File 0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch of Package dovecot23.15100

From 18d5837748d3eafe56e080653d5ed0b3e221be0b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Tue, 24 Mar 2020 12:25:03 +0100
Subject: [PATCH 11/16] lib-smtp: smtp-server-connection - Hold a command
 reference while executing a command.

This fixes a use-after-free problem at the end of
smtp_server_connection_handle_command().
---
 src/lib-smtp/smtp-server-connection.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
index 24843088fc..a4b7047ed7 100644
--- a/src/lib-smtp/smtp-server-connection.c
+++ b/src/lib-smtp/smtp-server-connection.c
@@ -293,21 +293,28 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
 {
 	struct smtp_server_connection *tmp_conn = conn;
 	struct smtp_server_command *cmd;
+	bool finished;
 
-	smtp_server_connection_ref(tmp_conn);
 	cmd = smtp_server_command_new(tmp_conn, cmd_name);
+
+	smtp_server_command_ref(cmd);
+
+	smtp_server_connection_ref(tmp_conn);
 	smtp_server_command_execute(cmd, cmd_params);
 	if (!smtp_server_connection_unref(&tmp_conn)) {
 		/* the command start callback managed to get this connection
 		   destroyed */
+		smtp_server_command_unref(&cmd);
 		return FALSE;
 	}
 
-	if (cmd != NULL && conn->command_queue_head == cmd)
+	if (conn->command_queue_head == cmd)
 		(void)smtp_server_command_next_to_reply(&cmd);
 
 	smtp_server_connection_timeout_update(conn);
-	return (cmd == NULL || !cmd->input_locked);
+
+	finished = !cmd->input_locked;
+	return (!smtp_server_command_unref(&cmd) || finished);
 }
 
 static int
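Review bot: The removed `cmd != NULL` guards are not replaced by anything that states why `cmd` can no longer be NULL at `finished = !cmd->input_locked;`. `smtp_server_command_next_to_reply(&cmd)` still receives the address of the pointer and its result is discarded; its body is not in this hunk, so presumably the reference taken by `smtp_server_command_ref(cmd)` is what stops it from clearing `cmd`, but that is not visible here. I would make the invariant explicit with `i_assert(cmd != NULL);` before the `input_locked` read, plus a comment such as `/* our reference keeps cmd alive until the unref below */`, so a later change to the hook path fails loudly instead of becoming a NULL dereference or reintroducing the use-after-free. The function's signature lies above the hunk; only its body is shown.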
-- 
2.11.0
