[libmicrohttpd] [PATCH] MHD_add_response_header: Check on passed nullptr

[Alexander Dahl]

The response argument is passed to `add_response_entry()` eventually
which does a check on NULL.  This was done without accessing struct
members of *response* in the past, however since 185f740e0684 ("allow
clients to override sanity check for content-length header") an access
to response->flags leads to a segfault.

This was spotted when building an app with libhttpserver which currently
might pass a nullptr to `MHD_add_response_header()`, see the bug report
over there for details.

Link: https://github.com/etr/libhttpserver/issues/255
Fixes: 185f740e0684 ("allow clients to override sanity check for content-length 
header")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    Hello everyone,
    
    I discovered this when working with libhttpserver [1] which currently
    does not check some return codes and thus ends up passing a null
    pointer.  This was no problem against version 0.9.62-1 from the debian
    package, but is against recent 0.9.75.  I'm working on fixing that
    potentially harmful behaviour of the other lib, but I think the check
    here is valuable in itself, because it prevents libmicrohttpd to
    segfault.
    
    Greets
    Alex
    
    [1] https://github.com/etr/libhttpserver

 src/microhttpd/response.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/microhttpd/response.c b/src/microhttpd/response.c
index ca3639f4..2a8b3cbe 100644
--- a/src/microhttpd/response.c
+++ b/src/microhttpd/response.c
@@ -494,6 +494,9 @@ MHD_add_response_header (struct MHD_Response *response,
                          const char *header,
                          const char *content)
 {
+  if (response == NULL)
+    return MHD_NO;
+
   if (MHD_str_equal_caseless_ (header, MHD_HTTP_HEADER_CONNECTION))
     return add_response_header_connection (response, content);
 

base-commit: 1b1361e4c6e07a74e1a70f96fc570510aaa36815
-- 
2.20.1