The snprintf() for getting datasz should be checked, because it can fail on unexpected
characters - from the manual:
```
[EILSEQ] An invalid wide character code was encountered.
```
That will make it safer when wanting to send data taken from SIP traffic (e.g., body of
requests).
On a negative return code, pkg_malloc() will likely fail, the requested size being big.
The second snprintf() is unlikely to fail, but I would use pkg_mallocxz() or set
send_data[0] = '\0' before it, so in case it fails for whatsoever unknown reason,
the CURL library doesn't get a buffer with garbage and does not go beyond the
allocated buffer to find the '\0'.
For reusing http_client, it would be good to review all modules. It can be done for this one
also after merging; it is easier to work directly in the repo than as a PR.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/2838#issuecomment-909005630
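The two checks suggested in the comment above, as an added stand-alone sketch that is not code from the pull request or from Kamailio. The function name `format_send_data()` is hypothetical, and `calloc()` stands in for `pkg_mallocxz()` so the block builds outside the Kamailio tree.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical helper: returns a zero-terminated heap string, or NULL when
 * either formatting pass or the allocation fails. Caller frees the result. */
char *format_send_data(const char *fmt, ...)
{
    va_list ap;
    int datasz, n;
    char *send_data;

    va_start(ap, fmt);
    datasz = vsnprintf(NULL, 0, fmt, ap);   /* sizing pass, writes nothing */
    va_end(ap);
    if (datasz < 0)                         /* e.g. EILSEQ on bad input */
        return NULL;                        /* never turn it into a size */

    /* Zero-filled allocation (stand-in for pkg_mallocxz()): the buffer is
     * a valid empty string even if the second pass writes nothing. */
    send_data = calloc((size_t)datasz + 1, 1);
    if (send_data == NULL)
        return NULL;

    va_start(ap, fmt);
    n = vsnprintf(send_data, (size_t)datasz + 1, fmt, ap);
    va_end(ap);
    if (n < 0 || n > datasz) {              /* failed or would truncate */
        free(send_data);
        return NULL;
    }
    return send_data;
}

int main(void)
{
    /* Constructed inputs: a plain body, and a wide string holding a code
     * that cannot be converted to a multibyte sequence. */
    wchar_t bad[] = { (wchar_t)0x7fffffff, 0 };
    char *ok = format_send_data("{\"body\":\"%s\"}", "v=0");
    char *ko = format_send_data("%ls", bad);

    printf("ok=%s ko=%s\n", ok ? ok : "(null)", ko ? ko : "(null)");
    free(ok);
    free(ko);
    return 0;
}
```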