File 0011-lib-smtp-smtp-server-connection-Hold-a-command-refer.patch of Package dovecot23.15100
From 18d5837748d3eafe56e080653d5ed0b3e221be0b Mon Sep 17 00:00:00 2001
From: Stephan Bosch <stephan.bosch@open-xchange.com>
Date: Tue, 24 Mar 2020 12:25:03 +0100
Subject: [PATCH 11/16] lib-smtp: smtp-server-connection - Hold a command
reference while executing a command.
This fixes a use-after-free problem at the end of
smtp_server_connection_handle_command().
---
src/lib-smtp/smtp-server-connection.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
index 24843088fc..a4b7047ed7 100644
--- a/src/lib-smtp/smtp-server-connection.c
+++ b/src/lib-smtp/smtp-server-connection.c
@@ -293,21 +293,28 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
{
struct smtp_server_connection *tmp_conn = conn;
struct smtp_server_command *cmd;
+ bool finished;
- smtp_server_connection_ref(tmp_conn);
cmd = smtp_server_command_new(tmp_conn, cmd_name);
+
+ smtp_server_command_ref(cmd);
+
+ smtp_server_connection_ref(tmp_conn);
smtp_server_command_execute(cmd, cmd_params);
if (!smtp_server_connection_unref(&tmp_conn)) {
/* the command start callback managed to get this connection
destroyed */
+ smtp_server_command_unref(&cmd);
return FALSE;
}
- if (cmd != NULL && conn->command_queue_head == cmd)
+ if (conn->command_queue_head == cmd)
(void)smtp_server_command_next_to_reply(&cmd);
smtp_server_connection_timeout_update(conn);
- return (cmd == NULL || !cmd->input_locked);
+
+ finished = !cmd->input_locked;
+ return (!smtp_server_command_unref(&cmd) || finished);
}
static int
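Review bot: The final `finished = !cmd->input_locked;` dereferences `cmd` unconditionally after `smtp_server_command_next_to_reply(&cmd)`, which takes the pointer by address and has its result discarded, whereas the removed lines guarded both uses with `cmd != NULL`. The reference taken at the top of the function presumably keeps the command alive and the pointer set, but that invariant is not visible in this hunk, so I would pin it with `i_assert(cmd != NULL);` just before the read. A short comment such as `/* read input_locked before dropping our reference; the unref may free cmd */` above `finished = ...` would also record why the flag is copied into a local first. The function's signature lies outside the hunk (only the `@@` header shows it), so the remaining parameters were not reviewed.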
--
2.11.0