Fix signed/unsigned and UTF errors Fixes: #901

[exim.git] / src / src / malware.c

diff --git a/src/src/malware.c b/src/src/malware.c
index 153670d0e3a736a7ee93f5f03b3f5e2761beab64..9b1bd334d8f82b612aff0cd88f420478f087135d 100644 (file)
--- a/src/src/malware.c
+++ b/src/src/malware.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/malware.c,v 1.8 2005/05/24 08:15:02 tom Exp $ */
+/* $Cambridge: exim/src/src/malware.c,v 1.17 2009/11/05 19:40:51 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -20,6 +20,10 @@ int mksd_scan_packed(int sock);
 #define SHUT_WR 1
 #endif
 
+
+#define        MALWARE_TIMEOUT             120
+
+
 #define DRWEBD_SCAN_CMD             (1)     /* scan file, buffer or diskfile */
 #define DRWEBD_RETURN_VIRUSES       (1<<0)   /* ask daemon return to us viruses names from report */
 #define DRWEBD_IS_MAIL              (1<<19)  /* say to daemon that format is "archive MAIL" */
@@ -69,7 +73,7 @@ int malware(uschar **listptr) {
   };
   /* none of our current scanners need the mbox
      file as a stream, so we can close it right away */
-  fclose(mbox_file);
+  (void)fclose(mbox_file);
 
   /* extract the malware regex to match against from the option list */
   if ((malware_regex = string_nextinlist(&list, &sep,
@@ -135,10 +139,117 @@ int malware(uschar **listptr) {
       return DEFER;
     };
 
+  /* "f-protd" scanner type ----------------------------------------------- */
+  if (strcmpic(scanner_name, US"f-protd") == 0) {
+    uschar *fp_options, *fp_scan_option;
+    uschar fp_scan_option_buffer[1024];
+    uschar fp_options_buffer[1024];
+    uschar fp_options_default[] = "localhost 10200-10204";
+    uschar hostname[256];
+    unsigned int port, portlow, porthigh, connect_ok=0, detected=0, par_count = 0;
+    struct hostent *he;
+    struct in_addr in;
+    int sock;
+    uschar scanrequest[2048], buf[32768], *strhelper, *strhelper2;
+
+    if ((fp_options = string_nextinlist(&av_scanner_work, &sep,
+      fp_options_buffer, sizeof(fp_options_buffer))) == NULL) {
+      /* no options supplied, use default options */
+      fp_options = fp_options_default;
+    };
+
+    /* extract host and port part */
+    if ( sscanf(CS fp_options, "%s %u-%u", hostname, &portlow, &porthigh) != 3 ) {
+      if ( sscanf(CS fp_options, "%s %u", hostname, &portlow) != 2 ) {
+        log_write(0, LOG_MAIN|LOG_PANIC,
+          "malware acl condition: f-protd: invalid socket '%s'", fp_options);
+        return DEFER;
+      }
+      porthigh = portlow;
+    }
+
+    /* Lookup the host */
+    if((he = gethostbyname(CS hostname)) == 0) {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "malware acl condition: f-protd: failed to lookup host '%s'", hostname);
+      return DEFER;
+    }
+
+    in = *(struct in_addr *) he->h_addr_list[0];
+    port = portlow;
+
+
+    /* Open the f-protd TCP socket */
+    if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "malware acl condition: f-protd: unable to acquire socket (%s)",
+        strerror(errno));
+      return DEFER;
+    }
+
+    /* Try to connect to all portslow-high until connection is established */
+    for (port = portlow; !connect_ok && port < porthigh; port++) {
+      if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) >= 0) {
+        connect_ok = 1;
+      }
+    }
+
+    if ( !connect_ok ) {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "malware acl condition: f-protd: connection to %s, port %u-%u failed (%s)",
+        inet_ntoa(in), portlow, porthigh, strerror(errno));
+      (void)close(sock);
+      return DEFER;
+    }
+
+    (void)string_format(scanrequest, 1024, CS"GET %s/scan/%s/%s.eml",
+          spool_directory, message_id, message_id);
+
+    while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
+      fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) {
+      if ( par_count ) {
+        Ustrcat(scanrequest, "%20");
+      } else {
+        Ustrcat(scanrequest, "?");
+      }
+      Ustrcat(scanrequest, fp_scan_option);
+      par_count++;
+    }
+    Ustrcat(scanrequest, " HTTP/1.0\r\n\r\n");
+
+    /* send scan request */
+    if (send(sock, &scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
+      (void)close(sock);
+      log_write(0, LOG_MAIN|LOG_PANIC,
+        "malware acl condition: f-protd: unable to send command to socket (%s)", scanrequest);
+      return DEFER;
+    }
+
+    /* We get a lot of empty lines, so we need this hack to check for any data at all */
+    while( recv(sock, buf, 1, MSG_PEEK) > 0 ) {
+      if ( recv_line(sock, buf, 32768) > 0) {
+        if ( Ustrstr(buf, US"<detected type=\"") != NULL ) {
+          detected = 1;
+        } else if ( detected && (strhelper = Ustrstr(buf, US"<name>")) ) {
+          if (strhelper2 = (Ustrstr(buf, US"</name>"))) {
+            *strhelper2 = '\0';
+            Ustrcpy(malware_name_buffer, strhelper + 6);
+          }
+        } else if ( Ustrstr(buf, US"<summary code=\"") ) {
+          if ( Ustrstr(buf, US"<summary code=\"11\">") ) {
+            malware_name = malware_name_buffer;
+          } else {
+            malware_name = NULL;
+          }
+        }
+      }
+    }
+    (void)close(sock);
+  }
   /* "drweb" scanner type ----------------------------------------------- */
   /* v0.1 - added support for tcp sockets          */
   /* v0.0 - initial release -- support for unix sockets      */
-  if (strcmpic(scanner_name,US"drweb") == 0) {
+  else if (strcmpic(scanner_name,US"drweb") == 0) {
     uschar *drweb_options;
     uschar drweb_options_buffer[1024];
     uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock";
@@ -189,7 +300,7 @@ int malware(uschar **listptr) {
       }
 
       if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: connection to %s, port %u failed (%s)",
           inet_ntoa(in), port, strerror(errno));
@@ -199,13 +310,13 @@ int malware(uschar **listptr) {
       /* prepare variables */
       drweb_cmd = htonl(DRWEBD_SCAN_CMD);
       drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
-      snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml",
+      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
             spool_directory, message_id, message_id);
 
       /* calc file size */
       drweb_fd = open(CS scanrequest, O_RDONLY);
       if (drweb_fd == -1) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: can't open spool file %s: %s",
           scanrequest, strerror(errno));
@@ -213,8 +324,8 @@ int malware(uschar **listptr) {
       }
       fsize = lseek(drweb_fd, 0, SEEK_END);
       if (fsize == -1) {
-        close(sock);
-        close(drweb_fd);
+        (void)close(sock);
+        (void)close(drweb_fd);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: can't seek spool file %s: %s",
           scanrequest, strerror(errno));
@@ -228,8 +339,8 @@ int malware(uschar **listptr) {
           (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
           (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
           (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) {
-        close(sock);
-        close(drweb_fd);
+        (void)close(sock);
+        (void)close(drweb_fd);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
         return DEFER;
@@ -237,8 +348,8 @@ int malware(uschar **listptr) {
 
       drweb_fbuf = (uschar *) malloc (fsize);
       if (!drweb_fbuf) {
-        close(sock);
-        close(drweb_fd);
+        (void)close(sock);
+        (void)close(drweb_fd);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: unable to allocate memory %u for file (%s)",
           fsize, scanrequest);
@@ -247,25 +358,25 @@ int malware(uschar **listptr) {
 
       result = read (drweb_fd, drweb_fbuf, fsize);
       if (result == -1) {
-        close(sock);
-        close(drweb_fd);
+        (void)close(sock);
+        (void)close(drweb_fd);
         free(drweb_fbuf);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: can't read spool file %s: %s",
           scanrequest, strerror(errno));
         return DEFER;
       }
-      close(drweb_fd);
+      (void)close(drweb_fd);
 
       /* send file body to socket */
       if (send(sock, drweb_fbuf, fsize, 0) < 0) {
-        close(sock);
+        (void)close(sock);
         free(drweb_fbuf);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options);
         return DEFER;
       }
-      close(drweb_fd);
+      (void)close(drweb_fd);
     }
     else {
       /* open the drwebd UNIX socket */
@@ -278,7 +389,7 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, drweb_options);
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno);
         return DEFER;
@@ -287,7 +398,7 @@ int malware(uschar **listptr) {
       /* prepare variables */
       drweb_cmd = htonl(DRWEBD_SCAN_CMD);
       drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
-      snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
+      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
       drweb_slen = htonl(Ustrlen(scanrequest));
 
       /* send scan request */
@@ -296,7 +407,7 @@ int malware(uschar **listptr) {
           (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
           (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) ||
           (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
         return DEFER;
@@ -305,7 +416,7 @@ int malware(uschar **listptr) {
 
     /* wait for result */
     if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) {
-      close(sock);
+      (void)close(sock);
       log_write(0, LOG_MAIN|LOG_PANIC,
         "malware acl condition: drweb: unable to read return code");
       return DEFER;
@@ -313,7 +424,7 @@ int malware(uschar **listptr) {
     drweb_rc = ntohl(drweb_rc);
 
     if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) {
-      close(sock);
+      (void)close(sock);
       log_write(0, LOG_MAIN|LOG_PANIC,
         "malware acl condition: drweb: unable to read the number of viruses");
       return DEFER;
@@ -336,7 +447,7 @@ int malware(uschar **listptr) {
       {
         /* read the size of report */
         if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen))) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: cannot read report size");
           return DEFER;
@@ -345,7 +456,7 @@ int malware(uschar **listptr) {
 
         /* read report body */
         if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
             "malware acl condition: drweb: cannot read report string");
           return DEFER;
@@ -393,13 +504,13 @@ int malware(uschar **listptr) {
       if (drweb_s) {
         log_write(0, LOG_MAIN|LOG_PANIC,
           "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s);
-        close(sock);
+        (void)close(sock);
         return DEFER;
       }
       /* no virus found */
       malware_name = NULL;
     };
-    close(sock);
+    (void)close(sock);
   }
   /* ----------------------------------------------------------------------- */
     else if (strcmpic(scanner_name,US"aveserver") == 0) {
@@ -409,6 +520,7 @@ int malware(uschar **listptr) {
       uschar buf[32768];
       struct sockaddr_un server;
       int sock;
+      int result;
 
       if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
                                            kav_options_buffer,
@@ -427,7 +539,7 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, kav_options);
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno);
         return DEFER;
@@ -438,37 +550,70 @@ int malware(uschar **listptr) {
 
       if (buf[0] != '2') {
         /* aveserver is having problems */
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") );
         return DEFER;
       };
 
       /* prepare our command */
-      snprintf(CS buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id);
+      (void)string_format(buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id);
 
       /* and send it */
       if (send(sock, buf, Ustrlen(buf), 0) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options);
         return DEFER;
       }
 
       malware_name = NULL;
+      result = 0;
       /* read response lines, find malware name and final response */
       while (recv_line(sock, buf, 32768) > 0) {
         debug_printf("aveserver: %s\n", buf);
-        if (buf[0] == '2') break;
-        if (Ustrncmp(buf,"322",3) == 0) {
+        if (buf[0] == '2') {
+    break;
+  } else if (buf[0] == '5') {
+          /* aveserver is having problems */
+          log_write(0, LOG_MAIN|LOG_PANIC,
+             "malware acl condition: unable to scan file %s/scan/%s/%s.eml (Responded: %s).",
+       spool_directory, message_id, message_id, buf);
+          result = DEFER;
+    break;
+  } else if (Ustrncmp(buf,"322",3) == 0) {
           uschar *p = Ustrchr(&buf[4],' ');
           *p = '\0';
           Ustrcpy(malware_name_buffer,&buf[4]);
           malware_name = malware_name_buffer;
-        };
+  };
       }
 
-      close(sock);
+      /* prepare our command */
+      (void)string_format(buf, 32768, "quit\r\n");
+
+      /* and send it */
+      if (send(sock, buf, Ustrlen(buf), 0) < 0) {
+        (void)close(sock);
+        log_write(0, LOG_MAIN|LOG_PANIC,
+             "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options);
+        return DEFER;
+      }
+
+      /* read aveserver's greeting and see if it is ready (2xx greeting) */
+      recv_line(sock, buf, 32768);
+
+      if (buf[0] != '2') {
+        /* aveserver is having problems */
+        (void)close(sock);
+        log_write(0, LOG_MAIN|LOG_PANIC,
+             "malware acl condition: unable to quit aveserver dialogue (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") );
+        return DEFER;
+      };
+
+      (void)close(sock);
+
+      if (result == DEFER) return DEFER;
     }
     /* "fsecure" scanner type ------------------------------------------------- */
     else if (strcmpic(scanner_name,US"fsecure") == 0) {
@@ -504,7 +649,7 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, fsecure_options);
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
                   "malware acl condition: unable to connect to fsecure socket %s (%s)",
                   fsecure_options, strerror(errno));
@@ -516,17 +661,17 @@ int malware(uschar **listptr) {
       for (i=0; i != 4; i++) {
         /* debug_printf("send option \"%s\"",cmdoptions[i]); */
         if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
                     "malware acl condition: unable to write fsecure option %d to %s (%s)",
                     i, fsecure_options, strerror(errno));
           return DEFER;
         };
 
-        bread = read(sock, av_buffer, sizeof(av_buffer));
+        bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
         if (bread >0) av_buffer[bread]='\0';
         if (bread < 0) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
                     "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno));
           return DEFER;
@@ -537,10 +682,10 @@ int malware(uschar **listptr) {
       };
 
       /* pass the mailfile to fsecure */
-      snprintf(CS file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id);
+      (void)string_format(file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id);
       /* debug_printf("send scan %s",file_name); */
       if (write(sock, file_name, Ustrlen(file_name)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
                   "malware acl condition: unable to write fsecure scan to %s (%s)",
                   fsecure_options, strerror(errno));
@@ -557,9 +702,9 @@ int malware(uschar **listptr) {
         i = 0;
         memset(av_buffer, 0, sizeof(av_buffer));
         do {
-          bread=read(sock, &av_buffer[i], 1);
+          bread=ip_recv(sock, &av_buffer[i], 1, MALWARE_TIMEOUT);
           if (bread < 0) {
-            close(sock);
+            (void)close(sock);
             log_write(0, LOG_MAIN|LOG_PANIC,
                       "malware acl condition: unable to read fsecure result (%s)", strerror(errno));
             return DEFER;
@@ -582,7 +727,7 @@ int malware(uschar **listptr) {
         };
       }
       while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL);
-      close(sock);
+      (void)close(sock);
     }
     /* ----------------------------------------------------------------------- */
 
@@ -618,7 +763,7 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, kav_options);
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno);
         return DEFER;
@@ -627,11 +772,11 @@ int malware(uschar **listptr) {
       /* get current date and time, build scan request */
       time(&t);
       strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t));
-      snprintf(CS scanrequest, 1024,CS tmpbuf, spool_directory, message_id);
+      (void)string_format(scanrequest, 1024,CS tmpbuf, spool_directory, message_id);
 
       /* send scan request */
       if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options);
         return DEFER;
@@ -639,7 +784,7 @@ int malware(uschar **listptr) {
 
       /* wait for result */
       if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to read 2 bytes from kavdaemon socket.");
         return DEFER;
@@ -655,21 +800,21 @@ int malware(uschar **listptr) {
 
       /* improper kavdaemon configuration */
       if ( (kav_rc == 5) || (kav_rc == 6) ) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files.");
         return DEFER;
       };
 
       if (kav_rc == 1) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: kavdaemon reported 'scanning not completed' (code 1).");
         return DEFER;
       };
 
       if (kav_rc == 7) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7).");
         return DEFER;
@@ -697,7 +842,7 @@ int malware(uschar **listptr) {
         if( report_flag == 1 ) {
           /* read report size */
           if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) {
-            close(sock);
+            (void)close(sock);
             log_write(0, LOG_MAIN|LOG_PANIC,
                   "malware acl condition: cannot read report size from kavdaemon");
             return DEFER;
@@ -747,7 +892,7 @@ int malware(uschar **listptr) {
         malware_name = NULL;
       };
 
-      close(sock);
+      (void)close(sock);
     }
     /* ----------------------------------------------------------------------- */
 
@@ -820,8 +965,8 @@ int malware(uschar **listptr) {
       };
 
       /* prepare scanner call */
-      snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id);
-      snprintf(CS commandline,1024, CS cmdline_scanner,file_name);
+      (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
+      (void)string_format(commandline,1024, CS cmdline_scanner,file_name);
       /* redirect STDERR too */
       Ustrcat(commandline," 2>&1");
 
@@ -838,8 +983,8 @@ int malware(uschar **listptr) {
         return DEFER;
       };
 
-      snprintf(CS file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id);
-      scanner_record = fopen(CS file_name,"w");
+      (void)string_format(file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id);
+      scanner_record = modefopen(file_name,"wb",SPOOL_MODE);
 
       if (scanner_record == NULL) {
         log_write(0, LOG_MAIN|LOG_PANIC,
@@ -866,7 +1011,7 @@ int malware(uschar **listptr) {
           trigger = 1;
       };
 
-      fclose(scanner_record);
+      (void)fclose(scanner_record);
       pclose(scanner_out);
       signal(SIGCHLD,eximsigchld);
       signal(SIGPIPE,eximsigpipe);
@@ -877,7 +1022,7 @@ int malware(uschar **listptr) {
         malware_name = malware_name_buffer;
 
         /* re-open the scanner output file, look for name match */
-        scanner_record = fopen(CS file_name,"r");
+        scanner_record = fopen(CS file_name,"rb");
         while(fgets(CS linebuffer,32767,scanner_record) != NULL) {
           /* try match */
           result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30);
@@ -885,7 +1030,7 @@ int malware(uschar **listptr) {
             pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255);
           };
         };
-        fclose(scanner_record);
+        (void)fclose(scanner_record);
       }
       else {
         /* no virus found */
@@ -923,33 +1068,33 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, sophie_options);
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno);
         return DEFER;
       }
 
       /* pass the scan directory to sophie */
-      snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id);
+      (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
       if (write(sock, file_name, Ustrlen(file_name)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options);
         return DEFER;
       };
 
-      write(sock, "\n", 1);
+      (void)write(sock, "\n", 1);
 
       /* wait for result */
       memset(av_buffer, 0, sizeof(av_buffer));
-      if ((!(bread = read(sock, av_buffer, sizeof(av_buffer))) > 0)) {
-        close(sock);
+      if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) {
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options);
         return DEFER;
       };
 
-      close(sock);
+      (void)close(sock);
 
       /* infected ? */
       if (av_buffer[0] == '1') {
@@ -1034,7 +1179,7 @@ int malware(uschar **listptr) {
         }
 
         if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
                     "malware acl condition: clamd: connection to %s, port %u failed (%s)",
                     inet_ntoa(in), port, strerror(errno));
@@ -1045,10 +1190,10 @@ int malware(uschar **listptr) {
 
       /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
 
-          snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
+          (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
 
           if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
-            close(sock);
+            (void)close(sock);
             log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
                   strerror(errno));
             return DEFER;
@@ -1058,13 +1203,13 @@ int malware(uschar **listptr) {
       /* Pass the string to ClamAV (7 = "STREAM\n") */
 
           if (send(sock, "STREAM\n", 7, 0) < 0) {
-            close(sock);
+            (void)close(sock);
             log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
                   strerror(errno));
             return DEFER;
           }
           memset(av_buffer2, 0, sizeof(av_buffer2));
-          bread = read(sock, av_buffer2, sizeof(av_buffer2));
+          bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);
 
           if (bread < 0) {
             log_write(0, LOG_MAIN|LOG_PANIC,
@@ -1100,14 +1245,14 @@ int malware(uschar **listptr) {
           }
 
           if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
-            close(sockData);
+            (void)close(sockData);
             log_write(0, LOG_MAIN|LOG_PANIC,
                     "malware acl condition: clamd: connection to %s, port %u failed (%s)",
                     inet_ntoa(in), port, strerror(errno));
             return DEFER;
           }
 
-    snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml",
+      (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
       spool_directory, message_id, message_id);
 
     /* calc file size */
@@ -1129,8 +1274,8 @@ int malware(uschar **listptr) {
 
     clamav_fbuf = (uschar *) malloc (fsize);
     if (!clamav_fbuf) {
-      close(sockData);
-      close(clam_fd);
+      (void)close(sockData);
+      (void)close(clam_fd);
       log_write(0, LOG_MAIN|LOG_PANIC,
         "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
         fsize, scanrequest);
@@ -1139,26 +1284,26 @@ int malware(uschar **listptr) {
 
     result = read (clam_fd, clamav_fbuf, fsize);
     if (result == -1) {
-      close(sockData);
-      close(clam_fd);
+      (void)close(sockData);
+      (void)close(clam_fd);
       free(clamav_fbuf);
       log_write(0, LOG_MAIN|LOG_PANIC,
         "malware acl condition: clamd: can't read spool file %s: %s",
         scanrequest, strerror(errno));
       return DEFER;
     }
-    close(clam_fd);
+    (void)close(clam_fd);
 
     /* send file body to socket */
     if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
-      close(sockData);
+      (void)close(sockData);
       free(clamav_fbuf);
       log_write(0, LOG_MAIN|LOG_PANIC,
         "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
       return DEFER;
     }
     free(clamav_fbuf);
-          close(sockData);
+          (void)close(sockData);
         }
       }
       else {
@@ -1174,7 +1319,7 @@ int malware(uschar **listptr) {
         Ustrcpy(server.sun_path, clamd_options);
 
         if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-          close(sock);
+          (void)close(sock);
           log_write(0, LOG_MAIN|LOG_PANIC,
                     "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
                     clamd_options, strerror(errno) );
@@ -1184,10 +1329,10 @@ int malware(uschar **listptr) {
 
       /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
 
-      snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
+      (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
 
       if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
                   strerror(errno));
         return DEFER;
@@ -1204,8 +1349,8 @@ int malware(uschar **listptr) {
 
       /* Read the result */
       memset(av_buffer, 0, sizeof(av_buffer));
-      bread = read(sock, av_buffer, sizeof(av_buffer));
-      close(sock);
+      bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
+      (void)close(sock);
 
       if (!(bread  > 0)) {
         log_write(0, LOG_MAIN|LOG_PANIC,
@@ -1231,6 +1376,10 @@ int malware(uschar **listptr) {
         return DEFER;
       }
 
+      /* strip newline at the end */
+      p = av_buffer + Ustrlen(av_buffer) - 1;
+      if( *p == '\n' ) *p = '\0';
+
       /* colon in returned output? */
       if((p = Ustrrchr(av_buffer,':')) == NULL) {
         log_write(0, LOG_MAIN|LOG_PANIC,
@@ -1239,13 +1388,10 @@ int malware(uschar **listptr) {
         return DEFER;
       }
 
-      /* strip filename strip CR at the end */
+      /* strip filename */
       ++p;
       while (*p == ' ') ++p;
       vname = p;
-      p = vname + Ustrlen(vname) - 1;
-      if( *p == '\n' ) *p = '\0';
-
       if ((p = Ustrstr(vname, "FOUND"))!=NULL) {
            *p=0;
            for (--p;p>vname && *p<=32;p--) *p=0;
@@ -1305,7 +1451,7 @@ int malware(uschar **listptr) {
       server.sun_family = AF_UNIX;
       Ustrcpy(server.sun_path, "/var/run/mksd/socket");
       if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
-        close(sock);
+        (void)close(sock);
         log_write(0, LOG_MAIN|LOG_PANIC,
              "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno);
         return DEFER;