Zero the temporary envelope parsing buffers before use.

While current parsing paths do not expose uninitialized data, keeping stack residue
in these transient buffers unnecessarily weakens compartmentalization and may aid
lateral movement inside the privsep environment after another bug.

The diff also fixes a theoretical double close race bug which can't really happen in
smtpd due to requiring concurrency in our single threaded event loop, and which would
have very limited reliability impact if it was triggered (forcing a mail to fail on a
schedule tick and be retried at next tick). This is still incorrect so let's avoid a
copy of this code in more problematic places.

diff by Stuart Thomas <stuart.thomas@triageforge.co.uk>

Author: poolpOrg

usr.sbin/smtpd/queue_backend.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: queue_backend.c,v 1.69 2023/05/31 16:51:46 op Exp $	*/
+/*	$OpenBSD: queue_backend.c,v 1.70 2026/05/26 22:44:17 gilles Exp $	*/
 
 /*
  * Copyright (c) 2011 Gilles Chehade <gilles@poolp.org>
@@ -309,6 +309,7 @@ queue_message_fd_r(uint32_t msgid)
 		fd = -1;
 		if ((ofp = fdopen(fdout, "w+")) == NULL)
 			goto err;
+		fdout = -1;
 
 		if (!crypto_decrypt_file(ifp, ofp))
 			goto err;
@@ -331,6 +332,7 @@ queue_message_fd_r(uint32_t msgid)
 		fd = -1;
 		if ((ofp = fdopen(fdout, "w+")) == NULL)
 			goto err;
+		fdout = -1;
 
 		if (!uncompress_file(ifp, ofp))
 			goto err;
@@ -414,6 +416,8 @@ queue_envelope_load_buffer(struct envelope *ep, char *evpbuf, size_t evpbufsize)
 	char		 encbuf[sizeof(struct envelope)];
 	size_t		 enclen;
 
+	memset(compbuf, 0, sizeof compbuf);
+	memset(encbuf, 0, sizeof encbuf);
 	evp = evpbuf;
 	evplen = evpbufsize;