off-by: Alexander Dahl <a...@thorsis.com>
---

Notes:

Hello everyone,

I discovered this when working with libhttpserver [1] which currently does not check some return codes and thus ends up passing a null pointer. This was no problem against version 0.9.62-1 from the Debian package, but is against recent 0.9.75.

I'm working on fixing that potentially harmful behaviour of the other lib, but I think the check here is valuable in itself, because it prevents libmicrohttpd from segfaulting.

Greets
Alex

[1] https://github.com/etr/libhttpserver

src/microhttpd/response.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/microhttpd/response.c b/src/microhttpd/response.c index ca3639f4..2a8b3cbe 100644 --- a/src/microhttpd/response.c +++ b/src/microhttpd/response.c @@ -494,6 +494,9 @@ MHD_add_response_header (struct MHD_Response *response, const char *header, const char *content) { + if (response == NULL) + return MHD_NO; + if (MHD_str_equal_caseless_ (header, MHD_HTTP_HEADER_CONNECTION)) return add_response_header_connection (response, content); base-commit: 1b1361e4c6e07a74e1a70f96fc570510aaa36815 -- 2.20.1
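
Review bot: The new guard at the top of MHD_add_response_header() tests only `response`, while `header` is handed to MHD_str_equal_caseless_() in the very next statement with no check visible in this hunk, so the function still depends on its callees to reject a NULL `header` or `content`. Consider widening the test to `if ((NULL == response) || (NULL == header) || (NULL == content)) return MHD_NO;`, or confirm that both arguments are validated further down before they are dereferenced. A one-line comment stating that the check has to precede the response->flags access named in the commit message would also keep it from being dropped later as a duplicate of the NULL check in add_response_entry().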