[exim-dev] $reply_address expansion segfault (with patch)

Author: Michael Haardt
Date:  
To: exim-dev
Subject: [exim-dev] $reply_address expansion segfault (with patch)
Hello,

Expanding $reply_address on a mail with empty Reply-To and no From
segfaults. Here is a patch to fix that. According to the documentation,
setting *newsize back to 0 should be ok. Philip, please have a look if
this is really ok or if newsize should be saved and restored.

After finding out that Reply-To is empty, s is "" and newsize is 2.
Now find_header returns NULL, because From is not set, but newsize is
still 2, although a pointer to the statically allocated "" is returned.

Michael
----------------------------------------------------------------------
--- src/expand.c.orig    2005-07-29 10:45:22.000000000 +0200
+++ src/expand.c    2005-07-29 10:52:01.000000000 +0200
@@ -1425,8 +1425,9 @@
     case vtype_reply:                          /* Get reply address */
     s = find_header(US"reply-to:", exists_only, newsize, FALSE,
       headers_charset);
-    if (s == NULL || *s == 0)
-      s = find_header(US"from:", exists_only, newsize, FALSE, headers_charset);
+    if (s != NULL && *s != 0) return s;
+    *newsize=0;
+    s = find_header(US"from:", exists_only, newsize, FALSE, headers_charset);
     return (s == NULL)? US"" : s;


     /* A recipients list is available only during system message filtering,
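Review bot: `*newsize=0;` dereferences newsize unconditionally, whereas the surrounding code only ever passes the pointer through to find_header; if any caller can reach vtype_reply with a NULL newsize (the exists_only lookup path is the one to check), this trades the reported segfault for a new one, so either guard it as `if (newsize != NULL) *newsize = 0;` or confirm that every caller supplies a real pointer. The logic of the change is otherwise sound: with Reply-To present but empty the early `return s` is skipped, and resetting newsize before the From lookup stops the stale size of 2 from being reported alongside the static US"" on the fallback path, which is exactly the mismatch described in the message. Minor style point: the rest of the hunk writes assignments with spaces around `=`.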