From: Stephan Bosch
Date: Tue, 24 Mar 2020 11:25:03 +0000 (+0100)
Subject: lib-smtp: smtp-server-connection - Hold a command reference while executing a command.
X-Git-Tag: 2.3.10.1~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18d5837748d3eafe56e080653d5ed0b3e221be0b;p=thirdparty%2Fdovecot%2Fcore.git
lib-smtp: smtp-server-connection - Hold a command reference while executing a command.
This fixes a use-after-free problem at the end of smtp_server_connection_handle_command().
---
diff --git a/src/lib-smtp/smtp-server-connection.c b/src/lib-smtp/smtp-server-connection.c
index 24843088fc..a4b7047ed7 100644
--- a/src/lib-smtp/smtp-server-connection.c
+++ b/src/lib-smtp/smtp-server-connection.c
@@ -293,21 +293,28 @@ smtp_server_connection_handle_command(struct smtp_server_connection *conn,
 {
 struct smtp_server_connection *tmp_conn = conn;
 struct smtp_server_command *cmd;
+ bool finished;
- smtp_server_connection_ref(tmp_conn);
 cmd = smtp_server_command_new(tmp_conn, cmd_name);
+
+ smtp_server_command_ref(cmd);
+
+ smtp_server_connection_ref(tmp_conn);
 smtp_server_command_execute(cmd, cmd_params);
 if (!smtp_server_connection_unref(&tmp_conn)) {
 /* the command start callback managed to get this connection destroyed */
+ smtp_server_command_unref(&cmd);
 return FALSE;
 }
- if (cmd != NULL && conn->command_queue_head == cmd)
+ if (conn->command_queue_head == cmd)
 (void)smtp_server_command_next_to_reply(&cmd);
 smtp_server_connection_timeout_update(conn);
- return (cmd == NULL || !cmd->input_locked);
+
+ finished = !cmd->input_locked;
+ return (!smtp_server_command_unref(&cmd) || finished);
 }
 static int
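Review bot: In the early-return branch, `smtp_server_command_unref(&cmd)` runs after `smtp_server_connection_unref(&tmp_conn)` has already reported the connection destroyed. If dropping the last command reference touches the owning connection, this path would swap one use-after-free for another, and nothing in the hunk shows whether command teardown is safe without a live connection. If it is safe, record that at the call, e.g. `/* conn is gone; releasing cmd here must not dereference it */`. Separately, the removed `cmd != NULL` checks mean the final `cmd->input_locked` read now depends on the extra reference keeping `cmd` non-NULL across `smtp_server_command_next_to_reply(&cmd)`, whose result is still discarded; an `i_assert(cmd != NULL);` before `finished = !cmd->input_locked;` would make that invariant explicit. The function's signature begins outside the hunk.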