From b40590cc8da278fbc266ec749098a1b05784de1e Mon Sep 17 00:00:00 2001
From: Rob Swindell <rob@synchro.net>
Date: Fri, 23 Apr 2021 23:36:24 -0700
Subject: [PATCH] Fix observed crashes at end of pop3_thread() and
 smtp_thread()

"startup" was being deref'd after the caller free'd it because these thread functions were calling thread_down() before calling mail_close_socket(), which deref's startup which was subject to a race condition.
---
 src/sbbs3/mailsrvr.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/sbbs3/mailsrvr.c b/src/sbbs3/mailsrvr.c
index a2dd7d4c95..412b36a06c 100644
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -1747,15 +1747,15 @@ static void pop3_thread(void* arg)
 	update_clients();
 	client_off(socket);
 
+	SOCKET sock = socket;
+	mail_close_socket(&socket, &session);
+	/* Must be last */
 	{ 
 		int32_t remain = thread_down();
 		if(startup->options&MAIL_OPT_DEBUG_POP3)
 			lprintf(LOG_DEBUG,"%04d %s [%s] session thread terminated (%u threads remain, %lu clients served)"
-				,socket, client.protocol, host_ip, remain, ++stats.pop3_served);
+				,sock, client.protocol, host_ip, remain, ++stats.pop3_served);
 	}
-
-	/* Must be last */
-	mail_close_socket(&socket, &session);
 }
 
 static ulong rblchk(SOCKET sock, const char* prot, union xp_sockaddr *addr, const char* rbl_addr)
@@ -5028,22 +5028,22 @@ static void smtp_thread(void* arg)
 	update_clients();
 	client_off(socket);
 
-	{
-		int32_t remain = thread_down();
-		lprintf(LOG_INFO,"%04d %s %s Session thread terminated (%u threads remain, %lu clients served)"
-			,socket, client.protocol, client_id, remain, ++stats.smtp_served);
-	}
-	free(mailproc_to_match);
-
 #ifdef _WIN32
 	if(relay_user.number) {
 		if(startup->sound.logout[0] && !sound_muted(&scfg)) 
 			PlaySound(startup->sound.logout, NULL, SND_ASYNC|SND_FILENAME);
 	}
 #endif
+	SOCKET sock = socket;
+	mail_close_socket(&socket, &session);
 
 	/* Must be last */
-	mail_close_socket(&socket, &session);
+	{
+		int32_t remain = thread_down();
+		lprintf(LOG_INFO,"%04d %s %s Session thread terminated (%u threads remain, %lu clients served)"
+			,sock, client.protocol, client_id, remain, ++stats.smtp_served);
+	}
+	free(mailproc_to_match);
 }
 
 BOOL bounce(SOCKET sock, smb_t* smb, smbmsg_t* msg, char* err, BOOL immediate)
-- 
GitLab