The snprintf() for getting datasz should be checked, because it can fail on 
unexpected characters - from the manual:

```
[EILSEQ]           An invalid wide character code was encountered.
```

That will make it safer when wanting to send data taken from SIP traffic (e.g., 
body of requests).

On negative return code, likely pkg_malloc() will fail, requested size being 
big.

The second snprintf() is unlikely to fail, but I would use pkg_mallocxz() or 
set send_data[0] = '\0' before it so in case it fails for whatsoever unknown 
reason, then the CURL library doesn't get a buffer with garbage and does not go 
beyond allocated buffer to find the '\0'.

For reusing http_client, it would be good to review all modules. Can be done 
for this one also after merging, it is easier to work directly in repo than as 
PR.

-- 
https://github.com/kamailio/kamailio/pull/2838#issuecomment-909005630
_______________________________________________
Kamailio (SER) - Development Mailing List
sr-dev@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev
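
The size-then-format pattern this comment discusses, as an added example that is not code from the pull request or from Kamailio: `format_alloc()`, `invalid_wide_is_rejected()` and the format strings are hypothetical, and `calloc()`/`free()` stand in for `pkg_mallocxz()`/`pkg_free()`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Kamailio code): format into a new zero-filled
 * buffer. calloc()/free() stand in for pkg_mallocxz()/pkg_free(). */
char *format_alloc(size_t *out_len, const char *fmt, ...)
{
	va_list ap;
	int datasz, n;
	char *buf;
	va_start(ap, fmt);
	datasz = vsnprintf(NULL, 0, fmt, ap); /* sizing pass */
	va_end(ap);
	if (datasz < 0)
		return NULL; /* e.g. EILSEQ: never turn a negative value into a size */
	buf = calloc((size_t)datasz + 1, 1); /* zeroed, so buf[0] == '\0' already */
	if (buf == NULL)
		return NULL;
	va_start(ap, fmt);
	n = vsnprintf(buf, (size_t)datasz + 1, fmt, ap);
	va_end(ap);
	if (n != datasz) { /* second pass failed or produced a different size */
		free(buf);
		return NULL;
	}
	if (out_len)
		*out_len = (size_t)n;
	return buf;
}

/* Constructed input: a wide character with no encoding in the default "C" locale. */
int invalid_wide_is_rejected(void)
{
	wchar_t bad[] = { (wchar_t)0xD800, 0 };
	char *p = format_alloc(NULL, "body=%ls", bad);
	int rejected = (p == NULL);
	free(p);
	return rejected;
}

int main(void)
{
	char *p = format_alloc(NULL, "{\"body\":\"%.*s\"}", 3, "v=0 (constructed)");
	printf("%s, invalid wide rejected: %d\n", p ? p : "(null)", invalid_wide_is_rejected());
	free(p);
	return 0;
}
```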
