From: Wietse Venema
Date: Wed, 5 Apr 2006 05:00:00 +0000 (-0500)
Subject: postfix-2.2.10
X-Git-Tag: v2.2.10^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00eac8f824fd4409931152011fd1806e31e72bea;p=thirdparty%2Fpostfix.git
postfix-2.2.10
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 6515148ae..0c85ec7f4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -10897,3 +10897,26 @@ Apologies for any names omitted. 20060403 Bugfix: the pipe-to-command error message was lost when the command could not be executed. File: global/pipe_command.c.
+
+20060404
+
+ Bugfix in sanity check: after reading a record from the
+ address verification database, a sanity check did not reject
+ a record with all-zero time stamp fields. Such records are
+ never written; the test is there just in case something is
+ broken, so that Postfix will not blindly march on and create
+ chaos. The sanity check tested pointer values, instead of
+ dereferencing the pointers. Found by Coverity. File:
+ verify/verify.c.
+
+ Bugfix in sanity check: when the maildir delivery routine
+ opens an output file it looks up the file attributes via
+ the file handle it just got. There is a sanity check that
+ detects if the attribute lookup fails, an error that never
+ happens. The code that handles the impossible error did not
+ close the output file. This would cause a virtual or local
+ delivery agent to waste up to 100 file descriptors. But
+ for that error to happen the system would have to be so
+ sick that you would have more serious problems than a file
+ descriptor leak. Found by Coverity. Files: local/maildir.c,
+ virtual/maildir.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 722d61199..faad697b6 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change the patchlevel and the release date. Snapshots change the
 * release date only.
 */
-#define MAIL_RELEASE_DATE "20060403"
-#define MAIL_VERSION_NUMBER "2.2.10-RC2"
+#define MAIL_RELEASE_DATE "20060405"
+#define MAIL_VERSION_NUMBER "2.2.10"
 #define VAR_MAIL_VERSION "mail_version"
 #ifdef SNAPSHOT
diff --git a/postfix/src/local/maildir.c b/postfix/src/local/maildir.c
index 5d0ab04af..d44d46332 100644
--- a/postfix/src/local/maildir.c
+++ b/postfix/src/local/maildir.c
@@ -189,7 +189,13 @@ int deliver_maildir(LOCAL_STATE state, USER_ATTR usr_attr, char *path)
 || (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
 vstring_sprintf(why, "create %s: %m", tmpfile);
 } else if (fstat(vstream_fileno(dst), &st) < 0) {
- vstring_sprintf(why, "create %s: %m", tmpfile);
+
+ /*
+ * Coverity 200604: file descriptor leak in code that never executes.
+ * Code replaced by msg_fatal(), as it is not worthwhile to continue
+ * after an impossible error condition.
+ */
+ msg_fatal("fstat %s: %m", tmpfile);
 } else {
 vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
 (unsigned long) starttime.tv_sec,
diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c
index 71f32dcb0..cf4d1d3d2 100644
--- a/postfix/src/verify/verify.c
+++ b/postfix/src/verify/verify.c
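Review bot: In postfix/src/local/maildir.c the new `msg_fatal("fstat %s: %m", tmpfile)` branch ends the process while the file just created with `O_CREAT | O_EXCL` is still in place, and nothing in this hunk removes it; the identical change in postfix/src/virtual/maildir.c has the same property. Failing hard on an impossible result is a reasonable fail-closed choice, but the comment explains only the descriptor leak, not what is left behind or what becomes of the message being delivered. I would extend it with something like `* msg_fatal() does not return; the temporary file is not removed here.` and, if it holds for the callers, a sentence saying the delivery is retried later. The body of deliver_maildir starts and ends outside the hunk, so any cleanup elsewhere in the function is not visible.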
@@ -266,11 +266,18 @@ static int verify_parse_entry(char *buf, int *status, long *probed,
 *probed = atol(probed_text);
 *updated = atol(updated_text);
 *status = atoi(buf);
+
+ /*
+ * Coverity 200604: the code incorrectly tested (probed || updated),
+ * so that the sanity check never detected all-zero time stamps. Such
+ * records are never written. If we read a record with all-zero time
+ * stamps, then something is badly broken.
+ */
 if ((*status == DEL_RCPT_STAT_OK
 || *status == DEL_RCPT_STAT_DEFER
 || *status == DEL_RCPT_STAT_BOUNCE
 || *status == DEL_RCPT_STAT_TODO)
- && (probed || updated))
+ && (*probed || *updated))
 return (0);
 }
 msg_warn("bad address verify table entry: %.100s", buf);
diff --git a/postfix/src/virtual/maildir.c b/postfix/src/virtual/maildir.c
index b7f46bddd..6b7a08203 100644
--- a/postfix/src/virtual/maildir.c
+++ b/postfix/src/virtual/maildir.c
@@ -187,7 +187,13 @@ int deliver_maildir(LOCAL_STATE state, USER_ATTR usr_attr)
 || (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
 vstring_sprintf(why, "create %s: %m", tmpfile);
 } else if (fstat(vstream_fileno(dst), &st) < 0) {
- vstring_sprintf(why, "create %s: %m", tmpfile);
+
+ /*
+ * Coverity 200604: file descriptor leak in code that never executes.
+ * Code replaced by msg_fatal(), as it is not worthwhile to continue
+ * after an impossible error condition.
+ */
+ msg_fatal("fstat %s: %m", tmpfile);
 } else {
 vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
 (unsigned long) starttime.tv_sec,
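Review bot: In verify_parse_entry (postfix/src/verify/verify.c) the corrected test `(*probed || *updated)` still accepts negative time stamps and values where `atol()` silently stopped at trailing garbage, because `atol()`/`atoi()` report no conversion error and their behaviour on out-of-range input is undefined. Since this check exists to catch a damaged table, parsing with `strtol()` and checking the end pointer and `errno` would let it reject such records; a smaller step is `&& *probed >= 0 && *updated >= 0 && (*probed || *updated))`, assuming negative time stamps are never written. The function starts before the hunk, so how `probed_text` and `updated_text` are split out of `buf` is not visible here.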