From 877bcf024a97bf9d92660d4c8a442dc6a79ddaca Mon Sep 17 00:00:00 2001 From: deraadt Date: Thu, 2 Apr 2026 17:23:04 +0000 Subject: [PATCH] If a fd satisfies both POLLIN and POLLOUT in the same cycle, but the POLLIN resulted in a file close, the POLLOUT runs incorrectly which matters in the TLS context which attempts to read after free. from James J. Lippard ok millert --- libexec/spamd/spamd.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c index 53fbc72979e..487d5f683d3 100644 --- a/libexec/spamd/spamd.c +++ b/libexec/spamd/spamd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spamd.c,v 1.163 2024/05/09 08:35:03 florian Exp $ */ +/* $OpenBSD: spamd.c,v 1.164 2026/04/02 17:23:04 deraadt Exp $ */ /* * Copyright (c) 2015 Henning Brauer @@ -761,6 +761,7 @@ closecon(struct con *cp) if (cp->cctx) { tls_close(cp->cctx); tls_free(cp->cctx); + cp->cctx = NULL; } close(cp->pfd->fd); cp->pfd->fd = -1; @@ -1653,7 +1654,8 @@ jail: else handler(&con[i]); } - if (pfd[PFD_FIRSTCON + i].revents & POLLOUT) { + if (con[i].pfd->fd != -1 && + (pfd[PFD_FIRSTCON + i].revents & POLLOUT)) { if (con[i].tlsaction == SPAMD_TLS_ACT_READ_POLLOUT) handler(&con[i]);