
Commit 2f1e6ed

committed
Fix several bugs:
- main.c: Add hostname_len > 0 check to prevent strncpy underflow - dns_server.c: Set new_resp = NULL after ares_free_string to prevent UAF - ring_buffer.c: Set *rbp = NULL on allocation failure paths - dns_poller.c: Fix type mismatch between size_t and ares_socklen_t - logging.c: Add fdopen failure check in _log()
1 parent 75b3200 commit 2f1e6ed

5 files changed

Lines changed: 14 additions & 4 deletions


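--- a/src/dns_poller.c
+++ b/src/dns_poller.c
@@ -60,15 +60,17 @@ static char *get_addr_listing(struct ares_addrinfo_node * nodes) {
 DLOG("Not enough space for more addresses");
 break;
 }
-size_t remaining = (size_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos);
+// Use ares_socklen_t to match ares_inet_ntop() signature
+// POLLER_ADDR_LIST_SIZE is 1024 (well within ares_socklen_t range)
+const ares_socklen_t remaining = (ares_socklen_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos);
 
 if (node->ai_family == AF_INET) {
 res = ares_inet_ntop(AF_INET, (const void *)&((struct sockaddr_in *)node->ai_addr)->sin_addr,
-pos, (ares_socklen_t)remaining);
+pos, remaining);
 ipv4++;
 } else if (node->ai_family == AF_INET6) {
 res = ares_inet_ntop(AF_INET6, (const void *)&((struct sockaddr_in6 *)node->ai_addr)->sin6_addr,
-pos, (ares_socklen_t)remaining);
+pos, remaining);
 ipv6++;
 } else {
 WLOG("Unhandled address family: %d", node->ai_family);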
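Review bot: The new `remaining` line is only safe while `pos` has not moved past `list + POLLER_ADDR_LIST_SIZE - 1`; a negative pointer difference would be converted to a very large ares_socklen_t and hand ares_inet_ntop() a bound far beyond the buffer. That invariant presumably comes from the "Not enough space" check just above, whose condition is outside the hunk, so it is worth pinning next to the cast with `assert(pos < list + POLLER_ADDR_LIST_SIZE);`. The new comment also hard-codes "1024", which will drift silently when the macro changes; if the file is built as C11, `_Static_assert((ares_socklen_t)POLLER_ADDR_LIST_SIZE == POLLER_ADDR_LIST_SIZE, "POLLER_ADDR_LIST_SIZE must fit ares_socklen_t");` keeps the claim checked instead of stated. get_addr_listing begins and ends outside the hunk.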

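--- a/src/dns_server.c
+++ b/src/dns_server.c
@@ -191,6 +191,7 @@ static void truncate_dns_response(char *buf, size_t *buflen, const uint16_t size
 tx_id, old_size, new_resp_len, size_limit);
 }
 ares_free_string(new_resp);
+new_resp = NULL;
 }
 }
 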
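Review bot: The added `new_resp = NULL;` is the last statement before the enclosing block and, by the look of the following braces, the function close, so if `new_resp` is a local of truncate_dns_response (its declaration is outside the hunk) nothing can read the pointer after `ares_free_string()` and the store is dead — the compiler will drop it, and the use-after-free named in the commit message would have to be elsewhere. It is worth re-checking where new_resp is read after this `}`; if there is such a read, a short comment on the NULL store naming the read it guards would stop the line from being removed as redundant later. If new_resp instead outlives the function (a static or a pointer passed in), the store is correct but its declaration should say so. truncate_dns_response starts outside the hunk.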

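--- a/src/logging.c
+++ b/src/logging.c
@@ -126,6 +126,10 @@ void _log(const char *file, int line, int severity, const char *fmt, ...) {
 }
 if (!logfile) {
 logfile = fdopen(STDOUT_FILENO, "w");
+if (!logfile) {
+// Can't even log to stdout, abort
+abort();
+}
 }
 
 struct timeval tv;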
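Review bot: `abort()` on the new fdopen() failure branch turns a transient condition into a crash of the whole process: fdopen(STDOUT_FILENO) fails on ENOMEM or when the stream table is exhausted, not because stdout is unusable, so a log call made under resource pressure now takes the server down. The `stdout` stream already exists on the same descriptor, so `if (!logfile) { logfile = stdout; }` is a safer fallback, with the caveat that any later fclose(logfile) would then close stdout (that code is outside the hunk). If aborting is the intended policy, at least record why before dying, `perror("fdopen"); abort();`, and say in _log()'s header comment that the function can be fatal, since callers do not expect that of a logging call. _log begins and ends outside the hunk.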

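--- a/src/main.c
+++ b/src/main.c
@@ -60,7 +60,8 @@ static int hostname_from_url(const char* url_in,
 rc = curl_url_get(url, CURLUPART_HOST, &host, 0);
 if (rc == CURLUE_OK && host != NULL) {
 const size_t host_len = strlen(host);
-if (host_len < hostname_len &&
+if (hostname_len > 0 &&
+host_len < hostname_len &&
 host[0] != '[' && host[host_len-1] != ']' && // skip IPv6 address
 !is_ipv4_address(host)) {
 strncpy(hostname, host, hostname_len-1);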
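Review bot: The new guard covers `hostname_len-1` but not the `host_len-1` two lines below: an empty host (host_len == 0) makes `host[host_len-1]` read at index SIZE_MAX. curl is unlikely to return an empty CURLUPART_HOST together with CURLUE_OK, but since the condition is already defensive, add `host_len > 0 &&` beside the new check. Separately, `host_len < hostname_len` admits host_len == hostname_len-1, for which `strncpy(hostname, host, hostname_len-1)` copies no terminator; unless hostname[hostname_len-1] is zeroed elsewhere (outside the hunk), `snprintf(hostname, hostname_len, "%s", host);` removes both the missing NUL and the zero-padding. hostname_from_url begins and ends outside the hunk.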

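--- a/src/ring_buffer.c
+++ b/src/ring_buffer.c
@@ -23,11 +23,13 @@ void ring_buffer_init(struct ring_buffer **rbp, uint32_t size)
 }
 struct ring_buffer *rb = (struct ring_buffer *)calloc(1, sizeof(struct ring_buffer));
 if (!rb) {
+*rbp = NULL;
 return;
 }
 rb->storage = (char**)calloc(size, sizeof(char*));
 if (!rb->storage) {
 free((void*) rb);
+*rbp = NULL;
 return;
 }
 rb->size = size;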
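Review bot: `*rbp = NULL;` is now repeated on each failure path, which the next early return added to ring_buffer_init will easily miss; storing it once before the first calloc, right after the `}` on line 23, `*rbp = NULL;`, and assigning `*rbp = rb` only on the success path (which I assume happens below the hunk) covers every exit. `calloc(size, sizeof(char*))` with size == 0 is implementation-defined — it may return NULL, reported here as failure, or a non-NULL pointer to zero elements — so unless the check closed by that `}` already rejects size == 0 (outside the hunk), an empty ring behaves differently per platform. Because the function returns void, the NULL out-parameter is its only failure signal and every caller must test `*rbp` after the call; the header comment should say so. ring_buffer_init begins and ends outside the hunk.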
