From a0f5040c4d5878342bc6d391d692cf88007d06c0 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 14 Dec 2019 19:39:15 +0000 Subject: [PATCH] Zero smtp context structure after allocation --- doc/doc-txt/ChangeLog | 3 ++ src/src/transports/smtp.c | 43 ++++++++++++------------ src/src/verify.c | 5 ++- test/scripts/4062-pipe-conn-openssl/4062 | 2 +- test/stderr/4052 | 2 +- 5 files changed, 31 insertions(+), 24 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8e096face..de6166d8e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,9 @@ JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive should both provide the file and set the option. Also enforce no DMARC verification for command-line sourced messages. +JH/12 Fix an uninitialised flag in early-pipelining. Previously connections + could, depending on the platform, hang at the STARTTLS response. + Exim version 4.93 ----------------- diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index bb5fda1f4..8fd9ff94a 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -895,8 +895,9 @@ else sx->ehlo_resp = er->data; dbfn_close(dbm_file); DEBUG(D_transport) debug_printf( - "EHLO response bits from cache: cleartext 0x%04x crypted 0x%04x\n", - er->data.cleartext_features, er->data.crypted_features); + "EHLO response bits from cache: cleartext 0x%04x/0x%04x crypted 0x%04x/0x%04x\n", + er->data.cleartext_features, er->data.cleartext_auths, + er->data.crypted_features, er->data.crypted_auths); return TRUE; } dbfn_close(dbm_file); 
@@ -1904,39 +1905,39 @@ sx->conn_args.ob = ob; sx->lmtp = strcmpic(ob->protocol, US"lmtp") == 0; sx->smtps = strcmpic(ob->protocol, US"smtps") == 0; -sx->ok = FALSE; +/* sx->ok = FALSE; */ sx->send_rset = TRUE; sx->send_quit = TRUE; sx->setting_up = TRUE; sx->esmtp = TRUE; -sx->esmtp_sent = FALSE; +/* sx->esmtp_sent = FALSE; */ #ifdef SUPPORT_I18N -sx->utf8_needed = FALSE; +/* sx->utf8_needed = FALSE; */ #endif sx->dsn_all_lasthop = TRUE; #ifdef SUPPORT_DANE -sx->conn_args.dane = FALSE; +/* sx->conn_args.dane = FALSE; */ sx->dane_required = verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK; #endif #ifdef SUPPORT_PIPE_CONNECT -sx->early_pipe_active = sx->early_pipe_ok = FALSE; -sx->ehlo_resp.cleartext_features = sx->ehlo_resp.crypted_features = 0; -sx->pending_BANNER = sx->pending_EHLO = FALSE; +/* sx->early_pipe_active = sx->early_pipe_ok = FALSE; */ +/* sx->ehlo_resp.cleartext_features = sx->ehlo_resp.crypted_features = 0; */ +/* sx->pending_BANNER = sx->pending_EHLO = sx->pending_MAIL = FALSE; */ #endif if ((sx->max_rcpt = sx->conn_args.tblock->max_addresses) == 0) sx->max_rcpt = 999999; -sx->peer_offered = 0; -sx->avoid_option = 0; +/* sx->peer_offered = 0; */ +/* sx->avoid_option = 0; */ sx->igquotstr = US""; if (!sx->helo_data) sx->helo_data = ob->helo_data; #ifdef EXPERIMENTAL_DSN_INFO -sx->smtp_greeting = NULL; -sx->helo_response = NULL; +/* sx->smtp_greeting = NULL; */ +/* sx->helo_response = NULL; */ #endif smtp_command = US"initial connection"; -sx->buffer[0] = '\0'; +/* sx->buffer[0] = '\0'; */ /* Set up the buffer for reading SMTP response packets. */ 
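Review bot: The twelve `+/* sx->… ; */` lines in this hunk keep the old initialisers as commented-out code while the function's new precondition — that the caller has already zeroed `*sx` — is stated nowhere, and the enclosing function starts before this hunk. Commented-out code drifts (the commented `pending_BANNER` line already names `pending_MAIL`, which the removed line did not), so I would delete these lines and put one comment where the first of them stood: `/* Members not assigned below are relied on being 0/FALSE/NULL: the caller must memset(sx, 0, sizeof(*sx)) after allocating it (the memset calls added in this commit suggest store_get() returns uncleared storage). */`. The same leftover lines appear in the hunks at @@ -1950, @@ -3424 and @@ -3488 of this file and would go the same way.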
@@ -1950,9 +1951,9 @@ sx->inblock.ptrend = sx->inbuffer; sx->outblock.buffer = sx->outbuffer; sx->outblock.buffersize = sizeof(sx->outbuffer); sx->outblock.ptr = sx->outbuffer; -sx->outblock.cmd_count = 0; -sx->outblock.authenticating = FALSE; -sx->outblock.conn_args = NULL; +/* sx->outblock.cmd_count = 0; */ +/* sx->outblock.authenticating = FALSE; */ +/* sx->outblock.conn_args = NULL; */ /* Reset the parameters of a TLS session. */ @@ -3410,13 +3411,13 @@ struct timeval start_delivery_time; BOOL pass_message = FALSE; uschar *message = NULL; uschar new_message_id[MESSAGE_ID_LENGTH + 1]; - smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */ gettimeofday(&start_delivery_time, NULL); suppress_tls = suppress_tls; /* stop compiler warning when no TLS support */ *message_defer = FALSE; +memset(sx, 0, sizeof(*sx)); sx->addrlist = addrlist; sx->conn_args.host = host; sx->conn_args.host_af = host_af, @@ -3424,7 +3425,7 @@ sx->port = defport; sx->conn_args.interface = interface; sx->helo_data = NULL; sx->conn_args.tblock = tblock; -sx->verify = FALSE; +/* sx->verify = FALSE; */ sx->sync_addr = sx->first_addr = addrlist; /* Get the channel set up ready for a message (MAIL FROM being the next @@ -3488,9 +3489,9 @@ always has a sequence number greater than one. */ if (continue_hostname && continue_sequence == 1) { sx->peer_offered = smtp_peer_options; - sx->pending_MAIL = FALSE; + /* sx->pending_MAIL = FALSE; */ sx->ok = TRUE; - sx->next_addr = NULL; + /* sx->next_addr = NULL; */ for (address_item * addr = addrlist; addr; addr = addr->next) addr->transport_return = PENDING_OK; diff --git a/src/src/verify.c b/src/src/verify.c index 5c0678c4b..edc4869ac 100644 --- a/src/src/verify.c +++ b/src/src/verify.c 
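Review bot: In the hunk at @@ -3410 the added `memset(sx, 0, sizeof(*sx));` sits three statements away from the allocation it protects and carries no comment saying why it is now required, so a later edit that writes a member between the allocation and the memset would be silently undone. The `store_get()` line that returned `sx` is removed here and no other declaration of `sx` is visible in the hunk, so I assume it is declared earlier in the enclosing function, which begins before this hunk; I would place the zeroing directly after that allocation and annotate it: `memset(sx, 0, sizeof(*sx));	/* whole-struct zero: smtp_setup_conn() no longer initialises members individually */`.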
@@ -574,6 +574,7 @@ else { smtp_transport_options_block *ob = (smtp_transport_options_block *)addr->transport->options_block; + smtp_context * sx = NULL; /* The information wasn't available in the cache, so we have to do a real callout and save the result in the cache for next time, unless no_cache is set, @@ -626,7 +627,6 @@ coding means skipping this whole loop and doing the append separately. */ int host_af; int port = 25; uschar * interface = NULL; /* Outgoing interface to use; NULL => any */ - smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted buffers */ if (!host->address) { @@ -666,6 +666,9 @@ coding means skipping this whole loop and doing the append separately. */ log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, addr->message); + if (!sx) sx = store_get(sizeof(*sx), TRUE); /* tainted buffers */ + memset(sx, 0, sizeof(*sx)); + sx->addrlist = addr; sx->conn_args.host = host; sx->conn_args.host_af = host_af, diff --git a/test/scripts/4062-pipe-conn-openssl/4062 b/test/scripts/4062-pipe-conn-openssl/4062 index 87b156c6c..bd0fe5725 100644 --- a/test/scripts/4062-pipe-conn-openssl/4062 +++ b/test/scripts/4062-pipe-conn-openssl/4062 @@ -1,4 +1,4 @@ -# starttls +# early-pipe & starttls # # Not attempted without a cache entry exim -bd -DSERVER=server -oX PORT_D diff --git a/test/stderr/4052 b/test/stderr/4052 index 261c73ba7..cc5ee7384 100644 --- a/test/stderr/4052 +++ b/test/stderr/4052 @@ -20,7 +20,7 @@ no message retry record 127.0.0.1 [127.0.0.1]:1111 retry-status = usable delivering 10HmbG-0005vi-00 to 127.0.0.1 [127.0.0.1] (extchange@test.ex) Transport port=25 replaced by host-specific port=1225 -EHLO response bits from cache: cleartext 0x0120 crypted 0x0000 +EHLO response bits from cache: cleartext 0x0120/0x0000 crypted 0x0000/0x0000 Using cached cleartext PIPE_CONNECT SMTP>> EHLO the.local.host.name using PIPELINING -- 2.25.1
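Review bot: In the hunk at @@ -666 the `memset(sx, 0, sizeof(*sx));` after `if (!sx) sx = store_get(sizeof(*sx), TRUE);` is what discards the previous host's state now that the allocation has been hoisted out of the per-host loop (the `store_get()` removed at @@ -626 and the `sx = NULL` added at @@ -574), but nothing at the call site says so, and a reader could drop the memset as a duplicate of the one in smtp.c. I would keep the pair and document it: `/* One context per callout, re-zeroed for each host so no flags or buffer state carries over */`. The enclosing function starts before this hunk; the loop is taken from the @@ -626 context text rather than from lines shown here.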