20060403
Bugfix: the pipe-to-command error message was lost when the
command could not be executed. File: global/pipe_command.c.
+
+20060404
+
+ Bugfix in sanity check: after reading a record from the
+ address verification database, a sanity check did not reject
+ a record with all-zero time stamp fields. Such records are
+ never written; the test is there just in case something is
+ broken, so that Postfix will not blindly march on and create
+ chaos. The sanity check tested pointer values, instead of
+ dereferencing the pointers. Found by Coverity. File:
+ verify/verify.c.
+
+ Bugfix in sanity check: when the maildir delivery routine
+ opens an output file it looks up the file attributes via
+ the file handle it just got. There is a sanity check that
+ detects if the attribute lookup fails, an error that never
+ happens. The code that handles the impossible error did not
+ close the output file. This would cause a virtual or local
+ delivery agent to waste up to 100 file descriptors. But
+ for that error to happen the system would have to be so
+ sick that you would have more serious problems than a file
+ descriptor leak. Found by Coverity. Files: local/maildir.c,
+ virtual/maildir.c.
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
-#define MAIL_RELEASE_DATE "20060403"
-#define MAIL_VERSION_NUMBER "2.2.10-RC2"
+#define MAIL_RELEASE_DATE "20060405"
+#define MAIL_VERSION_NUMBER "2.2.10"
#define VAR_MAIL_VERSION "mail_version"
#ifdef SNAPSHOT
|| (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
vstring_sprintf(why, "create %s: %m", tmpfile);
} else if (fstat(vstream_fileno(dst), &st) < 0) {
- vstring_sprintf(why, "create %s: %m", tmpfile);
+
+ /*
+ * Coverity 200604: file descriptor leak in code that never executes.
+ * Code replaced by msg_fatal(), as it is not worthwhile to continue
+ * after an impossible error condition.
+ */
+ msg_fatal("fstat %s: %m", tmpfile);
} else {
vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
(unsigned long) starttime.tv_sec,
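Review bot: The new `msg_fatal("fstat %s: %m", tmpfile);` branch terminates the process after `vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)` has already created the file, so the descriptor is reclaimed at exit but the temporary file itself stays on disk. The function begins and ends outside this hunk, so whether the non-fatal path removes tmpfile later cannot be confirmed from here; if it does, the fatal path skips that cleanup. Either remove the file first while preserving errno for `%m`, e.g. `saved_errno = errno; (void) unlink(tmpfile); errno = saved_errno;`, or extend the comment with a line such as `* The temporary file is deliberately left behind for inspection.` so the choice is explicit. The same applies to the identical change in the second maildir hunk at the end of the patch.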
*probed = atol(probed_text);
*updated = atol(updated_text);
*status = atoi(buf);
+
+ /*
+ * Coverity 200604: the code incorrectly tested (probed || updated),
+ * so that the sanity check never detected all-zero time stamps. Such
+ * records are never written. If we read a record with all-zero time
+ * stamps, then something is badly broken.
+ */
if ((*status == DEL_RCPT_STAT_OK
|| *status == DEL_RCPT_STAT_DEFER
|| *status == DEL_RCPT_STAT_BOUNCE
|| *status == DEL_RCPT_STAT_TODO)
- && (probed || updated))
+ && (*probed || *updated))
return (0);
}
msg_warn("bad address verify table entry: %.100s", buf);
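Review bot: The corrected test `(*probed || *updated)` still relies on `atol(probed_text)`, `atol(updated_text)` and `atoi(buf)` in the context lines just above it, and those cannot tell a literal "0" from non-numeric text and have undefined behaviour on out-of-range input. A record with one garbled time stamp and one valid one therefore passes the sanity check as if it were well formed. Since this check exists to catch a corrupted verification database, parsing with `strtol()` and rejecting on `end == probed_text || *end != 0 || errno == ERANGE` would make it cover malformed fields as well as all-zero ones. The enclosing function starts and ends outside the hunk, so the exact types of `*probed` and `*updated` should be confirmed before changing the conversion.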
|| (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
vstring_sprintf(why, "create %s: %m", tmpfile);
} else if (fstat(vstream_fileno(dst), &st) < 0) {
- vstring_sprintf(why, "create %s: %m", tmpfile);
+
+ /*
+ * Coverity 200604: file descriptor leak in code that never executes.
+ * Code replaced by msg_fatal(), as it is not worthwhile to continue
+ * after an impossible error condition.
+ */
+ msg_fatal("fstat %s: %m", tmpfile);
} else {
vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
(unsigned long) starttime.tv_sec,