msg is allocated by vasprintf, and is leaked on return of server_sendlog. vasprintf calculates the length of the string, so we can zap a needless call to strlen while there.
Index: server.c =================================================================== RCS file: /cvs/src/usr.sbin/httpd/server.c,v retrieving revision 1.121 diff -u -p -r1.121 server.c --- server.c 11 Oct 2020 03:21:44 -0000 1.121 +++ server.c 31 Dec 2020 10:06:28 -0000 @@ -1251,12 +1251,14 @@ server_sendlog(struct server_config *srv iov[0].iov_base = &srv_conf->id; iov[0].iov_len = sizeof(srv_conf->id); iov[1].iov_base = msg; - iov[1].iov_len = strlen(msg) + 1; + iov[1].iov_len = ret + 1; if (proc_composev(httpd_env->sc_ps, PROC_LOGGER, cmd, iov, 2) != 0) { log_warn("%s: failed to compose imsg", __func__); + free(msg); return; } + free(msg); } void