Gitweb:
https://git.exim.org/exim.git/commitdiff/cf3fecb9e873df38a9245775a3887e73a8716083
Commit: cf3fecb9e873df38a9245775a3887e73a8716083
Parent: 8c5ab0901f665bfd16bb0a0e85cef8b26e4e7818
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Aug 3 18:34:06 2023 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Aug 3 20:55:20 2023 +0100
Fix free of $value after ${run...}
---
doc/doc-txt/ChangeLog | 3 +++
src/src/expand.c | 10 ++++++++--
test/log/0635 | 7 +++++++
test/mail/0635.CALLER | 13 +++++++++++++
4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d7c45a79..ecb4aadec 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -170,6 +170,9 @@ JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave
a null-indirection SIGSEGV for the receive process.
+JH/33 Fix free for live variable $value created by a ${run ...} expansion.
+ Although not seen, this could have resulted in a SIGSEGV.
+
Exim version 4.96
-----------------
diff --git a/src/src/expand.c b/src/src/expand.c
index ae1657549..e0c571ade 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -5624,6 +5624,8 @@ while (*s)
FILE * f;
const uschar * arg, ** argv;
BOOL late_expand = TRUE;
+ uschar * save_value = lookup_value;
+ int yesno;
if (expand_forbid & RDO_RUN)
{
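Review bot: `save_value`, added in the declarations at the top of this case, has no comment saying what it protects, and the name alone does not explain it. Going by the commit title and ChangeLog entry, the item replaces `lookup_value` with the command output, and that string must not stay reachable as $value once the item has finished. I would put `/* $value on entry; put back on every exit once the command output has replaced it */` above the declaration. The case body continues beyond this hunk, so the assignment that overwrites `lookup_value` is not visible here.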
@@ -5747,20 +5749,24 @@ while (*s)
expand_string_message = string_sprintf("command killed by signal %d",
-runrc);
+ lookup_value = save_value;
goto EXPAND_FAILED;
}
}
/* Process the yes/no strings; $value may be useful in both cases */
- switch(process_yesno(
+ yesno = process_yesno(
flags, /* were previously skipping */
runrc == 0, /* success/failure indicator */
lookup_value, /* value to reset for string2 */
&s, /* input pointer */
&yield, /* output pointer */
US"run", /* condition type */
- &resetok))
+ &resetok);
+ lookup_value = save_value;
+
+ switch(yesno)
{
case 1: goto EXPAND_FAILED; /* when all is well, the */
case 2: goto EXPAND_FAILED_CURLY; /* returned value is 0 */
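Review bot: The restore `lookup_value = save_value;` is repeated by hand at the two exits shown here, once before the `goto EXPAND_FAILED` that follows the "killed by signal" message and once after `process_yesno()` returns. That makes the fix depend on every future exit path remembering it. The lines between the overwrite of `lookup_value` and the first restore are outside this hunk, so it is worth confirming that no other `goto EXPAND_FAILED` sits after the overwrite without passing through a restore. A short comment at the second site, for example `/* $value must not keep pointing at the command output past this item */`, would make the invariant visible to whoever adds the next exit.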
diff --git a/test/log/0635 b/test/log/0635
new file mode 100644
index 000000000..a8ccbcfbe
--- /dev/null
+++ b/test/log/0635
@@ -0,0 +1,7 @@
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 $recipients: "CALLER@???"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 run-wrapped $recipients: "\n"
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 <= someone@??? U=CALLER P=local-smtp S=sss
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 => CALLER <CALLER@???> R=localuser T=local_delivery
+1999-03-02 09:44:33 10HmaX-000000005vi-0000 Completed
+1999-03-02 09:44:33 Start queue run: pid=p1234
+1999-03-02 09:44:33 End queue run: pid=p1234
diff --git a/test/mail/0635.CALLER b/test/mail/0635.CALLER
new file mode 100644
index 000000000..25b61aadd
--- /dev/null
+++ b/test/mail/0635.CALLER
@@ -0,0 +1,13 @@
+From someone@??? Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test)
+ by the.local.host.name with local-smtp (Exim x.yz)
+ (envelope-from <someone@???>)
+ id 10HmaX-000000005vi-0000
+ for CALLER@???;
+ Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-000000005vi-0000@???>
+From: someone@???
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+This is a test message.
+