From cf3fecb9e873df38a9245775a3887e73a8716083 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 3 Aug 2023 18:34:06 +0100
Subject: [PATCH 1/1] Fix free of $value after ${run...}

---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/expand.c | 10 ++++++++--
 test/log/0635 | 7 +++++++
 test/mail/0635.CALLER | 13 +++++++++++++
 4 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 test/log/0635
 create mode 100644 test/mail/0635.CALLER

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d7c45a79..ecb4aadec 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -170,6 +170,9 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
 JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave a
 null-indirection SIGSEGV for the receive process.
+JH/33 Fix free for live variable $value created by a ${run ...} expansion.
+ Although not seen, this could have resulted in a SIGSEGV.
+
 Exim version 4.96
 -----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index ae1657549..e0c571ade 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -5624,6 +5624,8 @@ while (*s)
 FILE * f;
 const uschar * arg, ** argv;
 BOOL late_expand = TRUE;
+ uschar * save_value = lookup_value;
+ int yesno;
 if (expand_forbid & RDO_RUN)
 {
@@ -5747,20 +5749,24 @@ while (*s)
 expand_string_message = string_sprintf("command killed by signal %d", -runrc);
+ lookup_value = save_value;
 goto EXPAND_FAILED;
 }
 }
 /* Process the yes/no strings; $value may be useful in both cases */
- switch(process_yesno(
+ yesno = process_yesno(
 flags, /* were previously skipping */
 runrc == 0, /* success/failure indicator */
 lookup_value, /* value to reset for string2 */
 &s, /* input pointer */
 &yield, /* output pointer */
 US"run", /* condition type */
- &resetok))
+ &resetok);
+ lookup_value = save_value;
+
+ switch(yesno)
 {
 case 1: goto EXPAND_FAILED; /* when all is well, the */
 case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
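Review bot: The restore of `lookup_value` in the second expand.c hunk covers only the signal-killed path and the return from process_yesno(); the body between the two hunks is outside view, so if any other `goto EXPAND_FAILED` there is taken after `$value` has already been pointed at the command output, that exit would still leave the stale pointer live and should get the same restore. Nothing on the new lines says why the save/restore exists, so the declaration in the first hunk would read better with its intent stated, e.g. `uschar * save_value = lookup_value;	/* ${run} repoints $value at store that may be reset below; restore the caller's $value on every exit from this case */`. Repeating `lookup_value = save_value;` before each exit is easy to miss on a new path; a single restore at one shared exit point in this case would be harder to get wrong. The enclosing `while (*s)` switch case starts before the first hunk and continues past the last line shown.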
diff --git a/test/log/0635 b/test/log/0635
new file mode 100644
index 000000000..a8ccbcfbe
--- /dev/null
+++ b/test/log/0635
@@ -0,0 +1,7 @@
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 $recipients: "CALLER@the.local.host.name"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 run-wrapped $recipients: "\n"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= someone@some.domain U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => CALLER R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
+1999-03-02 09:44:33 Start queue run: pid=p1234
+1999-03-02 09:44:33 End queue run: pid=p1234
diff --git a/test/mail/0635.CALLER b/test/mail/0635.CALLER
new file mode 100644
index 000000000..25b61aadd
--- /dev/null
+++ b/test/mail/0635.CALLER
@@ -0,0 +1,13 @@
+From someone@some.domain Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test)
+ by the.local.host.name with local-smtp (Exim x.yz)
+ (envelope-from )
+ id 10HmaX-000000005vi-0000
+ for CALLER@the.local.host.name;
+ Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id:
+From: someone@some.domain
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+This is a test message.
+
-- 
2.30.2