fix: critical bugs in DNS proxy (#201)

toxeh · afanasyev · web-flow · commit caad1ebfe177 · 2026-02-09T19:35:24.000-05:00
- main.c: fix NULL pointer dereference in https_resp_cb() — req was
  used before NULL check, and FLOG also dereferenced NULL req-&gt;tx_id
- main.c: fix potential crash in get_host_from_uri() — strlen(host)
  was called before checking curl_url_get() return code, host could
  be NULL
- dns_server_tcp.c: fix data corruption on EAGAIN — sent += len was
  executed with len == -1 when EAGAIN/EWOULDBLOCK occurred, causing
  negative offset; added continue to skip the addition
- dns_server_tcp.c: fix format string mismatches in FLOG() calls —
  format had 2 specifiers but 4 arguments were passed (ipstr, port,
  strerror, errno); changed format to include all 4 arguments
- dns_server_tcp.c: fix typo 'listaning' -&gt; 'listening'
- https_client.c: remove deprecated CURLPIPE_HTTP1 (since libcurl
  7.62.0), keep only CURLPIPE_MULTIPLEX

Co-authored-by: afanasyev &lt;aafanasev@rtk-soft.ru&gt;
diff --git a/src/dns_server_tcp.c b/src/dns_server_tcp.c
@@ -257,17 +257,17 @@ static int get_tcp_listen_sock(struct addrinfo *listen_addrinfo) {
   }
 
   if (listen(sock, LISTEN_BACKLOG) == -1) {
-    FLOG("Error listaning on %s:%d TCP: %s (%d)", ipstr, port,
+    FLOG("Error listening on %s:%d TCP: %s (%d)", ipstr, port,
          strerror(errno), errno);
   }
 
   int flags = fcntl(sock, F_GETFL, 0);
   if (flags == -1) {
-    FLOG("Error getting TCP socket flags: %s (%d)", ipstr, port,
+    FLOG("Error getting TCP socket flags on %s:%d: %s (%d)", ipstr, port,
          strerror(errno), errno);
   }
   if (fcntl(sock, F_SETFL, flags | O_NONBLOCK) == -1) {
-    FLOG("Error setting TCP socket to non-blocking: %s (%d)", ipstr, port,
+    FLOG("Error setting TCP socket to non-blocking on %s:%d: %s (%d)", ipstr, port,
          strerror(errno), errno);
   }
 
@@ -344,6 +344,7 @@ void dns_server_tcp_respond(dns_server_tcp_t *d,
         remove_client(client);
         return;
       }
+      continue;
     }
     sent += len;
 
diff --git a/src/https_client.c b/src/https_client.c
@@ -659,7 +659,7 @@ static void https_client_multi_init(https_client_t *c, struct curl_slist *header
   c->curlm = curl_multi_init(); // if fails, first setopt will fail
   c->header_list = header_list;
 
-  ASSERT_CURL_MULTI_SETOPT(c->curlm, CURLMOPT_PIPELINING, CURLPIPE_HTTP1 | CURLPIPE_MULTIPLEX);
+  ASSERT_CURL_MULTI_SETOPT(c->curlm, CURLMOPT_PIPELINING, CURLPIPE_MULTIPLEX);
   ASSERT_CURL_MULTI_SETOPT(c->curlm, CURLMOPT_MAX_TOTAL_CONNECTIONS, HTTPS_CONNECTION_LIMIT);
   ASSERT_CURL_MULTI_SETOPT(c->curlm, CURLMOPT_MAX_HOST_CONNECTIONS, HTTPS_CONNECTION_LIMIT);
   ASSERT_CURL_MULTI_SETOPT(c->curlm, CURLMOPT_SOCKETDATA, c);
diff --git a/src/main.c b/src/main.c
@@ -58,13 +58,15 @@ static int hostname_from_url(const char* url_in,
     if (rc == CURLUE_OK) {
       char *host = NULL;
       rc = curl_url_get(url, CURLUPART_HOST, &host, 0);
-      const size_t host_len = strlen(host);
-      if (rc == CURLUE_OK && host_len < hostname_len &&
-          host[0] != '[' && host[host_len-1] != ']' && // skip IPv6 address
-          !is_ipv4_address(host)) {
-        strncpy(hostname, host, hostname_len-1);
-        hostname[hostname_len-1] = '\0';
-        res = 1; // success
+      if (rc == CURLUE_OK && host != NULL) {
+        const size_t host_len = strlen(host);
+        if (host_len < hostname_len &&
+            host[0] != '[' && host[host_len-1] != ']' && // skip IPv6 address
+            !is_ipv4_address(host)) {
+          strncpy(hostname, host, hostname_len-1);
+          hostname[hostname_len-1] = '\0';
+          res = 1; // success
+        }
       }
       curl_free(host);
     }
@@ -88,10 +90,10 @@ static void sigpipe_cb(struct ev_loop __attribute__((__unused__)) *loop,
 
 static void https_resp_cb(void *data, char *buf, size_t buflen) {
   request_t *req = (request_t *)data;
-  DLOG("Received response for id: %hX, len: %zu", req->tx_id, buflen);
   if (req == NULL) {
-    FLOG("%04hX: data NULL", req->tx_id);
+    FLOG("data NULL, buflen: %zu", buflen);
   }
+  DLOG("Received response for id: %hX, len: %zu", req->tx_id, buflen);
   if (buf != NULL) { // May be NULL for timeout, DNS failure, or something similar.
     if (buflen < DNS_HEADER_LENGTH) {
       WLOG("%04hX: Malformed response received, too short: %u", req->tx_id, buflen);

Original file line number	Diff line number	Diff line change
`@@ -257,17 +257,17 @@ static int get_tcp_listen_sock(struct addrinfo *listen_addrinfo) {`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`if (listen(sock, LISTEN_BACKLOG) == -1) {`
`260`		`- FLOG("Error listaning on %s:%d TCP: %s (%d)", ipstr, port,`
	`260`	`+ FLOG("Error listening on %s:%d TCP: %s (%d)", ipstr, port,`
`261`	`261`	`strerror(errno), errno);`
`262`	`262`	`}`
`263`	`263`
`264`	`264`	`int flags = fcntl(sock, F_GETFL, 0);`
`265`	`265`	`if (flags == -1) {`
`266`		`- FLOG("Error getting TCP socket flags: %s (%d)", ipstr, port,`
	`266`	`+ FLOG("Error getting TCP socket flags on %s:%d: %s (%d)", ipstr, port,`
`267`	`267`	`strerror(errno), errno);`
`268`	`268`	`}`
`269`	`269`	`if (fcntl(sock, F_SETFL, flags \| O_NONBLOCK) == -1) {`
`270`		`- FLOG("Error setting TCP socket to non-blocking: %s (%d)", ipstr, port,`
	`270`	`+ FLOG("Error setting TCP socket to non-blocking on %s:%d: %s (%d)", ipstr, port,`
`271`	`271`	`strerror(errno), errno);`
`272`	`272`	`}`
`273`	`273`
`@@ -344,6 +344,7 @@ void dns_server_tcp_respond(dns_server_tcp_t *d,`
`344`	`344`	`remove_client(client);`
`345`	`345`	`return;`
`346`	`346`	`}`
	`347`	`+ continue;`
`347`	`348`	`}`
`348`	`349`	`sent += len;`
`349`	`350`