Some hardening and code simplification with BSD helpers

diff --git a/CHANGES b/CHANGES
index 1af4ef3d166f1c1195a92ebf8322ddde49942729..d54f227682f81da8e8676ac2b88e5e433f4f59cb 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,7 @@
   * Ability to explicitly specify IP addresses to bind to
   * select() replaced with poll()
   * arc4random instead of /dev/urandom reading
+  * Some simple hardening
 
 20 November 2011: dht-bootstrap-0.2
 

diff --git a/dht-bootstrap.c b/dht-bootstrap.c
index eef8b06884657f982a2aa518912bc524d11cef70..e8c0b2c7bd87dc7bc40359e4f8223af248cf006c 100644 (file)
--- a/dht-bootstrap.c
+++ b/dht-bootstrap.c
@@ -20,6 +20,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 */
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <netdb.h>
@@ -29,6 +30,7 @@ THE SOFTWARE.
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/resource.h>
 #include <sys/socket.h>
 #include <time.h>
 #include <unistd.h>
@@ -139,16 +141,14 @@ static int token_bucket_tokens;
 
 static FILE *dht_debug = NULL;
 
-#ifdef __GNUC__
-__attribute__((format(printf, 1, 2)))
-#endif
 static void
 debugf(const char *format, ...)
 {
+    if (dht_debug == NULL)
+        return;
     va_list args;
     va_start(args, format);
-    if (dht_debug)
-        vfprintf(dht_debug, format, args);
+    vfprintf(dht_debug, format, args);
     va_end(args);
     fflush(dht_debug);
 }
@@ -369,34 +369,35 @@ newSock(const char *host, const char *port)
     hints.ai_family = AF_UNSPEC;
     hints.ai_socktype = SOCK_DGRAM;
     struct addrinfo *res = NULL;
-    int err = getaddrinfo(host, port, &hints, &res);
-    if (err != 0) {
-        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(err));
-        exit(1);
-    }
+    int rc = getaddrinfo(host, port, &hints, &res);
+    if (rc != 0)
+        err(EXIT_FAILURE, "getaddrinfo: %s\n", gai_strerror(rc));
     int sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-    if (sock == -1) {
-        perror("socket");
-        exit(1);
-    }
-    if (bind(sock, res->ai_addr, res->ai_addrlen) != 0) {
-        perror("bind");
-        exit(1);
-    }
-    int rc = fcntl(sock, F_GETFL, 0);
-    if (rc < 0) {
-        perror("F_GETFL");
-        exit(1);
-    }
+    if (sock == -1)
+        err(EXIT_FAILURE, "socket()");
+    if (bind(sock, res->ai_addr, res->ai_addrlen) != 0)
+        err(EXIT_FAILURE, "bind()");
+    rc = fcntl(sock, F_GETFL, 0);
+    if (rc < 0)
+        err(EXIT_FAILURE, "F_GETFL");
     rc = fcntl(sock, F_SETFL, (rc | O_NONBLOCK));
-    if (rc < 0) {
-        perror("F_SETFL");
-        exit(1);
-    }
+    if (rc < 0)
+        err(EXIT_FAILURE, "F_SETFL");
     freeaddrinfo(res);
     return sock;
 }
 
+static void
+rlimited(int res)
+{
+    struct rlimit r;
+    r.rlim_cur = 0;
+    r.rlim_max = 0;
+    if (setrlimit(res, &r) == -1) {
+        err(EXIT_FAILURE, "can not setrlimit()");
+    }
+}
+
 int
 main(int argc, char **argv)
 {
@@ -460,10 +461,8 @@ main(int argc, char **argv)
         else if (dht_socket6 < 0)
             hints.ai_family |= AF_INET;
         rc = getaddrinfo(argv[i], argv[i + 1], &hints, &info);
-        if (rc != 0) {
-            fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
-            exit(1);
-        }
+        if (rc != 0)
+            err(EXIT_FAILURE, "getaddrinfo: %s\n", gai_strerror(rc));
 
         i++;
         if (i >= argc)
@@ -490,6 +489,15 @@ main(int argc, char **argv)
     fds[1].fd = dht_socket6;
     fds[1].events = POLLIN;
 
+    close(STDIN_FILENO);
+    if (quiet)
+        close(STDOUT_FILENO);
+    rlimited(RLIMIT_NPROC);
+    rlimited(RLIMIT_FSIZE);
+#if __FreeBSD__
+    rlimited(RLIMIT_NOFILE);
+#endif // __FreeBSD__
+
     while (1) {
         int tv_sec = 0;
         if ((dht_socket >= 0 && list_elements(&v4_confirmed) <= 16) ||
@@ -696,7 +704,7 @@ main(int argc, char **argv)
 
 usage:
     fprintf(stderr, "dht-bootstrap [-q] [-4 ADDR4] [-6 ADDR6] port [node port...]\n");
-    exit(1);
+    exit(EXIT_FAILURE);
 }
 
 /* We could use a proper bencoding printer and parser, but the format of