Thanks, I was unable to get a backtrace so this really helped. I
think the safest thing to do is to just return an error if the
expanded string is NULL. I'm not sure if there are other expansions
that can also be NULL here.
Alternately, we could move the check to be specific to the
else if (!strcasecmp("mda", rtoken)) {
...
}
block.
- todd
Index: mda_variables.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mda_variables.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 mda_variables.c
--- mda_variables.c 14 Jun 2021 17:58:15 -0000 1.7
+++ mda_variables.c 18 Mar 2023 19:03:11 -0000
@@ -51,7 +51,7 @@ mda_expand_token(char *dest, size_t len,
{
char rtoken[MAXTOKENLEN];
char tmp[EXPAND_BUFFER];
- const char *string;
+ const char *string = NULL;
char *lbracket, *rbracket, *content, *sep, *mods;
ssize_t i;
ssize_t begoff, endoff;
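Review bot: the initializer added at `const char *string = NULL;` is what makes the later `string == NULL` test well defined on any path through mda_expand_token that never assigns `string`, but nothing at the declaration says so. A one-line comment there would keep a later cleanup from dropping the initializer as redundant. Initializing here also silences any compiler warning about use of an uninitialized variable, so a token branch that forgets to set `string` would now show up only at run time as a -1 return.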
@@ -159,6 +159,8 @@ mda_expand_token(char *dest, size_t len,
return -1;
if (string != tmp) {
+ if (string == NULL)
+ return -1;
if (strlcpy(tmp, string, sizeof tmp) >= sizeof tmp)
return -1;
string = tmp;
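Review bot: the `if (string == NULL)` test is nested inside `if (string != tmp)`, which works only because NULL can never equal `tmp`; placing it immediately before that block would make the guard independent of the comparison and easier to read. The bare `return -1` also gives no indication of which token expanded to NULL. Since it is still open which expansions can do so, recording `rtoken` on this path would help answer that question and decide whether the check belongs in the "mda" branch alone.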