Ensure pending asynchronous lookups do not retain dangling smtp_session references after teardown.

This is mainly a robustness fix inside the privsep model:
stale references may permit lateral effects between smtpd processes after another compromise.


diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>

usr.sbin/smtpd/smtp_session.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: smtp_session.c,v 1.448 2026/04/08 12:04:56 op Exp $	*/
+/*	$OpenBSD: smtp_session.c,v 1.449 2026/05/26 22:43:32 gilles Exp $	*/
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -2102,6 +2102,9 @@ smtp_reply(struct smtp_session *s, char *fmt, ...)
 	va_start(ap, fmt);
 	n = vsnprintf(buf, sizeof buf, fmt, ap);
 	va_end(ap);
+	if (n >= (int)sizeof buf)
+		n = (int)sizeof buf - 1;
+
 	if (n < 0)
 		fatalx("smtp_reply: response format error");
 	if (n < 4)
@@ -2198,6 +2201,18 @@ smtp_free(struct smtp_session *s, const char * reason)
 	smtp_report_link_disconnect(s);
 	smtp_filter_end(s);
 
+	tree_pop(&wait_lka_helo, s->id);
+	tree_pop(&wait_lka_mail, s->id);
+	tree_pop(&wait_lka_rcpt, s->id);
+	tree_pop(&wait_parent_auth, s->id);
+	tree_pop(&wait_queue_msg, s->id);
+	tree_pop(&wait_queue_fd, s->id);
+	tree_pop(&wait_queue_commit, s->id);
+	tree_pop(&wait_ssl_init, s->id);
+	tree_pop(&wait_ssl_verify, s->id);
+	tree_pop(&wait_filters, s->id);
+	tree_pop(&wait_filter_fd, s->id);
+
 	if (s->flags & SF_SECURE && s->listener->flags & F_SMTPS)
 		stat_decrement("smtp.smtps", 1);
 	if (s->flags & SF_SECURE && s->listener->flags & F_STARTTLS)