lib-smtp: smtp-server-cmd-data - Fix crash occurring when BDAT is the last in a too...

When smtp_server_reply() detects that too many replies were sent regarding
syntax errors, it will terminate the connection. Most commands will just stop
processing and exit when a reply is submitted, so no crash occurs for those.
However, BDAT will try to skip the data block, so that it will not be
interpreted as a large set of input commands, which subsequentely crashes
because the command parser is already gone after terminating the connection.

diff --git a/src/lib-smtp/smtp-server-cmd-data.c b/src/lib-smtp/smtp-server-cmd-data.c
index 572b52dee9655531381cf93b3731b079b6172f70..1acaa3d1e54f055e3c4c69b5a80a61cf7a78882d 100644 (file)
--- a/src/lib-smtp/smtp-server-cmd-data.c
+++ b/src/lib-smtp/smtp-server-cmd-data.c
@@ -644,9 +644,9 @@ void smtp_server_cmd_bdat(struct smtp_server_cmd_ctx *cmd,
                }
        }
 
-       if (ret > 0 || size > 0) {
-               /* read/skip data even in case of error, as long as size is
-                  known */
+       if (ret > 0 || (size > 0 && !conn->disconnected)) {
+               /* Read/skip data even in case of error, as long as size is
+                  known and connection is still usable. */
                input = smtp_command_parse_data_with_size(conn->smtp_parser,
                                                          size);
        }