1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
28 As called by deliver_message() (at least) we are operating as root.
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
33 Side effect: message_subdir is set for the (possibly split) spool directory
37 spool_open_datafile(uschar *id)
43 /* If split_spool_directory is set, first look for the file in the appropriate
44 sub-directory of the input directory. If it is not found there, try the input
45 directory itself, to pick up leftovers from before the splitting. If split_
46 spool_directory is not set, first look in the main input directory. If it is
47 not found there, try the split sub-directory, in case it is left over from a
50 for (int i = 0; i < 2; i++)
55 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
56 fname = spool_fname(US"input", message_subdir, id, US"-D");
57 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
59 /* We protect against symlink attacks both in not propagating the
60 * file-descriptor to other processes as we exec, and also ensuring that we
61 * don't even open symlinks.
62 * No -D file inside the spool area should be a symlink.
64 if ((fd = Uopen(fname,
71 O_RDWR | O_APPEND, 0)) >= 0)
78 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
79 *queue_name ? US" Q=" : US"",
80 *queue_name ? queue_name : US"",
84 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
89 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
90 the file. We lock only the first line of the file (containing the message ID)
91 because this apparently is needed for running Exim under Cygwin. If the entire
92 file is locked in one process, a sub-process cannot access it, even when passed
93 an open file descriptor (at least, I think that's the Cygwin story). On real
94 Unix systems it doesn't make any difference as long as Exim is consistent in
98 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
101 lock_data.l_type = F_WRLCK;
102 lock_data.l_whence = SEEK_SET;
103 lock_data.l_start = 0;
104 lock_data.l_len = SPOOL_DATA_START_OFFSET;
106 if (fcntl(fd, F_SETLK, &lock_data) < 0)
108 log_write(L_skip_delivery,
110 "Spool file is locked (another process is handling this message)");
116 /* Get the size of the data; don't include the leading filename line
117 in the count, but add one for the newline before the data. */
119 if (fstat(fd, &statbuf) == 0)
121 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
122 message_size = message_body_size + 1;
127 #endif /* COMPILE_UTILITY */
131 /*************************************************
132 * Read non-recipients tree from spool file *
133 *************************************************/
135 /* The tree of non-recipients is written to the spool file in a form that
136 makes it easy to read back into a tree. The format is as follows:
138 . Each node is preceded by two letter(Y/N) indicating whether it has left
139 or right children. There's one space after the two flags, before the name.
141 . The left subtree (if any) then follows, then the right subtree (if any).
143 This function is entered with the next input line in the buffer. Note we must
144 save the right flag before recursing with the same buffer.
146 Once the tree is read, we re-construct the balance fields by scanning the tree.
147 I forgot to write them out originally, and the compatible fix is to do it this
148 way. This initial local recursing function does the necessary.
153 Returns: maximum depth below the node, including the node itself
157 count_below(tree_node *node)
160 if (node == NULL) return 0;
161 nleft = count_below(node->left);
162 nright = count_below(node->right);
163 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
164 return 1 + ((nleft > nright)? nleft : nright);
167 /* This is the real function...
170 connect pointer to the root of the tree
171 f FILE to read data from
172 buffer contains next input line; further lines read into it
173 buffer_size size of the buffer
175 Returns: FALSE on format error
179 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
183 int n = Ustrlen(buffer);
184 BOOL right = buffer[1] == 'Y';
186 if (n < 5) return FALSE; /* malformed line */
187 buffer[n-1] = 0; /* Remove \n */
188 node = store_get(sizeof(tree_node) + n - 3, is_tainted(buffer));
190 Ustrcpy(node->name, buffer + 3);
191 node->data.ptr = NULL;
193 if (buffer[0] == 'Y')
195 if (Ufgets(buffer, buffer_size, f) == NULL ||
196 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
199 else node->left = NULL;
203 if (Ufgets(buffer, buffer_size, f) == NULL ||
204 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
207 else node->right = NULL;
209 (void) count_below(*connect);
216 /* Reset all the global variables to their default values. However, there is
217 one exception. DO NOT change the default value of dont_deliver, because it may
218 be forced by an external setting. */
221 spool_clear_header_globals(void)
223 acl_var_c = acl_var_m = NULL;
224 authenticated_id = NULL;
225 authenticated_sender = NULL;
226 f.allow_unqualified_recipient = FALSE;
227 f.allow_unqualified_sender = FALSE;
230 f.deliver_firsttime = FALSE;
231 f.deliver_freeze = FALSE;
232 deliver_frozen_at = 0;
233 f.deliver_manual_thaw = FALSE;
234 /* f.dont_deliver must NOT be reset */
235 header_list = header_last = NULL;
236 host_lookup_deferred = FALSE;
237 host_lookup_failed = FALSE;
238 interface_address = NULL;
240 f.local_error_message = FALSE;
241 #ifdef HAVE_LOCAL_SCAN
242 local_scan_data = NULL;
244 max_received_linelength = 0;
245 message_linecount = 0;
246 received_protocol = NULL;
248 recipients_list = NULL;
249 sender_address = NULL;
250 sender_fullhost = NULL;
251 sender_helo_name = NULL;
252 sender_host_address = NULL;
253 sender_host_name = NULL;
254 sender_host_port = 0;
255 sender_host_authenticated = NULL;
257 f.sender_local = FALSE;
258 f.sender_set_untrusted = FALSE;
259 smtp_active_hostname = primary_hostname;
260 #ifndef COMPILE_UTILITY
261 f.spool_file_wireformat = FALSE;
263 tree_nonrecipients = NULL;
265 #ifdef EXPERIMENTAL_BRIGHTMAIL
272 f.dkim_disable_verify = FALSE;
273 dkim_collect_input = 0;
277 tls_in.certificate_verified = FALSE;
279 tls_in.dane_verified = FALSE;
281 tls_in.cipher = NULL;
282 # ifndef COMPILE_UTILITY /* tls support fns not built in */
283 tls_free_cert(&tls_in.ourcert);
284 tls_free_cert(&tls_in.peercert);
286 tls_in.peerdn = NULL;
288 tls_in.ocsp = OCSP_NOT_REQ;
291 #ifdef WITH_CONTENT_SCAN
294 spam_score_int = NULL;
297 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
298 message_smtputf8 = FALSE;
299 message_utf8_downconvert = 0;
307 /*************************************************
308 * Read spool header file *
309 *************************************************/
311 /* This function reads a spool header file and places the data into the
312 appropriate global variables. The header portion is always read, but header
313 structures are built only if read_headers is set true. It isn't, for example,
314 while generating -bp output.
316 It may be possible for blocks of nulls (binary zeroes) to get written on the
317 end of a file if there is a system crash during writing. It was observed on an
318 earlier version of Exim that omitted to fsync() the files - this is thought to
319 have been the cause of that incident, but in any case, this code must be robust
320 against such an event, and if such a file is encountered, it must be treated as
323 As called from deliver_message() (at least) we are running as root.
326 name name of the header file, including the -H
327 read_headers TRUE if in-store header structures are to be built
328 subdir_set TRUE is message_subdir is already set
330 Returns: spool_read_OK success
331 spool_read_notopen open failed
332 spool_read_enverror error in the envelope portion
333 spool_read_hdrerror error in the header portion
337 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
343 BOOL inheader = FALSE;
346 /* Reset all the global variables to their default values. However, there is
347 one exception. DO NOT change the default value of dont_deliver, because it may
348 be forced by an external setting. */
350 spool_clear_header_globals();
352 /* Generate the full name and open the file. If message_subdir is already
353 set, just look in the given directory. Otherwise, look in both the split
354 and unsplit directories, as for the data file above. */
356 for (int n = 0; n < 2; n++)
359 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
361 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
363 if (n != 0 || subdir_set || errno != ENOENT)
364 return spool_read_notopen;
369 #ifndef COMPILE_UTILITY
370 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
371 #endif /* COMPILE_UTILITY */
373 /* The first line of a spool file contains the message id followed by -H (i.e.
374 the file name), in order to make the file self-identifying. */
376 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
377 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
378 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
379 goto SPOOL_FORMAT_ERROR;
381 /* The next three lines in the header file are in a fixed format. The first
382 contains the login, uid, and gid of the user who caused the file to be written.
383 There are known cases where a negative gid is used, so we allow for both
384 negative uids and gids. The second contains the mail address of the message's
385 sender, enclosed in <>. The third contains the time the message was received,
386 and the number of warning messages for delivery delays that have been sent. */
388 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
390 p = big_buffer + Ustrlen(big_buffer);
391 while (p > big_buffer && isspace(p[-1])) p--;
393 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
394 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
396 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
398 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
399 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
401 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
404 originator_login = string_copy(big_buffer);
405 originator_uid = (uid_t)uid;
406 originator_gid = (gid_t)gid;
409 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
410 n = Ustrlen(big_buffer);
411 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
412 goto SPOOL_FORMAT_ERROR;
414 sender_address = store_get(n-2, TRUE); /* tainted */
415 Ustrncpy(sender_address, big_buffer+1, n-3);
416 sender_address[n-3] = 0;
419 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
420 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
421 goto SPOOL_FORMAT_ERROR;
422 received_time.tv_usec = 0;
424 message_age = time(NULL) - received_time.tv_sec;
426 #ifndef COMPILE_UTILITY
427 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
428 originator_login, (long int)originator_uid, (long int)originator_gid,
430 #endif /* COMPILE_UTILITY */
432 /* Now there may be a number of optional lines, each starting with "-". If you
433 add a new setting here, make sure you set the default above.
435 Because there are now quite a number of different possibilities, we use a
436 switch on the first character to avoid too many failing tests. Thanks to Nico
437 Erfurth for the patch that implemented this. I have made it even more efficient
438 by not re-scanning the first two characters.
440 To allow new versions of Exim that add additional flags to interwork with older
441 versions that do not understand them, just ignore any lines starting with "-"
442 that we don't recognize. Otherwise it wouldn't be possible to back off a new
443 version that left new-style flags written on the spool.
445 If the line starts with "--" the content of the variable is tainted. */
453 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
454 if (big_buffer[0] != '-') break;
455 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
456 && big_buffer[len-1] != '\n'
458 { /* buffer not big enough for line; certs make this possible */
460 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
461 buf = store_get_perm(big_buffer_size *= 2, FALSE);
462 memcpy(buf, big_buffer, --len);
464 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
465 goto SPOOL_READ_ERROR;
467 big_buffer[len-1] = 0;
469 tainted = big_buffer[1] == '-';
470 var = big_buffer + (tainted ? 2 : 1);
477 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
478 variable, because Exim allows any number of them, with arbitrary names.
479 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
482 if (Ustrncmp(p, "clc ", 4) == 0 ||
483 Ustrncmp(p, "clm ", 4) == 0)
485 uschar *name, *endptr;
488 endptr = Ustrchr(var + 5, ' ');
489 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
490 name = string_sprintf("%c%.*s", var[3],
491 (int)(endptr - var - 5), var + 5);
492 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
493 node = acl_var_create(name);
494 node->data.ptr = store_get(count + 1, tainted);
495 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
496 ((uschar*)node->data.ptr)[count] = 0;
499 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
500 f.allow_unqualified_recipient = TRUE;
501 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
502 f.allow_unqualified_sender = TRUE;
504 else if (Ustrncmp(p, "uth_id", 6) == 0)
505 authenticated_id = string_copy_taint(var + 8, tainted);
506 else if (Ustrncmp(p, "uth_sender", 10) == 0)
507 authenticated_sender = string_copy_taint(var + 12, tainted);
508 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
509 smtp_active_hostname = string_copy_taint(var + 16, tainted);
511 /* For long-term backward compatibility, we recognize "-acl", which was
512 used before the number of ACL variables changed from 10 to 20. This was
513 before the subsequent change to an arbitrary number of named variables.
514 This code is retained so that upgrades from very old versions can still
515 handle old-format spool files. The value given after "-acl" is a number
516 that is 0-9 for connection variables, and 10-19 for message variables. */
518 else if (Ustrncmp(p, "cl ", 3) == 0)
520 unsigned index, count;
521 uschar name[20]; /* Need plenty of space for %u format */
523 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
525 || count > 16384 /* arbitrary limit on variable size */
527 goto SPOOL_FORMAT_ERROR;
529 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
531 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
532 node = acl_var_create(name);
533 node->data.ptr = store_get(count + 1, tainted);
534 /* We sanity-checked the count, so disable the Coverity error */
535 /* coverity[tainted_data] */
536 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
537 (US node->data.ptr)[count] = '\0';
542 if (Ustrncmp(p, "ody_linecount", 13) == 0)
543 body_linecount = Uatoi(var + 14);
544 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
545 body_zerocount = Uatoi(var + 14);
546 #ifdef EXPERIMENTAL_BRIGHTMAIL
547 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
548 bmi_verdicts = string_copy_taint(var + 13, tainted);
553 if (Ustrcmp(p, "eliver_firsttime") == 0)
554 f.deliver_firsttime = TRUE;
555 /* Check if the dsn flags have been set in the header file */
556 else if (Ustrncmp(p, "sn_ret", 6) == 0)
557 dsn_ret= atoi(CS var + 7);
558 else if (Ustrncmp(p, "sn_envid", 8) == 0)
559 dsn_envid = string_copy_taint(var + 10, tainted);
563 if (Ustrncmp(p, "rozen", 5) == 0)
565 f.deliver_freeze = TRUE;
566 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
567 goto SPOOL_READ_ERROR;
572 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
573 host_lookup_deferred = TRUE;
574 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
575 host_lookup_failed = TRUE;
576 else if (Ustrncmp(p, "ost_auth", 8) == 0)
577 sender_host_authenticated = string_copy_taint(var + 10, tainted);
578 else if (Ustrncmp(p, "ost_name", 8) == 0)
579 sender_host_name = string_copy_taint(var + 10, tainted);
580 else if (Ustrncmp(p, "elo_name", 8) == 0)
581 sender_helo_name = string_copy_taint(var + 10, tainted);
583 /* We now record the port number after the address, separated by a
584 dot. For compatibility during upgrading, do nothing if there
585 isn't a value (it gets left at zero). */
587 else if (Ustrncmp(p, "ost_address", 11) == 0)
589 sender_host_port = host_address_extract_port(var + 13);
590 sender_host_address = string_copy_taint(var + 13, tainted);
595 if (Ustrncmp(p, "nterface_address", 16) == 0)
597 interface_port = host_address_extract_port(var + 18);
598 interface_address = string_copy_taint(var + 18, tainted);
600 else if (Ustrncmp(p, "dent", 4) == 0)
601 sender_ident = string_copy_taint(var + 6, tainted);
605 if (Ustrcmp(p, "ocal") == 0)
606 f.sender_local = TRUE;
607 else if (Ustrcmp(var, "localerror") == 0)
608 f.local_error_message = TRUE;
609 #ifdef HAVE_LOCAL_SCAN
610 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
611 local_scan_data = string_copy_taint(var + 11, tainted);
616 if (Ustrcmp(p, "anual_thaw") == 0)
617 f.deliver_manual_thaw = TRUE;
618 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
619 max_received_linelength = Uatoi(var + 23);
623 if (*p == 0) f.dont_deliver = TRUE; /* -N */
627 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
628 received_protocol = string_copy_taint(var + 18, tainted);
629 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
632 if (sscanf(CS var + 20, "%u", &usec) == 1)
633 received_time.tv_usec = usec;
638 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
639 f.sender_set_untrusted = TRUE;
640 #ifdef WITH_CONTENT_SCAN
641 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
642 spam_bar = string_copy_taint(var + 9, tainted);
643 else if (Ustrncmp(p, "pam_score ", 10) == 0)
644 spam_score = string_copy_taint(var + 11, tainted);
645 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
646 spam_score_int = string_copy_taint(var + 15, tainted);
648 #ifndef COMPILE_UTILITY
649 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
650 f.spool_file_wireformat = TRUE;
652 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
653 else if (Ustrncmp(p, "mtputf8", 7) == 0)
654 message_smtputf8 = TRUE;
660 if (Ustrncmp(p, "ls_", 3) == 0)
663 if (Ustrncmp(q, "certificate_verified", 20) == 0)
664 tls_in.certificate_verified = TRUE;
665 else if (Ustrncmp(q, "cipher", 6) == 0)
666 tls_in.cipher = string_copy_taint(var + 11, tainted);
667 # ifndef COMPILE_UTILITY /* tls support fns not built in */
668 else if (Ustrncmp(q, "ourcert", 7) == 0)
669 (void) tls_import_cert(var + 12, &tls_in.ourcert);
670 else if (Ustrncmp(q, "peercert", 8) == 0)
671 (void) tls_import_cert(var + 13, &tls_in.peercert);
673 else if (Ustrncmp(q, "peerdn", 6) == 0)
674 tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted));
675 else if (Ustrncmp(q, "sni", 3) == 0)
676 tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted));
677 else if (Ustrncmp(q, "ocsp", 4) == 0)
678 tls_in.ocsp = var[9] - '0';
679 # ifdef EXPERIMENTAL_TLS_RESUME
680 else if (Ustrncmp(q, "resumption", 10) == 0)
681 tls_in.resumption = var[15] - 'A';
688 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
690 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
691 message_utf8_downconvert = 1;
692 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
693 message_utf8_downconvert = -1;
697 default: /* Present because some compilers complain if all */
698 break; /* possibilities are not covered. */
702 /* Build sender_fullhost if required */
704 #ifndef COMPILE_UTILITY
705 host_build_sender_fullhost();
706 #endif /* COMPILE_UTILITY */
708 #ifndef COMPILE_UTILITY
710 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
711 (sender_ident == NULL)? US"unset" : sender_ident);
712 #endif /* COMPILE_UTILITY */
714 /* We now have the tree of addresses NOT to deliver to, or a line
715 containing "XX", indicating no tree. */
717 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
718 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
719 goto SPOOL_FORMAT_ERROR;
721 #ifndef COMPILE_UTILITY
724 debug_printf("Non-recipients:\n");
725 debug_print_tree(tree_nonrecipients);
727 #endif /* COMPILE_UTILITY */
729 /* After reading the tree, the next line has not yet been read into the
730 buffer. It contains the count of recipients which follow on separate lines.
731 Apply an arbitrary sanity check.*/
733 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
734 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
735 goto SPOOL_FORMAT_ERROR;
737 #ifndef COMPILE_UTILITY
738 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
739 #endif /* COMPILE_UTILITY */
741 recipients_list_max = rcount;
742 recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
744 /* We sanitised the count and know we have enough memory, so disable
745 the Coverity error on recipients_count */
746 /* coverity[tainted_data] */
748 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
753 uschar *orcpt = NULL;
754 uschar *errors_to = NULL;
757 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
758 nn = Ustrlen(big_buffer);
759 if (nn < 2) goto SPOOL_FORMAT_ERROR;
761 /* Remove the newline; this terminates the address if there is no additional
764 p = big_buffer + nn - 1;
767 /* Look back from the end of the line for digits and special terminators.
768 Since an address must end with a domain, we can tell that extra data is
769 present by the presence of the terminator, which is always some character
770 that cannot exist in a domain. (If I'd thought of the need for additional
771 data early on, I'd have put it at the start, with the address at the end. As
772 it is, we have to operate backwards. Addresses are permitted to contain
775 This code has to cope with various versions of this data that have evolved
776 over time. In all cases, the line might just contain an address, with no
777 additional data. Otherwise, the possibilities are as follows:
779 Exim 3 type: <address><space><digits>,<digits>,<digits>
781 The second set of digits is the parent number for one_time addresses. The
782 other values were remnants of earlier experiments that were abandoned.
784 Exim 4 first type: <address><space><digits>
786 The digits are the parent number for one_time addresses.
788 Exim 4 new type: <address><space><data>#<type bits>
790 The type bits indicate what the contents of the data are.
792 Bit 01 indicates that, reading from right to left, the data
793 ends with <errors_to address><space><len>,<pno> where pno is
794 the parent number for one_time addresses, and len is the length
795 of the errors_to address (zero meaning none).
797 Bit 02 indicates that, again reading from right to left, the data continues
798 with orcpt len(orcpt),dsn_flags
801 while (isdigit(*p)) p--;
803 /* Handle Exim 3 spool files */
808 #if !defined (COMPILE_UTILITY)
809 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n");
811 while (isdigit(*(--p)) || *p == ',');
815 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
819 /* Handle early Exim 4 spool files */
823 #if !defined (COMPILE_UTILITY)
824 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n");
827 (void)sscanf(CS p, "%d", &pno);
830 /* Handle current format Exim 4 spool files */
836 #if !defined (COMPILE_UTILITY)
837 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n");
840 (void)sscanf(CS p+1, "%d", &flags);
842 if ((flags & 0x01) != 0) /* one_time data exists */
845 while (isdigit(*(--p)) || *p == ',' || *p == '-');
846 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
851 errors_to = string_copy_taint(p, TRUE);
855 *(--p) = 0; /* Terminate address */
856 if ((flags & 0x02) != 0) /* one_time data exists */
859 while (isdigit(*(--p)) || *p == ',' || *p == '-');
860 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
865 orcpt = string_copy_taint(p, TRUE);
869 *(--p) = 0; /* Terminate address */
871 #if !defined(COMPILE_UTILITY)
873 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
875 if (orcpt || dsn_flags)
876 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
877 big_buffer, orcpt, dsn_flags);
879 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
880 big_buffer, errors_to);
883 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
884 recipients_list[recipients_count].pno = pno;
885 recipients_list[recipients_count].errors_to = errors_to;
886 recipients_list[recipients_count].orcpt = orcpt;
887 recipients_list[recipients_count].dsn_flags = dsn_flags;
890 /* The remainder of the spool header file contains the headers for the message,
891 separated off from the previous data by a blank line. Each header is preceded
892 by a count of its length and either a certain letter (for various identified
893 headers), space (for a miscellaneous live header) or an asterisk (for a header
894 that has been rewritten). Count the Received: headers. We read the headers
895 always, in order to check on the format of the file, but only create a header
896 list if requested to do so. */
899 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
900 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
902 while ((n = fgetc(fp)) != EOF)
908 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
909 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
910 goto SPOOL_READ_ERROR;
911 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
915 h = store_get(sizeof(header_line), FALSE);
919 h->text = store_get(n+1, TRUE); /* tainted */
921 if (h->type == htype_received) received_count++;
923 if (header_list == NULL) header_list = h;
924 else header_last->next = h;
927 for (i = 0; i < n; i++)
930 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
931 if (c == '\n' && h->type != htype_old) message_linecount++;
937 /* Not requiring header data, just skip through the bytes */
939 else for (i = 0; i < n; i++)
942 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
946 /* We have successfully read the data in the header file. Update the message
947 line count by adding the body linecount to the header linecount. Close the file
948 and give a positive response. */
950 #ifndef COMPILE_UTILITY
951 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
952 body_linecount, message_linecount);
953 #endif /* COMPILE_UTILITY */
955 message_linecount += body_linecount;
958 return spool_read_OK;
961 /* There was an error reading the spool or there was missing data,
962 or there was a format error. A "read error" with no errno means an
963 unexpected EOF, which we treat as a format error. */
970 #ifndef COMPILE_UTILITY
971 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
972 #endif /* COMPILE_UTILITY */
976 return inheader? spool_read_hdrerror : spool_read_enverror;
981 #ifndef COMPILE_UTILITY
982 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
983 #endif /* COMPILE_UTILITY */
986 errno = ERRNO_SPOOLFORMAT;
987 return inheader? spool_read_hdrerror : spool_read_enverror;
992 /* End of spool_in.c */