From 861a322400da021c524410452deaeefbf8d048fb Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@openssl.org>
Date: Fri, 13 Dec 2024 08:54:49 -0500
Subject: [PATCH] Correct copying of the url value

When setting up the url value we copy data from memory regions that
overlap, it leads to bogus output, correct that.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26180)
---
 demos/http3/ossl-nghttp3-demo-server.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/demos/http3/ossl-nghttp3-demo-server.c b/demos/http3/ossl-nghttp3-demo-server.c
index dcfd652ca2d..2541d78d369 100644
--- a/demos/http3/ossl-nghttp3-demo-server.c
+++ b/demos/http3/ossl-nghttp3-demo-server.c
@@ -289,15 +289,15 @@ static int on_recv_header(nghttp3_conn *conn, int64_t stream_id, int32_t token,
     if (token == NGHTTP3_QPACK_TOKEN__PATH) {
         int len = (((vvalue.len) < (MAXURL)) ? (vvalue.len) : (MAXURL));
 
-        memcpy(h3ssl->url, vvalue.base, len);
-        if (h3ssl->url[0] == '/') {
-            if (h3ssl->url[1] == '\0') {
+        memset(h3ssl->url, 0, sizeof(h3ssl->url));
+        if (vvalue.base[0] == '/') {
+            if (vvalue.base[1] == '\0') {
                 strncpy(h3ssl->url, "index.html", MAXURL);
-                h3ssl->url[MAXURL - 1] = '\0';
             } else {
-                memcpy(h3ssl->url, h3ssl->url + 1, len - 1);
-                h3ssl->url[len - 1] = '\0';
+                memcpy(h3ssl->url, &vvalue.base[1], len - 1);
             }
+        } else {
+            memcpy(h3ssl->url, vvalue.base, len);
         }
     }
 
-- 
2.47.2