hsts: skip single-dot hostname

author Daniel Stenberg <daniel@haxx.se>

Thu, 2 Nov 2023 09:52:46 +0000 (10:52 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Thu, 2 Nov 2023 12:17:45 +0000 (13:17 +0100)
author Daniel Stenberg <daniel@haxx.se>
Thu, 2 Nov 2023 09:52:46 +0000 (10:52 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Thu, 2 Nov 2023 12:17:45 +0000 (13:17 +0100)
diff --git a/lib/hsts.c b/lib/hsts.c

index 7ecf0042a599a6718d38dcbc82059d5994f4f129..6fac2b7c043d003036e02700e3c600b4d79e2354 100644 (file)
--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -40,6 +40,7 @@
  #include "fopen.h"
  #include "rename.h"
  #include "share.h"
+#include "strdup.h"
  
  /* The last 3 #include files should be in this order */
  #include "curl_printf.h"
@@ -116,22 +117,30 @@ static CURLcode hsts_create(struct hsts *h,
                              bool subdomains,
                              curl_off_t expires)
  {
-  struct stsentry *sts = hsts_entry();
+  struct stsentry *sts;
    char *duphost;
    size_t hlen;
+  DEBUGASSERT(h);
+  DEBUGASSERT(hostname);
+
+  hlen = strlen(hostname);
+  if(hlen && (hostname[hlen - 1] == '.'))
+    /* strip off any trailing dot */
+    --hlen;
+  if(!hlen)
+    /* no host name left */
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+
+  sts = hsts_entry();
    if(!sts)
      return CURLE_OUT_OF_MEMORY;
  
-  duphost = strdup(hostname);
+  duphost = Curl_memdup(hostname, hlen + 1);
    if(!duphost) {
      free(sts);
      return CURLE_OUT_OF_MEMORY;
    }
-
-  hlen = strlen(duphost);
-  if(duphost[hlen - 1] == '.')
-    /* strip off trailing any dot */
-    duphost[--hlen] = 0;
+  duphost[hlen] = 0; /* might remove a dot */
  
    sts->host = duphost;
    sts->expires = expires;
author	Daniel Stenberg <daniel@haxx.se>
	Thu, 2 Nov 2023 09:52:46 +0000 (10:52 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Thu, 2 Nov 2023 12:17:45 +0000 (13:17 +0100)