From 444b8f5b32d0263f1a20e18eb3044bfeed334361 Mon Sep 17 00:00:00 2001
From: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Mon, 5 Mar 2018 01:12:09 +0100
Subject: [PATCH] http_send_response: fix undefined behaviour for copying the
 target string

... the format string and buffer were the same (undefined behaviour).
---
 http.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/http.c b/http.c
index 98dfb00..118389b 100644
--- a/http.c
+++ b/http.c
@@ -346,10 +346,11 @@ http_send_response(int fd, struct request *r)
 
 		/* if we have a vhost prefix, prepend it to the target */
 		if (s.vhost[i].prefix) {
-			if (esnprintf(realtarget, sizeof(realtarget), "%s%s",
+			if (esnprintf(tmptarget, sizeof(tmptarget), "%s%s",
 			              s.vhost[i].prefix, realtarget)) {
 				return http_send_status(fd, S_REQUEST_TOO_LARGE);
 			}
+			memcpy(realtarget, tmptarget, sizeof(realtarget));
 		}
 	}