From: Andrei Cipu <acipu@ixiacom.com>
Date: Thu, 22 Mar 2012 07:52:45 +0000 (+0100)
Subject: cookies: strip the numerical ipv6 host properly
X-Git-Tag: curl-7_25_0~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97b66ebe;p=thirdparty%2Fcurl.git

cookies: strip the numerical ipv6 host properly

The commit e650dbde86d4 that stripped off [brackets] from ipv6-only host
headers for the sake of cookie parsing wrongly incremented the host
pointer which would cause a bad free() call later on.
---

diff --git a/lib/http.c b/lib/http.c
index a8b3e28fd9..ec76bbe46b 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1851,9 +1851,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
          the bracket has been closed */
       int startsearch = 0;
       if(*cookiehost == '[') {
-        char *closingbracket = strchr(++cookiehost, ']');
+        char *closingbracket;
+        closingbracket = strchr(cookiehost+1, ']');
         if(closingbracket)
           *closingbracket = 0;
+        /* since the 'cookiehost' is an allocated memory area that will be
+           freed later we cannot simply increment the pointer */
+        memmove(cookiehost, cookiehost + 1, strlen(cookiehost) - 1);
       }
       else {
         char *colon = strchr(cookiehost + startsearch, ':');