untrusted comment: verify with openbsd-79-base.pub
RWTSdNN9A3yvWMiTHi02/iyT2h/xx4pNtE+pgqGsFCoENhcFJwvK/T+QkNdDTyqLcAVe6fFkrNR2NioA4KJMzna7HqCjdKHy4wI=
OpenBSD 7.9 errata 002, June 2, 2026:
Fixes for a variety of crashing bugs in smtpd(8).
Apply by doing:
 signify -Vep /etc/signify/openbsd-79-base.pub -x 002_smtpd.patch.sig \
 -m - | (cd /usr/src && patch -p0)
And then rebuild and install smtpd and smtpctl:
 cd /usr/src/usr.sbin/smtpd
 make obj
 make
 make install
Index: usr.sbin/smtpd/crypto.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/crypto.c,v
diff -u -p -r1.10 crypto.c
--- usr.sbin/smtpd/crypto.c 14 Jun 2021 17:58:15 -0000 1.10
+++ usr.sbin/smtpd/crypto.c 27 May 2026 11:17:29 -0000
@@ -274,8 +274,10 @@ crypto_decrypt_buffer(const char *in, si
 int len = 0;
 int ret = 0;
- /* out does not have enough room */
- if (outlen < inlen - sizeof tag + sizeof iv)
+ /* input buffer too small or out does not have enough room */
+ if (inlen < sizeof(tag) + sizeof(iv) + 1)
+ return 0;
+ if (outlen < inlen - sizeof(tag) - sizeof(iv) - 1)
 return 0;
 /* extract tag */
Index: usr.sbin/smtpd/lka.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/lka.c,v
diff -u -p -r1.251 lka.c
--- usr.sbin/smtpd/lka.c 10 Mar 2026 17:30:23 -0000 1.251
+++ usr.sbin/smtpd/lka.c 27 May 2026 11:17:29 -0000
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 #include "smtpd.h"
 #include "log.h"
@@ -82,6 +83,8 @@ lka_imsg(struct mproc *p, struct imsg *i
 size_t msgsz;
 int ok;
 int fcrdns;
+
+ memset(&userinfo, 0, sizeof userinfo);
 if (imsg == NULL)
 lka_shutdown();
Index: usr.sbin/smtpd/mproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mproc.c,v
diff -u -p -r1.48 mproc.c
--- usr.sbin/smtpd/mproc.c 30 Oct 2025 16:46:19 -0000 1.48
+++ usr.sbin/smtpd/mproc.c 27 May 2026 11:17:29 -0000
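Review bot: In usr.sbin/smtpd/crypto.c (crypto_decrypt_buffer), the new length checks rely on a bare `1` whose meaning the hunk never states; presumably it is a one-byte header ahead of the IV, but that is inferred, since only the `/* extract tag */` step is visible. A layout comment above the checks, e.g. `/* in = header byte | iv | ciphertext | tag */`, or a named constant in place of `1`, would let a reader confirm that the subtractions in the second check cannot wrap. Note also that `inlen == sizeof(tag) + sizeof(iv) + 1` passes the first check, so a zero-length ciphertext reaches the decrypt calls; whether that is intended is not visible here. The function body starts and ends outside the hunk.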
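Review bot: In usr.sbin/smtpd/lka.c (lka_imsg), the added `memset(&userinfo, 0, sizeof userinfo);` runs on every message, ahead of the `imsg == NULL` shutdown check, and carries no comment saying which later use of `userinfo` it protects. If the aim is to keep stale stack bytes out of a struct that is later copied to another process (an inference; the use is outside the hunk), the line should say so: `/* userinfo may be sent to a peer; never expose stale stack bytes */`. Zeroing next to the code that fills or sends the struct would keep the guarantee local to that handler.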
@@ -589,6 +589,8 @@ m_get_sockaddr(struct msg *m, struct soc
 size_t len;
 m_get_size(m, &len);
+ if (len > sizeof(struct sockaddr_storage))
+ m_error("sockaddr size too large");
 m_get(m, sa, len);
 }
Index: usr.sbin/smtpd/queue_backend.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/queue_backend.c,v
diff -u -p -r1.69 queue_backend.c
--- usr.sbin/smtpd/queue_backend.c 31 May 2023 16:51:46 -0000 1.69
+++ usr.sbin/smtpd/queue_backend.c 27 May 2026 11:17:30 -0000
@@ -309,6 +309,7 @@ queue_message_fd_r(uint32_t msgid)
 fd = -1;
 if ((ofp = fdopen(fdout, "w+")) == NULL)
 goto err;
+ fdout = -1;
 if (!crypto_decrypt_file(ifp, ofp))
 goto err;
@@ -331,6 +332,7 @@ queue_message_fd_r(uint32_t msgid)
 fd = -1;
 if ((ofp = fdopen(fdout, "w+")) == NULL)
 goto err;
+ fdout = -1;
 if (!uncompress_file(ifp, ofp))
 goto err;
@@ -414,6 +416,8 @@ queue_envelope_load_buffer(struct envelo
 char encbuf[sizeof(struct envelope)];
 size_t enclen;
+ memset(compbuf, 0, sizeof compbuf);
+ memset(encbuf, 0, sizeof encbuf);
 evp = evpbuf;
 evplen = evpbufsize;
Index: usr.sbin/smtpd/smtp_session.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v
diff -u -p -r1.448 smtp_session.c
--- usr.sbin/smtpd/smtp_session.c 8 Apr 2026 12:04:56 -0000 1.448
+++ usr.sbin/smtpd/smtp_session.c 27 May 2026 11:17:30 -0000
@@ -2102,6 +2102,9 @@ smtp_reply(struct smtp_session *s, char
 va_start(ap, fmt);
 n = vsnprintf(buf, sizeof buf, fmt, ap);
 va_end(ap);
+ if (n >= (int)sizeof buf)
+ n = (int)sizeof buf - 1;
+
 if (n < 0)
 fatalx("smtp_reply: response format error");
 if (n < 4)
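Review bot: In usr.sbin/smtpd/mproc.c (m_get_sockaddr), the new upper bound protects `m_get(m, sa, len)` only if every caller hands in a buffer of at least `sizeof(struct sockaddr_storage)`; the parameter list is truncated in the hunk header and nothing in the visible lines enforces that size. A contract comment above the check, `/* sa must point to a struct sockaddr_storage */`, would make the assumption auditable at call sites. There is also no lower bound: a small or zero `len` leaves the rest of `*sa` unwritten, so a caller that does not pre-zero its buffer would read stale bytes as address fields; whether callers pre-zero is not visible here.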
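Review bot: In usr.sbin/smtpd/queue_backend.c (queue_message_fd_r), the added `fdout = -1;` after the successful `fdopen()` has no comment, and the same line is added again in the hunk at -331. The reason is presumably that the stream now owns the descriptor, so the cleanup under `err` (outside both hunks) must not close it a second time. Suggest `fdout = -1; /* ofp owns the descriptor now; err must not close it again */` at both sites, matching the existing `fd = -1;` just above.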
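Review bot: In usr.sbin/smtpd/queue_backend.c (queue_envelope_load_buffer), zero-filling `compbuf` and `encbuf` guarantees a terminating NUL only when the decoded data is shorter than the buffer. The decode calls and the consumer of these buffers are outside the hunk, so this is hedged: if the consumer parses the result as a string, a payload that fills a buffer exactly still ends without a terminator, and the decoders should be given `sizeof buf - 1` or have their returned length checked against it. A comment such as `/* keep decoded data NUL-terminated for the parser */` would state the intent, if that is the intent.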
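Review bot: In usr.sbin/smtpd/smtp_session.c (smtp_reply), the clamp sits before the `n < 0` error check, so the return value of `vsnprintf()` is adjusted before it is validated; the outcome is the same, but testing for the error first reads more naturally and keeps the clamp next to the code that uses `n`. The clamp also deserves a comment, `/* vsnprintf returns the untruncated length; clamp to what buf holds */`, because the truncation is otherwise silent. The rest of the function, including how `n` is used against `buf`, is outside the hunk.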
@@ -2197,6 +2200,18 @@ smtp_free(struct smtp_session *s, const
 smtp_report_link_disconnect(s);
 smtp_filter_end(s);
+
+ tree_pop(&wait_lka_helo, s->id);
+ tree_pop(&wait_lka_mail, s->id);
+ tree_pop(&wait_lka_rcpt, s->id);
+ tree_pop(&wait_parent_auth, s->id);
+ tree_pop(&wait_queue_msg, s->id);
+ tree_pop(&wait_queue_fd, s->id);
+ tree_pop(&wait_queue_commit, s->id);
+ tree_pop(&wait_ssl_init, s->id);
+ tree_pop(&wait_ssl_verify, s->id);
+ tree_pop(&wait_filters, s->id);
+ tree_pop(&wait_filter_fd, s->id);
 if (s->flags & SF_SECURE && s->listener->flags & F_SMTPS)
 stat_decrement("smtp.smtps", 1);
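Review bot: In usr.sbin/smtpd/smtp_session.c (smtp_free), the eleven `tree_pop()` calls are an unrolled list that has to be kept in step with the file's wait trees by hand; a tree added later and forgotten here would again leave an entry pointing at a freed session. A static array of the tree pointers walked in a loop, with a comment at the tree declarations pointing to it, would keep the two in sync. The reply handlers are not part of this patch: if any of them looks the session up with a variant that aborts on a missing key (smtpd has `tree_xpop()`), a late reply for a freed session now terminates the process instead of being dropped, so they should be checked for tolerating a missing id.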