From fb7f6cfa972d6eb122f37f195382f54148155725 Mon Sep 17 00:00:00 2001
From: Ding Tao
Date: Wed, 25 Oct 2017 19:59:52 +0800
Subject: [PATCH] net: lib: http: Fix invalid pointer body_start

The body_start field at http_client_ctx.rsp is used to check if this fragment contains (a part of) headers or not. If the device recived more than one fragment in one http response, may cause re-use of the result buffer in function on_body(). Once the device re-use the result buffer, the body_start that point to this buffer address will no longer be valid.

Signed-off-by: Ding Tao
---
 subsys/net/lib/http/http_client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/subsys/net/lib/http/http_client.c b/subsys/net/lib/http/http_client.c
index 5b19b0b60c2..c3b3168be8d 100644
--- a/subsys/net/lib/http/http_client.c
+++ b/subsys/net/lib/http/http_client.c
@@ -292,7 +292,8 @@ static int on_body(struct http_parser *parser, const char *at, size_t length)
 NET_DBG("Processed %zd length %zd", ctx->rsp.processed, length);
- if (!ctx->rsp.body_start) {
+ if ((u8_t *)at != (u8_t *)ctx->rsp.response_buf) {
+ /* This fragment contains the start of the body */
 ctx->rsp.body_start = (u8_t *)at;
 }
@@ -309,6 +310,7 @@ static int on_body(struct http_parser *parser, const char *at, size_t length)
 /* Re-use the result buffer and start to fill it again */
 ctx->rsp.data_len = 0;
+ ctx->rsp.body_start = NULL;
 }
 return 0;
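Review bot: The rewritten condition in on_body drops the old `!ctx->rsp.body_start` guard, so body_start is overwritten on every call whose `at` is not the first byte of response_buf. http_parser can call on_body more than once for the data held in one buffer (chunked bodies are delivered per chunk), and if that happens here the pointer ends up at the latest chunk instead of the first body byte, so any header-length arithmetic built on it would be wrong. Keeping both tests, `if (!ctx->rsp.body_start && (u8_t *)at != (u8_t *)ctx->rsp.response_buf) {`, preserves first-write-wins within one buffer fill. The pointer comparison also cannot tell a fragment with headers from a continuation fragment that starts with a chunk-size line, which deserves at least a comment. on_body starts and ends outside this hunk, so how the buffer is refilled between calls is not visible here.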
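Review bot: The `ctx->rsp.body_start = NULL;` reset is tied to this one `ctx->rsp.data_len = 0;` site, inside a block whose condition lies above the hunk. Since the first hunk leaves body_start untouched when `at` equals response_buf, any other path that rewinds data_len to refill the buffer (none is visible here) would leave a pointer to bytes that are about to be overwritten. It is worth checking the other reset sites in http_client.c and recording the invariant next to the assignment, for example `/* body_start points into response_buf; clear it whenever the buffer is rewound */`.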