Fix a potential NULL dereference in the unpriv child expanding %{mda}.

It is not legal to use %{mda} in anything but an mda wrapper.
mda_expand_token() will now return an error when %{mda} is used and
mda_command is NULL.  OK op@

diff --git a/usr.sbin/smtpd/mda_variables.c b/usr.sbin/smtpd/mda_variables.c
index 3592ca9..7c14d2e 100644 (file)
--- a/usr.sbin/smtpd/mda_variables.c
+++ b/usr.sbin/smtpd/mda_variables.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mda_variables.c,v 1.7 2021/06/14 17:58:15 eric Exp $  */
+/*     $OpenBSD: mda_variables.c,v 1.8 2023/03/19 01:43:11 millert Exp $       */
 
 /*
  * Copyright (c) 2011-2017 Gilles Chehade <gilles@poolp.org>
@@ -51,7 +51,7 @@ mda_expand_token(char *dest, size_t len, const char *token,
 {
        char            rtoken[MAXTOKENLEN];
        char            tmp[EXPAND_BUFFER];
-       const char     *string;
+       const char     *string = NULL;
        char           *lbracket, *rbracket, *content, *sep, *mods;
        ssize_t         i;
        ssize_t         begoff, endoff;
@@ -159,6 +159,8 @@ mda_expand_token(char *dest, size_t len, const char *token,
                return -1;
 
        if (string != tmp) {
+               if (string == NULL)
+                       return -1;
                if (strlcpy(tmp, string, sizeof tmp) >= sizeof tmp)
                        return -1;
                string = tmp;