* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for reading spool files. When compiling for a utility (eximon),
overwriting some other file descriptor with the value of this one), open it
with append.
+As called by deliver_message() (at least) we are operating as root.
+
Argument: the id of the message
-Returns: TRUE if file successfully opened and locked
+Returns: fd if file successfully opened and locked, else -1
-Side effect: deliver_datafile is set to the fd of the open file.
+Side effect: message_subdir is set for the (possibly split) spool directory
*/
-BOOL
+int
spool_open_datafile(uschar *id)
{
-int i;
struct stat statbuf;
flock_t lock_data;
-uschar spoolname[256];
+int fd;
/* If split_spool_directory is set, first look for the file in the appropriate
sub-directory of the input directory. If it is not found there, try the input
not found there, try the split sub-directory, in case it is left over from a
splitting state. */
-for (i = 0; i < 2; i++)
+for (int i = 0; i < 2; i++)
{
+ uschar * fname;
int save_errno;
- message_subdir[0] = (split_spool_directory == (i == 0))? id[5] : 0;
- sprintf(CS spoolname, "%s/input/%s/%s-D", spool_directory, message_subdir, id);
- deliver_datafile = Uopen(spoolname, O_RDWR | O_APPEND, 0);
- if (deliver_datafile >= 0) break;
+
+ set_subdir_str(message_subdir, id, i);
+ fname = spool_fname(US"input", message_subdir, id, US"-D");
+ DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
+
+ /* We protect against symlink attacks both in not propagating the
+ * file-descriptor to other processes as we exec, and also ensuring that we
+ * don't even open symlinks.
+ * No -D file inside the spool area should be a symlink.
+ */
+ if ((fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+#ifdef O_NOFOLLOW
+ O_NOFOLLOW |
+#endif
+ O_RDWR | O_APPEND, 0)) >= 0)
+ break;
save_errno = errno;
if (errno == ENOENT)
{
if (i == 0) continue;
- if (!queue_running)
- log_write(0, LOG_MAIN, "Spool file %s-D not found", id);
+ if (!f.queue_running)
+ log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
+ *queue_name ? US" Q=" : US"",
+ *queue_name ? queue_name : US"",
+ id);
}
- else log_write(0, LOG_MAIN, "Spool error for %s: %s", spoolname,
- strerror(errno));
+ else
+ log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
errno = save_errno;
- return FALSE;
+ return -1;
}
/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
Unix systems it doesn't make any difference as long as Exim is consistent in
what it locks. */
-(void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
- FD_CLOEXEC);
+#ifndef O_CLOEXEC
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
lock_data.l_type = F_WRLCK;
lock_data.l_whence = SEEK_SET;
lock_data.l_start = 0;
lock_data.l_len = SPOOL_DATA_START_OFFSET;
-if (fcntl(deliver_datafile, F_SETLK, &lock_data) < 0)
+if (fcntl(fd, F_SETLK, &lock_data) < 0)
{
log_write(L_skip_delivery,
LOG_MAIN,
"Spool file is locked (another process is handling this message)");
- (void)close(deliver_datafile);
- deliver_datafile = -1;
+ (void)close(fd);
errno = 0;
- return FALSE;
+ return -1;
}
/* Get the size of the data; don't include the leading filename line
in the count, but add one for the newline before the data. */
-if (fstat(deliver_datafile, &statbuf) == 0)
+if (fstat(fd, &statbuf) == 0)
{
message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
message_size = message_body_size + 1;
}
-return TRUE;
+return fd;
}
#endif /* COMPILE_UTILITY */
if (n < 5) return FALSE; /* malformed line */
buffer[n-1] = 0; /* Remove \n */
-node = store_get(sizeof(tree_node) + n - 3);
+node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
*connect = node;
Ustrcpy(node->name, buffer + 3);
node->data.ptr = NULL;
-/*************************************************
-* Read spool header file *
-*************************************************/
-
-/* This function reads a spool header file and places the data into the
-appropriate global variables. The header portion is always read, but header
-structures are built only if read_headers is set true. It isn't, for example,
-while generating -bp output.
-
-It may be possible for blocks of nulls (binary zeroes) to get written on the
-end of a file if there is a system crash during writing. It was observed on an
-earlier version of Exim that omitted to fsync() the files - this is thought to
-have been the cause of that incident, but in any case, this code must be robust
-against such an event, and if such a file is encountered, it must be treated as
-malformed.
-
-Arguments:
- name name of the header file, including the -H
- read_headers TRUE if in-store header structures are to be built
- subdir_set TRUE is message_subdir is already set
-
-Returns: spool_read_OK success
- spool_read_notopen open failed
- spool_read_enverror error in the envelope portion
- spool_read_hdrdrror error in the header portion
-*/
-
-int
-spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
-{
-FILE *f = NULL;
-int n;
-int rcount = 0;
-long int uid, gid;
-BOOL inheader = FALSE;
-uschar *p;
-
/* Reset all the global variables to their default values. However, there is
one exception. DO NOT change the default value of dont_deliver, because it may
be forced by an external setting. */
+void
+spool_clear_header_globals(void)
+{
acl_var_c = acl_var_m = NULL;
authenticated_id = NULL;
authenticated_sender = NULL;
-allow_unqualified_recipient = FALSE;
-allow_unqualified_sender = FALSE;
+f.allow_unqualified_recipient = FALSE;
+f.allow_unqualified_sender = FALSE;
body_linecount = 0;
body_zerocount = 0;
-deliver_firsttime = FALSE;
-deliver_freeze = FALSE;
+f.deliver_firsttime = FALSE;
+f.deliver_freeze = FALSE;
deliver_frozen_at = 0;
-deliver_manual_thaw = FALSE;
-/* dont_deliver must NOT be reset */
+f.deliver_manual_thaw = FALSE;
+/* f.dont_deliver must NOT be reset */
header_list = header_last = NULL;
host_lookup_deferred = FALSE;
host_lookup_failed = FALSE;
interface_address = NULL;
interface_port = 0;
-local_error_message = FALSE;
+f.local_error_message = FALSE;
+#ifdef HAVE_LOCAL_SCAN
local_scan_data = NULL;
+#endif
max_received_linelength = 0;
message_linecount = 0;
received_protocol = NULL;
sender_host_port = 0;
sender_host_authenticated = NULL;
sender_ident = NULL;
-sender_local = FALSE;
-sender_set_untrusted = FALSE;
+f.sender_local = FALSE;
+f.sender_set_untrusted = FALSE;
smtp_active_hostname = primary_hostname;
+#ifndef COMPILE_UTILITY
+f.spool_file_wireformat = FALSE;
+#endif
tree_nonrecipients = NULL;
#ifdef EXPERIMENTAL_BRIGHTMAIL
#ifndef DISABLE_DKIM
dkim_signers = NULL;
-dkim_disable_verify = FALSE;
-dkim_collect_input = FALSE;
+f.dkim_disable_verify = FALSE;
+dkim_collect_input = 0;
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_in.certificate_verified = FALSE;
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
# endif
tls_in.cipher = NULL;
#endif
#ifdef WITH_CONTENT_SCAN
+spam_bar = NULL;
+spam_score = NULL;
spam_score_int = NULL;
#endif
-#if defined(EXPERIMENTAL_INTERNATIONAL) && !defined(COMPILE_UTILITY)
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
message_smtputf8 = FALSE;
message_utf8_downconvert = 0;
#endif
dsn_ret = 0;
dsn_envid = NULL;
+}
+
+
+/*************************************************
+* Read spool header file *
+*************************************************/
+
+/* This function reads a spool header file and places the data into the
+appropriate global variables. The header portion is always read, but header
+structures are built only if read_headers is set true. It isn't, for example,
+while generating -bp output.
+
+It may be possible for blocks of nulls (binary zeroes) to get written on the
+end of a file if there is a system crash during writing. It was observed on an
+earlier version of Exim that omitted to fsync() the files - this is thought to
+have been the cause of that incident, but in any case, this code must be robust
+against such an event, and if such a file is encountered, it must be treated as
+malformed.
+
+As called from deliver_message() (at least) we are running as root.
+
+Arguments:
+ name name of the header file, including the -H
+ read_headers TRUE if in-store header structures are to be built
+ subdir_set TRUE is message_subdir is already set
+
+Returns: spool_read_OK success
+ spool_read_notopen open failed
+ spool_read_enverror error in the envelope portion
+ spool_read_hdrerror error in the header portion
+*/
+
+int
+spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
+{
+FILE * fp = NULL;
+int n;
+int rcount = 0;
+long int uid, gid;
+BOOL inheader = FALSE;
+
+/* Reset all the global variables to their default values. However, there is
+one exception. DO NOT change the default value of dont_deliver, because it may
+be forced by an external setting. */
+
+spool_clear_header_globals();
/* Generate the full name and open the file. If message_subdir is already
set, just look in the given directory. Otherwise, look in both the split
and unsplit directories, as for the data file above. */
-for (n = 0; n < 2; n++)
+for (int n = 0; n < 2; n++)
{
if (!subdir_set)
- message_subdir[0] = (split_spool_directory == (n == 0))? name[5] : 0;
- sprintf(CS big_buffer, "%s/input/%s/%s", spool_directory, message_subdir,
- name);
- f = Ufopen(big_buffer, "rb");
- if (f != NULL) break;
- if (n != 0 || subdir_set || errno != ENOENT) return spool_read_notopen;
+ set_subdir_str(message_subdir, name, n);
+
+ if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
+ break;
+ if (n != 0 || subdir_set || errno != ENOENT)
+ return spool_read_notopen;
}
errno = 0;
/* The first line of a spool file contains the message id followed by -H (i.e.
the file name), in order to make the file self-identifying. */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
goto SPOOL_FORMAT_ERROR;
sender, enclosed in <>. The third contains the time the message was received,
and the number of warning messages for delivery delays that have been sent. */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
-p = big_buffer + Ustrlen(big_buffer);
+{
+uschar *p = big_buffer + Ustrlen(big_buffer);
while (p > big_buffer && isspace(p[-1])) p--;
*p = 0;
if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
uid = Uatoi(p);
if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
*p = 0;
+}
originator_login = string_copy(big_buffer);
originator_uid = (uid_t)uid;
originator_gid = (gid_t)gid;
/* envelope from */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
n = Ustrlen(big_buffer);
if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
goto SPOOL_FORMAT_ERROR;
-sender_address = store_get(n-2);
+sender_address = store_get(n-2, TRUE); /* tainted */
Ustrncpy(sender_address, big_buffer+1, n-3);
sender_address[n-3] = 0;
/* time */
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
-if (sscanf(CS big_buffer, "%d %d", &received_time, &warning_count) != 2)
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
goto SPOOL_FORMAT_ERROR;
+received_time.tv_usec = 0;
-message_age = time(NULL) - received_time;
+message_age = time(NULL) - received_time.tv_sec;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
To allow new versions of Exim that add additional flags to interwork with older
versions that do not understand them, just ignore any lines starting with "-"
that we don't recognize. Otherwise it wouldn't be possible to back off a new
-version that left new-style flags written on the spool. */
+version that left new-style flags written on the spool.
+
+If the line starts with "--" the content of the variable is tainted. */
-p = big_buffer + 2;
for (;;)
{
int len;
- if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+ BOOL tainted;
+ uschar * var;
+ const uschar * p;
+
+ if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
if (big_buffer[0] != '-') break;
while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
&& big_buffer[len-1] != '\n'
{ /* buffer not big enough for line; certs make this possible */
uschar * buf;
if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
- buf = store_get_perm(big_buffer_size *= 2);
+ buf = store_get_perm(big_buffer_size *= 2, FALSE);
memcpy(buf, big_buffer, --len);
big_buffer = buf;
- if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
+ if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
goto SPOOL_READ_ERROR;
}
big_buffer[len-1] = 0;
- switch(big_buffer[1])
+ tainted = big_buffer[1] == '-';
+ var = big_buffer + (tainted ? 2 : 1);
+ p = var + 1;
+
+ switch(*var)
{
case 'a':
uschar *name, *endptr;
int count;
tree_node *node;
- endptr = Ustrchr(big_buffer + 6, ' ');
+ endptr = Ustrchr(var + 5, ' ');
if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
- name = string_sprintf("%c%.*s", big_buffer[4], endptr - big_buffer - 6,
- big_buffer + 6);
+ name = string_sprintf("%c%.*s", var[3],
+ (int)(endptr - var - 5), var + 5);
if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
node = acl_var_create(name);
- node->data.ptr = store_get(count + 1);
- if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
+ node->data.ptr = store_get(count + 1, tainted);
+ if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
((uschar*)node->data.ptr)[count] = 0;
}
else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
- allow_unqualified_recipient = TRUE;
+ f.allow_unqualified_recipient = TRUE;
else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
- allow_unqualified_sender = TRUE;
+ f.allow_unqualified_sender = TRUE;
else if (Ustrncmp(p, "uth_id", 6) == 0)
- authenticated_id = string_copy(big_buffer + 9);
+ authenticated_id = string_copy_taint(var + 8, tainted);
else if (Ustrncmp(p, "uth_sender", 10) == 0)
- authenticated_sender = string_copy(big_buffer + 13);
+ authenticated_sender = string_copy_taint(var + 12, tainted);
else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
- smtp_active_hostname = string_copy(big_buffer + 17);
+ smtp_active_hostname = string_copy_taint(var + 16, tainted);
/* For long-term backward compatibility, we recognize "-acl", which was
used before the number of ACL variables changed from 10 to 20. This was
else if (Ustrncmp(p, "cl ", 3) == 0)
{
- int index, count;
- uschar name[20]; /* Need plenty of space for %d format */
- tree_node *node;
- if (sscanf(CS big_buffer + 5, "%d %d", &index, &count) != 2)
+ unsigned index, count;
+ uschar name[20]; /* Need plenty of space for %u format */
+ tree_node * node;
+ if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
+ || index >= 20
+ || count > 16384 /* arbitrary limit on variable size */
+ )
goto SPOOL_FORMAT_ERROR;
if (index < 10)
- (void) string_format(name, sizeof(name), "%c%d", 'c', index);
- else if (index < 20) /* ignore out-of-range index */
- (void) string_format(name, sizeof(name), "%c%d", 'm', index - 10);
+ (void) string_format(name, sizeof(name), "%c%u", 'c', index);
+ else
+ (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
node = acl_var_create(name);
- node->data.ptr = store_get(count + 1);
- if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
- ((uschar*)node->data.ptr)[count] = 0;
+ node->data.ptr = store_get(count + 1, tainted);
+ /* We sanity-checked the count, so disable the Coverity error */
+ /* coverity[tainted_data] */
+ if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
+ (US node->data.ptr)[count] = '\0';
}
break;
case 'b':
if (Ustrncmp(p, "ody_linecount", 13) == 0)
- body_linecount = Uatoi(big_buffer + 15);
+ body_linecount = Uatoi(var + 14);
else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
- body_zerocount = Uatoi(big_buffer + 15);
+ body_zerocount = Uatoi(var + 14);
#ifdef EXPERIMENTAL_BRIGHTMAIL
else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
- bmi_verdicts = string_copy(big_buffer + 14);
+ bmi_verdicts = string_copy_taint(var + 13, tainted);
#endif
break;
case 'd':
if (Ustrcmp(p, "eliver_firsttime") == 0)
- deliver_firsttime = TRUE;
+ f.deliver_firsttime = TRUE;
/* Check if the dsn flags have been set in the header file */
else if (Ustrncmp(p, "sn_ret", 6) == 0)
- dsn_ret= atoi(CS big_buffer + 8);
+ dsn_ret= atoi(CS var + 7);
else if (Ustrncmp(p, "sn_envid", 8) == 0)
- dsn_envid = string_copy(big_buffer + 11);
+ dsn_envid = string_copy_taint(var + 10, tainted);
break;
case 'f':
if (Ustrncmp(p, "rozen", 5) == 0)
{
- deliver_freeze = TRUE;
- sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at);
+ f.deliver_freeze = TRUE;
+ if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
+ goto SPOOL_READ_ERROR;
}
break;
else if (Ustrcmp(p, "ost_lookup_failed") == 0)
host_lookup_failed = TRUE;
else if (Ustrncmp(p, "ost_auth", 8) == 0)
- sender_host_authenticated = string_copy(big_buffer + 11);
+ sender_host_authenticated = string_copy_taint(var + 10, tainted);
else if (Ustrncmp(p, "ost_name", 8) == 0)
- sender_host_name = string_copy(big_buffer + 11);
+ sender_host_name = string_copy_taint(var + 10, tainted);
else if (Ustrncmp(p, "elo_name", 8) == 0)
- sender_helo_name = string_copy(big_buffer + 11);
+ sender_helo_name = string_copy_taint(var + 10, tainted);
/* We now record the port number after the address, separated by a
dot. For compatibility during upgrading, do nothing if there
else if (Ustrncmp(p, "ost_address", 11) == 0)
{
- sender_host_port = host_address_extract_port(big_buffer + 14);
- sender_host_address = string_copy(big_buffer + 14);
+ sender_host_port = host_address_extract_port(var + 13);
+ sender_host_address = string_copy_taint(var + 13, tainted);
}
break;
case 'i':
if (Ustrncmp(p, "nterface_address", 16) == 0)
{
- interface_port = host_address_extract_port(big_buffer + 19);
- interface_address = string_copy(big_buffer + 19);
+ interface_port = host_address_extract_port(var + 18);
+ interface_address = string_copy_taint(var + 18, tainted);
}
else if (Ustrncmp(p, "dent", 4) == 0)
- sender_ident = string_copy(big_buffer + 7);
+ sender_ident = string_copy_taint(var + 6, tainted);
break;
case 'l':
- if (Ustrcmp(p, "ocal") == 0) sender_local = TRUE;
- else if (Ustrcmp(big_buffer, "-localerror") == 0)
- local_error_message = TRUE;
+ if (Ustrcmp(p, "ocal") == 0)
+ f.sender_local = TRUE;
+ else if (Ustrcmp(var, "localerror") == 0)
+ f.local_error_message = TRUE;
+#ifdef HAVE_LOCAL_SCAN
else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
- local_scan_data = string_copy(big_buffer + 12);
+ local_scan_data = string_copy_taint(var + 11, tainted);
+#endif
break;
case 'm':
- if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
+ if (Ustrcmp(p, "anual_thaw") == 0)
+ f.deliver_manual_thaw = TRUE;
else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
- max_received_linelength = Uatoi(big_buffer + 24);
+ max_received_linelength = Uatoi(var + 23);
break;
case 'N':
- if (*p == 0) dont_deliver = TRUE; /* -N */
+ if (*p == 0) f.dont_deliver = TRUE; /* -N */
break;
case 'r':
if (Ustrncmp(p, "eceived_protocol", 16) == 0)
- received_protocol = string_copy(big_buffer + 19);
+ received_protocol = string_copy_taint(var + 18, tainted);
+ else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
+ {
+ unsigned usec;
+ if (sscanf(CS var + 20, "%u", &usec) == 1)
+ received_time.tv_usec = usec;
+ }
break;
case 's':
if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
- sender_set_untrusted = TRUE;
+ f.sender_set_untrusted = TRUE;
#ifdef WITH_CONTENT_SCAN
+ else if (Ustrncmp(p, "pam_bar ", 8) == 0)
+ spam_bar = string_copy_taint(var + 9, tainted);
+ else if (Ustrncmp(p, "pam_score ", 10) == 0)
+ spam_score = string_copy_taint(var + 11, tainted);
else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
- spam_score_int = string_copy(big_buffer + 16);
+ spam_score_int = string_copy_taint(var + 15, tainted);
+#endif
+#ifndef COMPILE_UTILITY
+ else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
+ f.spool_file_wireformat = TRUE;
#endif
-#if defined(EXPERIMENTAL_INTERNATIONAL) && !defined(COMPILE_UTILITY)
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
else if (Ustrncmp(p, "mtputf8", 7) == 0)
message_smtputf8 = TRUE;
#endif
break;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case 't':
- if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
- tls_in.certificate_verified = TRUE;
- else if (Ustrncmp(p, "ls_cipher", 9) == 0)
- tls_in.cipher = string_copy(big_buffer + 12);
+ if (Ustrncmp(p, "ls_", 3) == 0)
+ {
+ const uschar * q = p + 3;
+ if (Ustrncmp(q, "certificate_verified", 20) == 0)
+ tls_in.certificate_verified = TRUE;
+ else if (Ustrncmp(q, "cipher", 6) == 0)
+ tls_in.cipher = string_copy_taint(var + 11, tainted);
# ifndef COMPILE_UTILITY /* tls support fns not built in */
- else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
- (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
- else if (Ustrncmp(p, "ls_peercert", 11) == 0)
- (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
+ else if (Ustrncmp(q, "ourcert", 7) == 0)
+ (void) tls_import_cert(var + 12, &tls_in.ourcert);
+ else if (Ustrncmp(q, "peercert", 8) == 0)
+ (void) tls_import_cert(var + 13, &tls_in.peercert);
+# endif
+ else if (Ustrncmp(q, "peerdn", 6) == 0)
+ tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted));
+ else if (Ustrncmp(q, "sni", 3) == 0)
+ tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted));
+ else if (Ustrncmp(q, "ocsp", 4) == 0)
+ tls_in.ocsp = var[9] - '0';
+# ifdef EXPERIMENTAL_TLS_RESUME
+ else if (Ustrncmp(q, "resumption", 10) == 0)
+ tls_in.resumption = var[15] - 'A';
# endif
- else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
- tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
- else if (Ustrncmp(p, "ls_sni", 6) == 0)
- tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
- else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
- tls_in.ocsp = big_buffer[10] - '0';
+
+ }
break;
#endif
-#if defined(EXPERIMENTAL_INTERNATIONAL) && !defined(COMPILE_UTILITY)
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
case 'u':
if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
message_utf8_downconvert = 1;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver)
- debug_printf("sender_local=%d ident=%s\n", sender_local,
- (sender_ident == NULL)? US"unset" : sender_ident);
+ debug_printf("sender_local=%d ident=%s\n", f.sender_local,
+ sender_ident ? sender_ident : US"unset");
#endif /* COMPILE_UTILITY */
/* We now have the tree of addresses NOT to deliver to, or a line
containing "XX", indicating no tree. */
if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
- !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
+ !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
goto SPOOL_FORMAT_ERROR;
#ifndef COMPILE_UTILITY
#endif /* COMPILE_UTILITY */
/* After reading the tree, the next line has not yet been read into the
-buffer. It contains the count of recipients which follow on separate lines. */
+buffer. It contains the count of recipients which follow on separate lines.
+Apply an arbitrary sanity check.*/
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
-if (sscanf(CS big_buffer, "%d", &rcount) != 1) goto SPOOL_FORMAT_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
+if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
+ goto SPOOL_FORMAT_ERROR;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
#endif /* COMPILE_UTILITY */
recipients_list_max = rcount;
-recipients_list = store_get(rcount * sizeof(recipient_item));
+recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
+
+/* We sanitised the count and know we have enough memory, so disable
+the Coverity error on recipients_count */
+/* coverity[tainted_data] */
for (recipients_count = 0; recipients_count < rcount; recipients_count++)
{
uschar *errors_to = NULL;
uschar *p;
- if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+ if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
nn = Ustrlen(big_buffer);
if (nn < 2) goto SPOOL_FORMAT_ERROR;
if (*p == ',')
{
int dummy;
+#if !defined (COMPILE_UTILITY)
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n");
+#endif
while (isdigit(*(--p)) || *p == ',');
if (*p == ' ')
{
else if (*p == ' ')
{
+#if !defined (COMPILE_UTILITY)
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n");
+#endif
*p++ = 0;
(void)sscanf(CS p, "%d", &pno);
}
int flags;
#if !defined (COMPILE_UTILITY)
- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n");
#endif
(void)sscanf(CS p+1, "%d", &flags);
if (len > 0)
{
p -= len;
- errors_to = string_copy(p);
- }
+ errors_to = string_copy_taint(p, TRUE);
+ }
}
*(--p) = 0; /* Terminate address */
if (len > 0)
{
p -= len;
- orcpt = string_copy(p);
- }
+ orcpt = string_copy_taint(p, TRUE);
+ }
}
*(--p) = 0; /* Terminate address */
else
{ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
- if ((orcpt != NULL) || (dsn_flags != 0))
- {
- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
+ if (orcpt || dsn_flags)
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
big_buffer, orcpt, dsn_flags);
- }
- if (errors_to != NULL)
- {
- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
+ if (errors_to)
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
big_buffer, errors_to);
- }
#endif
- recipients_list[recipients_count].address = string_copy(big_buffer);
+ recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
recipients_list[recipients_count].pno = pno;
recipients_list[recipients_count].errors_to = errors_to;
recipients_list[recipients_count].orcpt = orcpt;
list if requested to do so. */
inheader = TRUE;
-if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
+if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
-while ((n = fgetc(f)) != EOF)
+while ((n = fgetc(fp)) != EOF)
{
header_line *h;
uschar flag[4];
int i;
if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
- if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
+ if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
goto SPOOL_READ_ERROR;
if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
if (read_headers)
{
- h = store_get(sizeof(header_line));
+ h = store_get(sizeof(header_line), FALSE);
h->next = NULL;
h->type = flag[0];
h->slen = n;
- h->text = store_get(n+1);
+ h->text = store_get(n+1, TRUE); /* tainted */
if (h->type == htype_received) received_count++;
- if (header_list == NULL) header_list = h;
- else header_last->next = h;
+ if (header_list) header_last->next = h;
+ else header_list = h;
header_last = h;
for (i = 0; i < n; i++)
{
- int c = fgetc(f);
+ int c = fgetc(fp);
if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
if (c == '\n' && h->type != htype_old) message_linecount++;
h->text[i] = c;
else for (i = 0; i < n; i++)
{
- int c = fgetc(f);
+ int c = fgetc(fp);
if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
}
}
message_linecount += body_linecount;
-fclose(f);
+fclose(fp);
return spool_read_OK;
DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
#endif /* COMPILE_UTILITY */
- fclose(f);
+ fclose(fp);
errno = n;
- return inheader? spool_read_hdrerror : spool_read_enverror;
+ return inheader ? spool_read_hdrerror : spool_read_enverror;
}
SPOOL_FORMAT_ERROR:
DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
#endif /* COMPILE_UTILITY */
-fclose(f);
+fclose(fp);
errno = ERRNO_SPOOLFORMAT;
return inheader? spool_read_hdrerror : spool_read_enverror;
}