Bugfix (defect introduced: Postfix 3.1, date 20150607): null pointer read and heap data overread in the Postfix SMTP client's smtp_dns_reply_filter. Problem reported by TristanInSec, found with ASAN. Also reported by other people. Reproduction and real-world impact researched by Wietse. File: dns/dns_strrecord.c. This is a different problem than the one that was introduced later in Postfix 3.6. The root cause is a missing 'break' statement after the code that converts a TLSA record to string.

Reproduction:
=============

The problem happens when smtp_dns_reply_filter is configured (this is disabled by default); the Postfix SMTP client is configured to use opportunistic or mandatory DANE authentication (this is disabled by default); the destination domain publishes a TLSA record that is empty or shorter than 20 bytes; and the OS is configured to use a resolver that passes such a TLSA record.

For example, a zero-length TLSA record is blocked by BIND, Google DNS, OpenDNS, and by configurations that use systemd-resolved (the default on many LINUX systems); it is passed by Cloudflare, Quad9 DNS, and unbound, as long as these resolvers are used without systemd-resolved.

Impact statement:
=================

SMTP client termination with a null pointer read crash when the TLSA record length is zero; or an SMTP client data overread (or rarely, SMTP client termination with a read segfault crash) when 0 < record length < 20 bytes. The overread content is not disclosed.

The impact of SMTP client crashes is easily overstated. That said, crashes must be eliminated regardless of their impact.

On systems that deliver fewer than one message per minute, an SMTP client crash can result in a delay of up to one minute for email delivery to other destination domains.
On systems with a larger traffic volume, the impact of a null pointer or other segfault crash on deliveries to other destination domains is minor because Postfix reuses SMTP client processes and replaces a failed process within seconds (self-healing); the practical impact is believed to be no worse than that of an uncooperative receiver that tarpits SMTP connections from Postfix to one or more destination domains under their control (by replying within Postfix SMTP client read time limits, which are several minutes by default).

diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' '--exclude=INSTALL' --no-dereference -r -ur --new-file /var/tmp/postfix-3.12-20260516/src/dns/dns_strrecord.c ./src/dns/dns_strrecord.c --- /var/tmp/postfix-3.12-20260516/src/dns/dns_strrecord.c 2023-02-13 15:58:00.000000000 -0500 +++ ./src/dns/dns_strrecord.c 2026-05-20 17:20:10.150886351 -0400 @@ -99,6 +99,8 @@ } else { vstring_sprintf_append(buf, "[truncated record]"); } + /* 202605 Missing break found by TristanInSec using ASAN. */ + break; /* * We use the SOA record TTL to determine the negative reply TTL. We
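Review bot: the added `break;` is the right one-statement fix, since it stops both the formatted-TLSA path and the "[truncated record]" branch from falling through into the SOA code introduced by the comment "We use the SOA record TTL to determine the negative reply TTL", but nothing in the hunk keeps the same defect from recurring; consider adding a regression test that feeds a zero-length and a sub-20-byte TLSA RDATA through dns_strrecord, and building with -Wimplicit-fallthrough so any other case arm in this switch that lacks a break is reported at compile time. The new comment could also say what the missing break caused (fall-through into the SOA formatting code) rather than only who found it, since "202605 Missing break found by TristanInSec using ASAN." does not tell a future reader why the statement must stay.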
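To show the class of defect behind this fix, here is an added example; it is a hypothetical model written for this note, not code from Postfix or from dns/dns_strrecord.c. A record-to-text switch has a TLSA arm with no break, so control falls into the SOA arm, which assumes the five 32-bit SOA fields (20 bytes) are present; the model bounds-checks and counts every read instead of performing it, so it reports where the original would have dereferenced NULL (zero-length record) or read past the buffer (length below 20) rather than crashing. The RR type numbers are the real ones; the field layout, the function names and the sample bytes are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Simplified model of a DNS record-to-text switch; hypothetical, not Postfix code. */
enum { T_SOA = 6, T_TLSA = 52 };    /* real RR type numbers */
typedef struct { int type; const unsigned char *data; size_t data_len; } rec_t;   /* data is NULL when data_len == 0 */

/* Bounds-checked big-endian 32-bit read; a read past the end, or through NULL data, is counted in *bad_reads, not performed. */
static uint32_t get_u32(const rec_t *rr, size_t off, int *bad_reads)
{
    if (rr->data == NULL || off + 4 > rr->data_len)
        return (*bad_reads)++, 0;
    return ((uint32_t) rr->data[off] << 24) | ((uint32_t) rr->data[off + 1] << 16)
        | ((uint32_t) rr->data[off + 2] << 8) | rr->data[off + 3];
}

/* Formats rr into out; returns how many reads would have run past the record.
 * fixed = 0 is the defective switch (no break after the TLSA arm), fixed = 1 the patched one. */
int format_record(const rec_t *rr, int fixed, char *out, size_t outlen)
{
    int bad_reads = 0;
    uint32_t f[5];                  /* the SOA arm assumes 5 x 32 bits = 20 bytes of fields */
    out[0] = '\0';
    switch (rr->type) {
    case T_TLSA:
        if (rr->data_len >= 3)      /* usage, selector, matching type */
            snprintf(out, outlen, "TLSA %d %d %d", rr->data[0], rr->data[1], rr->data[2]);
        else
            snprintf(out, outlen, "[truncated record]");
        if (fixed)
            break;
        /* FALLTHROUGH: the modelled defect; the SOA arm now runs on TLSA data. */
    case T_SOA:
        for (size_t i = 0; i < 5; i++)
            f[i] = get_u32(rr, 4 * i, &bad_reads);
        snprintf(out + strlen(out), outlen - strlen(out), " SOA %u %u %u %u %u", f[0], f[1], f[2], f[3], f[4]);
        break;
    }
    return bad_reads;
}

/* Constructed TLSA RDATA of the given length (NULL for len == 0); returns the bad-read count. */
int tlsa_bad_reads(size_t len, int fixed)
{
    static const unsigned char sample[20] = { 3, 1, 1, 0xde, 0xad, 0xbe, 0xef, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };
    rec_t rr = { T_TLSA, len ? sample : NULL, len < sizeof sample ? len : sizeof sample };
    char out[128];
    return format_record(&rr, fixed, out, sizeof out);
}
```

With the break missing, a zero-length record produces five refused reads through the NULL pointer and a 10-byte record three reads past its end; a 20-byte record is silently formatted twice, which matches the description above of why only records shorter than 20 bytes crash or overread.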