Fix NULL pointer dereference in HTTPS response callback

aarond10 · aarond10 · commit 95fe77c98076 · 2026-02-10T12:04:06.000+11:00
Move NULL check before accessing req-&gt;tx_id. Include buflen in
error message for debugging. Add missing return statement to
prevent dereferencing NULL after logging.
diff --git a/src/dns_poller.c b/src/dns_poller.c
@@ -55,13 +55,20 @@ static char *get_addr_listing(struct ares_addrinfo_node * nodes) {
   for (struct ares_addrinfo_node *node = nodes; node != NULL; node = node->ai_next) {
     const char *res = NULL;
 
+    // Check that we have space for at least one character plus null terminator
+    if (pos >= list + POLLER_ADDR_LIST_SIZE - 1) {
+      DLOG("Not enough space for more addresses");
+      break;
+    }
+    size_t remaining = (size_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos);
+
     if (node->ai_family == AF_INET) {
       res = ares_inet_ntop(AF_INET, (const void *)&((struct sockaddr_in *)node->ai_addr)->sin_addr,
-                           pos, (ares_socklen_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos));
+                           pos, (ares_socklen_t)remaining);
       ipv4++;
     } else if (node->ai_family == AF_INET6) {
       res = ares_inet_ntop(AF_INET6, (const void *)&((struct sockaddr_in6 *)node->ai_addr)->sin6_addr,
-                           pos, (ares_socklen_t)(list + POLLER_ADDR_LIST_SIZE - 1 - pos));
+                           pos, (ares_socklen_t)remaining);
       ipv6++;
     } else {
       WLOG("Unhandled address family: %d", node->ai_family);
@@ -70,6 +77,9 @@ static char *get_addr_listing(struct ares_addrinfo_node * nodes) {
 
     if (res != NULL) {
       pos += strlen(pos);
+      // We already checked above that pos < list + POLLER_ADDR_LIST_SIZE - 1,
+      // and ares_inet_ntop ensures null termination, so strlen(pos) >= 1.
+      // Therefore pos++ is safe and there's room for the comma.
       *pos = ',';
       pos++;
     } else {
diff --git a/src/main.c b/src/main.c
@@ -92,6 +92,7 @@ static void https_resp_cb(void *data, char *buf, size_t buflen) {
   request_t *req = (request_t *)data;
   if (req == NULL) {
     FLOG("Request data is NULL (buflen: %zu)", buflen);
+    return;
   }
   DLOG("Received response for id: %hX, len: %zu", req->tx_id, buflen);
   if (buf != NULL) { // May be NULL for timeout, DNS failure, or something similar.

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ static void https_resp_cb(void data, char buf, size_t buflen) {`
`92`	`92`	`request_t req = (request_t )data;`
`93`	`93`	`if (req == NULL) {`
`94`	`94`	`FLOG("Request data is NULL (buflen: %zu)", buflen);`
	`95`	`+ return;`
`95`	`96`	`}`
`96`	`97`	`DLOG("Received response for id: %hX, len: %zu", req->tx_id, buflen);`
`97`	`98`	`if (buf != NULL) { // May be NULL for timeout, DNS failure, or something similar.`