From aa9ffe06f796adc50e2ded21a81ad5633d426247 Mon Sep 17 00:00:00 2001
From: gilles <gilles@openbsd.org>
Date: Tue, 6 Jan 2015 10:31:09 +0000
Subject: [PATCH] move the message parser init earlier to avoid a possible use
 after free in an unlikely error code path

---
 usr.sbin/smtpd/smtp_session.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 3173c5b8143..90231b97d79 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: smtp_session.c,v 1.221 2014/12/17 15:49:23 millert Exp $	*/
+/*	$OpenBSD: smtp_session.c,v 1.222 2015/01/06 10:31:09 gilles Exp $	*/
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -315,7 +315,9 @@ header_append_domain_buffer(char *buffer, char *domain, size_t len)
 			has_domain = 1;
 		if (buffer[i] == ':' && !escape && !comment && !quote)
 			has_group = 1;
-		if (! isspace(buffer[i]))
+
+		/* update insert point if not in comment and not on a whitespace */
+		if (!comment && buffer[i] != ')' && !isspace((int)buffer[i]))
 			pos_component = i;
 	}
 
@@ -507,6 +509,21 @@ smtp_session(struct listener *listener, int sock,
 
 	(void)strlcpy(s->smtpname, listener->hostname, sizeof(s->smtpname));
 
+	/* Setup parser and callbacks before smtp_connected() can be called */
+	rfc2822_parser_init(&s->rfc2822_parser);
+	rfc2822_header_default_callback(&s->rfc2822_parser,
+	    header_default_callback, s);
+	rfc2822_header_callback(&s->rfc2822_parser, "bcc",
+	    header_bcc_callback, s);
+	rfc2822_header_callback(&s->rfc2822_parser, "from",
+	    header_masquerade_callback, s);
+	rfc2822_header_callback(&s->rfc2822_parser, "to",
+	    header_masquerade_callback, s);
+	rfc2822_header_callback(&s->rfc2822_parser, "cc",
+	    header_masquerade_callback, s);
+	rfc2822_body_callback(&s->rfc2822_parser,
+	    dataline_callback, s);
+
 	/* For local enqueueing, the hostname is already set */
 	if (hostname) {
 		s->flags |= SF_AUTHENTICATED;
@@ -524,19 +541,7 @@ smtp_session(struct listener *listener, int sock,
 		tree_xset(&wait_lka_ptr, s->id, s);
 	}
 
-	rfc2822_parser_init(&s->rfc2822_parser);
-	rfc2822_header_default_callback(&s->rfc2822_parser,
-	    header_default_callback, s);
-	rfc2822_header_callback(&s->rfc2822_parser, "bcc",
-	    header_bcc_callback, s);
-	rfc2822_header_callback(&s->rfc2822_parser, "from",
-	    header_masquerade_callback, s);
-	rfc2822_header_callback(&s->rfc2822_parser, "to",
-	    header_masquerade_callback, s);
-	rfc2822_header_callback(&s->rfc2822_parser, "cc",
-	    header_masquerade_callback, s);
-	rfc2822_body_callback(&s->rfc2822_parser,
-	    dataline_callback, s);
+	/* session may have been freed by now */
 
 	return (0);
 }
-- 
2.20.1