* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015 */
-/* License: GPL */
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016
+ */
/* Code for calling virus (malware) scanners. Called from acl.c. */
#ifdef WITH_CONTENT_SCAN
typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
- M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST} scanner_t;
+ M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
static struct scan
{
{ M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
{ M_MKSD, US"mksd", NULL, MC_NONE },
{ M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
+ { M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
{ -1, NULL, NULL, MC_NONE } /* end-marker */
};
static const pcre * ava_re_clean = NULL;
static const pcre * ava_re_virus = NULL;
+static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
+static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
+static const pcre * fprot6d_re_error = NULL;
+static const pcre * fprot6d_re_virus = NULL;
+
/******************************************************************************/
the scan directory normally for that case, but look into rigging up the
needed header variables if not already set on the command-line? */
extern int spool_mbox_ok;
-extern uschar spooled_message_id[17];
+extern uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
*errstr = US listerr;
else
+ {
+ DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
+ string_printing(list_ele));
cre = m_pcre_compile(CUS list_ele, errstr);
+ }
return cre;
}
}
if (!ok)
{
- DEBUG(D_acl) debug_printf("Malware scan: read %s (%s)\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: read %s (%s)\n",
rcv==0 ? "EOF" : "error", strerror(errno));
return rcv==0 ? -1 : -2;
}
*p = '\0';
-DEBUG(D_acl) debug_printf("Malware scan: read '%s'\n", buffer);
+DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
return p - buffer;
}
Arguments:
malware_re match condition for "malware="
- eml_filename the file holding the email to be scanned
+ scan_filename the file holding the email to be scanned, if we're faking
+ this up for the -bmalware test, else NULL
timeout if nonzero, non-default timeoutl
- faking whether or not we're faking this up for the -bmalware test
Returns: Exim message processing code (OK, FAIL, DEFER, ...)
where true means malware was found (condition applies)
*/
static int
-malware_internal(const uschar * malware_re, const uschar * eml_filename,
- int timeout, BOOL faking)
+malware_internal(const uschar * malware_re, const uschar * scan_filename,
+ int timeout)
{
int sep = 0;
const uschar *av_scanner_work = av_scanner;
const uschar * scanner_options;
int sock = -1;
time_t tmo;
+uschar * eml_filename, * eml_dir;
+
+if (!malware_re)
+ return FAIL; /* empty means "don't match anything" */
-/* make sure the eml mbox file is spooled up */
-if (!(mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL)))
+/* Ensure the eml mbox file is spooled up */
+
+if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
return malware_errlog_defer(US"error while creating mbox spool file");
-/* none of our current scanners need the mbox
- file as a stream, so we can close it right away */
-(void)fclose(mbox_file);
+/* None of our current scanners need the mbox file as a stream (they use
+the name), so we can close it right away. Get the directory too. */
-if (!malware_re)
- return FAIL; /* empty means "don't match anything" */
+(void) fclose(mbox_file);
+eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, '/') - eml_filename);
/* parse 1st option */
- if ( (strcmpic(malware_re, US"false") == 0) ||
- (Ustrcmp(malware_re,"0") == 0) )
+if (strcmpic(malware_re, US"false") == 0 || Ustrcmp(malware_re,"0") == 0)
return FAIL; /* explicitly no matching */
/* special cases (match anything except empty) */
else if (!(re = m_pcre_compile(malware_re, &errstr)))
return malware_errlog_defer(errstr);
-/* Reset sep that is set by previous string_nextinlist() call */
-sep = 0;
-
/* if av_scanner starts with a dollar, expand it first */
if (*av_scanner == '$')
{
expand_string_message));
DEBUG(D_acl)
- debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
+ debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
/* disable result caching in this case */
malware_name = NULL;
malware_ok = FALSE;
scanner_name));
if (strcmpic(scanner_name, US scanent->name) != 0)
continue;
+ DEBUG(D_acl) debug_printf_indent("Malware scan: %s tmo=%s\n",
+ scanner_name, readconf_printtime(timeout));
+
if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
scanner_options = scanent->options_default;
if (scanent->conn == MC_NONE)
break;
+
+ DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
switch(scanent->conn)
{
- case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
- case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
+ case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
+ case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
default: /* compiler quietening */ break;
}
return m_errlog_defer(scanent, CUS callout_address, errstr);
break;
}
- DEBUG(D_acl) debug_printf("Malware scan: %s tmo %s\n", scanner_name, readconf_printtime(timeout));
switch (scanent->scancode)
{
par_count++;
}
scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s: %s\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
scanner_name, scanrequest);
/* send scan request */
if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
{
- int err = errno;
+ int err;
+badseek: err = errno;
(void)close(drweb_fd);
return m_errlog_defer_3(scanent, NULL,
string_sprintf("can't seek spool file %s: %s",
sock);
}
drweb_slen = htonl(fsize);
- lseek(drweb_fd, 0, SEEK_SET);
+ if (lseek(drweb_fd, 0, SEEK_SET) < 0)
+ goto badseek;
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
scanner_name, scanner_options);
/* send scan request */
sock);
}
- if (!(drweb_fbuf = (uschar *) malloc (fsize_uint)))
+ if (!(drweb_fbuf = US malloc(fsize_uint)))
{
(void)close(drweb_fd);
return m_errlog_defer_3(scanent, NULL,
"unable to send file body to socket (%s)", scanner_options),
sock);
}
- (void)close(drweb_fd);
}
else
{
drweb_slen = htonl(Ustrlen(eml_filename));
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
scanner_name, scanner_options);
/* send scan request */
eml_filename);
/* and send it */
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s %s\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
scanner_name, buf);
if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
return m_errlog_defer(scanent, CUS callout_address, errstr);
malware_name = NULL;
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
scanner_name, scanner_options);
/* pass options */
memset(av_buffer, 0, sizeof(av_buffer));
if (p)
*p = '\0';
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
scanner_name, scanner_options);
/* send scan request */
US"reported 'kavdaemon damaged' (code 7).", sock);
}
- /* code 8 is not handled, since it is ambigous. It appears mostly on
+ /* code 8 is not handled, since it is ambiguous. It appears mostly on
bounces where part of a file has been cut off */
/* "virus found" return codes (2-4) */
kav_re = kav_re_inf;
}
- /* read report, linewise */
+ /* read report, linewise. Using size from stream to read amount of data
+ from same stream is safe enough. */
+ /* coverity[tainted_data] */
while (kav_reportlen > 0)
{
if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
/* redirect STDERR too */
commandline = string_sprintf("%s 2>&1", commandline);
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
scanner_name, commandline);
/* store exims signal handlers */
}
scanner_fd = fileno(scanner_out);
- file_name = string_sprintf("%s/scan/%s/%s_scanner_output",
- spool_directory, message_id, message_id);
+ file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
{
if ((p = Ustrrchr(file_name, '/')))
*p = '\0';
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
scanner_name, scanner_options);
if ( write(sock, file_name, Ustrlen(file_name)) < 0
/* parse options */
/*XXX should these options be common over scanner types? */
if (clamd_option(cd, sublist, &subsep) != OK)
- {
return m_errlog_defer(scanent, NULL,
string_sprintf("bad option '%s'", scanner_options));
- continue;
- }
cv[num_servers++] = cd;
if (num_servers >= MAX_CLAMD_SERVERS)
int i = random_number( num_servers );
clamd_address * cd = cv[i];
- DEBUG(D_acl) debug_printf("trying server name %s, port %u\n",
+ DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
cd->hostspec, cd->tcp_port);
/* Lookup the host. This is to ensure that we connect to the same IP
* that port on a second connection; then in the scan-method-neutral
* part, read the response back on the original connection. */
- DEBUG(D_acl) debug_printf(
+ DEBUG(D_acl) debug_printf_indent(
"Malware scan: issuing %s old-style remote scan (PORT)\n",
scanner_name);
chunks, <n> a 4-byte number (network order), terminated by a zero-length
chunk. */
- DEBUG(D_acl) debug_printf(
+ DEBUG(D_acl) debug_printf_indent(
"Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
scanner_name);
}
if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
{
- int err = errno;
+ int err;
+b_seek: err = errno;
CLOSE_SOCKDATA; (void)close(clam_fd);
return m_errlog_defer_3(scanent, NULL,
string_sprintf("can't seek spool file %s: %s",
eml_filename),
sock);
}
- lseek(clam_fd, 0, SEEK_SET);
+ if (lseek(clam_fd, 0, SEEK_SET) < 0)
+ goto b_seek;
- if (!(clamav_fbuf = (uschar *) malloc (fsize_uint)))
+ if (!(clamav_fbuf = US malloc(fsize_uint)))
{
CLOSE_SOCKDATA; (void)close(clam_fd);
return m_errlog_defer_3(scanent, NULL,
/* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
file_name = string_sprintf("SCAN %s\n", eml_filename);
- DEBUG(D_acl) debug_printf(
+ DEBUG(D_acl) debug_printf_indent(
"Malware scan: issuing %s local-path scan [%s]\n",
scanner_name, scanner_options);
p = av_buffer + Ustrlen(av_buffer) - 1;
if (*p == '\n') *p = '\0';
- DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
+ DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
while (isspace(*--p) && (p > av_buffer))
*p = '\0';
*p = '\0';
}
malware_name = string_copy(vname);
- DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
+ DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
}
else if (Ustrcmp(result_tag, "ERROR") == 0)
{
/* Everything should be OK */
malware_name = NULL;
- DEBUG(D_acl) debug_printf("Malware not found\n");
+ DEBUG(D_acl) debug_printf_indent("Malware not found\n");
}
else
const pcre *sockline_name_re;
/* find scanner command line */
- if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
- NULL, 0)))
+ if ( (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
+ NULL, 0))
+ && *sockline_scanner
+ )
{ /* check for no expansions apart from one %s */
uschar * s = Ustrchr(sockline_scanner, '%');
if (s++)
}
else
sockline_scanner = sockline_scanner_default;
+ DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
+ string_printing(sockline_scanner));
/* find scanner output trigger */
sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
return m_errlog_defer_3(scanent, NULL, errstr, sock);
/* prepare scanner call - security depends on expansions check above */
- commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
- commandline = string_sprintf( CS sockline_scanner, CS commandline);
-
+ commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
+ DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
+ string_printing(commandline));
/* Pass the command string to the socket */
if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
US"buffer too small", sock);
av_buffer[bread] = '\0';
linebuffer = string_copy(av_buffer);
+ DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
+ string_printing(linebuffer));
/* try trigger match */
if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
{
if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
malware_name = US "unknown";
+ DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
+ string_printing(malware_name));
}
else /* no virus found */
malware_name = NULL;
malware_name = NULL;
- DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
{
int slen = Ustrlen(buf);
if (slen >= 1)
{
- DEBUG(D_acl) debug_printf("got from avast: %s\n", buf);
+ DEBUG(D_acl) debug_printf_indent("got from avast: %s\n", buf);
switch (avast_stage)
{
case AVA_HELO:
}
else
{
- scanrequest = string_sprintf("SCAN %s/scan/%s\n",
- spool_directory, message_id);
+ scanrequest = string_sprintf("SCAN %s\n", eml_dir);
avast_stage = AVA_RSP; /* just sent command */
}
sock);
default: break;
}
+ break;
}
+
+ case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
+ {
+ int bread;
+ uschar * e;
+ uschar * linebuffer;
+ uschar * scanrequest;
+ uschar av_buffer[1024];
+
+ if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
+ || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
+ return malware_errlog_defer(errstr);
+
+ scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
+ DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
+ scanner_name, scanrequest);
+
+ if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
+ return m_errlog_defer(scanent, CUS callout_address, errstr);
+
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
+
+ if (bread <= 0)
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ string_sprintf("unable to read from socket (%s)", strerror(errno)),
+ sock);
+
+ if (bread == sizeof(av_buffer))
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ US"buffer too small", sock);
+
+ av_buffer[bread] = '\0';
+ linebuffer = string_copy(av_buffer);
+
+ m_sock_send(sock, US"QUIT\n", 5, 0);
+
+ if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
+ return m_errlog_defer_3(scanent, CUS callout_address,
+ string_sprintf("scanner reported error (%s)", e), sock);
+
+ if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
+ malware_name = NULL;
+
break;
+ } /* f-prot6d */
} /* scanner type switch */
if (sock >= 0)
/* match virus name against pattern (caseless ------->----------v) */
if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
{
- DEBUG(D_acl) debug_printf(
+ DEBUG(D_acl) debug_printf_indent(
"Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
return OK;
}
int
malware(const uschar * malware_re, int timeout)
{
- uschar * scan_filename;
- int ret;
+int ret = malware_internal(malware_re, NULL, timeout);
- scan_filename = string_sprintf("%s/scan/%s/%s.eml",
- spool_directory, message_id, message_id);
- ret = malware_internal(malware_re, scan_filename, timeout, FALSE);
- if (ret == DEFER) av_failed = TRUE;
-
- return ret;
+if (ret == DEFER) av_failed = TRUE;
+return ret;
}
int
malware_in_file(uschar *eml_filename)
{
- uschar message_id_buf[64];
- int ret;
-
- /* spool_mbox() assumes various parameters exist, when creating
- the relevant directory and the email within */
- (void) string_format(message_id_buf, sizeof(message_id_buf),
- "dummy-%d", vaguely_random_number(INT_MAX));
- message_id = message_id_buf;
- sender_address = US"malware-sender@example.net";
- return_path = US"";
- recipients_list = NULL;
- receive_add_recipient(US"malware-victim@example.net", -1);
- enable_dollar_recipients = TRUE;
-
- ret = malware_internal(US"*", eml_filename, 0, TRUE);
-
- Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
- spool_mbox_ok = 1;
- /* don't set no_mbox_unspool; at present, there's no way for it to become
- set, but if that changes, then it should apply to these tests too */
- unspool_mbox();
-
- /* silence static analysis tools */
- message_id = NULL;
-
- return ret;
+uschar message_id_buf[64];
+int ret;
+
+/* spool_mbox() assumes various parameters exist, when creating
+the relevant directory and the email within */
+
+(void) string_format(message_id_buf, sizeof(message_id_buf),
+ "dummy-%d", vaguely_random_number(INT_MAX));
+message_id = message_id_buf;
+sender_address = US"malware-sender@example.net";
+return_path = US"";
+recipients_list = NULL;
+receive_add_recipient(US"malware-victim@example.net", -1);
+enable_dollar_recipients = TRUE;
+
+ret = malware_internal(US"*", eml_filename, 0);
+
+Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
+spool_mbox_ok = 1;
+
+/* don't set no_mbox_unspool; at present, there's no way for it to become
+set, but if that changes, then it should apply to these tests too */
+
+unspool_mbox();
+
+/* silence static analysis tools */
+message_id = NULL;
+
+return ret;
}
ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
if (!ava_re_virus)
ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
+if (!fprot6d_re_error)
+ fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
+if (!fprot6d_re_virus)
+ fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
}
#endif /*WITH_CONTENT_SCAN*/