Hi, If a client sends a bogus request with an unknown method or no http version string, httpd currently grabs the last error with strerror(), this patch causes it to call server_abort_http() directly with a more explicit error message:
Index: server_http.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v retrieving revision 1.54 diff -u -p -r1.54 server_http.c --- server_http.c 25 Oct 2014 03:23:49 -0000 1.54 +++ server_http.c 28 Nov 2014 15:37:51 -0000 @@ -216,8 +216,10 @@ server_read_http(struct bufferevent *bev */ if (clt->clt_line == 1) { if ((desc->http_method = server_httpmethod_byname(key)) - == HTTP_METHOD_NONE) - goto fail; + == HTTP_METHOD_NONE) { + server_abort_http(clt, 501, "unknown method"); + return + } /* * Decode request path and query @@ -230,7 +232,8 @@ server_read_http(struct bufferevent *bev desc->http_version = strchr(desc->http_path, ' '); if (desc->http_version == NULL) { free(line); - goto fail; + server_abort_http(clt, 500, "no http version"); + return; } *desc->http_version++ = '\0'; desc->http_query = strchr(desc->http_path, '?');