postfix-3.5.10

postfix/HISTORY

@@ -24905,3 +24905,24 @@ Apologies for any names omitted.
         causing unnecessary dnssec_probe activity. The default is now
         "dane" when smtp_tls_security_level is "dane", otherwise it is
         "may". File: global/mail_params.h.
+
+20210411
+
+	Missing null pointer checks (introduced: Postfix 3.4) after
+	an internal I/O error during the smtp(8) to tlsproxy(8)
+	handshake. Found by Coverity, reported by Jaroslav Skarvada.
+	Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c.
+
+	Null pointer bug (introduced: Postfix 3.0) and memory leak
+	(introduced: Postfix 3.4) after an inline: table syntax
+	error in main.cf or master.cf. Found by Coverity, reported
+	by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File:
+	util/dict_inline.c.
+
+	Incomplete null pointer check (introduced: Postfix 2.10)
+	after truncated HaProxy version 1 handshake message. Found
+	by Coverity, reported by Jaroslav Skarvada. Fix by Viktor
+	Dukhovni. File: global/haproxy_srvr.c.
+
+	Missing null pointer check (introduced: Postfix alpha) after
+	null argv[0] value. File: global/mail_task.c.

postfix/src/global/haproxy_srvr.c

@@ -201,6 +201,8 @@ static int haproxy_srvr_parse_proto(const char *str, int *addr_family)
     if (msg_verbose)
 	msg_info("haproxy_srvr_parse: proto=%s", STR_OR_NULL(str));
 
+    if (str == 0)
+	return (-1);
 #ifdef AF_INET6
     if (strcasecmp(str, "TCP6") == 0) {
 	if (strchr((char *) proto_info->sa_family_list, AF_INET6) != 0) {

postfix/src/global/mail_task.c

@@ -17,8 +17,8 @@
 /*
 /*	The result is overwritten with each call.
 /*
-/*	A null argv0 argument requests that the current
-/*	result is returned.
+/*	A null argv0 argument requests that the current result is
+/*	returned, or "unknown" when no current result exists.
 /* LICENSE
 /* .ad
 /* .fi
@@ -59,6 +59,8 @@ const char *mail_task(const char *argv0)
     const char *slash;
     const char *tag;
 
+    if (argv0 == 0 && canon_name == 0)
+	argv0 = "unknown";
     if (argv0) {
 	if (canon_name == 0)
 	    canon_name = vstring_alloc(10);

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20210117"
-#define MAIL_VERSION_NUMBER	"3.5.9"
+#define MAIL_RELEASE_DATE	"20210411"
+#define MAIL_VERSION_NUMBER	"3.5.10"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/tls/tls_proxy_client_scan.c

@@ -430,6 +430,7 @@ static int tls_proxy_client_certs_scan(ATTR_SCAN_MASTER_FN scan_fn,
     if (buf)
 	vstring_free(buf);
     if (ret != 1) {
+	if (head)
 	    tls_proxy_client_certs_free(head);
 	head = 0;
     }
@@ -489,6 +490,7 @@ static int tls_proxy_client_pkeys_scan(ATTR_SCAN_MASTER_FN scan_fn,
     if (buf)
 	vstring_free(buf);
     if (ret != 1) {
+	if (head)
 	    tls_proxy_client_pkeys_free(head);
 	head = 0;
     }
@@ -538,6 +540,7 @@ static int tls_proxy_client_tlsa_scan(ATTR_SCAN_MASTER_FN scan_fn,
 	ret = (ret == 3 ? 1 : -1);
     }
     if (ret != 1) {
+	if (head)
 	    tls_proxy_client_tlsa_free(head);
 	head = 0;
     }

postfix/src/util/dict_inline.c

@@ -113,9 +113,9 @@ DICT   *dict_inline_open(const char *name, int open_flags, int dict_flags)
     dict = dict_open3(DICT_TYPE_HT, name, open_flags, dict_flags);
     dict_type_override(dict, DICT_TYPE_INLINE);
     while ((nameval = mystrtokq(&cp, CHARS_COMMA_SP, CHARS_BRACE)) != 0) {
-	if ((nameval[0] != CHARS_BRACE[0]
-	     || (err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP)) == 0)
-	    && (err = split_qnameval(nameval, &vname, &value)) != 0)
+	if (nameval[0] == CHARS_BRACE[0])
+	    err = free_me = extpar(&nameval, CHARS_BRACE, EXTPAR_FLAG_STRIP);
+	if (err != 0 || (err = split_qnameval(nameval, &vname, &value)) != 0)
 	    break;
 
 	if ((dict->flags & DICT_FLAG_SRC_RHS_IS_FILE) != 0) {