CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/01 09:12:04
Modified files:
usr.sbin/smtpd : Tag: OPENBSD_7_8 crypto.c lka.c mproc.c
queue_backend.c smtp_session.c
Log message:
Validate encrypted queue buffer sizes before processing auth tag
and IV data: current callers already treat malformed input as a
decrypt failure but rejecting truncated buffers earlier makes
boundary conditions more explicit.

from gilles@; diff by Stuart Thomas <[email protected]>

Ensure pending asynchronous lookups do not retain dangling smtp_session
references after teardown.

This is mainly a robustness fix inside the privsep model: stale
references may permit lateral effects between smtpd processes after
another compromise.

from gilles@; diff by Stuart Thomas <[email protected]>

Zero the temporary envelope parsing buffers before use.

While current parsing paths do not expose uninitialized data, keeping
stack residue in these transient buffers unnecessarily weakens
compartmentalization and may aid lateral movement inside the privsep
environment after another bug.

The diff also fixes a theoretical double close race bug which can't
really happen in smtpd due to requiring concurrency in our single
threaded event loop, and which would have very limited reliability
impact if it was triggered (forcing a mail to fail on a schedule
tick and be retried at next tick). This is still incorrect so let's
avoid a copy of this code in more problematic places.

from gilles@; diff by Stuart Thomas <[email protected]>

Reject oversized sockaddr payloads received over privsep IPC. This
is not an issue on its own but may permit lateral movement or memory
corruption inside the privsep environment after another bug.

from gilles@; diff by Stuart Thomas <[email protected]>

Clear userinfo before sending over imsg.

This is not an issue by itself but it weakens compartmentalization
and may assist lateral movement inside the privsep environment after
another bug.

from gilles@; diff by Stuart Thomas <[email protected]>

this is errata/7.8/038_smtpd.patch.sig
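
The sockaddr entry in the log above describes a receiver-side length check on IPC data. The following is an added example of that kind of check, not code from this commit or from smtpd; the names sockaddr_from_ipc and sample_check are hypothetical and the sample payload is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/un.h>

/* Hypothetical helper, not smtpd code: copy a sockaddr out of an untrusted
 * IPC payload. Returns 0 on success, -1 if the payload is rejected. */
int
sockaddr_from_ipc(struct sockaddr_storage *dst, const void *payload, size_t len)
{
	struct sockaddr sa;

	/* Too short for a sockaddr header, or larger than the destination. */
	if (payload == NULL || len < sizeof(sa) || len > sizeof(*dst))
		return -1;
	/* Read the header from an aligned local copy, not the raw buffer. */
	memcpy(&sa, payload, sizeof(sa));
	/* The claimed family must agree with the length that was received. */
	switch (sa.sa_family) {
	case AF_INET:
		if (len != sizeof(struct sockaddr_in))
			return -1;
		break;
	case AF_INET6:
		if (len != sizeof(struct sockaddr_in6))
			return -1;
		break;
	case AF_UNIX:
		if (len > sizeof(struct sockaddr_un))
			return -1;
		break;
	default:
		return -1;
	}
	/* Zero first so no stale bytes follow the copied address. */
	memset(dst, 0, sizeof(*dst));
	memcpy(dst, payload, len);
	return 0;
}

/* Constructed sample: a zeroed payload of len bytes claiming `family`. */
int
sample_check(int family, size_t len)
{
	unsigned char buf[256] = {0};
	struct sockaddr sa = {0};
	struct sockaddr_storage out;

	sa.sa_family = family;
	memcpy(buf, &sa, sizeof(sa));
	return sockaddr_from_ipc(&out, buf, len);
}
```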