
Fix null pointer dereference in ResolveAddress #252

Open
hirorogo wants to merge 1 commit into baidu:master from hirorogo:fix/resolve-address-null-check

Conversation


@hirorogo hirorogo commented Mar 31, 2026


Summary

ResolveAddress in src/sofa/pbrpc/rpc_endpoint.cc unconditionally dereferences the RpcEndpoint* endpoint parameter without validating it against NULL. In the 3-argument overload, if endpoint is NULL and DNS resolution succeeds, the write *endpoint = it->endpoint() at line 40 causes a segmentation fault.

The 2-argument overload delegates to the 3-argument version, so it is equally affected.

Fix

Add an early if (!endpoint) return false; guard at the top of both ResolveAddress overloads, before any dereference occurs. This is a minimal, defensive change that returns false (indicating failure) rather than crashing.

PoC

#include <cstdio>
#include <cstring>

// Minimal stand-in for sofa-pbrpc's RpcEndpoint, enough to show the dereference.
struct RpcEndpoint {
    char host[64];
    int port;
};

// Stand-in for one resolver iterator entry; endpoint() mirrors it->endpoint().
struct ResolverEntry {
    RpcEndpoint ep;
    RpcEndpoint endpoint() { return ep; }
};

// Reproduction of the vulnerable code path: the output pointer is written
// without ever being checked against NULL.
bool ResolveAddress_buggy(const char* host, const char* svc,
        RpcEndpoint* endpoint)
{
    (void)svc;  // service/port string is not needed to reproduce the crash
    ResolverEntry entry;
    strncpy(entry.ep.host, host, 63);
    entry.ep.host[63] = '\0';  // strncpy does not guarantee termination
    entry.ep.port = 8080;

    // Simulate successful DNS resolution
    *endpoint = entry.endpoint();  // CRASH: endpoint == NULL
    return true;
}

// __try/__except is MSVC structured exception handling (SEH); build with MSVC.
// On other toolchains the access violation is simply a SIGSEGV crash.
int main() {
    __try {
        ResolveAddress_buggy("localhost", "8080", NULL);
    }
    __except(1) {  // EXCEPTION_EXECUTE_HANDLER
        printf("ACCESS VIOLATION: NULL pointer dereference confirmed\n");
    }
    return 0;
}

Result:

ACCESS VIOLATION: NULL pointer dereference confirmed

How it was found

This bug was identified during a SPECA security audit (bug ID: PROP-N1-npd-003).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
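The guarded form of both overloads, as an added example that is not part of this PR or of sofa-pbrpc's own code. It assumes simplified stand-ins: a plain RpcEndpoint struct (the real one is a boost::asio endpoint), a constructed in-memory resolver table in place of DNS, and the 3-argument (host, svc, endpoint) and 2-argument ("host:port", endpoint) shapes the PR description refers to. The point it shows is that a NULL output pointer now yields false on every path, including the delegating overload, while a valid pointer still receives the resolved endpoint.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

// Simplified stand-in for RpcEndpoint (assumption; the real type differs).
struct RpcEndpoint {
    std::string host;
    uint16_t port;
};

// Constructed resolver table standing in for DNS (assumption, offline only).
static const std::map<std::string, std::vector<RpcEndpoint>>& FakeResolverTable() {
    static const std::map<std::string, std::vector<RpcEndpoint>> table = {
        {"localhost",        {{"127.0.0.1", 0}}},
        {"rpc.example.test", {{"10.0.0.5", 0}, {"10.0.0.6", 0}}},
    };
    return table;
}

// 3-argument overload: guard first, then resolve, then write through the pointer.
bool ResolveAddress(const std::string& host, const std::string& svc,
                    RpcEndpoint* endpoint)
{
    if (!endpoint) return false;  // early guard before any dereference

    const auto& table = FakeResolverTable();
    auto it = table.find(host);
    if (it == table.end() || it->second.empty()) return false;  // resolution failed

    int port = std::atoi(svc.c_str());
    if (port <= 0 || port > 65535) return false;  // reject unusable service strings

    *endpoint = it->second.front();  // safe: endpoint verified non-NULL above
    endpoint->port = static_cast<uint16_t>(port);
    return true;
}

// 2-argument overload: carries its own guard so it never relies on the callee,
// then splits "host:port" and delegates.
bool ResolveAddress(const std::string& address, RpcEndpoint* endpoint)
{
    if (!endpoint) return false;  // early guard, mirrors the 3-argument overload

    size_t pos = address.rfind(':');
    if (pos == std::string::npos) return false;  // no port separator
    return ResolveAddress(address.substr(0, pos), address.substr(pos + 1), endpoint);
}

int main() {
    RpcEndpoint ep;
    bool ok_valid = ResolveAddress("localhost", "8080", &ep);   // true
    bool ok_null  = ResolveAddress("localhost", "8080", nullptr); // false, no crash
    return (ok_valid && !ok_null) ? 0 : 1;
}
```

The guard is duplicated in both overloads rather than placed only in the 3-argument one, so that neither function's contract depends on the other's implementation if the delegation changes later.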
