overwriting some other file descriptor with the value of this one), open it
with append.
+As called by deliver_message() (at least) we are operating as root.
+
Argument: the id of the message
Returns: fd if file successfully opened and locked, else -1
uschar * fname;
int save_errno;
- message_subdir[0] = split_spool_directory == i == 0 ? id[5] : 0;
+ message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
- if ((fd = Uopen(fname, O_RDWR | O_APPEND, 0)) >= 0)
+ if ((fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_RDWR | O_APPEND, 0)) >= 0)
break;
save_errno = errno;
if (errno == ENOENT)
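Review bot: The `#ifdef O_CLOEXEC` / `#endif` lines sit inside the argument list of `Uopen(...)`. If `Uopen` is a function-like macro (its definition is not visible in this hunk), preprocessing directives inside macro arguments are undefined behaviour in C, even though common compilers accept them. Building the flags first avoids the question and is easier to read: declare `int oflags = O_RDWR | O_APPEND;`, OR in `O_CLOEXEC` under the `#ifdef` on its own statement, and call `fd = Uopen(fname, oflags, 0)`. The enclosing function starts and ends outside this hunk.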
Unix systems it doesn't make any difference as long as Exim is consistent in
what it locks. */
-(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) |
- FD_CLOEXEC);
+#ifndef O_CLOEXEC
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
lock_data.l_type = F_WRLCK;
lock_data.l_whence = SEEK_SET;
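Review bot: Wrapping the `fcntl` fallback in `#ifndef O_CLOEXEC` makes close-on-exec depend entirely on the running kernel honouring the flag passed to the open call in the earlier hunk. That is a build-time test for a run-time property. A binary built against newer headers but run on a kernel that predates `O_CLOEXEC` may have the flag silently ignored, which would leave the spool data descriptor inheritable by child processes while, per the added comment, the caller is root. Keeping `(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);` unconditional removes that dependency at the cost of two cheap syscalls; failing that, a comment stating the minimum-kernel assumption would help. The enclosing function continues outside this hunk.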
against such an event, and if such a file is encountered, it must be treated as
malformed.
+As called from deliver_message() (at least) we are running as root.
+
Arguments:
name name of the header file, including the -H
read_headers TRUE if in-store header structures are to be built
else if (Ustrncmp(p, "cl ", 3) == 0)
{
- int index, count;
- uschar name[20]; /* Need plenty of space for %d format */
- tree_node *node;
- if ( sscanf(CS big_buffer + 5, "%d %d", &index, &count) != 2
+ unsigned index, count;
+ uschar name[20]; /* Need plenty of space for %u format */
+ tree_node * node;
+ if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
|| index >= 20
+ || count > 16384 /* arbitrary limit on variable size */
)
goto SPOOL_FORMAT_ERROR;
if (index < 10)
- (void) string_format(name, sizeof(name), "%c%d", 'c', index);
+ (void) string_format(name, sizeof(name), "%c%u", 'c', index);
else
- (void) string_format(name, sizeof(name), "%c%d", 'm', index - 10);
+ (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
node = acl_var_create(name);
node->data.ptr = store_get(count + 1);
+ /* We sanity-checked the count, so disable the Coverity error */
+ /* coverity[tainted_data] */
if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
- ((uschar*)node->data.ptr)[count] = 0;
+ (US node->data.ptr)[count] = '\0';
}
break;
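Review bot: The literal `16384` in the `count > 16384` check is repeated for an unrelated quantity, the recipient count, in the later hunk. These are two different limits (bytes in one ACL variable, number of recipients) that only happen to share a value, so each deserves its own named constant with a comment saying what it bounds, for example `#define SPOOL_ACLVAR_MAX 16384` and a separate one for recipients (names are a suggestion). That also gives the Coverity suppression comment something concrete to refer to instead of "we sanity-checked the count".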
#endif /* COMPILE_UTILITY */
/* After reading the tree, the next line has not yet been read into the
-buffer. It contains the count of recipients which follow on separate lines. */
+buffer. It contains the count of recipients which follow on separate lines.
+Apply an arbitrary sanity check.*/
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
-if (sscanf(CS big_buffer, "%d", &rcount) != 1) goto SPOOL_FORMAT_ERROR;
+if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
+ goto SPOOL_FORMAT_ERROR;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
recipients_list_max = rcount;
recipients_list = store_get(rcount * sizeof(recipient_item));
+/* We sanitised the count and know we have enough memory, so disable
+the Coverity error on recipients_count */
+/* coverity[tainted_data] */
+
for (recipients_count = 0; recipients_count < rcount; recipients_count++)
{
int nn;
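Review bot: The new check on `rcount` rejects only large values. The count is still parsed with `%d`, so a negative number in a malformed -H file passes and reaches `store_get(rcount * sizeof(recipient_item))`. Multiplying a negative int by a `size_t` gives a very large size on the usual platforms, and how `store_get` handles that is not visible here. The added comment "know we have enough memory" therefore holds only with a lower bound as well: `if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount < 0 || rcount > 16384)`. Alternatively, make `rcount` unsigned and parse it with `%u`, as the ACL-variable hunk does. The `for` loop body continues outside this hunk.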