# Extended 3.24 — SocketPlugin: strncpy without NUL-term on DNS PTR record

Bug ref      : pharo.md §3.24
Severity     : HIGH (poisoned PTR record → OOB read in subsequent strlen)
File         : extracted/plugins/SocketPlugin/src/common/SocketPluginImpl.c
Lines (HEAD) : 1698 (`sqResolverStartAddrLookup`)

## Problem

```c
void sqResolverStartAddrLookup(sqInt address)
{
  const char *res;
  res= addrToName(address);
  strncpy(lastName, res, MAXHOSTNAMELEN);
  logTrace( "startAddrLookup %s\n", lastName);
}
```

`lastName` is a `MAXHOSTNAMELEN`-sized buffer. A hostile DNS PTR
record with a name `>= MAXHOSTNAMELEN` bytes leaves `lastName`
**not NUL-terminated**. The subsequent
`sqResolverAddrLookupResultSize` runs `strlen(lastName)` which
walks past the buffer.

## Fix

Force NUL-termination after the copy.

```diff
--- a/extracted/plugins/SocketPlugin/src/common/SocketPluginImpl.c
+++ b/extracted/plugins/SocketPlugin/src/common/SocketPluginImpl.c
@@ -1695,8 +1695,9 @@
 void sqResolverStartAddrLookup(sqInt address)
 {
   const char *res;
   res= addrToName(address);
-  strncpy(lastName, res, MAXHOSTNAMELEN);
+  strncpy(lastName, res, MAXHOSTNAMELEN - 1);
+  lastName[MAXHOSTNAMELEN - 1] = '\0';
   logTrace( "startAddrLookup %s\n", lastName);
 }
```

## Test plan

- Point at a DNS server that returns a PTR record of length
  exactly `MAXHOSTNAMELEN`. Before: `sqResolverAddrLookupResultSize`
  walks past the buffer. After: result is truncated to
  `MAXHOSTNAMELEN-1` bytes.
- Normal PTR records: unchanged.

## Risk notes

- Truncation by one byte for over-long PTR records; the legitimate
  hostnames are always shorter.
- The fix matches the canonical "strncpy + NUL terminator" pattern.