authorMichael Budde <mbudde@gmail.com>2019-01-22 19:22:03 +0100
committerMichael Budde <mbudde@gmail.com>2019-01-23 08:59:31 +0100
commitf3bad93db256db07b6cb831d4d24f47543f57e4a (patch)
tree7c00b7c3e9d8cfa5b5ea6d6460f4e3079d9e2482
parent53f4035a2f4a6f33b447ce3658c4dc062058c422 (diff)
Ignore null deferred postings
All-null transactions (i.e. a transaction where all postings have a null amount) are discarded during parsing and the `xact` object is freed. But if the transaction contains a deferred posting, this results in a use-after-free vulnerability, because a reference to the deferred posting is stored in the account object and is later read when deferred postings are applied after parsing has finished. Ignore null deferred postings to prevent this – they should not have any effect anyway. Thanks to Cory Duplantis for reporting this issue and providing an initial analysis. Ref TALOS-2017-0304, CVE-2017-2808 Fixes #1723
-rw-r--r--doc/NEWS3
-rw-r--r--src/xact.cc8
-rw-r--r--test/regress/1723.test5
3 files changed, 13 insertions, 3 deletions
diff --git a/doc/NEWS b/doc/NEWS
index 80617b08..5152ad7c 100644
--- a/doc/NEWS
+++ b/doc/NEWS
@@ -45,6 +45,9 @@
- Fix parsing issue of effective dates (bug #1722, TALOS-2017-0303,
CVE-2017-2807)
+- Fix use-after-free issue with deferred postings (bug #1723, TALOS-2017-0304,
+ CVE-2017-2808)
+
- Python: Removed double quotes from Unicode values.
- Python: Ensure that parse errors produce useful RuntimeErrors
diff --git a/src/xact.cc b/src/xact.cc
index 5df9ebc5..10a7106a 100644
--- a/src/xact.cc
+++ b/src/xact.cc
@@ -395,10 +395,12 @@ bool xact_base_t::finalize()
some_null = true;
}
- if (post->has_flags(POST_DEFERRED))
- post->account->add_deferred_post(id(), post);
- else
+ if (post->has_flags(POST_DEFERRED)) {
+ if (!post->amount.is_null())
+ post->account->add_deferred_post(id(), post);
+ } else {
post->account->add_post(post);
+ }
post->xdata().add_flags(POST_EXT_VISITED);
post->account->xdata().add_flags(ACCOUNT_EXT_VISITED);
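Review bot: The new `if (!post->amount.is_null())` guard carries no comment, so a future reader sees a deferred posting silently dropped without learning that this is what prevents the account from holding a dangling pointer once the all-null xact is discarded; add above it `// A null-amount deferred post is not registered with the account: an all-null xact is freed after parsing, and the raw pointer stored by add_deferred_post() would then be read when deferred posts are applied (bug #1723, CVE-2017-2808).` Note also that the two `add_flags(...VISITED)` lines still run for the skipped posting, which looks harmless but is worth a word in the same comment if that is intended. The guard removes the one known trigger, but it does not change the underlying ownership: add_deferred_post() still stores a pointer into an xact the account does not own, so any other path that discards an xact after finalize() would presumably dangle the same way — that is inferred from the hunk, not visible here. xact_base_t::finalize() starts and ends outside the hunk.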
diff --git a/test/regress/1723.test b/test/regress/1723.test
new file mode 100644
index 00000000..62a50386
--- /dev/null
+++ b/test/regress/1723.test
@@ -0,0 +1,5 @@
+2017/3/17 deferred posting
+ <deferred posting>
+
+test reg
+end test
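Review bot: The regression test gives no indication of what it guards, and its expected `reg` output is empty, so a reader cannot tell whether "no output" is the assertion or an omission; add a journal comment at the top, `; Regression test for bug #1723 (CVE-2017-2808): a transaction whose only posting is a null-amount deferred posting must be discarded without leaving a dangling reference in the account, so "reg" prints nothing.` As written the test only detects the failure when the use-after-free actually crashes or corrupts output, which is run-dependent; running the suite under a memory checker is presumably what makes it reliable, but that is outside this file.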