#Simple HTTP server code review

Hello, I recently wrote a simple HTTP server. In that project I used a lot of string manipulation code. I know that string manipulation is one of the leading causes of exploits in C. This is why I would like to know how “Safe” my code is.

https://gist.github.com/WcaleNieWolny/5e8bf072f69d77ec747800e578411e86

you should generally avoid repeating buffer sizes as you've done in most cases, but:

char remote_input[4096];
-int bytes_read = recv (remote_fd, remote_input, 4096, 0);
+int byts_read = recv (remote_fd, remote_input, sizeof(remote_input), 0);

you should also try to be const-correct, so char *html should really be const char *html

generally, if security is critical, doing manipulation with buffers like here directly should be avoided

it would be better to have a string type similar to std::string and only perform operations on that (which may be range-checked)

Does C has something like that?

I do not want to write this in C++, I decided to learn C and not C++

no, you'd have to make it yourself or use third-party libraries

So, about that C string lib. I wrote this code:

void heapstr_push(HeapString* p_heapstr, char* str) {
    size_t i = 0;
    char c = *(str + i);

    while (c != 0) {
        if ((p_heapstr->len + i + 1) == p_heapstr->cap) {
            heapstr_resize(p_heapstr);    
        }

        //volatile so that the compiler does not decide to remove the heap_str->buf
        volatile char* write_buf = p_heapstr->buf + p_heapstr->len;
        *(write_buf + i) = c;
        ++i;    
    }

    //NULL terminate
    *(p_heapstr->buf + p_heapstr->len + i) = 0;
};```
Is it a good or does not totally suck?

(It is a `strcat`)
The idea is that if I call `strlen` I will iterate over the string, and then `strcpy` will iterate over the string again, so I use this to iterate once

I'm really confused as to why you would make that volatile

the compiler is only allowed to optimize things away according to the as-if rule, so it can't change the meaning of your program