1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for reading spool files. When compiling for a utility (eximon),
10 not all are needed, and some functionality can be cut out. */
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Open and lock data file *
20 *************************************************/
22 /* The data file is the one that is used for locking, because the header file
23 can get replaced during delivery because of header rewriting. The file has
24 to opened with write access so that we can get an exclusive lock, but in
25 fact it won't be written to. Just in case there's a major disaster (e.g.
26 overwriting some other file descriptor with the value of this one), open it
29 As called by deliver_message() (at least) we are operating as root.
31 Argument: the id of the message
32 Returns: fd if file successfully opened and locked, else -1
34 Side effect: message_subdir is set for the (possibly split) spool directory
38 spool_open_datafile(uschar *id)
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
51 for (int i = 0; i < 2; i++)
56 set_subdir_str(message_subdir, id, i);
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname);
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
65 if ((fd = Uopen(fname,
72 O_RDWR | O_APPEND, 0)) >= 0)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = SPOOL_DATA_START_OFFSET;
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
109 log_write(L_skip_delivery, LOG_MAIN,
110 "Spool file for %s is locked (another process is handling this message)",
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
120 if (fstat(fd, &statbuf) == 0)
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
128 #endif /* COMPILE_UTILITY */
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
142 . The left subtree (if any) then follows, then the right subtree (if any).
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
154 Returns: maximum depth below the node, including the node itself
158 count_below(tree_node *node)
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
168 /* This is the real function...
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
176 Returns: FALSE on format error
180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
194 if (buffer[0] == 'Y')
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
200 else node->left = NULL;
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
208 else node->right = NULL;
210 (void) count_below(*connect);
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
222 spool_clear_header_globals(void)
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 f.allow_unqualified_recipient = FALSE;
228 f.allow_unqualified_sender = FALSE;
231 f.deliver_firsttime = FALSE;
232 f.deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 f.deliver_manual_thaw = FALSE;
235 /* f.dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
241 f.local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = sender_host_auth_pubname = NULL;
258 f.sender_local = FALSE;
259 f.sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 f.spool_file_wireformat = FALSE;
264 tree_nonrecipients = NULL;
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
273 f.dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
278 tls_in.certificate_verified = FALSE;
280 tls_in.dane_verified = FALSE;
282 tls_in.ver = tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
287 tls_in.peerdn = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
292 #ifdef WITH_CONTENT_SCAN
295 spam_score_int = NULL;
298 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299 message_smtputf8 = FALSE;
300 message_utf8_downconvert = 0;
308 fgets_big_buffer(FILE *fp)
313 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) return NULL;
315 while ((len = Ustrlen(big_buffer)) == big_buffer_size-1
316 && big_buffer[len-1] != '\n')
321 if (big_buffer_size >= BIG_BUFFER_SIZE * 4) return NULL;
322 newsize = big_buffer_size * 2;
323 newbuffer = store_get_perm(newsize, FALSE);
324 memcpy(newbuffer, big_buffer, len);
326 big_buffer = newbuffer;
327 big_buffer_size = newsize;
328 if (Ufgets(big_buffer + len, big_buffer_size - len, fp) == NULL) return NULL;
331 if (len <= 0 || big_buffer[len-1] != '\n') return NULL;
337 /*************************************************
338 * Read spool header file *
339 *************************************************/
341 /* This function reads a spool header file and places the data into the
342 appropriate global variables. The header portion is always read, but header
343 structures are built only if read_headers is set true. It isn't, for example,
344 while generating -bp output.
346 It may be possible for blocks of nulls (binary zeroes) to get written on the
347 end of a file if there is a system crash during writing. It was observed on an
348 earlier version of Exim that omitted to fsync() the files - this is thought to
349 have been the cause of that incident, but in any case, this code must be robust
350 against such an event, and if such a file is encountered, it must be treated as
353 As called from deliver_message() (at least) we are running as root.
356 name name of the header file, including the -H
357 read_headers TRUE if in-store header structures are to be built
358 subdir_set TRUE is message_subdir is already set
360 Returns: spool_read_OK success
361 spool_read_notopen open failed
362 spool_read_enverror error in the envelope portion
363 spool_read_hdrerror error in the header portion
367 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
373 BOOL inheader = FALSE;
375 /* Reset all the global variables to their default values. However, there is
376 one exception. DO NOT change the default value of dont_deliver, because it may
377 be forced by an external setting. */
379 spool_clear_header_globals();
381 /* Generate the full name and open the file. If message_subdir is already
382 set, just look in the given directory. Otherwise, look in both the split
383 and unsplit directories, as for the data file above. */
385 for (int n = 0; n < 2; n++)
388 set_subdir_str(message_subdir, name, n);
390 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
392 if (n != 0 || subdir_set || errno != ENOENT)
393 return spool_read_notopen;
398 #ifndef COMPILE_UTILITY
399 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
400 #endif /* COMPILE_UTILITY */
402 /* The first line of a spool file contains the message id followed by -H (i.e.
403 the file name), in order to make the file self-identifying. */
405 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
406 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
407 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
408 goto SPOOL_FORMAT_ERROR;
410 /* The next three lines in the header file are in a fixed format. The first
411 contains the login, uid, and gid of the user who caused the file to be written.
412 There are known cases where a negative gid is used, so we allow for both
413 negative uids and gids. The second contains the mail address of the message's
414 sender, enclosed in <>. The third contains the time the message was received,
415 and the number of warning messages for delivery delays that have been sent. */
417 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
420 uschar *p = big_buffer + Ustrlen(big_buffer);
421 while (p > big_buffer && isspace(p[-1])) p--;
423 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
424 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
426 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
428 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
429 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
431 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
435 originator_login = string_copy(big_buffer);
436 originator_uid = (uid_t)uid;
437 originator_gid = (gid_t)gid;
440 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
441 n = Ustrlen(big_buffer);
442 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
443 goto SPOOL_FORMAT_ERROR;
445 sender_address = store_get(n-2, TRUE); /* tainted */
446 Ustrncpy(sender_address, big_buffer+1, n-3);
447 sender_address[n-3] = 0;
450 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
451 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
452 goto SPOOL_FORMAT_ERROR;
453 received_time.tv_usec = 0;
455 message_age = time(NULL) - received_time.tv_sec;
456 #ifndef COMPILE_UTILITY
457 if (f.running_in_test_harness)
458 message_age = test_harness_fudged_queue_time(message_age);
461 #ifndef COMPILE_UTILITY
462 DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n",
463 originator_login, (long int)originator_uid, (long int)originator_gid,
467 /* Now there may be a number of optional lines, each starting with "-". If you
468 add a new setting here, make sure you set the default above.
470 Because there are now quite a number of different possibilities, we use a
471 switch on the first character to avoid too many failing tests. Thanks to Nico
472 Erfurth for the patch that implemented this. I have made it even more efficient
473 by not re-scanning the first two characters.
475 To allow new versions of Exim that add additional flags to interwork with older
476 versions that do not understand them, just ignore any lines starting with "-"
477 that we don't recognize. Otherwise it wouldn't be possible to back off a new
478 version that left new-style flags written on the spool.
480 If the line starts with "--" the content of the variable is tainted. */
488 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
489 if (big_buffer[0] != '-') break;
490 big_buffer[Ustrlen(big_buffer)-1] = 0;
492 tainted = big_buffer[1] == '-';
493 var = big_buffer + (tainted ? 2 : 1);
500 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
501 variable, because Exim allows any number of them, with arbitrary names.
502 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
505 if (Ustrncmp(p, "clc ", 4) == 0 ||
506 Ustrncmp(p, "clm ", 4) == 0)
508 uschar *name, *endptr;
511 endptr = Ustrchr(var + 5, ' ');
512 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
513 name = string_sprintf("%c%.*s", var[3],
514 (int)(endptr - var - 5), var + 5);
515 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
516 node = acl_var_create(name);
517 node->data.ptr = store_get(count + 1, tainted);
518 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
519 ((uschar*)node->data.ptr)[count] = 0;
522 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
523 f.allow_unqualified_recipient = TRUE;
524 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
525 f.allow_unqualified_sender = TRUE;
527 else if (Ustrncmp(p, "uth_id", 6) == 0)
528 authenticated_id = string_copy_taint(var + 8, tainted);
529 else if (Ustrncmp(p, "uth_sender", 10) == 0)
530 authenticated_sender = string_copy_taint(var + 12, tainted);
531 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
532 smtp_active_hostname = string_copy_taint(var + 16, tainted);
534 /* For long-term backward compatibility, we recognize "-acl", which was
535 used before the number of ACL variables changed from 10 to 20. This was
536 before the subsequent change to an arbitrary number of named variables.
537 This code is retained so that upgrades from very old versions can still
538 handle old-format spool files. The value given after "-acl" is a number
539 that is 0-9 for connection variables, and 10-19 for message variables. */
541 else if (Ustrncmp(p, "cl ", 3) == 0)
543 unsigned index, count;
544 uschar name[20]; /* Need plenty of space for %u format */
546 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
548 || count > 16384 /* arbitrary limit on variable size */
550 goto SPOOL_FORMAT_ERROR;
552 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
554 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
555 node = acl_var_create(name);
556 node->data.ptr = store_get(count + 1, tainted);
557 /* We sanity-checked the count, so disable the Coverity error */
558 /* coverity[tainted_data] */
559 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
560 (US node->data.ptr)[count] = '\0';
565 if (Ustrncmp(p, "ody_linecount", 13) == 0)
566 body_linecount = Uatoi(var + 14);
567 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
568 body_zerocount = Uatoi(var + 14);
569 #ifdef EXPERIMENTAL_BRIGHTMAIL
570 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
571 bmi_verdicts = string_copy_taint(var + 13, tainted);
576 if (Ustrcmp(p, "eliver_firsttime") == 0)
577 f.deliver_firsttime = TRUE;
578 /* Check if the dsn flags have been set in the header file */
579 else if (Ustrncmp(p, "sn_ret", 6) == 0)
580 dsn_ret= atoi(CS var + 7);
581 else if (Ustrncmp(p, "sn_envid", 8) == 0)
582 dsn_envid = string_copy_taint(var + 10, tainted);
586 if (Ustrncmp(p, "rozen", 5) == 0)
588 f.deliver_freeze = TRUE;
589 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
590 goto SPOOL_READ_ERROR;
595 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
596 host_lookup_deferred = TRUE;
597 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
598 host_lookup_failed = TRUE;
599 else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
600 sender_host_auth_pubname = string_copy_taint(var + 18, tainted);
601 else if (Ustrncmp(p, "ost_auth", 8) == 0)
602 sender_host_authenticated = string_copy_taint(var + 10, tainted);
603 else if (Ustrncmp(p, "ost_name", 8) == 0)
604 sender_host_name = string_copy_taint(var + 10, tainted);
605 else if (Ustrncmp(p, "elo_name", 8) == 0)
606 sender_helo_name = string_copy_taint(var + 10, tainted);
608 /* We now record the port number after the address, separated by a
609 dot. For compatibility during upgrading, do nothing if there
610 isn't a value (it gets left at zero). */
612 else if (Ustrncmp(p, "ost_address", 11) == 0)
614 sender_host_port = host_address_extract_port(var + 13);
615 sender_host_address = string_copy_taint(var + 13, tainted);
620 if (Ustrncmp(p, "nterface_address", 16) == 0)
622 interface_port = host_address_extract_port(var + 18);
623 interface_address = string_copy_taint(var + 18, tainted);
625 else if (Ustrncmp(p, "dent", 4) == 0)
626 sender_ident = string_copy_taint(var + 6, tainted);
630 if (Ustrcmp(p, "ocal") == 0)
631 f.sender_local = TRUE;
632 else if (Ustrcmp(var, "localerror") == 0)
633 f.local_error_message = TRUE;
634 #ifdef HAVE_LOCAL_SCAN
635 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
636 local_scan_data = string_copy_taint(var + 11, tainted);
641 if (Ustrcmp(p, "anual_thaw") == 0)
642 f.deliver_manual_thaw = TRUE;
643 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
644 max_received_linelength = Uatoi(var + 23);
648 if (*p == 0) f.dont_deliver = TRUE; /* -N */
652 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
653 received_protocol = string_copy_taint(var + 18, tainted);
654 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
657 if (sscanf(CS var + 20, "%u", &usec) == 1)
658 received_time.tv_usec = usec;
663 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
664 f.sender_set_untrusted = TRUE;
665 #ifdef WITH_CONTENT_SCAN
666 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
667 spam_bar = string_copy_taint(var + 9, tainted);
668 else if (Ustrncmp(p, "pam_score ", 10) == 0)
669 spam_score = string_copy_taint(var + 11, tainted);
670 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
671 spam_score_int = string_copy_taint(var + 15, tainted);
673 #ifndef COMPILE_UTILITY
674 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
675 f.spool_file_wireformat = TRUE;
677 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
678 else if (Ustrncmp(p, "mtputf8", 7) == 0)
679 message_smtputf8 = TRUE;
685 if (Ustrncmp(p, "ls_", 3) == 0)
687 const uschar * q = p + 3;
688 if (Ustrncmp(q, "certificate_verified", 20) == 0)
689 tls_in.certificate_verified = TRUE;
690 else if (Ustrncmp(q, "cipher", 6) == 0)
691 tls_in.cipher = string_copy_taint(q+7, tainted);
692 # ifndef COMPILE_UTILITY /* tls support fns not built in */
693 else if (Ustrncmp(q, "ourcert", 7) == 0)
694 (void) tls_import_cert(q+8, &tls_in.ourcert);
695 else if (Ustrncmp(q, "peercert", 8) == 0)
696 (void) tls_import_cert(q+9, &tls_in.peercert);
698 else if (Ustrncmp(q, "peerdn", 6) == 0)
699 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
700 else if (Ustrncmp(q, "sni", 3) == 0)
701 tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
702 else if (Ustrncmp(q, "ocsp", 4) == 0)
703 tls_in.ocsp = q[5] - '0';
704 # ifdef EXPERIMENTAL_TLS_RESUME
705 else if (Ustrncmp(q, "resumption", 10) == 0)
706 tls_in.resumption = q[11] - 'A';
708 else if (Ustrncmp(q, "ver", 3) == 0)
709 tls_in.ver = string_copy_taint(q+4, tainted);
714 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
716 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
717 message_utf8_downconvert = 1;
718 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
719 message_utf8_downconvert = -1;
723 default: /* Present because some compilers complain if all */
724 break; /* possibilities are not covered. */
728 /* Build sender_fullhost if required */
730 #ifndef COMPILE_UTILITY
731 host_build_sender_fullhost();
732 #endif /* COMPILE_UTILITY */
734 #ifndef COMPILE_UTILITY
736 debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local,
737 sender_ident ? sender_ident : US"unset");
738 #endif /* COMPILE_UTILITY */
740 /* We now have the tree of addresses NOT to deliver to, or a line
741 containing "XX", indicating no tree. */
743 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
744 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
745 goto SPOOL_FORMAT_ERROR;
747 #ifndef COMPILE_UTILITY
750 debug_printf("Non-recipients:\n");
751 debug_print_tree(tree_nonrecipients);
753 #endif /* COMPILE_UTILITY */
755 /* After reading the tree, the next line has not yet been read into the
756 buffer. It contains the count of recipients which follow on separate lines.
757 Apply an arbitrary sanity check.*/
759 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
760 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
761 goto SPOOL_FORMAT_ERROR;
763 #ifndef COMPILE_UTILITY
764 DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount);
765 #endif /* COMPILE_UTILITY */
767 recipients_list_max = rcount;
768 recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
770 /* We sanitised the count and know we have enough memory, so disable
771 the Coverity error on recipients_count */
772 /* coverity[tainted_data] */
774 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
779 uschar *orcpt = NULL;
780 uschar *errors_to = NULL;
783 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
784 nn = Ustrlen(big_buffer);
785 if (nn < 2) goto SPOOL_FORMAT_ERROR;
787 /* Remove the newline; this terminates the address if there is no additional
790 p = big_buffer + nn - 1;
793 /* Look back from the end of the line for digits and special terminators.
794 Since an address must end with a domain, we can tell that extra data is
795 present by the presence of the terminator, which is always some character
796 that cannot exist in a domain. (If I'd thought of the need for additional
797 data early on, I'd have put it at the start, with the address at the end. As
798 it is, we have to operate backwards. Addresses are permitted to contain
801 This code has to cope with various versions of this data that have evolved
802 over time. In all cases, the line might just contain an address, with no
803 additional data. Otherwise, the possibilities are as follows:
805 Exim 3 type: <address><space><digits>,<digits>,<digits>
807 The second set of digits is the parent number for one_time addresses. The
808 other values were remnants of earlier experiments that were abandoned.
810 Exim 4 first type: <address><space><digits>
812 The digits are the parent number for one_time addresses.
814 Exim 4 new type: <address><space><data>#<type bits>
816 The type bits indicate what the contents of the data are.
818 Bit 01 indicates that, reading from right to left, the data
819 ends with <errors_to address><space><len>,<pno> where pno is
820 the parent number for one_time addresses, and len is the length
821 of the errors_to address (zero meaning none).
823 Bit 02 indicates that, again reading from right to left, the data continues
824 with orcpt len(orcpt),dsn_flags
827 while (isdigit(*p)) p--;
829 /* Handle Exim 3 spool files */
834 #if !defined (COMPILE_UTILITY)
835 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n");
837 while (isdigit(*(--p)) || *p == ',');
841 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
845 /* Handle early Exim 4 spool files */
849 #if !defined (COMPILE_UTILITY)
850 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n");
853 (void)sscanf(CS p, "%d", &pno);
856 /* Handle current format Exim 4 spool files */
862 #if !defined (COMPILE_UTILITY)
863 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n");
866 (void)sscanf(CS p+1, "%d", &flags);
868 if ((flags & 0x01) != 0) /* one_time data exists */
871 while (isdigit(*(--p)) || *p == ',' || *p == '-');
872 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
877 errors_to = string_copy_taint(p, TRUE);
881 *(--p) = 0; /* Terminate address */
882 if ((flags & 0x02) != 0) /* one_time data exists */
885 while (isdigit(*(--p)) || *p == ',' || *p == '-');
886 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
891 orcpt = string_copy_taint(p, TRUE);
895 *(--p) = 0; /* Terminate address */
897 #if !defined(COMPILE_UTILITY)
899 { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); }
901 if (orcpt || dsn_flags)
902 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
903 big_buffer, orcpt, dsn_flags);
905 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
906 big_buffer, errors_to);
909 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
910 recipients_list[recipients_count].pno = pno;
911 recipients_list[recipients_count].errors_to = errors_to;
912 recipients_list[recipients_count].orcpt = orcpt;
913 recipients_list[recipients_count].dsn_flags = dsn_flags;
916 /* The remainder of the spool header file contains the headers for the message,
917 separated off from the previous data by a blank line. Each header is preceded
918 by a count of its length and either a certain letter (for various identified
919 headers), space (for a miscellaneous live header) or an asterisk (for a header
920 that has been rewritten). Count the Received: headers. We read the headers
921 always, in order to check on the format of the file, but only create a header
922 list if requested to do so. */
925 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
926 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
928 while ((n = fgetc(fp)) != EOF)
934 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
935 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
936 goto SPOOL_READ_ERROR;
937 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
941 h = store_get(sizeof(header_line), FALSE);
945 h->text = store_get(n+1, TRUE); /* tainted */
947 if (h->type == htype_received) received_count++;
949 if (header_list) header_last->next = h;
950 else header_list = h;
953 for (i = 0; i < n; i++)
956 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
957 if (c == '\n' && h->type != htype_old) message_linecount++;
963 /* Not requiring header data, just skip through the bytes */
965 else for (i = 0; i < n; i++)
968 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
972 /* We have successfully read the data in the header file. Update the message
973 line count by adding the body linecount to the header linecount. Close the file
974 and give a positive response. */
976 #ifndef COMPILE_UTILITY
977 DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n",
978 body_linecount, message_linecount);
979 #endif /* COMPILE_UTILITY */
981 message_linecount += body_linecount;
984 return spool_read_OK;
987 /* There was an error reading the spool or there was missing data,
988 or there was a format error. A "read error" with no errno means an
989 unexpected EOF, which we treat as a format error. */
996 #ifndef COMPILE_UTILITY
997 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
998 #endif /* COMPILE_UTILITY */
1002 return inheader ? spool_read_hdrerror : spool_read_enverror;
1007 #ifndef COMPILE_UTILITY
1008 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
1009 #endif /* COMPILE_UTILITY */
1012 errno = ERRNO_SPOOLFORMAT;
1013 return inheader? spool_read_hdrerror : spool_read_enverror;
1018 /* End of spool_in.c */