Thanks, I was unable to get a backtrace so this really helped. I think the safest thing to do is to just return an error if the expanded string is NULL. I'm not sure if there are other expansions that can also be NULL here.
Alternately, we could move the check to be specific to the else if (!strcasecmp("mda", rtoken)) { ... } block. - todd Index: mda_variables.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/mda_variables.c,v retrieving revision 1.7 diff -u -p -u -r1.7 mda_variables.c --- mda_variables.c 14 Jun 2021 17:58:15 -0000 1.7 +++ mda_variables.c 18 Mar 2023 19:03:11 -0000 @@ -51,7 +51,7 @@ mda_expand_token(char *dest, size_t len, { char rtoken[MAXTOKENLEN]; char tmp[EXPAND_BUFFER]; - const char *string; + const char *string = NULL; char *lbracket, *rbracket, *content, *sep, *mods; ssize_t i; ssize_t begoff, endoff; @@ -159,6 +159,8 @@ mda_expand_token(char *dest, size_t len, return -1; if (string != tmp) { + if (string == NULL) + return -1; if (strlcpy(tmp, string, sizeof tmp) >= sizeof tmp) return -1; string = tmp;
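Review bot: in the first hunk (@@ -51,7), `const char *string = NULL;` gives NULL a meaning that is not written down anywhere: the declaration carries no comment saying that NULL stands for "this token had nothing to expand". Add a one-line comment on the declaration stating that. The initializer also means the compiler can no longer warn about a branch that forgets to assign `string`, so such a branch now shows up only as a -1 return at run time.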
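Review bot: in the second hunk (@@ -159,6), the new `if (string == NULL) return -1;` returns the same value as the `strlcpy(tmp, string, sizeof tmp) >= sizeof tmp` truncation failure directly below it, so a caller cannot tell a missing expansion from an overlong one. If the distinction matters to the caller, it needs a separate signal. At minimum, add a comment above the check naming which token can leave `string` NULL. Moving the test into the `"mda"` branch, as the message proposes as an alternative, would keep the check next to the assignment that can produce NULL instead of covering every token type silently.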