https://bugs.exim.org/show_bug.cgi?id=3137
Bug ID: 3137
Summary: NULL deref in smtp_quit_handler(): FILE operation on closed stream
Product: Exim
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Mail Receipt
Assignee: unalloca...@exim.org
Reporter: 75f04b4e9636ea7765878d5d04bc9...@sh3ll.xyz
CC: exim-dev@lists.exim.org

Exim at commit 272a9eab951d93cda52dcc72ef52d46a23da2322 contains a NULL dereference bug in the function smtp_quit_handler(). The function attempts...

(void) poll_one_fd(fileno(smtp_in), POLLIN, 200);

but smtp_in might have been closed and set to NULL in synprot_error() beforehand. The following patch resolves the issue:

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 2fc6fd20e..bb4288ef4 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -3625,7 +3625,7 @@ log_close_event(US"by QUIT"); /* Pause, hoping client will FIN first so that they get the TIME_WAIT. The socket should become readble (though with no data) */ -(void) poll_one_fd(fileno(smtp_in), POLLIN, 200); +if (smtp_in) (void) poll_one_fd(fileno(smtp_in), POLLIN, 200); #endif /*!SERVERSIDE_CLOSE_NOWAIT*/ }
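Review bot: the added `if (smtp_in)` guard on the `+` line has no comment explaining why smtp_in can be NULL here, and the comment block above it still describes only the wait for the client's FIN. Per the report, synprot_error() may already have closed the stream and set it to NULL, so a short note to that effect, with the guarded call on its own line rather than `if (smtp_in) (void) poll_one_fd(...)` on one line, would make the intent clear. The guard covers only this poll_one_fd() call; any other use of smtp_in in smtp_quit_handler() that is reachable on the same path lies outside the visible hunk and should be checked for the same condition.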