From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 16 Jan 2024 22:50:02 +0000 (+0100)
Subject: headers: remove assert from Curl_headers_push
X-Git-Tag: curl-8_6_0~69
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8cffcb8d45449b3b9b7ce48d3e8ee24ceb3e6b2;p=thirdparty%2Fcurl.git

headers: remove assert from Curl_headers_push

The fuzzer managed to reach the function without a terminating CR or LF
so let's handle it normally. While there, remove the goto.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65839

Closes #12721
---

diff --git a/lib/headers.c b/lib/headers.c
index 9c29238993..8a3264ab56 100644
--- a/lib/headers.c
+++ b/lib/headers.c
@@ -291,9 +291,9 @@ CURLcode Curl_headers_push(struct Curl_easy *data, const char *header,
   end = strchr(header, '\r');
   if(!end) {
     end = strchr(header, '\n');
-    DEBUGASSERT(end);
     if(!end)
-      return CURLE_BAD_FUNCTION_ARGUMENT;
+      /* neither CR nor LF as terminator is not a valid header */
+      return CURLE_WEIRD_SERVER_REPLY;
   }
   hlen = end - header;
 
@@ -320,21 +320,19 @@ CURLcode Curl_headers_push(struct Curl_easy *data, const char *header,
   hs->buffer[hlen] = 0; /* nul terminate */
 
   result = namevalue(hs->buffer, hlen, type, &name, &value);
-  if(result)
-    goto fail;
-
-  hs->name = name;
-  hs->value = value;
-  hs->type = type;
-  hs->request = data->state.requests;
-
-  /* insert this node into the list of headers */
-  Curl_llist_insert_next(&data->state.httphdrs, data->state.httphdrs.tail,
-                         hs, &hs->node);
-  data->state.prevhead = hs;
-  return CURLE_OK;
-fail:
-  free(hs);
+  if(!result) {
+    hs->name = name;
+    hs->value = value;
+    hs->type = type;
+    hs->request = data->state.requests;
+
+    /* insert this node into the list of headers */
+    Curl_llist_insert_next(&data->state.httphdrs, data->state.httphdrs.tail,
+                           hs, &hs->node);
+    data->state.prevhead = hs;
+  }
+  else
+    free(hs);
   return result;
 }