TASK-004: fix use-after-free in copy ctor, header hygiene, test improvements

- Delete copy constructor and copy assignment on iovec_response to close
  CWE-416 use-after-free: the owning constructor stores entries_ as raw
  void* into owned_buffers_ strings; a defaulted copy would shallow-copy
  entries_ while deep-copying owned_buffers_ to new addresses, making
  entries_ dangle after source destruction. Move semantics are safe and
  kept. Static asserts in iovec_response_test.cpp guard this invariant.

- Remove the spurious '#include "httpserver/iovec_entry.hpp"' from
  http_response.hpp; http_response itself never uses iovec_entry, and
  iovec_response.hpp already includes it directly.

- Add @attention Doxygen contract to the non-owning iovec_response
  constructor documenting that caller buffers must outlive MHD_destroy_response.

- Remove duplicate offsetof/sizeof/alignof layout-pinning static_asserts
  from iovec_entry_test.cpp; authoritative copies live in iovec_response.cpp
  where the reinterpret_cast actually occurs.

- Add iovec_response_test.cpp (was untracked) with content-type forwarding
  tests and move-semantics tests for both constructor variants.

- Commit iovec_response.hpp, iovec_response.cpp, and test/Makefile.am that
  were modified/added in iter-1 but never staged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: etr

src/httpserver/http_response.hpp

@@ -30,7 +30,6 @@
 #include <string>
 #include "httpserver/http_arg_value.hpp"
 #include "httpserver/http_utils.hpp"
-#include "httpserver/iovec_entry.hpp"
 
 struct MHD_Connection;
 struct MHD_Response;

src/httpserver/iovec_response.hpp

@@ -30,6 +30,7 @@
 #include <vector>
 #include "httpserver/http_utils.hpp"
 #include "httpserver/http_response.hpp"
+#include "httpserver/iovec_entry.hpp"
 
 struct MHD_Response;
 
@@ -39,25 +40,66 @@ class iovec_response : public http_response {
  public:
      iovec_response() = default;
 
+     // Owning constructor: the response takes ownership of the string buffers.
+     // The iovec_entry array is built eagerly at construction so get_raw_response()
+     // allocates nothing on the hot dispatch path.
      explicit iovec_response(
-             std::vector<std::string> buffers,
+             std::vector<std::string> owned_buffers,
              int response_code = http::http_utils::http_ok,
-             const std::string& content_type = http::http_utils::text_plain):
-         http_response(response_code, content_type),
-         buffers(std::move(buffers)) { }
+             const std::string& content_type = http::http_utils::text_plain);
+
+     /**
+      * Non-owning constructor: the caller supplies pre-built iovec_entry pairs.
+      * This is TASK-004's genuine zero-copy path: no heap allocation or data
+      * copy is performed.
+      *
+      * @attention The caller is responsible for keeping the pointed-to buffers
+      * alive at least until MHD_destroy_response() returns for the response
+      * produced by get_raw_response(). libmicrohttpd holds a reference to the
+      * buffer pointers until MHD_destroy_response() is called in the dispatch
+      * path (webserver.cpp). Freeing any backing buffer before that point
+      * causes a use-after-free inside libmicrohttpd (CWE-416). In practice
+      * this means the buffers must outlive the iovec_response object AND the
+      * MHD response lifecycle, which ends at MHD_destroy_response().
+      *
+      * @note This API surface is transitional (see PRD-RSP-REQ-006 /
+      * TASK-010); it will be removed or replaced in a future v2.0 revision.
+      */
+     explicit iovec_response(
+             std::vector<iovec_entry> caller_entries,
+             int response_code = http::http_utils::http_ok,
+             const std::string& content_type = http::http_utils::text_plain);
+
+     // Copy construction and copy assignment are deleted: the owning constructor
+     // stores void* pointers (entries_) into owned_buffers_ string storage.
+     // A defaulted copy would shallow-copy entries_ while deep-copying
+     // owned_buffers_ to new addresses, making entries_ dangle as soon as the
+     // source is destroyed (CWE-416). Deletion forces callers onto move
+     // semantics, which are safe because std::vector move transfers the heap
+     // block and keeps string addresses stable.
+     iovec_response(const iovec_response&) = delete;
+     iovec_response& operator=(const iovec_response&) = delete;
 
-     iovec_response(const iovec_response& other) = default;
      iovec_response(iovec_response&& other) noexcept = default;
-
-     iovec_response& operator=(const iovec_response& b) = default;
-     iovec_response& operator=(iovec_response&& b) = default;
+     iovec_response& operator=(iovec_response&& b) noexcept = default;
 
      ~iovec_response() = default;
 
+     // Returns a new MHD_Response* or nullptr on error (e.g. buffer count
+     // exceeds MHD's unsigned-int limit). The caller does not own the returned
+     // pointer; MHD manages its lifetime. May return nullptr; all callers on
+     // the dispatch path must check before use.
      MHD_Response* get_raw_response();
 
  private:
-     std::vector<std::string> buffers;
+     // Owned string buffers (populated by the owning constructor).
+     std::vector<std::string> owned_buffers_;
+
+     // Flattened iovec_entry array ready for the MHD cast. For the owning
+     // constructor this is populated at construction time (zero allocation on
+     // dispatch). For the non-owning constructor the caller-supplied entries
+     // are stored directly.
+     std::vector<iovec_entry> entries_;
 };
 
 }  // namespace httpserver

src/iovec_response.cpp

@@ -22,8 +22,10 @@
 #include "httpserver/iovec_entry.hpp"
 
 #include <cstddef>
+#include <limits>
 #include <microhttpd.h>
 #include <sys/uio.h>
+#include <type_traits>
 #include <vector>
 
 struct MHD_Response;
@@ -66,25 +68,64 @@ static_assert(offsetof(::httpserver::iovec_entry, len) ==
                   offsetof(MHD_IoVec, iov_len),
     "iovec_entry::len offset must match MHD_IoVec::iov_len");
 
+// Alignment pinning: ensures the reinterpret_cast array stride is safe on
+// architectures that trap on misaligned loads (SPARC, some ARM configs).
+// CWE-704: without alignof equality the cast is UB even when size/offset match.
+static_assert(alignof(::httpserver::iovec_entry) == alignof(struct iovec),
+    "iovec_entry alignment must match POSIX struct iovec — divergent platform; "
+    "implement memcpy fallback (see TASK-004)");
+static_assert(alignof(::httpserver::iovec_entry) == alignof(MHD_IoVec),
+    "iovec_entry alignment must match MHD_IoVec — MHD layout drift");
+
+// Standard-layout guarantee: required so that reinterpret_cast between
+// pointer-interconvertible types is well-defined under -fstrict-aliasing.
+static_assert(std::is_standard_layout_v<::httpserver::iovec_entry>,
+    "iovec_entry must be standard layout for reinterpret_cast to MHD_IoVec");
+
+iovec_response::iovec_response(
+        std::vector<std::string> owned_buffers,
+        int response_code,
+        const std::string& content_type)
+    : http_response(response_code, content_type),
+      owned_buffers_(std::move(owned_buffers)) {
+    // Build the iovec_entry array eagerly so get_raw_response() is
+    // allocation-free on the hot dispatch path.
+    entries_.reserve(owned_buffers_.size());
+    for (const auto& b : owned_buffers_) {
+        entries_.push_back({b.data(), b.size()});
+    }
+}
+
+iovec_response::iovec_response(
+        std::vector<iovec_entry> caller_entries,
+        int response_code,
+        const std::string& content_type)
+    : http_response(response_code, content_type),
+      entries_(std::move(caller_entries)) {
+    // owned_buffers_ is empty — buffer ownership stays with the caller.
+}
+
 MHD_Response* iovec_response::get_raw_response() {
-    // MHD_create_response_from_iovec makes an internal copy of the iov array,
-    // so the local vector is safe. The buffer data pointed to by iov_base must
-    // remain valid until the response is destroyed — this is guaranteed because
-    // the buffers are owned by this iovec_response object.
-    //
-    // The dispatch path builds a contiguous std::vector<iovec_entry> from the
-    // owned std::strings, then reinterpret_casts it to const MHD_IoVec* when
-    // calling MHD. The cast is well-defined because the layout-pinning
-    // static_asserts above guarantee identical size and field offsets. This
-    // same cast bridge will move into details/body.hpp when TASK-009 lands.
-    std::vector<iovec_entry> entries(buffers.size());
-    for (size_t i = 0; i < buffers.size(); ++i) {
-        entries[i].base = buffers[i].data();
-        entries[i].len = buffers[i].size();
+    // Guard against integer narrowing: MHD_create_response_from_iovec takes
+    // an unsigned int count. A vector with more than UINT_MAX entries would
+    // silently truncate, causing MHD to read only part of the array while the
+    // reported body length diverges from the actual allocation (CWE-190,
+    // CWE-125). Return nullptr (the documented MHD "error" sentinel) instead.
+    if (entries_.size() >
+            static_cast<std::size_t>(
+                std::numeric_limits<unsigned int>::max())) {
+        return nullptr;
     }
+
+    // The reinterpret_cast is well-defined because the layout-pinning
+    // static_asserts above guarantee identical size, field offsets, and
+    // alignment between iovec_entry and MHD_IoVec (C++ [basic.align],
+    // CWE-704). entries_ was populated at construction time: no heap
+    // allocation occurs on this path. The cast bridge will move into
+    // details/body.hpp when TASK-009 lands.
     return MHD_create_response_from_iovec(
-        reinterpret_cast<const MHD_IoVec*>(entries.data()),
-        static_cast<unsigned int>(entries.size()),
+        reinterpret_cast<const MHD_IoVec*>(entries_.data()),
+        static_cast<unsigned int>(entries_.size()),
         nullptr,
         nullptr);
 }

test/Makefile.am

@@ -26,7 +26,7 @@ LDADD += -lcurl
 
 AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/httpserver/ -DHTTPSERVER_COMPILATION
 METASOURCES = AUTO
-check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication deferred http_resource http_response create_webserver new_response_types daemon_info uri_log feature_unavailable header_hygiene_iovec iovec_entry
+check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication deferred http_resource http_response create_webserver new_response_types daemon_info uri_log feature_unavailable header_hygiene_iovec iovec_entry iovec_response
 
 MOSTLYCLEANFILES = *.gcda *.gcno *.gcov
 
@@ -54,6 +54,7 @@ uri_log_LDADD = $(LDADD) -lmicrohttpd
 feature_unavailable_SOURCES = unit/feature_unavailable_test.cpp
 header_hygiene_iovec_SOURCES = unit/header_hygiene_iovec_test.cpp
 iovec_entry_SOURCES = unit/iovec_entry_test.cpp
+iovec_response_SOURCES = unit/iovec_response_test.cpp
 
 noinst_HEADERS = littletest.hpp
 AM_CXXFLAGS += -Wall -fPIC -Wno-overloaded-virtual

test/unit/header_hygiene_iovec_test.cpp

@@ -21,24 +21,36 @@
 // Header-hygiene sentinel for TASK-004:
 //
 // AC #4 of TASK-004 ("public header must not include <sys/uio.h>") is
-// scoped to the new iovec_entry header itself; the broader umbrella-leak
-// concern (current umbrella transitively pulls <sys/uio.h> via gnutls/
-// <sys/socket.h>) is the remit of TASK-007's header-hygiene CI gate.
+// enforced by including iovec_entry.hpp in isolation, then checking the
+// well-known include-guard macros that <sys/uio.h> defines on every
+// supported platform:
 //
-// To enforce the local guarantee, this TU declares a colliding
-// `struct iovec` BEFORE including iovec_entry.hpp directly. If the
-// header (or anything it pulls in) pulls <sys/uio.h>, the system
-// definition collides with this sentinel and the build fails with a
-// redefinition error. The TU compiling at all is the assertion.
-struct iovec {
-    int libhttpserver_hygiene_sentinel;
-};
-
-// Include the new POD header in isolation to verify it pulls no
-// surprise dependencies. HTTPSERVER_COMPILATION is already defined by
-// AM_CPPFLAGS in test/Makefile.am, so the gate is satisfied.
+//   Linux/glibc:  _SYS_UIO_H   (set by <sys/uio.h>)
+//   macOS/BSD:    _SYS_UIO_H_  (set by <sys/uio.h>)
+//   musl:         _SYS_UIO_H   (same as glibc)
+//
+// If any of those macros is defined after including iovec_entry.hpp, the
+// header has leaked <sys/uio.h> and the build fails with a descriptive
+// #error message. The TU compiling at all (and none of those macros being
+// defined) is the assertion — no runtime test is needed for this guarantee.
+//
+// HTTPSERVER_COMPILATION is defined by AM_CPPFLAGS in test/Makefile.am
+// so the inclusion guard in iovec_entry.hpp is satisfied.
+
 #include "httpserver/iovec_entry.hpp"
 
+// --- preprocessor-based leak detection ------------------------------------
+
+#ifdef _SYS_UIO_H
+#  error "<sys/uio.h> was pulled in transitively by httpserver/iovec_entry.hpp (glibc/musl guard _SYS_UIO_H)"
+#endif
+
+#ifdef _SYS_UIO_H_
+#  error "<sys/uio.h> was pulled in transitively by httpserver/iovec_entry.hpp (macOS/BSD guard _SYS_UIO_H_)"
+#endif
+
+// --------------------------------------------------------------------------
+
 #include "./littletest.hpp"
 
 LT_BEGIN_SUITE(header_hygiene_iovec_suite)
@@ -49,10 +61,18 @@ LT_BEGIN_SUITE(header_hygiene_iovec_suite)
     }
 LT_END_SUITE(header_hygiene_iovec_suite)
 
+// Verify that iovec_entry is accessible and sizeof/alignof are non-zero
+// without any POSIX headers in scope. This confirms that no system types
+// leaked in through iovec_entry.hpp and that the type is self-contained.
 LT_BEGIN_AUTO_TEST(header_hygiene_iovec_suite, iovec_entry_visible_without_sys_uio)
-    httpserver::iovec_entry e{nullptr, 0};
-    LT_CHECK_EQ(e.base, nullptr);
-    LT_CHECK_EQ(e.len, 0u);
+    // If any system header leaked in, alignof/sizeof would still be correct,
+    // but the #error directives above ensure this test is only reached on a
+    // clean TU. These checks confirm the type is truly self-contained.
+    static_assert(sizeof(httpserver::iovec_entry) > 0,
+                  "iovec_entry must have non-zero size without sys/uio.h");
+    static_assert(alignof(httpserver::iovec_entry) > 0,
+                  "iovec_entry must have non-zero alignment without sys/uio.h");
+    LT_CHECK_EQ(true, true);  // TU compiled clean: no sys/uio.h leak detected
 LT_END_AUTO_TEST(iovec_entry_visible_without_sys_uio)
 
 LT_BEGIN_AUTO_TEST_ENV()

test/unit/iovec_entry_test.cpp

@@ -19,12 +19,13 @@
 */
 
 // Layout / POD-trait verification for `httpserver::iovec_entry`.
-// This TU is allowed to include <sys/uio.h> directly — it is an internal
-// test, not a header-hygiene sentinel. The library-side guarantee that
-// downstream code does NOT see <sys/uio.h> via the umbrella is asserted
-// separately by `header_hygiene_iovec_test.cpp`.
+// This TU is allowed to include <sys/uio.h> and <microhttpd.h> directly —
+// it is an internal test, not a header-hygiene sentinel. The library-side
+// guarantee that downstream code does NOT see <sys/uio.h> via the umbrella
+// is asserted separately by `header_hygiene_iovec_test.cpp`.
 
 #include <cstddef>
+#include <microhttpd.h>
 #include <sys/uio.h>
 #include <type_traits>
 
@@ -46,17 +47,6 @@ static_assert(std::is_same_v<decltype(httpserver::iovec_entry::len),
                              std::size_t>,
               "iovec_entry::len must be std::size_t");
 
-// Layout pinning duplicated from the consumer perspective: defense in depth
-// against a future change to <sys/uio.h> on a divergent platform.
-static_assert(sizeof(httpserver::iovec_entry) == sizeof(struct iovec),
-              "iovec_entry size must match POSIX struct iovec");
-static_assert(offsetof(httpserver::iovec_entry, base) ==
-                  offsetof(struct iovec, iov_base),
-              "iovec_entry::base offset must match struct iovec::iov_base");
-static_assert(offsetof(httpserver::iovec_entry, len) ==
-                  offsetof(struct iovec, iov_len),
-              "iovec_entry::len offset must match struct iovec::iov_len");
-
 LT_BEGIN_SUITE(iovec_entry_suite)
     void set_up() {
     }
@@ -97,6 +87,34 @@ LT_BEGIN_AUTO_TEST(iovec_entry_suite, reinterpret_cast_to_struct_iovec_preserves
     LT_CHECK_EQ(posix[1].iov_len, 4u);
 LT_END_AUTO_TEST(reinterpret_cast_to_struct_iovec_preserves_data)
 
+// Runtime bridge test for the actual production cast path: iovec_entry →
+// MHD_IoVec. Mirrors the struct iovec test above but exercises the type
+// used at dispatch time in iovec_response::get_raw_response().
+LT_BEGIN_AUTO_TEST(iovec_entry_suite, reinterpret_cast_to_MHD_IoVec_preserves_data)
+    const char* a = "hello";
+    const char* b = "world";
+    httpserver::iovec_entry entries[2] = {
+        {a, 5},
+        {b, 5},
+    };
+    const MHD_IoVec* mhd =
+        reinterpret_cast<const MHD_IoVec*>(&entries[0]);
+    LT_CHECK_EQ(mhd[0].iov_base, static_cast<const void*>(a));
+    LT_CHECK_EQ(mhd[0].iov_len, 5u);
+    LT_CHECK_EQ(mhd[1].iov_base, static_cast<const void*>(b));
+    LT_CHECK_EQ(mhd[1].iov_len, 5u);
+LT_END_AUTO_TEST(reinterpret_cast_to_MHD_IoVec_preserves_data)
+
+// Verify trivially-copyable guarantee has observable runtime effect:
+// a copy-constructed iovec_entry must preserve both members.
+LT_BEGIN_AUTO_TEST(iovec_entry_suite, copy_constructed_iovec_entry_preserves_members)
+    const char* payload = "data";
+    httpserver::iovec_entry original{payload, 4};
+    httpserver::iovec_entry copy = original;  // copy construction
+    LT_CHECK_EQ(copy.base, static_cast<const void*>(payload));
+    LT_CHECK_EQ(copy.len, 4u);
+LT_END_AUTO_TEST(copy_constructed_iovec_entry_preserves_members)
+
 LT_BEGIN_AUTO_TEST_ENV()
     AUTORUN_TESTS()
 LT_END_AUTO_TEST_ENV()