author | Todd C. Miller <millert@cvs.openbsd.org> | 2023-03-19 01:43:12 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2023-03-19 01:43:12 +0000 |
commit | 7e0a723bc5d9a22bd17e00edd6e0338909ab9fe3 (patch) | |
tree | b8d733424b1f8b9af8231483164142a45abb3935 /usr.sbin/smtpd | |
parent | 8639dc0b019ed1e704a31848e57deec461967bf3 (diff) |
Fix a potential NULL dereference in the unpriv child expanding %{mda}.
It is not legal to use %{mda} in anything but an mda wrapper.
mda_expand_token() will now return an error when %{mda} is used and
mda_command is NULL. OK op@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/mda_variables.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/usr.sbin/smtpd/mda_variables.c b/usr.sbin/smtpd/mda_variables.c
index 3592ca9938b..7c14d2eb551 100644
--- a/usr.sbin/smtpd/mda_variables.c
+++ b/usr.sbin/smtpd/mda_variables.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mda_variables.c,v 1.7 2021/06/14 17:58:15 eric Exp $ */
+/* $OpenBSD: mda_variables.c,v 1.8 2023/03/19 01:43:11 millert Exp $ */
 /*
 * Copyright (c) 2011-2017 Gilles Chehade <gilles@poolp.org>
@@ -51,7 +51,7 @@ mda_expand_token(char *dest, size_t len, const char *token,
 {
 char rtoken[MAXTOKENLEN];
 char tmp[EXPAND_BUFFER];
- const char *string;
+ const char *string = NULL;
 char *lbracket, *rbracket, *content, *sep, *mods;
 ssize_t i;
 ssize_t begoff, endoff;
@@ -159,6 +159,8 @@ mda_expand_token(char *dest, size_t len, const char *token,
 return -1;
 if (string != tmp) {
+ if (string == NULL)
+ return -1;
 if (strlcpy(tmp, string, sizeof tmp) >= sizeof tmp)
 return -1;
 string = tmp; |
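Review bot: The new `if (string == NULL) return -1;` guard inside the `if (string != tmp)` block has no comment, so a reader of mda_variables.c cannot tell which token can leave `string` unset; per the commit message it is `%{mda}` when mda_command is NULL. I would add `/* %{mda} is only valid in an mda wrapper; mda_command is NULL otherwise */` directly above the check. The failure is also silent at this point: the function returns -1 without logging anything, so unless a caller outside this hunk reports the failed expansion, an administrator who misuses `%{mda}` gets no hint of the cause. It is worth confirming that the caller logs the offending token. The guard relies on the `= NULL` initialiser added in the second hunk, and the body of mda_expand_token starts and ends outside both hunks.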