lib-smtp: smtp-server-connection - Hold a command reference while executing a command.
authorStephan Bosch <stephan.bosch@open-xchange.com>
Tue, 24 Mar 2020 11:25:03 +0000 (12:25 +0100)
committerTimo Sirainen <timo.sirainen@open-xchange.com>
Wed, 1 Apr 2020 08:49:25 +0000 (11:49 +0300)
This fixes a use-after-free problem at the end of
smtp_server_connection_handle_command().

src/lib-smtp/smtp-server-connection.c

index 24843088fc7929c7be8be3ac96e1b204302428ce..a4b7047ed7ab54a9e5f87f27af0289a278f07399 100644 (file)
@@ -293,21 +293,28 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
 {
        struct smtp_server_connection *tmp_conn = conn;
        struct smtp_server_command *cmd;
+       bool finished;
 
-       smtp_server_connection_ref(tmp_conn);
        cmd = smtp_server_command_new(tmp_conn, cmd_name);
+
+       smtp_server_command_ref(cmd);
+
+       smtp_server_connection_ref(tmp_conn);
        smtp_server_command_execute(cmd, cmd_params);
        if (!smtp_server_connection_unref(&tmp_conn)) {
                /* the command start callback managed to get this connection
                   destroyed */
+               smtp_server_command_unref(&cmd);
                return FALSE;
        }
 
-       if (cmd != NULL && conn->command_queue_head == cmd)
+       if (conn->command_queue_head == cmd)
                (void)smtp_server_command_next_to_reply(&cmd);
 
        smtp_server_connection_timeout_update(conn);
-       return (cmd == NULL || !cmd->input_locked);
+
+       finished = !cmd->input_locked;
+       return (!smtp_server_command_unref(&cmd) || finished);
 }
 
 static int
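Review bot: The closing `finished = !cmd->input_locked;` now dereferences `cmd` unconditionally, even though `smtp_server_command_next_to_reply(&cmd)` just above still takes the pointer by address and its result is discarded. The removed `cmd != NULL` and `cmd == NULL` checks suggest that this callee could previously clear the pointer. Presumably the reference taken by `smtp_server_command_ref(cmd)` now keeps the command alive and the pointer set across that call, but nothing in the hunk shows it. I would pin the invariant down with `i_assert(cmd != NULL);` just before the `input_locked` read, or at least a comment such as `/* our own reference keeps cmd valid past next_to_reply() */`. The function's signature begins above the hunk, so the calling context is not visible here.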