net/http: move postdata ownership to http_t instead of copying it in net_http_new

LibretroAdmin · LibretroAdmin · commit 1759e1b6acd1 · 2026-04-23T19:38:36.000+02:00
net_http_new(conn) used to malloc + memcpy conn-&gt;postdata into a fresh
state-&gt;request.postdata buffer.  For multi-MB POST bodies (file
uploads, netplay syncs, translation-service requests) that is a full
body-sized allocation + copy on every request dispatch.

The copy was unnecessary.  conn is freed by the caller right after
net_http_new returns - both call sites in the tree follow the pattern

    conn = net_http_connection_new(...);
    /* optionally net_http_connection_set_content(conn, ...) */
    h    = net_http_new(conn);
    /* ... drive h to completion ... */
    net_http_delete(h);
    net_http_connection_free(conn);

(see tasks/task_http.c:90 and libretro-common/samples/net/net_http_test.c:66)
and conn-&gt;postdata is only read by net_http_new and freed by
net_http_connection_free - no other code path observes or uses it.
The http_connection_t struct is forward-declared in the public
header, so external code cannot reach postdata by any other route.

Move ownership: assign state-&gt;request.postdata = conn-&gt;postdata, then
null conn-&gt;postdata and zero conn-&gt;contentlength so
net_http_connection_free does not double-free.  One tracked allocation
flows from net_http_connection_new / net_http_connection_set_content
straight through to net_http_delete, with no intermediate copy.

This also removes an OOM failure mode: the previous code's malloc
could fail for large bodies on memory-constrained systems, and the
caller had to detect that via the (conn-&gt;postdata &amp;&amp; conn-&gt;contentlength
&amp;&amp; !state-&gt;request.postdata) check further down.  With ownership
transfer the setup cannot fail on the postdata path, so drop that
OOM check and document why.

Safety analysis:
  - Threading: conn is single-owner during net_http_new (no concurrent
    access; task_http.c's cb_http_conn_default is the only dispatcher
    and holds conn exclusively for the duration of the call).
  - Double-free: conn-&gt;postdata is nulled before net_http_new returns,
    so net_http_connection_free's 'if (conn-&gt;postdata) free(...)' is a
    no-op on the stolen field.
  - OOM during the rest of net_http_new: the postdata is already
    transferred by that point, so if any subsequent strdup fails and
    we take the error path, net_http_delete(state) frees the stolen
    postdata via its normal request.postdata teardown.  No leak on
    the error path.
  - conn-&gt;contentlength is also zeroed; net_http_connection_free does
    not look at it so this is purely for consistency, but it also
    means anyone who later queries the emptied conn sees a correctly
    empty body rather than a claim of nonzero content-length with a
    NULL buffer.

contenttype / domain / path / method / useragent / headers still use
strdup - those are small and bounded, and keeping them as copies
preserves the property that conn is still 'complete' after
net_http_new for debugging or future reuse scenarios.  Only postdata,
which dominates the memory cost, gets the ownership-transfer
treatment.
diff --git a/libretro-common/net/net_http.c b/libretro-common/net/net_http.c
@@ -837,10 +837,20 @@ struct http_t *net_http_new(struct http_connection_t *conn)
    state->request.contentlength = conn->contentlength;
    if (conn->postdata && conn->contentlength)
    {
-      state->request.postdata   = malloc(conn->contentlength);
-      if (state->request.postdata)
-         memcpy(state->request.postdata, conn->postdata, conn->contentlength);
-      /* If malloc failed, the OOM guard further below catches it. */
+      /* Move ownership of postdata from conn to state->request rather
+       * than malloc+memcpy.  conn is freed by the caller shortly after
+       * this function returns (see task_http.c and the sample in
+       * libretro-common/samples/net/net_http_test.c; both use conn
+       * once with net_http_new then call net_http_connection_free),
+       * and conn->postdata is only read by net_http_new and freed by
+       * net_http_connection_free - no other code paths observe it.
+       * Null the conn fields so net_http_connection_free does not
+       * double-free.  Eliminates an O(body size) copy that materially
+       * matters for multi-MB POST payloads (file uploads, netplay,
+       * translation service requests). */
+      state->request.postdata   = conn->postdata;
+      conn->postdata            = NULL;
+      conn->contentlength       = 0;
    }
    state->request.useragent= conn->useragent ? strdup(conn->useragent) : NULL;
    state->request.headers  = conn->headers ? strdup(conn->headers) : NULL;
@@ -870,10 +880,15 @@ struct http_t *net_http_new(struct http_connection_t *conn)
        || !state->request.path
        || !state->request.method
        || (conn->contenttype && !state->request.contenttype)
-       || (conn->postdata && conn->contentlength && !state->request.postdata)
        || (conn->useragent && !state->request.useragent)
        || (conn->headers   && !state->request.headers))
    {
+      /* Note: no postdata OOM check here.  Ownership of postdata is
+       * moved from conn (above), not copied, so the transfer cannot
+       * fail.  Both conn->postdata and state->request.postdata are
+       * correctly set (NULL on conn, the original pointer on
+       * state->request) regardless of any OOM elsewhere in this
+       * function. */
       if (state->response.data)
          free(state->response.data);
       if (state->response.headers)
