Check tor_vasprintf for error return values.

In case of error, a negative value will be returned or NULL written into
first supplied argument.

This patch uses both cases to comply with style in the specific files.

A tor_vasprintf error in process_vprintf would lead to a NULL dereference
later on in buf_add, because the return value -1 casted to size_t would
pass an assertion check inside of buf_add.

On the other hand, common systems will fail on such an operation, so it
is not a huge difference to a simple assertion. Yet it is better to
properly fail instead of relying on such behaviour on all systems.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

src/feature/control/control_events.c

@@ -1653,7 +1653,10 @@ control_event_status(int type, int severity, const char *format, va_list args)
     log_warn(LD_BUG, "Format string too long.");
     return -1;
   }
-  tor_vasprintf(&user_buf, format, args);
+  if (tor_vasprintf(&user_buf, format, args)<0) {
+    log_warn(LD_BUG, "Failed to create user buffer.");
+    return -1;
+  }
 
   send_control_event(type,  "%s %s\r\n", format_buf, user_buf);
   tor_free(user_buf);

src/lib/buf/buffers.c

@@ -578,6 +578,7 @@ buf_add_vprintf(buf_t *buf, const char *format, va_list args)
   /* XXXX Faster implementations are easy enough, but let's optimize later */
   char *tmp;
   tor_vasprintf(&tmp, format, args);
+  tor_assert(tmp != NULL);
   buf_add(buf, tmp, strlen(tmp));
   tor_free(tmp);
 }

src/lib/process/process.c

@@ -550,6 +550,7 @@ process_vprintf(process_t *process,
   char *data;
 
   size = tor_vasprintf(&data, format, args);
+  tor_assert(data != NULL);
   process_write(process, (uint8_t *)data, size);
   tor_free(data);
 }