From b49d95e6e7394c8512018270249b920d9dcd976e Mon Sep 17 00:00:00 2001
From: millert
Date: Thu, 8 Jan 2015 22:10:08 +0000
Subject: [PATCH] Avoid a crash (free of bogus pointer) when there is a syntax error reading the config socket by clearing the entire blacklist struct instead of just the tag string. Also avoid holes in the blacklist array on error since the code can't cope with them. OK beck@
---
 libexec/spamd/sdl.c | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/libexec/spamd/sdl.c b/libexec/spamd/sdl.c
index 40aac687cfa..a056286ff49 100644
--- a/libexec/spamd/sdl.c
+++ b/libexec/spamd/sdl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sdl.c,v 1.19 2014/10/11 03:25:16 doug Exp $ */
+/* $OpenBSD: sdl.c,v 1.20 2015/01/08 22:10:08 millert Exp $ */
 /*
 * Copyright (c) 2003-2007 Bob Beck. All rights reserved.
@@ -73,18 +73,18 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc)
 } else {
 if (debug > 0)
 printf("adding list %s; %d entries\n", sdname, addrc);
- idx = blu;
- }
- if (idx == blu && blu == blc) {
- struct sdlist *tmp;
+ if (blu == blc) {
+ struct sdlist *tmp;
- tmp = reallocarray(blacklists, blc + 128,
- sizeof(struct sdlist));
- if (tmp == NULL)
- return (-1);
- blacklists = tmp;
- blc += 128;
- sdl_clear(&blacklists[idx]);
+ tmp = reallocarray(blacklists, blc + 128,
+ sizeof(struct sdlist));
+ if (tmp == NULL)
+ return (-1);
+ blacklists = tmp;
+ blc += 128;
+ sdl_clear(&blacklists[blu]);
+ }
+ idx = blu;
 }
 if ((blacklists[idx].tag = strdup(sdname)) == NULL)
@@ -151,7 +151,7 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc)
 }
 if (idx == blu) {
 blu++;
- blacklists[blu].tag = NULL;
+ sdl_clear(&blacklists[blu]);
 }
 return (0);
 parse_error:
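Review bot: `sdl_clear(&blacklists[blu]);` after `blu++` in the `@@ -151,7` hunk can land one element past the array. The growth check moved into the else branch in the `@@ -73,18` hunk fires only when `blu == blc`, so the add that takes the last free slot leaves `blu == blc` and the clear then writes `blacklists[blc]`; the removed `.tag = NULL` store had the same reach, but a whole-struct clear is a wider write, and the memmove added at `misc_error` copies that slot too. Unless a spare element is allocated somewhere outside these hunks, growing one slot earlier keeps the terminator in bounds: `if (blu + 1 >= blc) {`. sdl_add starts and ends outside both hunks, so the initial allocation is not visible here.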
@@ -159,6 +159,11 @@ sdl_add(char *sdname, char *sdstring, char ** addrs, int addrc)
 printf("sdl_add: parse error, \"%s\"\n", addrs[i]);
 misc_error:
 sdl_free(&blacklists[idx]);
+ if (idx != blu) {
+ memmove(&blacklists[idx], &blacklists[idx + 1],
+ (blu - idx) * sizeof(*blacklists));
+ blu--;
+ }
 return (-1);
 }
-- 2.20.1
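Review bot: The new `idx != blu` branch at `misc_error` removes an already-registered list outright when its replacement fails, so one malformed update leaves the daemon without that blacklist until a good one arrives, and the only report visible in this hunk is the printf at `parse_error`. If dropping the list is the intended failure mode, say so above the memmove, e.g. `/* replacement failed: drop the slot and close the gap; the count includes the cleared terminator at blacklists[blu] */`, and consider reporting the dropped list unconditionally rather than only through that printf. The start of sdl_add is outside the hunk, so whether the old entries could be kept until the new ones parse cannot be judged from here.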