From c2e63d99c0807cbaa79ae198a1f995ec3679913a Mon Sep 17 00:00:00 2001
From: gilles
Date: Tue, 26 May 2026 22:43:32 +0000
Subject: [PATCH] Ensure pending asynchronous lookups do not retain dangling smtp_session references after teardown. This is mainly a robustness fix inside the privsep model: stale references may permit lateral effects between smtpd processes after another compromise. diff by Stuart Thomas
---
 usr.sbin/smtpd/smtp_session.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 8fa48d6c635..bc7d864fc54 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.448 2026/04/08 12:04:56 op Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.449 2026/05/26 22:43:32 gilles Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -2102,6 +2102,9 @@ smtp_reply(struct smtp_session *s, char *fmt, ...)
 va_start(ap, fmt);
 n = vsnprintf(buf, sizeof buf, fmt, ap);
 va_end(ap);
+ if (n >= (int)sizeof buf)
+ n = (int)sizeof buf - 1;
+
 if (n < 0)
 fatalx("smtp_reply: response format error");
 if (n < 4)
@@ -2198,6 +2201,18 @@ smtp_free(struct smtp_session *s, const char * reason)
 smtp_report_link_disconnect(s);
 smtp_filter_end(s);
+ tree_pop(&wait_lka_helo, s->id);
+ tree_pop(&wait_lka_mail, s->id);
+ tree_pop(&wait_lka_rcpt, s->id);
+ tree_pop(&wait_parent_auth, s->id);
+ tree_pop(&wait_queue_msg, s->id);
+ tree_pop(&wait_queue_fd, s->id);
+ tree_pop(&wait_queue_commit, s->id);
+ tree_pop(&wait_ssl_init, s->id);
+ tree_pop(&wait_ssl_verify, s->id);
+ tree_pop(&wait_filters, s->id);
+ tree_pop(&wait_filter_fd, s->id);
+
 if (s->flags & SF_SECURE && s->listener->flags & F_SMTPS)
 stat_decrement("smtp.smtps", 1);
 if (s->flags & SF_SECURE && s->listener->flags & F_STARTTLS)
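Review bot: The clamp added after `va_end(ap)` in smtp_reply() silently truncates an over-long reply and is not mentioned in the commit message, which only describes the wait-tree cleanup. vsnprintf() returns the length the complete output would have had, so without the clamp `n` can be larger than what `buf` actually holds, and any later use of `n` as a length (the rest of the function lies outside the hunk) would run past the buffer. I would say so in a comment above the check, e.g. `/* vsnprintf returns the untruncated length; clamp n to what buf holds */`, and record the change in the log message. Logging when truncation happens would also make an over-long reply visible in operation.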
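Review bot: Dropping the session id from all eleven wait trees in smtp_free() means a reply that arrives after teardown no longer finds an entry, so every reply handler must tolerate a missing key. The handlers are not in this hunk; if any of them resolves the id with `tree_xpop()` or `tree_xget()`, which abort on a miss, a late answer from another process would now terminate this one rather than touch freed memory. Those lookups should use the non-fatal `tree_pop()` and discard the reply when it returns NULL. The return values of the new `tree_pop()` calls are also ignored, which is only safe if each tree stores the session pointer itself rather than a separately allocated object. A one-line comment above the block, such as `/* drop pending request ids so late replies cannot reach a freed session */`, would record the intent.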