From 1750b2485245729867353d98b376ca12415da42b Mon Sep 17 00:00:00 2001 From: millert Date: Sun, 19 Mar 2023 01:43:11 +0000 Subject: [PATCH] Fix a potential NULL dereference in the unpriv child expanding %{mda}. It is not legal to use %{mda} in anything but an mda wrapper. mda_expand_token() will now return an error when %{mda} is used and mda_command is NULL. OK op@ --- usr.sbin/smtpd/mda_variables.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr.sbin/smtpd/mda_variables.c b/usr.sbin/smtpd/mda_variables.c index 3592ca9938b..7c14d2eb551 100644 --- a/usr.sbin/smtpd/mda_variables.c +++ b/usr.sbin/smtpd/mda_variables.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mda_variables.c,v 1.7 2021/06/14 17:58:15 eric Exp $ */ +/* $OpenBSD: mda_variables.c,v 1.8 2023/03/19 01:43:11 millert Exp $ */ /* * Copyright (c) 2011-2017 Gilles Chehade @@ -51,7 +51,7 @@ mda_expand_token(char *dest, size_t len, const char *token, { char rtoken[MAXTOKENLEN]; char tmp[EXPAND_BUFFER]; - const char *string; + const char *string = NULL; char *lbracket, *rbracket, *content, *sep, *mods; ssize_t i; ssize_t begoff, endoff; @@ -159,6 +159,8 @@ mda_expand_token(char *dest, size_t len, const char *token, return -1; if (string != tmp) { + if (string == NULL) + return -1; if (strlcpy(tmp, string, sizeof tmp) >= sizeof tmp) return -1; string = tmp; -- 2.20.1