From 83d7687366a12e339be060bcbc9b67cf781fc317 Mon Sep 17 00:00:00 2001
From: Stefan Becker
Date: Fri, 8 Oct 2010 00:16:37 +0300
Subject: [PATCH] Fix for bug #3082602: Crash on Autodiscover

The real problem was that we received a redirect response with an invalid URL. But the check for that was at the wrong place and let to a use-after-free situation. Now we parse the URL first and if it is valid then we do the cloning of the http_conn for the redirect.
---
 src/core/http-conn.c | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/core/http-conn.c b/src/core/http-conn.c
index a4505303..3254e2ae 100644
--- a/src/core/http-conn.c
+++ b/src/core/http-conn.c
@@ -176,7 +176,7 @@ static void
 http_conn_close(HttpConn *http_conn, const char *message)
 {
 SIPE_DEBUG_INFO("http_conn_close: closing http connection: %s", message ? message : "");
-
+
 g_return_if_fail(http_conn);
 sipe_backend_transport_disconnect(http_conn->conn);
 
@@ -411,20 +411,33 @@ http_conn_process_input_message(HttpConn *http_conn,
 http_conn->allow_redirect) {
 const char *location = sipmsg_find_header(msg, "Location");
+ gchar *host, *url;
+ guint port;
 SIPE_DEBUG_INFO("http_conn_process_input_message: Redirect to: %s", location ? location : "");
+ http_conn_parse_url(location, &host, &port, &url);
+
+ if (host) {
+ http_conn->do_close = http_conn_clone(http_conn);
+ http_conn->sec_ctx = NULL;
+
+ g_free(http_conn->host);
+ g_free(http_conn->url);
+
+ http_conn->host = host;
+ http_conn->port = port;
+ http_conn->url = url;
- http_conn->do_close = http_conn_clone(http_conn);
- http_conn->sec_ctx = NULL;
-
- g_free(http_conn->host);
- g_free(http_conn->url);
- http_conn_parse_url(location, &http_conn->host, &http_conn->port, &http_conn->url);
- http_conn->conn = http_conn_setup(http_conn,
- http_conn->sipe_public,
- http_conn->conn_type,
- http_conn->host,
- http_conn->port);
+ http_conn->conn = http_conn_setup(http_conn,
+ http_conn->sipe_public,
+ http_conn->conn_type,
+ host,
+ port);
+ } else {
+ SIPE_DEBUG_ERROR_NOFORMAT("http_conn_process_input_message: no redirect host");
+ g_free(url);
+ return;
+ }
 }
 /* Authentication required */
 else if (msg->response == 401) {
-- 
2.11.4.GIT
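Review bot: `host`, `url` and `port` are declared uninitialized at the top of the redirect branch, so the new `if (host)` test and the `g_free(url)` in the else branch are only safe if `http_conn_parse_url()` stores to both out-pointers on every path, including a missing `Location` header (the debug line just above already allows for `location` being NULL). That function is not visible in this hunk, so I would initialise at the declaration, `gchar *host = NULL, *url = NULL;` and `guint port = 0;`, so that an early return from the parser cannot lead to a branch on, or a free of, an indeterminate pointer. The early `return` in the else branch also leaves http_conn_process_input_message before whatever follows the if/else chain, which lies outside the hunk; it is worth confirming that the requester is still told the request failed and that no cleanup later in the function is skipped.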