authorJeremy Harris <jgh146exb@wizmail.org>2023-08-03 18:34:06 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2023-08-03 20:55:20 +0100
commitcf3fecb9e873df38a9245775a3887e73a8716083 (patch)
tree12aaeab205f2401efa8c95e5d90636bc939f57db
parent8c5ab0901f665bfd16bb0a0e85cef8b26e4e7818 (diff)
Fix free of $value after ${run...}
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/expand.c10
-rw-r--r--test/log/06357
-rw-r--r--test/mail/0635.CALLER13
4 files changed, 31 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d7c45a79..ecb4aadec 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -170,6 +170,9 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave
a null-indirection SIGSEGV for the receive process.
+JH/33 Fix free for live variable $value created by a ${run ...} expansion.
+ Although not seen, this could have resulted in a SIGSEGV.
+
Exim version 4.96
-----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index ae1657549..e0c571ade 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -5624,6 +5624,8 @@ while (*s)
FILE * f;
const uschar * arg, ** argv;
BOOL late_expand = TRUE;
+ uschar * save_value = lookup_value;
+ int yesno;
if (expand_forbid & RDO_RUN)
{
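Review bot: `save_value` is declared with no comment, so nothing at the declaration says it holds the caller's $value for the duration of the ${run} item and has to be put back on every exit. I would add `/* outer $value; must be restored on every exit once ${run} has overwritten lookup_value */` above it. `yesno` is used only once further down and could be declared at that assignment, if the file's style allows it. The enclosing block starts and ends outside this hunk.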
@@ -5747,20 +5749,24 @@ while (*s)
expand_string_message = string_sprintf("command killed by signal %d",
-runrc);
+ lookup_value = save_value;
goto EXPAND_FAILED;
}
}
/* Process the yes/no strings; $value may be useful in both cases */
- switch(process_yesno(
+ yesno = process_yesno(
flags, /* were previously skipping */
runrc == 0, /* success/failure indicator */
lookup_value, /* value to reset for string2 */
&s, /* input pointer */
&yield, /* output pointer */
US"run", /* condition type */
- &resetok))
+ &resetok);
+ lookup_value = save_value;
+
+ switch(yesno)
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
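Review bot: The restore `lookup_value = save_value;` is placed by hand at two exits, before the `goto EXPAND_FAILED` that follows the signal message and after `process_yesno()`, and the hunk does not show whether any other exit lies between the point where lookup_value is overwritten and these lines. If one does, $value would still refer to the ${run} output after the item ends, which looks like the stale-pointer condition the ChangeLog entry describes. It is worth checking every `goto EXPAND_FAILED` in the block, or sending them through one local label that performs the restore. The `case 1` and `case 2` branches are covered because the restore precedes the `switch(yesno)`. The block starts and ends outside this hunk.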
diff --git a/test/log/0635 b/test/log/0635
new file mode 100644
index 000000000..a8ccbcfbe
--- /dev/null
+++ b/test/log/0635
@@ -0,0 +1,7 @@
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 $recipients: "CALLER@the.local.host.name"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 run-wrapped $recipients: "\n"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= someone@some.domain U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => CALLER <CALLER@the.local.host.name> R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
+1999-03-02 09:44:33 Start queue run: pid=p1234
+1999-03-02 09:44:33 End queue run: pid=p1234
diff --git a/test/mail/0635.CALLER b/test/mail/0635.CALLER
new file mode 100644
index 000000000..25b61aadd
--- /dev/null
+++ b/test/mail/0635.CALLER
@@ -0,0 +1,13 @@
+From someone@some.domain Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test)
+ by the.local.host.name with local-smtp (Exim x.yz)
+ (envelope-from <someone@some.domain>)
+ id 10HmaX-000000005vi-0000
+ for CALLER@the.local.host.name;
+ Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-000000005vi-0000@the.local.host.name>
+From: someone@some.domain
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+This is a test message.
+