-/* $Cambridge: exim/src/src/malware.c,v 1.13 2005/08/02 18:24:14 tom Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
#ifdef WITH_CONTENT_SCAN
/* declaration of private routines */
-int mksd_scan_packed(int sock);
+static int mksd_scan_packed(int sock, uschar *scan_filename);
+static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking);
/* SHUT_WR seems to be undefined on Unixware? */
#ifndef SHUT_WR
#define SHUT_WR 1
#endif
+
+#define MALWARE_TIMEOUT 120
+
+
#define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
#define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
#define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
uschar malware_name_buffer[256];
int malware_ok = 0;
+/* Gross hacks for the -bmalware option; perhaps we should just create
+the scan directory normally for that case, but look into rigging up the
+needed header variables if not already set on the command-line? */
+extern int spool_mbox_ok;
+extern uschar spooled_message_id[17];
+
+/*************************************************
+* Scan an email for malware *
+*************************************************/
+
+/* This is the normal interface for scanning an email, which doesn't need a
+filename; it's a wrapper around the malware_file function.
+
+Arguments:
+ listptr the list of options to the "malware = ..." ACL condition
+
+Returns: Exim message processing code (OK, FAIL, DEFER, ...)
+ where true means malware was found (condition applies)
+*/
int malware(uschar **listptr) {
+ uschar scan_filename[1024];
+ BOOL fits;
+ int ret;
+
+ fits = string_format(scan_filename, sizeof(scan_filename),
+ CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
+ if (!fits)
+ {
+ av_failed = TRUE;
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware filename does not fit in buffer [malware()]");
+ return DEFER;
+ }
+
+ ret = malware_internal(listptr, scan_filename, FALSE);
+ if (ret == DEFER) av_failed = TRUE;
+
+ return ret;
+}
+
+
+/*************************************************
+* Scan a file for malware *
+*************************************************/
+
+/* This is a test wrapper for scanning an email, which is not used in
+normal processing. Scan any file, using the Exim scanning interface.
+This function tampers with various global variables so is unsafe to use
+in any other context.
+
+Arguments:
+ eml_filename a file holding the message to be scanned
+
+Returns: Exim message processing code (OK, FAIL, DEFER, ...)
+ where true means malware was found (condition applies)
+*/
+int
+malware_in_file(uschar *eml_filename) {
+ uschar *scan_options[2];
+ uschar message_id_buf[64];
+ int ret;
+
+ scan_options[0] = US"*";
+ scan_options[1] = NULL;
+
+ /* spool_mbox() assumes various parameters exist, when creating
+ the relevant directory and the email within */
+ (void) string_format(message_id_buf, sizeof(message_id_buf),
+ "dummy-%d", vaguely_random_number(INT_MAX));
+ message_id = message_id_buf;
+ sender_address = US"malware-sender@example.net";
+ return_path = US"";
+ recipients_list = NULL;
+ receive_add_recipient(US"malware-victim@example.net", -1);
+ enable_dollar_recipients = TRUE;
+
+ ret = malware_internal(scan_options, eml_filename, TRUE);
+
+ Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
+ spool_mbox_ok = 1;
+ /* don't set no_mbox_unspool; at present, there's no way for it to become
+ set, but if that changes, then it should apply to these tests too */
+ unspool_mbox();
+
+ /* silence static analysis tools */
+ message_id = NULL;
+
+ return ret;
+}
+
+
+/*************************************************
+* Scan content for malware *
+*************************************************/
+
+/* This is an internal interface for scanning an email; the normal interface
+is via malware(), or there's malware_in_file() used for testing/debugging.
+
+Arguments:
+ listptr the list of options to the "malware = ..." ACL condition
+ eml_filename the file holding the email to be scanned
+ faking whether or not we're faking this up for the -bmalware test
+
+Returns: Exim message processing code (OK, FAIL, DEFER, ...)
+ where true means malware was found (condition applies)
+*/
+static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) {
int sep = 0;
uschar *list = *listptr;
uschar *av_scanner_work = av_scanner;
const uschar *rerror;
/* make sure the eml mbox file is spooled up */
- mbox_file = spool_mbox(&mbox_size);
+ mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL);
if (mbox_file == NULL) {
/* error while spooling */
log_write(0, LOG_MAIN|LOG_PANIC,
return DEFER;
};
+ /* "f-protd" scanner type ----------------------------------------------- */
+ if (strcmpic(scanner_name, US"f-protd") == 0) {
+ uschar *fp_options, *fp_scan_option;
+ uschar fp_scan_option_buffer[1024];
+ uschar fp_options_buffer[1024];
+ uschar fp_options_default[] = "localhost 10200-10204";
+ uschar hostname[256];
+ unsigned int port, portlow, porthigh, connect_ok=0, detected=0, par_count = 0;
+ struct hostent *he;
+ struct in_addr in;
+ int sock;
+ uschar scanrequest[2048], buf[32768], *strhelper, *strhelper2;
+
+ if ((fp_options = string_nextinlist(&av_scanner_work, &sep,
+ fp_options_buffer, sizeof(fp_options_buffer))) == NULL) {
+ /* no options supplied, use default options */
+ fp_options = fp_options_default;
+ };
+
+ /* extract host and port part */
+ if ( sscanf(CS fp_options, "%s %u-%u", hostname, &portlow, &porthigh) != 3 ) {
+ if ( sscanf(CS fp_options, "%s %u", hostname, &portlow) != 2 ) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: f-protd: invalid socket '%s'", fp_options);
+ return DEFER;
+ }
+ porthigh = portlow;
+ }
+
+ /* Lookup the host */
+ if((he = gethostbyname(CS hostname)) == 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: f-protd: failed to lookup host '%s'", hostname);
+ return DEFER;
+ }
+
+ in = *(struct in_addr *) he->h_addr_list[0];
+ port = portlow;
+
+
+ /* Open the f-protd TCP socket */
+ if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: f-protd: unable to acquire socket (%s)",
+ strerror(errno));
+ return DEFER;
+ }
+
+ /* Try to connect to all portslow-high until connection is established */
+ for (port = portlow; !connect_ok && port < porthigh; port++) {
+ if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) >= 0) {
+ connect_ok = 1;
+ }
+ }
+
+ if ( !connect_ok ) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: f-protd: connection to %s, port %u-%u failed (%s)",
+ inet_ntoa(in), portlow, porthigh, strerror(errno));
+ (void)close(sock);
+ return DEFER;
+ }
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name);
+ (void)string_format(scanrequest, 1024, CS"GET %s", eml_filename);
+
+ while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
+ fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) {
+ if ( par_count ) {
+ Ustrcat(scanrequest, "%20");
+ } else {
+ Ustrcat(scanrequest, "?");
+ }
+ Ustrcat(scanrequest, fp_scan_option);
+ par_count++;
+ }
+ Ustrcat(scanrequest, " HTTP/1.0\r\n\r\n");
+
+ /* send scan request */
+ if (send(sock, &scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: f-protd: unable to send command to socket (%s)", scanrequest);
+ return DEFER;
+ }
+
+ /* We get a lot of empty lines, so we need this hack to check for any data at all */
+ while( recv(sock, buf, 1, MSG_PEEK) > 0 ) {
+ if ( recv_line(sock, buf, 32768) > 0) {
+ if ( Ustrstr(buf, US"<detected type=\"") != NULL ) {
+ detected = 1;
+ } else if ( detected && (strhelper = Ustrstr(buf, US"<name>")) ) {
+ if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL) {
+ *strhelper2 = '\0';
+ Ustrcpy(malware_name_buffer, strhelper + 6);
+ }
+ } else if ( Ustrstr(buf, US"<summary code=\"") ) {
+ if ( Ustrstr(buf, US"<summary code=\"11\">") ) {
+ malware_name = malware_name_buffer;
+ } else {
+ malware_name = NULL;
+ }
+ }
+ }
+ }
+ (void)close(sock);
+ }
/* "drweb" scanner type ----------------------------------------------- */
/* v0.1 - added support for tcp sockets */
/* v0.0 - initial release -- support for unix sockets */
- if (strcmpic(scanner_name,US"drweb") == 0) {
+ else if (strcmpic(scanner_name,US"drweb") == 0) {
uschar *drweb_options;
uschar drweb_options_buffer[1024];
uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock";
int sock, result, ovector[30];
unsigned int port, fsize;
uschar tmpbuf[1024], *drweb_fbuf;
- uschar scanrequest[1024];
uschar drweb_match_string[128];
int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
drweb_vnum, drweb_slen, drweb_fin = 0x0000;
/* prepare variables */
drweb_cmd = htonl(DRWEBD_SCAN_CMD);
drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
- (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
- spool_directory, message_id, message_id);
/* calc file size */
- drweb_fd = open(CS scanrequest, O_RDONLY);
+ drweb_fd = open(CS eml_filename, O_RDONLY);
if (drweb_fd == -1) {
(void)close(sock);
log_write(0, LOG_MAIN|LOG_PANIC,
"malware acl condition: drweb: can't open spool file %s: %s",
- scanrequest, strerror(errno));
+ eml_filename, strerror(errno));
return DEFER;
}
fsize = lseek(drweb_fd, 0, SEEK_END);
(void)close(drweb_fd);
log_write(0, LOG_MAIN|LOG_PANIC,
"malware acl condition: drweb: can't seek spool file %s: %s",
- scanrequest, strerror(errno));
+ eml_filename, strerror(errno));
return DEFER;
}
drweb_slen = htonl(fsize);
lseek(drweb_fd, 0, SEEK_SET);
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s %u]\n",
+ scanner_name, hostname, port);
+
/* send scan request */
if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
(send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
(void)close(drweb_fd);
log_write(0, LOG_MAIN|LOG_PANIC,
"malware acl condition: drweb: unable to allocate memory %u for file (%s)",
- fsize, scanrequest);
+ fsize, eml_filename);
return DEFER;
}
free(drweb_fbuf);
log_write(0, LOG_MAIN|LOG_PANIC,
"malware acl condition: drweb: can't read spool file %s: %s",
- scanrequest, strerror(errno));
+ eml_filename, strerror(errno));
return DEFER;
}
(void)close(drweb_fd);
/* prepare variables */
drweb_cmd = htonl(DRWEBD_SCAN_CMD);
drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
- (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
- drweb_slen = htonl(Ustrlen(scanrequest));
+ drweb_slen = htonl(Ustrlen(eml_filename));
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
+ scanner_name, drweb_options);
/* send scan request */
if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
(send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
(send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
- (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) ||
+ (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
(send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) {
(void)close(sock);
log_write(0, LOG_MAIN|LOG_PANIC,
}
}
else {
- char *drweb_s = NULL;
+ const char *drweb_s = NULL;
if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
};
/* prepare our command */
- (void)string_format(buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id);
+ (void)string_format(buf, 32768, "SCAN bPQRSTUW %s\r\n", eml_filename);
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name);
/* and send it */
if (send(sock, buf, Ustrlen(buf), 0) < 0) {
} else if (buf[0] == '5') {
/* aveserver is having problems */
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: unable to scan file %s/scan/%s/%s.eml (Responded: %s).",
- spool_directory, message_id, message_id, buf);
+ "malware acl condition: unable to scan file %s (Responded: %s).",
+ eml_filename, buf);
result = DEFER;
break;
} else if (Ustrncmp(buf,"322",3) == 0) {
return DEFER;
}
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, fsecure_options);
+
/* pass options */
memset(av_buffer, 0, sizeof(av_buffer));
for (i=0; i != 4; i++) {
return DEFER;
};
- bread = read(sock, av_buffer, sizeof(av_buffer));
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
if (bread >0) av_buffer[bread]='\0';
if (bread < 0) {
(void)close(sock);
};
/* pass the mailfile to fsecure */
- (void)string_format(file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id);
+ (void)string_format(file_name,1024,"SCAN\t%s\n", eml_filename);
/* debug_printf("send scan %s",file_name); */
if (write(sock, file_name, Ustrlen(file_name)) < 0) {
(void)close(sock);
i = 0;
memset(av_buffer, 0, sizeof(av_buffer));
do {
- bread=read(sock, &av_buffer[i], 1);
+ bread=ip_recv(sock, &av_buffer[i], 1, MALWARE_TIMEOUT);
if (bread < 0) {
(void)close(sock);
log_write(0, LOG_MAIN|LOG_PANIC,
int kav_rc;
unsigned long kav_reportlen, bread;
pcre *kav_re;
+ uschar *p;
+ int fits;
if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
kav_options_buffer,
/* get current date and time, build scan request */
time(&t);
- strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t));
- (void)string_format(scanrequest, 1024,CS tmpbuf, spool_directory, message_id);
+ /* pdp note: before the eml_filename parameter, this scanned the
+ directory; not finding documentation, so we'll strip off the directory.
+ The side-effect is that the test framework scanning may end up in
+ scanning more than was requested, but for the normal interface, this is
+ fine. */
+ strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s", localtime(&t));
+ fits = string_format(scanrequest, 1024,CS tmpbuf, eml_filename);
+ if (!fits) {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware filename does not fit in buffer [malware_internal() kavdaemon]");
+ }
+ p = Ustrrchr(scanrequest, '/');
+ if (p)
+ *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, kav_options);
/* send scan request */
if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
int trigger = 0;
int result;
int ovector[30];
+ uschar *p;
+ BOOL fits;
/* find scanner command line */
if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep,
cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
if (cmdline_trigger_re == NULL) {
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger_re, rerror, roffset);
+ "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger, rerror, roffset);
return DEFER;
};
cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
if (cmdline_regex_re == NULL) {
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex_re, rerror, roffset);
+ "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex, rerror, roffset);
return DEFER;
};
- /* prepare scanner call */
- (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
- (void)string_format(commandline,1024, CS cmdline_scanner,file_name);
+ /* prepare scanner call; despite the naming, file_name holds a directory
+ name which is documented as the value given to %s. */
+ if (Ustrlen(eml_filename) > sizeof(file_name) - 1)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware filename does not fit in buffer [malware_internal() cmdline]");
+ return DEFER;
+ }
+ Ustrcpy(file_name, eml_filename);
+ p = Ustrrchr(file_name, '/');
+ if (p)
+ *p = '\0';
+ fits = string_format(commandline, sizeof(commandline), CS cmdline_scanner, file_name);
+ if (!fits)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "cmdline scanner command-line does not fit in buffer");
+ return DEFER;
+ }
+
/* redirect STDERR too */
+ if (Ustrlen(commandline) + 5 > sizeof(commandline))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "cmdline scanner command-line does not fit in buffer (STDERR redirect)");
+ return DEFER;
+ }
Ustrcat(commandline," 2>&1");
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline);
+
/* store exims signal handlers */
eximsigchld = signal(SIGCHLD,SIG_DFL);
eximsigpipe = signal(SIGPIPE,SIG_DFL);
};
(void)string_format(file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id);
- scanner_record = fopen(CS file_name,"wb");
+ scanner_record = modefopen(file_name,"wb",SPOOL_MODE);
if (scanner_record == NULL) {
log_write(0, LOG_MAIN|LOG_PANIC,
uschar sophie_options_default[] = "/var/run/sophie";
int bread = 0;
struct sockaddr_un server;
- int sock;
+ int sock, len;
+ uschar *p;
uschar file_name[1024];
uschar av_buffer[1024];
}
/* pass the scan directory to sophie */
- (void)string_format(file_name,1024,"%s/scan/%s", spool_directory, message_id);
+ len = Ustrlen(eml_filename) + 1;
+ if (len > sizeof(file_name))
+ {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware filename does not fit in buffer [malware_internal() sophie]");
+ return DEFER;
+ }
+ memcpy(file_name, eml_filename, len);
+ p = Ustrrchr(file_name, '/');
+ if (p)
+ *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
+ scanner_name, sophie_options);
+
if (write(sock, file_name, Ustrlen(file_name)) < 0) {
(void)close(sock);
log_write(0, LOG_MAIN|LOG_PANIC,
/* wait for result */
memset(av_buffer, 0, sizeof(av_buffer));
- if ((!(bread = read(sock, av_buffer, sizeof(av_buffer))) > 0)) {
+ if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) {
(void)close(sock);
log_write(0, LOG_MAIN|LOG_PANIC,
"malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options);
/* "clamd" scanner type ------------------------------------------------- */
- /* This code was contributed by David Saez */
+ /* This code was originally contributed by David Saez */
+ /* There are three scanning methods available to us:
+ * (1) Use the SCAN command, pointing to a file in the filesystem
+ * (2) Use the STREAM command, send the data on a separate port
+ * (3) Use the zINSTREAM command, send the data inline
+ * The zINSTREAM command was introduced with ClamAV 0.95, which marked
+ * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
+ * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
+ * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
+ * WITH_OLD_CLAMAV_STREAM is defined.
+ * See Exim bug 926 for details. */
else if (strcmpic(scanner_name,US"clamd") == 0) {
uschar *clamd_options;
uschar clamd_options_buffer[1024];
uschar clamd_options_default[] = "/tmp/clamd";
- uschar *p,*vname;
+ uschar *p, *vname, *result_tag, *response_end;
struct sockaddr_un server;
int sock,bread=0;
unsigned int port;
uschar *clamd_options2;
uschar clamd_options2_buffer[1024];
uschar clamd_options2_default[] = "";
- uschar av_buffer2[1024];
uschar *clamav_fbuf;
- uschar scanrequest[1024];
- int sockData, clam_fd, result;
+ int clam_fd, result;
unsigned int fsize;
+ BOOL use_scan_command, fits;
+#ifdef WITH_OLD_CLAMAV_STREAM
+ uschar av_buffer2[1024];
+ int sockData;
+#else
+ uint32_t send_size, send_final_zeroblock;
+#endif
if ((clamd_options = string_nextinlist(&av_scanner_work, &sep,
clamd_options_buffer,
clamd_options2 = clamd_options2_default;
}
+ if ((*clamd_options == '/') || (strcmpic(clamd_options2,US"local") == 0))
+ use_scan_command = TRUE;
+ else
+ use_scan_command = FALSE;
+
+ /* See the discussion of response formats below to see why we really don't
+ like colons in filenames when passing filenames to ClamAV. */
+ if (use_scan_command && Ustrchr(eml_filename, ':')) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: local/SCAN mode incompatible with" \
+ " : in path to email filename [%s]", eml_filename);
+ return DEFER;
+ }
+
/* socket does not start with '/' -> network socket */
if (*clamd_options != '/') {
+ /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
+ * only supports AF_INET, but we should probably be looking to the
+ * future and rewriting this to be protocol-independent anyway. */
+
/* extract host and port part */
if( sscanf(CS clamd_options, "%s %u", hostname, &port) != 2 ) {
log_write(0, LOG_MAIN|LOG_PANIC,
return DEFER;
}
- if (strcmpic(clamd_options2,US"local") == 0) {
+ } else {
+ /* open the local socket */
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to acquire socket (%s)",
+ strerror(errno));
+ return DEFER;
+ }
- /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
+ server.sun_family = AF_UNIX;
+ Ustrcpy(server.sun_path, clamd_options);
- (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
+ if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
+ clamd_options, strerror(errno) );
+ return DEFER;
+ }
+ }
- if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
- strerror(errno));
- return DEFER;
- }
- } else {
+ /* have socket in variable "sock"; command to use is semi-independent of
+ * the socket protocol. We use SCAN if is local (either Unix/local
+ * domain socket, or explicitly told local) else we stream the data.
+ * How we stream the data depends upon how we were built. */
- /* Pass the string to ClamAV (7 = "STREAM\n") */
+ if (!use_scan_command) {
- if (send(sock, "STREAM\n", 7, 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
- strerror(errno));
- return DEFER;
- }
- memset(av_buffer2, 0, sizeof(av_buffer2));
- bread = read(sock, av_buffer2, sizeof(av_buffer2));
+#ifdef WITH_OLD_CLAMAV_STREAM
+ /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
+ * that port on a second connection; then in the scan-method-neutral
+ * part, read the response back on the original connection. */
- if (bread < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to read PORT from socket (%s)",
- strerror(errno));
- return DEFER;
- }
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n",
+ scanner_name);
- if (bread == sizeof(av_buffer)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: buffer too small");
- return DEFER;
- }
+ /* Pass the string to ClamAV (7 = "STREAM\n") */
+ if (send(sock, "STREAM\n", 7, 0) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
+ strerror(errno));
+ (void)close(sock);
+ return DEFER;
+ }
+ memset(av_buffer2, 0, sizeof(av_buffer2));
+ bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT);
- if (!(*av_buffer2)) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned null");
- return DEFER;
- }
+ if (bread < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to read PORT from socket (%s)",
+ strerror(errno));
+ (void)close(sock);
+ return DEFER;
+ }
- av_buffer2[bread] = '\0';
- if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
- return DEFER;
- };
+ if (bread == sizeof(av_buffer)) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: buffer too small");
+ (void)close(sock);
+ return DEFER;
+ }
- if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to acquire socket (%s)",
- strerror(errno));
- return DEFER;
- }
+ if (!(*av_buffer2)) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: ClamAV returned null");
+ (void)close(sock);
+ return DEFER;
+ }
- if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
- (void)close(sockData);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: connection to %s, port %u failed (%s)",
- inet_ntoa(in), port, strerror(errno));
- return DEFER;
- }
+ av_buffer2[bread] = '\0';
+ if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
+ (void)close(sock);
+ return DEFER;
+ };
- (void)string_format(scanrequest, 1024,CS"%s/scan/%s/%s.eml",
- spool_directory, message_id, message_id);
+ if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to acquire socket (%s)",
+ strerror(errno));
+ (void)close(sock);
+ return DEFER;
+ }
- /* calc file size */
- clam_fd = open(CS scanrequest, O_RDONLY);
- if (clam_fd == -1) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't open spool file %s: %s",
- scanrequest, strerror(errno));
- return DEFER;
- }
- fsize = lseek(clam_fd, 0, SEEK_END);
- if (fsize == -1) {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't seek spool file %s: %s",
- scanrequest, strerror(errno));
- return DEFER;
- }
- lseek(clam_fd, 0, SEEK_SET);
+ if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: connection to %s, port %u failed (%s)",
+ inet_ntoa(in), port, strerror(errno));
+ (void)close(sockData); (void)close(sock);
+ return DEFER;
+ }
- clamav_fbuf = (uschar *) malloc (fsize);
- if (!clamav_fbuf) {
- (void)close(sockData);
- (void)close(clam_fd);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
- fsize, scanrequest);
- return DEFER;
- }
+#define CLOSE_SOCKDATA (void)close(sockData)
+#else /* WITH_OLD_CLAMAV_STREAM not defined */
+ /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
+ chunks, <n> a 4-byte number (network order), terminated by a zero-length
+ chunk. */
- result = read (clam_fd, clamav_fbuf, fsize);
- if (result == -1) {
- (void)close(sockData);
- (void)close(clam_fd);
- free(clamav_fbuf);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: can't read spool file %s: %s",
- scanrequest, strerror(errno));
- return DEFER;
- }
- (void)close(clam_fd);
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
+ scanner_name);
- /* send file body to socket */
- if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
- (void)close(sockData);
- free(clamav_fbuf);
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
- return DEFER;
- }
- free(clamav_fbuf);
- (void)close(sockData);
- }
- }
- else {
- /* open the local socket */
- if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+ /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
+ if (send(sock, "zINSTREAM", 10, 0) < 0) {
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to acquire socket (%s)",
- strerror(errno));
+ "malware acl condition: clamd: unable to send zINSTREAM to socket (%s)",
+ strerror(errno));
+ (void)close(sock);
return DEFER;
}
- server.sun_family = AF_UNIX;
- Ustrcpy(server.sun_path, clamd_options);
+#define CLOSE_SOCKDATA /**/
+#endif
- if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
- (void)close(sock);
+ /* calc file size */
+ clam_fd = open(CS eml_filename, O_RDONLY);
+ if (clam_fd == -1) {
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
- clamd_options, strerror(errno) );
+ "malware acl condition: clamd: can't open spool file %s: %s",
+ eml_filename, strerror(errno));
+ CLOSE_SOCKDATA; (void)close(sock);
return DEFER;
}
- }
+ fsize = lseek(clam_fd, 0, SEEK_END);
+ if (fsize == -1) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: can't seek spool file %s: %s",
+ eml_filename, strerror(errno));
+ CLOSE_SOCKDATA; (void)close(sock);
+ return DEFER;
+ }
+ lseek(clam_fd, 0, SEEK_SET);
- /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
+ clamav_fbuf = (uschar *) malloc (fsize);
+ if (!clamav_fbuf) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
+ fsize, eml_filename);
+ CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
+ return DEFER;
+ }
- (void)string_format(file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
+ result = read (clam_fd, clamav_fbuf, fsize);
+ if (result == -1) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: can't read spool file %s: %s",
+ eml_filename, strerror(errno));
+ CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd);
+ free(clamav_fbuf);
+ return DEFER;
+ }
+ (void)close(clam_fd);
- if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
- (void)close(sock);
- log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
- strerror(errno));
- return DEFER;
- }
+ /* send file body to socket */
+#ifdef WITH_OLD_CLAMAV_STREAM
+ if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
+ CLOSE_SOCKDATA; (void)close(sock);
+ free(clamav_fbuf);
+ return DEFER;
+ }
+#else
+ send_size = htonl(fsize);
+ send_final_zeroblock = 0;
+ if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
+ (send(sock, clamav_fbuf, fsize, 0) < 0) ||
+ (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
+ (void)close(sock);
+ free(clamav_fbuf);
+ return DEFER;
+ }
+#endif
- /*
- We're done sending, close socket for writing.
+ free(clamav_fbuf);
+
+ CLOSE_SOCKDATA;
+#undef CLOSE_SOCKDATA
+
+ } else { /* use scan command */
+ /* Send a SCAN command pointing to a filename; then in the then in the
+ * scan-method-neutral part, read the response back */
+
+/* ================================================================= */
+
+ /* Prior to the reworking post-Exim-4.72, this scanned a directory,
+ which dates to when ClamAV needed us to break apart the email into the
+ MIME parts (eg, with the now deprecated demime condition coming first).
+ Some time back, ClamAV gained the ability to deconstruct the emails, so
+ doing this would actually have resulted in the mail attachments being
+ scanned twice, in the broken out files and from the original .eml.
+ Since ClamAV now handles emails (and has for quite some time) we can
+ just use the email file itself. */
+ /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
+ fits = string_format(file_name, sizeof(file_name), "SCAN %s\n",
+ eml_filename);
+ if (!fits) {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware filename does not fit in buffer [malware_internal() clamd]");
+ }
- One user reported that clamd 0.70 does not like this any more ...
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n",
+ scanner_name, clamd_options);
- */
+ if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
+ (void)close(sock);
+ log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
+ strerror(errno));
+ return DEFER;
+ }
- /* shutdown(sock, SHUT_WR); */
+ /* Do not shut down the socket for writing; a user report noted that
+ * clamd 0.70 does not react well to this. */
+ }
+ /* Commands have been sent, no matter which scan method or connection
+ * type we're using; now just read the result, independent of method. */
/* Read the result */
memset(av_buffer, 0, sizeof(av_buffer));
- bread = read(sock, av_buffer, sizeof(av_buffer));
+ bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT);
(void)close(sock);
if (!(bread > 0)) {
return DEFER;
}
- /* Check the result. ClamAV Returns
- infected: -> "<filename>: <virusname> FOUND"
- not-infected: -> "<filename>: OK"
- error: -> "<filename>: <errcode> ERROR */
+ /* Check the result. ClamAV returns one of two result formats.
+ In the basic mode, the response is of the form:
+ infected: -> "<filename>: <virusname> FOUND"
+ not-infected: -> "<filename>: OK"
+ error: -> "<filename>: <errcode> ERROR
+ If the ExtendedDetectionInfo option has been turned on, then we get:
+ "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
+ for the infected case. Compare:
+/tmp/eicar.com: Eicar-Test-Signature FOUND
+/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
+
+ In the streaming case, clamd uses the filename "stream" which you should
+ be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
+ client app will replace "stream" with the original filename before returning
+ results to stdout, but the trace shows the data).
+
+ We will assume that the pathname passed to clamd from Exim does not contain
+ a colon. We will have whined loudly above if the eml_filename does (and we're
+ passing a filename to clamd). */
if (!(*av_buffer)) {
log_write(0, LOG_MAIN|LOG_PANIC,
return DEFER;
}
- /* strip newline at the end */
+ /* strip newline at the end (won't be present for zINSTREAM)
+ (also any trailing whitespace, which shouldn't exist, but we depend upon
+ this below, so double-check) */
p = av_buffer + Ustrlen(av_buffer) - 1;
- if( *p == '\n' ) *p = '\0';
+ if (*p == '\n') *p = '\0';
+
+ DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
+
+ while (isspace(*--p) && (p > av_buffer))
+ *p = '\0';
+ if (*p) ++p;
+ response_end = p;
/* colon in returned output? */
- if((p = Ustrrchr(av_buffer,':')) == NULL) {
+ if((p = Ustrchr(av_buffer,':')) == NULL) {
log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned malformed result: %s",
+ "malware acl condition: clamd: ClamAV returned malformed result (missing colon): %s",
av_buffer);
return DEFER;
}
/* strip filename */
- ++p;
- while (*p == ' ') ++p;
+ while (*p && isspace(*++p)) /**/;
vname = p;
- if ((p = Ustrstr(vname, "FOUND"))!=NULL) {
- *p=0;
- for (--p;p>vname && *p<=32;p--) *p=0;
- for (;*vname==32;vname++);
- Ustrcpy(malware_name_buffer,vname);
- malware_name = malware_name_buffer;
- }
- else {
- if (Ustrstr(vname, "ERROR")!=NULL) {
- /* ClamAV reports ERROR
- Find line start */
- for (;*vname!='\n' && vname>av_buffer; vname--);
- if (*vname=='\n') vname++;
-
- log_write(0, LOG_MAIN|LOG_PANIC,
- "malware acl condition: clamd: ClamAV returned %s",vname);
- return DEFER;
- }
- else {
- /* Everything should be OK */
- malware_name = NULL;
- }
+
+ /* It would be bad to encounter a virus with "FOUND" in part of the name,
+ but we should at least be resistant to it. */
+ p = Ustrrchr(vname, ' ');
+ if (p)
+ result_tag = p + 1;
+ else
+ result_tag = vname;
+
+ if (Ustrcmp(result_tag, "FOUND") == 0) {
+ /* p should still be the whitespace before the result_tag */
+ while (isspace(*p)) --p;
+ *++p = '\0';
+ /* Strip off the extended information too, which will be in parens
+ after the virus name, with no intervening whitespace. */
+ if (*--p == ')') {
+ /* "(hash:size)", so previous '(' will do; if not found, we have
+ a curious virus name, but not an error. */
+ p = Ustrrchr(vname, '(');
+ if (p)
+ *p = '\0';
+ }
+ Ustrncpy(malware_name_buffer, vname, sizeof(malware_name_buffer)-1);
+ malware_name = malware_name_buffer;
+ DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
+
+ } else if (Ustrcmp(result_tag, "ERROR") == 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: ClamAV returned: %s",
+ av_buffer);
+ return DEFER;
+
+ } else if (Ustrcmp(result_tag, "OK") == 0) {
+ /* Everything should be OK */
+ malware_name = NULL;
+ DEBUG(D_acl) debug_printf("Malware not found\n");
+
+ } else {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "malware acl condition: clamd: unparseable response from ClamAV: {%s}",
+ av_buffer);
+ return DEFER;
}
- }
+
+ } /* clamd */
+
/* ----------------------------------------------------------------------- */
malware_name = NULL;
- retval = mksd_scan_packed(sock);
+ DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
+
+ retval = mksd_scan_packed(sock, eml_filename);
if (retval != OK)
return retval;
/* match virus name against pattern (caseless ------->----------v) */
if ( (malware_name != NULL) &&
(regex_match_and_setup(re, malware_name, 0, -1)) ) {
+ DEBUG(D_acl) debug_printf("Matched regex to malware [%s] [%s]\n", malware_regex, malware_name);
return OK;
}
else {
#include <sys/uio.h>
-int mksd_writev (int sock, struct iovec *iov, int iovcnt)
+static int mksd_writev (int sock, struct iovec *iov, int iovcnt)
{
int i;
}
}
-int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
+static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
{
int offset = 0;
int i;
return offset;
}
-int mksd_parse_line (char *line)
+static int mksd_parse_line (char *line)
{
char *p;
}
}
-int mksd_scan_packed (int sock)
+static int mksd_scan_packed(int sock, uschar *scan_filename)
{
- struct iovec iov[7];
- char *cmd = "MSQ/scan/.eml\n";
+ struct iovec iov[3];
+ const char *cmd = "MSQ\n";
uschar av_buffer[1024];
- iov[0].iov_base = cmd;
+ iov[0].iov_base = (void *) cmd;
iov[0].iov_len = 3;
- iov[1].iov_base = CS spool_directory;
- iov[1].iov_len = Ustrlen (spool_directory);
- iov[2].iov_base = cmd + 3;
- iov[2].iov_len = 6;
- iov[3].iov_base = iov[5].iov_base = CS message_id;
- iov[3].iov_len = iov[5].iov_len = Ustrlen (message_id);
- iov[4].iov_base = cmd + 3;
- iov[4].iov_len = 1;
- iov[6].iov_base = cmd + 9;
- iov[6].iov_len = 5;
-
- if (mksd_writev (sock, iov, 7) < 0)
+ iov[1].iov_base = CS scan_filename;
+ iov[1].iov_len = Ustrlen(scan_filename);
+ iov[2].iov_base = (void *) (cmd + 3);
+ iov[2].iov_len = 1;
+
+ if (mksd_writev (sock, iov, 3) < 0)
return DEFER;
if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0)