Fix several bugs:

- main.c: Add hostname_len > 0 check to prevent strncpy underflow
- dns_server.c: Set new_resp = NULL after ares_free_string to prevent UAF
- ring_buffer.c: Set *rbp = NULL on allocation failure paths
- dns_poller.c: Fix type mismatch between size_t and ares_socklen_t
- logging.c: Add fdopen failure check in _log()

Author: aarond10

src/dns_poller.c

@@ -60,15 +60,17 @@ static char *get_addr_listing(struct ares_addrinfo_node * nodes) {
       DLOG("Not enough space for more addresses");
       break;
     }
-    size_t remaining = (size_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos);
+    // Use ares_socklen_t to match ares_inet_ntop() signature
+    // POLLER_ADDR_LIST_SIZE is 1024 (well within ares_socklen_t range)
+    const ares_socklen_t remaining = (ares_socklen_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos);
 
     if (node->ai_family == AF_INET) {
       res = ares_inet_ntop(AF_INET, (const void *)&((struct sockaddr_in *)node->ai_addr)->sin_addr,
-                           pos, (ares_socklen_t)remaining);
+                           pos, remaining);
       ipv4++;
     } else if (node->ai_family == AF_INET6) {
       res = ares_inet_ntop(AF_INET6, (const void *)&((struct sockaddr_in6 *)node->ai_addr)->sin6_addr,
-                           pos, (ares_socklen_t)remaining);
+                           pos, remaining);
       ipv6++;
     } else {
       WLOG("Unhandled address family: %d", node->ai_family);

src/dns_server.c

@@ -191,6 +191,7 @@ static void truncate_dns_response(char *buf, size_t *buflen, const uint16_t size
            tx_id, old_size, new_resp_len, size_limit);
     }
     ares_free_string(new_resp);
+    new_resp = NULL;
   }
 }
 

src/logging.c

@@ -126,6 +126,10 @@ void _log(const char *file, int line, int severity, const char *fmt, ...) {
   }
   if (!logfile) {
     logfile = fdopen(STDOUT_FILENO, "w");
+    if (!logfile) {
+      // Can't even log to stdout, abort
+      abort();
+    }
   }
 
   struct timeval tv;

src/main.c

@@ -60,7 +60,8 @@ static int hostname_from_url(const char* url_in,
       rc = curl_url_get(url, CURLUPART_HOST, &host, 0);
       if (rc == CURLUE_OK && host != NULL) {
         const size_t host_len = strlen(host);
-        if (host_len < hostname_len &&
+        if (hostname_len > 0 &&
+            host_len < hostname_len &&
             host[0] != '[' && host[host_len-1] != ']' && // skip IPv6 address
             !is_ipv4_address(host)) {
           strncpy(hostname, host, hostname_len-1);

src/ring_buffer.c

@@ -23,11 +23,13 @@ void ring_buffer_init(struct ring_buffer **rbp, uint32_t size)
     }
     struct ring_buffer *rb = (struct ring_buffer *)calloc(1, sizeof(struct ring_buffer));
     if (!rb) {
+        *rbp = NULL;
         return;
     }
     rb->storage = (char**)calloc(size, sizeof(char*));
     if (!rb->storage) {
         free((void*) rb);
+        *rbp = NULL;
         return;
     }
     rb->size = size;