The response argument is passed to `add_response_entry()` eventually
which does a check on NULL. This was done without accessing struct
members of *response* in the past, however since 185f740e0684 ("allow
clients to override sanity check for content-length header") an access
to response->flags leads to a segfault.
This was spotted when building an app with libhttpserver which currently
might pass a nullptr to `MHD_add_response_header()`, see the bug report
over there for details.
Link: https://github.com/etr/libhttpserver/issues/255
Fixes: 185f740e0684 ("allow clients to override sanity check for content-length
header")
Signed-off-by: Alexander Dahl <a...@thorsis.com>
---
Notes:
Hello everyone,
I discovered this when working with libhttpserver [1] which currently
does not check some return codes and thus ends up passing a null
pointer. This was no problem against version 0.9.62-1 from the debian
package, but is against recent 0.9.75. I'm working on fixing that
potentially harmful behaviour of the other lib, but I think the check
here is valuable in itself, because it prevents libmicrohttpd to
segfault.
Greets
Alex
[1] https://github.com/etr/libhttpserver
src/microhttpd/response.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/microhttpd/response.c b/src/microhttpd/response.c
index ca3639f4..2a8b3cbe 100644
--- a/src/microhttpd/response.c
+++ b/src/microhttpd/response.c
@@ -494,6 +494,9 @@ MHD_add_response_header (struct MHD_Response *response,
const char *header,
const char *content)
{
+ if (response == NULL)
+ return MHD_NO;
+
if (MHD_str_equal_caseless_ (header, MHD_HTTP_HEADER_CONNECTION))
return add_response_header_connection (response, content);
base-commit: 1b1361e4c6e07a74e1a70f96fc570510aaa36815
--
2.20.1
