Prereq: "3.4.19" diff -ur --new-file /var/tmp/postfix-3.4.19/src/global/mail_version.h ./src/global/mail_version.h --- /var/tmp/postfix-3.4.19/src/global/mail_version.h 2021-01-17 10:23:09.000000000 -0500 +++ ./src/global/mail_version.h 2021-04-11 09:49:45.000000000 -0400 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20210117" -#define MAIL_VERSION_NUMBER "3.4.19" +#define MAIL_RELEASE_DATE "20210411" +#define MAIL_VERSION_NUMBER "3.4.20" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -ur --new-file /var/tmp/postfix-3.4.19/HISTORY ./HISTORY --- /var/tmp/postfix-3.4.19/HISTORY 2021-01-17 09:55:14.000000000 -0500 +++ ./HISTORY 2021-04-11 10:41:55.000000000 -0400 @@ -24572,3 +24572,24 @@ causing unnecessary dnssec_probe activity. The default is now "dane" when smtp_tls_security_level is "dane", otherwise it is "may". File: global/mail_params.h. + +20210411 + + Missing null pointer checks (introduced: Postfix 3.4) after + an internal I/O error during the smtp(8) to tlsproxy(8) + handshake. Found by Coverity, reported by Jaroslav Skarvada. + Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c. + + Null pointer bug (introduced: Postfix 3.0) and memory leak + (introduced: Postfix 3.4) after an inline: table syntax + error in main.cf or master.cf. Found by Coverity, reported + by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File: + util/dict_inline.c. + + Incomplete null pointer check (introduced: Postfix 2.10) + after truncated HaProxy version 1 handshake message. Found + by Coverity, reported by Jaroslav Skarvada. Fix by Viktor + Dukhovni. File: global/haproxy_srvr.c. + + Missing null pointer check (introduced: Postfix alpha) after + null argv[0] value. File: global/mail_task.c. diff -ur --new-file /var/tmp/postfix-3.4.19/src/global/haproxy_srvr.c ./src/global/haproxy_srvr.c --- /var/tmp/postfix-3.4.19/src/global/haproxy_srvr.c 2012-06-17 13:47:09.000000000 -0400 +++ ./src/global/haproxy_srvr.c 2021-04-04 13:01:15.000000000 -0400 @@ -59,6 +59,8 @@ static INET_PROTO_INFO *proto_info; +#define STR_OR_NULL(str) ((str) ? (str) : "(null)") + /* haproxy_srvr_parse_lit - extract and validate string literal */ static int haproxy_srvr_parse_lit(const char *str,...) @@ -68,7 +70,7 @@ int result = -1; if (msg_verbose) - msg_info("haproxy_srvr_parse: %s", str); + msg_info("haproxy_srvr_parse: %s", STR_OR_NULL(str)); if (str != 0) { va_start(ap, str); @@ -85,8 +87,10 @@ static int haproxy_srvr_parse_proto(const char *str, int *addr_family) { if (msg_verbose) - msg_info("haproxy_srvr_parse: proto=%s", str); + msg_info("haproxy_srvr_parse: proto=%s", STR_OR_NULL(str)); + if (str == 0) + return (-1); #ifdef AF_INET6 if (strcasecmp(str, "TCP6") == 0) { if (strchr((char *) proto_info->sa_family_list, AF_INET6) != 0) { @@ -110,7 +114,8 @@ int addr_family) { if (msg_verbose) - msg_info("haproxy_srvr_parse: addr=%s proto=%d", str, addr_family); + msg_info("haproxy_srvr_parse: addr=%s proto=%d", + STR_OR_NULL(str), addr_family); if (str == 0 || strlen(str) >= sizeof(MAI_HOSTADDR_STR)) return (-1); @@ -145,7 +150,7 @@ static int haproxy_srvr_parse_port(const char *str, MAI_SERVPORT_STR *port) { if (msg_verbose) - msg_info("haproxy_srvr_parse: port=%s", str); + msg_info("haproxy_srvr_parse: port=%s", STR_OR_NULL(str)); if (str == 0 || strlen(str) >= sizeof(MAI_SERVPORT_STR) || !valid_hostport(str, DONT_GRIPE)) { return (-1); diff -ur --new-file /var/tmp/postfix-3.4.19/src/global/mail_task.c ./src/global/mail_task.c --- /var/tmp/postfix-3.4.19/src/global/mail_task.c 2019-01-29 17:24:42.000000000 -0500 +++ ./src/global/mail_task.c 2021-04-04 16:18:38.000000000 -0400 @@ -17,8 +17,8 @@ /* /* The result is overwritten with each call. /* -/* A null argv0 argument requests that the current -/* result is returned. +/* A null argv0 argument requests that the current result is +/* returned, or "unknown" when no current result exists. /* LICENSE /* .ad /* .fi @@ -59,6 +59,8 @@ const char *slash; const char *tag; + if (argv0 == 0 && canon_name == 0) + argv0 = "unknown"; if (argv0) { if (canon_name == 0) canon_name = vstring_alloc(10); diff -ur --new-file /var/tmp/postfix-3.4.19/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c --- /var/tmp/postfix-3.4.19/src/tls/tls_proxy_client_scan.c 2019-02-11 08:32:27.000000000 -0500 +++ ./src/tls/tls_proxy_client_scan.c 2021-04-04 12:53:49.000000000 -0400 @@ -430,7 +430,8 @@ if (buf) vstring_free(buf); if (ret != 1) { - tls_proxy_client_certs_free(head); + if (head) + tls_proxy_client_certs_free(head); head = 0; } *(TLS_CERTS **) ptr = head; @@ -489,7 +490,8 @@ if (buf) vstring_free(buf); if (ret != 1) { - tls_proxy_client_pkeys_free(head); + if (head) + tls_proxy_client_pkeys_free(head); head = 0; } *(TLS_PKEYS **) ptr = head; @@ -538,7 +540,8 @@ ret = (ret == 3 ? 1 : -1); } if (ret != 1) { - tls_proxy_client_tlsa_free(head); + if (head) + tls_proxy_client_tlsa_free(head); head = 0; } *(TLS_TLSA **) ptr = head; diff -ur --new-file /var/tmp/postfix-3.4.19/src/util/dict_inline.c ./src/util/dict_inline.c --- /var/tmp/postfix-3.4.19/src/util/dict_inline.c 2018-11-05 19:25:30.000000000 -0500 +++ ./src/util/dict_inline.c 2021-04-04 12:53:49.000000000 -0400 @@ -113,9 +113,9 @@ dict = dict_open3(DICT_TYPE_HT, name, open_flags, dict_flags); dict_type_override(dict, DICT_TYPE_INLINE); while ((nameval = mystrtokq(&cp, CHARS_COMMA_SP, CHARS_BRACE)) != 0) { - if ((nameval[0] != CHARS_BRACE[0] - || (err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP)) == 0) - && (err = split_qnameval(nameval, &vname, &value)) != 0) + if (nameval[0] == CHARS_BRACE[0]) + err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP); + if (err != 0 || (err = split_qnameval(nameval, &vname, &value)) != 0) break; if ((dict->flags & DICT_FLAG_SRC_RHS_IS_FILE) != 0) {