X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/22a7eb21aaf6d6858503890bb05c376fd6e37049..b634f8eaf52aae84c311d7e306f38f3dc07ff1b0:/src/src/tls.c

diff --git a/src/src/tls.c b/src/src/tls.c
index e6bf1c8d3..c497ac307 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -158,8 +158,8 @@ return FALSE;
 # endif
 # ifdef EXIM_HAVE_KEVENT
 {
-uschar * s;
-int fd1, fd2, i, cnt = 0;
+uschar * s, * t;
+int fd1, fd2, i, j, cnt = 0;
 struct stat sb;
 #ifdef OpenBSD
 struct kevent k_dummy;
@@ -209,11 +209,14 @@ for (;;)
 
   if (!(S_ISLNK(sb.st_mode))) break;
 
-  s = store_get(1024, FALSE);
-  if ((i = readlink(CCS filename, (void *)s, 1024)) < 0) { s = US"readlink"; goto bad; }
-  filename = s;
-  *(s += i) = '\0';
-  store_release_above(s+1);
+  t = store_get(1024, FALSE);
+  Ustrncpy(t, s, 1022);
+  j = Ustrlen(s);
+  t[j++] = '/';
+  if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; }
+  filename = t;
+  *(t += i+j) = '\0';
+  store_release_above(t+1);
   }
 
 #ifdef OpenBSD
@@ -222,7 +225,7 @@ if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0)
 #else
 if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, NULL, 0, NULL) >= 0)
   return TRUE;
-#endiv
+#endif
 s = US"kevent";
 
 bad:
@@ -356,11 +359,18 @@ opt_unset_or_noexpand(const uschar * opt)
 
 
 
-/* Called every time round the daemon loop */
+/* Called every time round the daemon loop.
 
-void
+If we reloaded fd-watcher, return the old watch fd
+having modified the global for the new one. Otherwise
+return -1.
+*/
+
+int
 tls_daemon_tick(void)
 {
+int old_watch_fd = tls_watch_fd;
+
 tls_per_lib_daemon_tick();
 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 if (tls_creds_expire && time(NULL) >= tls_creds_expire)
@@ -372,6 +382,7 @@ if (tls_creds_expire && time(NULL) >= tls_creds_expire)
   DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
   tls_creds_expire = 0;
   tls_daemon_creds_reload();
+  return old_watch_fd;
   }
 else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
   {
@@ -383,8 +394,10 @@ else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
   DEBUG(D_tls) debug_printf("watch triggered\n");
   tls_watch_trigger_time = tls_creds_expire = 0;
   tls_daemon_creds_reload();
+  return old_watch_fd;
   }
 #endif
+return -1;
 }
 
 /* Called once at daemon startup */
@@ -457,6 +470,9 @@ Returns:       the character
 int
 tls_ungetc(int ch)
 {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
 return ch;
 }
@@ -669,7 +685,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
 return FALSE;
 }
 
-
 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
 and writes a file by that name.  Our OpenSSL code does the same, using keying
 info from the library API.