authorAndrei Cipu <acipu@ixiacom.com>2012-03-22 08:52:45 +0100
committerDaniel Stenberg <daniel@haxx.se>2012-03-22 08:56:33 +0100
commit97b66ebefe2090aea734af57c5e7e182a97f20bb (patch)
tree0c4ee585898a45aa1da238013ed04f61212a8e4c
parentd2e5222ebc1568d54a2d6068250391345b99cc82 (diff)
cookies: strip the numerical ipv6 host properly
The commit e650dbde86d4 that stripped off [brackets] from ipv6-only host headers for the sake of cookie parsing wrongly incremented the host pointer which would cause a bad free() call later on.
-rw-r--r--lib/http.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c
index a8b3e28fd..ec76bbe46 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1851,9 +1851,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
the bracket has been closed */
int startsearch = 0;
if(*cookiehost == '[') {
- char *closingbracket = strchr(++cookiehost, ']');
+ char *closingbracket;
+ closingbracket = strchr(cookiehost+1, ']');
if(closingbracket)
*closingbracket = 0;
+ /* since the 'cookiehost' is an allocated memory area that will be
+ freed later we cannot simply increment the pointer */
+ memmove(cookiehost, cookiehost + 1, strlen(cookiehost) - 1);
}
else {
char *colon = strchr(cookiehost + startsearch, ':');
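Review bot: The `memmove()` added in the `[` branch copies `strlen(cookiehost) - 1` bytes, which shifts the address characters left but leaves the terminating NUL behind, so the old last character stays in place and the string comes out one character too long. With a constructed example, `[::1]` is first cut to `[::1` and then becomes `::11` instead of `::1`, and the same happens when no closing bracket is found. Copying the terminator as well fixes it: `memmove(cookiehost, cookiehost + 1, strlen(cookiehost));`. The rest of Curl_http is outside this hunk, but the cookie code that receives this host would presumably match and store cookies for IPv6 literals under the wrong name. A test with a bracketed IPv6 Host header would catch that.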