1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
28 As called by deliver_message() (at least) we are operating as root.
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
33 Side effect: message_subdir is set for the (possibly split) spool directory
37 spool_open_datafile(uschar *id)
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
51 for (i = 0; i < 2; i++)
56 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
65 if ((fd = Uopen(fname,
72 O_RDWR | O_APPEND, 0)) >= 0)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = SPOOL_DATA_START_OFFSET;
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
109 log_write(L_skip_delivery,
111 "Spool file is locked (another process is handling this message)");
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
120 if (fstat(fd, &statbuf) == 0)
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
128 #endif /* COMPILE_UTILITY */
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
142 . The left subtree (if any) then follows, then the right subtree (if any).
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
154 Returns: maximum depth below the node, including the node itself
158 count_below(tree_node *node)
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
168 /* This is the real function...
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
176 Returns: FALSE on format error
180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3);
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
194 if (buffer[0] == 'Y')
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
200 else node->left = NULL;
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
208 else node->right = NULL;
210 (void) count_below(*connect);
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
222 spool_clear_header_globals(void)
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 allow_unqualified_recipient = FALSE;
228 allow_unqualified_sender = FALSE;
231 deliver_firsttime = FALSE;
232 deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 deliver_manual_thaw = FALSE;
235 /* dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
241 local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = NULL;
258 sender_local = FALSE;
259 sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 spool_file_wireformat = FALSE;
264 tree_nonrecipients = NULL;
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
273 dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
278 tls_in.certificate_verified = FALSE;
280 tls_in.dane_verified = FALSE;
282 tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
287 tls_in.peerdn = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
290 # if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
295 #ifdef WITH_CONTENT_SCAN
298 spam_score_int = NULL;
301 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
302 message_smtputf8 = FALSE;
303 message_utf8_downconvert = 0;
311 /*************************************************
312 * Read spool header file *
313 *************************************************/
315 /* This function reads a spool header file and places the data into the
316 appropriate global variables. The header portion is always read, but header
317 structures are built only if read_headers is set true. It isn't, for example,
318 while generating -bp output.
320 It may be possible for blocks of nulls (binary zeroes) to get written on the
321 end of a file if there is a system crash during writing. It was observed on an
322 earlier version of Exim that omitted to fsync() the files - this is thought to
323 have been the cause of that incident, but in any case, this code must be robust
324 against such an event, and if such a file is encountered, it must be treated as
327 As called from deliver_message() (at least) we are running as root.
330 name name of the header file, including the -H
331 read_headers TRUE if in-store header structures are to be built
332 subdir_set TRUE is message_subdir is already set
334 Returns: spool_read_OK success
335 spool_read_notopen open failed
336 spool_read_enverror error in the envelope portion
337 spool_read_hdrerror error in the header portion
341 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
347 BOOL inheader = FALSE;
350 /* Reset all the global variables to their default values. However, there is
351 one exception. DO NOT change the default value of dont_deliver, because it may
352 be forced by an external setting. */
354 spool_clear_header_globals();
356 /* Generate the full name and open the file. If message_subdir is already
357 set, just look in the given directory. Otherwise, look in both the split
358 and unsplit directories, as for the data file above. */
360 for (n = 0; n < 2; n++)
363 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
365 if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
367 if (n != 0 || subdir_set || errno != ENOENT)
368 return spool_read_notopen;
373 #ifndef COMPILE_UTILITY
374 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
375 #endif /* COMPILE_UTILITY */
377 /* The first line of a spool file contains the message id followed by -H (i.e.
378 the file name), in order to make the file self-identifying. */
380 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
381 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
382 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
383 goto SPOOL_FORMAT_ERROR;
385 /* The next three lines in the header file are in a fixed format. The first
386 contains the login, uid, and gid of the user who caused the file to be written.
387 There are known cases where a negative gid is used, so we allow for both
388 negative uids and gids. The second contains the mail address of the message's
389 sender, enclosed in <>. The third contains the time the message was received,
390 and the number of warning messages for delivery delays that have been sent. */
392 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
394 p = big_buffer + Ustrlen(big_buffer);
395 while (p > big_buffer && isspace(p[-1])) p--;
397 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
398 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
400 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
402 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
403 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
405 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
408 originator_login = string_copy(big_buffer);
409 originator_uid = (uid_t)uid;
410 originator_gid = (gid_t)gid;
413 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
414 n = Ustrlen(big_buffer);
415 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
416 goto SPOOL_FORMAT_ERROR;
418 sender_address = store_get(n-2);
419 Ustrncpy(sender_address, big_buffer+1, n-3);
420 sender_address[n-3] = 0;
423 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
424 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
425 goto SPOOL_FORMAT_ERROR;
426 received_time.tv_usec = 0;
428 message_age = time(NULL) - received_time.tv_sec;
430 #ifndef COMPILE_UTILITY
431 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
432 originator_login, (long int)originator_uid, (long int)originator_gid,
434 #endif /* COMPILE_UTILITY */
436 /* Now there may be a number of optional lines, each starting with "-". If you
437 add a new setting here, make sure you set the default above.
439 Because there are now quite a number of different possibilities, we use a
440 switch on the first character to avoid too many failing tests. Thanks to Nico
441 Erfurth for the patch that implemented this. I have made it even more efficient
442 by not re-scanning the first two characters.
444 To allow new versions of Exim that add additional flags to interwork with older
445 versions that do not understand them, just ignore any lines starting with "-"
446 that we don't recognize. Otherwise it wouldn't be possible to back off a new
447 version that left new-style flags written on the spool. */
453 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
454 if (big_buffer[0] != '-') break;
455 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
456 && big_buffer[len-1] != '\n'
458 { /* buffer not big enough for line; certs make this possible */
460 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
461 buf = store_get_perm(big_buffer_size *= 2);
462 memcpy(buf, big_buffer, --len);
464 if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
465 goto SPOOL_READ_ERROR;
467 big_buffer[len-1] = 0;
469 switch(big_buffer[1])
473 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
474 variable, because Exim allows any number of them, with arbitrary names.
475 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
478 if (Ustrncmp(p, "clc ", 4) == 0 ||
479 Ustrncmp(p, "clm ", 4) == 0)
481 uschar *name, *endptr;
484 endptr = Ustrchr(big_buffer + 6, ' ');
485 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
486 name = string_sprintf("%c%.*s", big_buffer[4],
487 (int)(endptr - big_buffer - 6), big_buffer + 6);
488 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
489 node = acl_var_create(name);
490 node->data.ptr = store_get(count + 1);
491 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
492 ((uschar*)node->data.ptr)[count] = 0;
495 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
496 allow_unqualified_recipient = TRUE;
497 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
498 allow_unqualified_sender = TRUE;
500 else if (Ustrncmp(p, "uth_id", 6) == 0)
501 authenticated_id = string_copy(big_buffer + 9);
502 else if (Ustrncmp(p, "uth_sender", 10) == 0)
503 authenticated_sender = string_copy(big_buffer + 13);
504 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
505 smtp_active_hostname = string_copy(big_buffer + 17);
507 /* For long-term backward compatibility, we recognize "-acl", which was
508 used before the number of ACL variables changed from 10 to 20. This was
509 before the subsequent change to an arbitrary number of named variables.
510 This code is retained so that upgrades from very old versions can still
511 handle old-format spool files. The value given after "-acl" is a number
512 that is 0-9 for connection variables, and 10-19 for message variables. */
514 else if (Ustrncmp(p, "cl ", 3) == 0)
516 unsigned index, count;
517 uschar name[20]; /* Need plenty of space for %u format */
519 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
521 || count > 16384 /* arbitrary limit on variable size */
523 goto SPOOL_FORMAT_ERROR;
525 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
527 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
528 node = acl_var_create(name);
529 node->data.ptr = store_get(count + 1);
530 /* We sanity-checked the count, so disable the Coverity error */
531 /* coverity[tainted_data] */
532 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
533 (US node->data.ptr)[count] = '\0';
538 if (Ustrncmp(p, "ody_linecount", 13) == 0)
539 body_linecount = Uatoi(big_buffer + 15);
540 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
541 body_zerocount = Uatoi(big_buffer + 15);
542 #ifdef EXPERIMENTAL_BRIGHTMAIL
543 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
544 bmi_verdicts = string_copy(big_buffer + 14);
549 if (Ustrcmp(p, "eliver_firsttime") == 0)
550 deliver_firsttime = TRUE;
551 /* Check if the dsn flags have been set in the header file */
552 else if (Ustrncmp(p, "sn_ret", 6) == 0)
553 dsn_ret= atoi(CS big_buffer + 8);
554 else if (Ustrncmp(p, "sn_envid", 8) == 0)
555 dsn_envid = string_copy(big_buffer + 11);
559 if (Ustrncmp(p, "rozen", 5) == 0)
561 deliver_freeze = TRUE;
562 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
563 goto SPOOL_READ_ERROR;
568 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
569 host_lookup_deferred = TRUE;
570 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
571 host_lookup_failed = TRUE;
572 else if (Ustrncmp(p, "ost_auth", 8) == 0)
573 sender_host_authenticated = string_copy(big_buffer + 11);
574 else if (Ustrncmp(p, "ost_name", 8) == 0)
575 sender_host_name = string_copy(big_buffer + 11);
576 else if (Ustrncmp(p, "elo_name", 8) == 0)
577 sender_helo_name = string_copy(big_buffer + 11);
579 /* We now record the port number after the address, separated by a
580 dot. For compatibility during upgrading, do nothing if there
581 isn't a value (it gets left at zero). */
583 else if (Ustrncmp(p, "ost_address", 11) == 0)
585 sender_host_port = host_address_extract_port(big_buffer + 14);
586 sender_host_address = string_copy(big_buffer + 14);
591 if (Ustrncmp(p, "nterface_address", 16) == 0)
593 interface_port = host_address_extract_port(big_buffer + 19);
594 interface_address = string_copy(big_buffer + 19);
596 else if (Ustrncmp(p, "dent", 4) == 0)
597 sender_ident = string_copy(big_buffer + 7);
601 if (Ustrcmp(p, "ocal") == 0)
603 else if (Ustrcmp(big_buffer, "-localerror") == 0)
604 local_error_message = TRUE;
605 #ifdef HAVE_LOCAL_SCAN
606 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
607 local_scan_data = string_copy(big_buffer + 12);
612 if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
613 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
614 max_received_linelength = Uatoi(big_buffer + 24);
618 if (*p == 0) dont_deliver = TRUE; /* -N */
622 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
623 received_protocol = string_copy(big_buffer + 19);
624 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
627 if (sscanf(CS big_buffer + 21, "%u", &usec) == 1)
628 received_time.tv_usec = usec;
633 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
634 sender_set_untrusted = TRUE;
635 #ifdef WITH_CONTENT_SCAN
636 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
637 spam_bar = string_copy(big_buffer + 10);
638 else if (Ustrncmp(p, "pam_score ", 10) == 0)
639 spam_score = string_copy(big_buffer + 12);
640 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
641 spam_score_int = string_copy(big_buffer + 16);
643 #ifndef COMPILE_UTILITY
644 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
645 spool_file_wireformat = TRUE;
647 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
648 else if (Ustrncmp(p, "mtputf8", 7) == 0)
649 message_smtputf8 = TRUE;
655 if (Ustrncmp(p, "ls_", 3) == 0)
658 if (Ustrncmp(q, "certificate_verified", 20) == 0)
659 tls_in.certificate_verified = TRUE;
660 else if (Ustrncmp(q, "cipher", 6) == 0)
661 tls_in.cipher = string_copy(big_buffer + 12);
662 # ifndef COMPILE_UTILITY /* tls support fns not built in */
663 else if (Ustrncmp(q, "ourcert", 7) == 0)
664 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
665 else if (Ustrncmp(q, "peercert", 8) == 0)
666 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
668 else if (Ustrncmp(q, "peerdn", 6) == 0)
669 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
670 else if (Ustrncmp(q, "sni", 3) == 0)
671 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
672 else if (Ustrncmp(q, "ocsp", 4) == 0)
673 tls_in.ocsp = big_buffer[10] - '0';
674 # if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
675 else if (Ustrncmp(q, "requiretls", 10) == 0)
676 tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
682 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
684 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
685 message_utf8_downconvert = 1;
686 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
687 message_utf8_downconvert = -1;
691 default: /* Present because some compilers complain if all */
692 break; /* possibilities are not covered. */
696 /* Build sender_fullhost if required */
698 #ifndef COMPILE_UTILITY
699 host_build_sender_fullhost();
700 #endif /* COMPILE_UTILITY */
702 #ifndef COMPILE_UTILITY
704 debug_printf("sender_local=%d ident=%s\n", sender_local,
705 (sender_ident == NULL)? US"unset" : sender_ident);
706 #endif /* COMPILE_UTILITY */
708 /* We now have the tree of addresses NOT to deliver to, or a line
709 containing "XX", indicating no tree. */
711 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
712 !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
713 goto SPOOL_FORMAT_ERROR;
715 #ifndef COMPILE_UTILITY
718 debug_printf("Non-recipients:\n");
719 debug_print_tree(tree_nonrecipients);
721 #endif /* COMPILE_UTILITY */
723 /* After reading the tree, the next line has not yet been read into the
724 buffer. It contains the count of recipients which follow on separate lines.
725 Apply an arbitrary sanity check.*/
727 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
728 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
729 goto SPOOL_FORMAT_ERROR;
731 #ifndef COMPILE_UTILITY
732 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
733 #endif /* COMPILE_UTILITY */
735 recipients_list_max = rcount;
736 recipients_list = store_get(rcount * sizeof(recipient_item));
738 /* We sanitised the count and know we have enough memory, so disable
739 the Coverity error on recipients_count */
740 /* coverity[tainted_data] */
742 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
747 uschar *orcpt = NULL;
748 uschar *errors_to = NULL;
751 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
752 nn = Ustrlen(big_buffer);
753 if (nn < 2) goto SPOOL_FORMAT_ERROR;
755 /* Remove the newline; this terminates the address if there is no additional
758 p = big_buffer + nn - 1;
761 /* Look back from the end of the line for digits and special terminators.
762 Since an address must end with a domain, we can tell that extra data is
763 present by the presence of the terminator, which is always some character
764 that cannot exist in a domain. (If I'd thought of the need for additional
765 data early on, I'd have put it at the start, with the address at the end. As
766 it is, we have to operate backwards. Addresses are permitted to contain
769 This code has to cope with various versions of this data that have evolved
770 over time. In all cases, the line might just contain an address, with no
771 additional data. Otherwise, the possibilities are as follows:
773 Exim 3 type: <address><space><digits>,<digits>,<digits>
775 The second set of digits is the parent number for one_time addresses. The
776 other values were remnants of earlier experiments that were abandoned.
778 Exim 4 first type: <address><space><digits>
780 The digits are the parent number for one_time addresses.
782 Exim 4 new type: <address><space><data>#<type bits>
784 The type bits indicate what the contents of the data are.
786 Bit 01 indicates that, reading from right to left, the data
787 ends with <errors_to address><space><len>,<pno> where pno is
788 the parent number for one_time addresses, and len is the length
789 of the errors_to address (zero meaning none).
791 Bit 02 indicates that, again reading from right to left, the data continues
792 with orcpt len(orcpt),dsn_flags
795 while (isdigit(*p)) p--;
797 /* Handle Exim 3 spool files */
802 while (isdigit(*(--p)) || *p == ',');
806 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
810 /* Handle early Exim 4 spool files */
815 (void)sscanf(CS p, "%d", &pno);
818 /* Handle current format Exim 4 spool files */
824 #if !defined (COMPILE_UTILITY)
825 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
828 (void)sscanf(CS p+1, "%d", &flags);
830 if ((flags & 0x01) != 0) /* one_time data exists */
833 while (isdigit(*(--p)) || *p == ',' || *p == '-');
834 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
839 errors_to = string_copy(p);
843 *(--p) = 0; /* Terminate address */
844 if ((flags & 0x02) != 0) /* one_time data exists */
847 while (isdigit(*(--p)) || *p == ',' || *p == '-');
848 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
853 orcpt = string_copy(p);
857 *(--p) = 0; /* Terminate address */
859 #if !defined(COMPILE_UTILITY)
861 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
863 if ((orcpt != NULL) || (dsn_flags != 0))
865 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
866 big_buffer, orcpt, dsn_flags);
868 if (errors_to != NULL)
870 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
871 big_buffer, errors_to);
875 recipients_list[recipients_count].address = string_copy(big_buffer);
876 recipients_list[recipients_count].pno = pno;
877 recipients_list[recipients_count].errors_to = errors_to;
878 recipients_list[recipients_count].orcpt = orcpt;
879 recipients_list[recipients_count].dsn_flags = dsn_flags;
882 /* The remainder of the spool header file contains the headers for the message,
883 separated off from the previous data by a blank line. Each header is preceded
884 by a count of its length and either a certain letter (for various identified
885 headers), space (for a miscellaneous live header) or an asterisk (for a header
886 that has been rewritten). Count the Received: headers. We read the headers
887 always, in order to check on the format of the file, but only create a header
888 list if requested to do so. */
891 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
892 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
894 while ((n = fgetc(f)) != EOF)
900 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
901 if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
902 goto SPOOL_READ_ERROR;
903 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
907 h = store_get(sizeof(header_line));
911 h->text = store_get(n+1);
913 if (h->type == htype_received) received_count++;
915 if (header_list == NULL) header_list = h;
916 else header_last->next = h;
919 for (i = 0; i < n; i++)
922 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
923 if (c == '\n' && h->type != htype_old) message_linecount++;
929 /* Not requiring header data, just skip through the bytes */
931 else for (i = 0; i < n; i++)
934 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
938 /* We have successfully read the data in the header file. Update the message
939 line count by adding the body linecount to the header linecount. Close the file
940 and give a positive response. */
942 #ifndef COMPILE_UTILITY
943 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
944 body_linecount, message_linecount);
945 #endif /* COMPILE_UTILITY */
947 message_linecount += body_linecount;
950 return spool_read_OK;
953 /* There was an error reading the spool or there was missing data,
954 or there was a format error. A "read error" with no errno means an
955 unexpected EOF, which we treat as a format error. */
962 #ifndef COMPILE_UTILITY
963 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
964 #endif /* COMPILE_UTILITY */
968 return inheader? spool_read_hdrerror : spool_read_enverror;
973 #ifndef COMPILE_UTILITY
974 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
975 #endif /* COMPILE_UTILITY */
978 errno = ERRNO_SPOOLFORMAT;
979 return inheader? spool_read_hdrerror : spool_read_enverror;
984 /* End of spool_in.c */