From: Theo Buehler <tb@theobuehler.org>
Subject: httpd timegm error check
To: tech@openbsd.org
Date: Fri, 19 Jun 2026 09:47:36 +0200

Split the logic chain into individual checks and use the timegm(3) error
check from the manual.

Index: server_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v
diff -u -p -r1.80 server_file.c
--- server_file.c	29 Apr 2024 16:17:46 -0000	1.80
+++ server_file.c	3 Jun 2026 08:53:29 -0000
@@ -718,6 +718,7 @@ server_file_modified_since(struct http_d
 {
 	struct kv	 key, *since;
 	struct tm	 tm;
+	time_t		 t;
 
 	key.kv_key = "If-Modified-Since";
 	if ((since = kv_find(&desc->http_headers, &key)) != NULL &&
@@ -729,8 +730,12 @@ server_file_modified_since(struct http_d
 		 * the requested time.
 		 */
 		if (strptime(since->kv_value,
-		    "%a, %d %h %Y %T %Z", &tm) != NULL &&
-		    timegm(&tm) >= mtim->tv_sec)
+		    "%a, %d %h %Y %T %Z", &tm) == NULL)
+			return (-1);
+		tm.tm_wday = -1;
+		if ((t = timegm(&tm)) == -1 && tm.tm_wday == -1)
+			return (-1);
+		if (t >= mtim->tv_sec)
 			return (304);
 	}