-/* $Cambridge: exim/src/src/spool_in.c,v 1.22 2008/07/28 18:46:44 fanf2 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for reading spool files. When compiling for a utility (eximon),
overwriting some other file descriptor with the value of this one), open it
with append.
+As called by deliver_message() (at least) we are operating as root.
+
Argument: the id of the message
-Returns: TRUE if file successfully opened and locked
+Returns: fd if file successfully opened and locked, else -1
-Side effect: deliver_datafile is set to the fd of the open file.
+Side effect: message_subdir is set for the (possibly split) spool directory
*/
-BOOL
+int
spool_open_datafile(uschar *id)
{
int i;
struct stat statbuf;
flock_t lock_data;
-uschar spoolname[256];
+int fd;
/* If split_spool_directory is set, first look for the file in the appropriate
sub-directory of the input directory. If it is not found there, try the input
for (i = 0; i < 2; i++)
{
+ uschar * fname;
int save_errno;
- message_subdir[0] = (split_spool_directory == (i == 0))? id[5] : 0;
- sprintf(CS spoolname, "%s/input/%s/%s-D", spool_directory, message_subdir, id);
- deliver_datafile = Uopen(spoolname, O_RDWR | O_APPEND, 0);
- if (deliver_datafile >= 0) break;
+
+ message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
+ fname = spool_fname(US"input", message_subdir, id, US"-D");
+ DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
+
+ if ((fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_RDWR | O_APPEND, 0)) >= 0)
+ break;
save_errno = errno;
if (errno == ENOENT)
{
if (i == 0) continue;
if (!queue_running)
- log_write(0, LOG_MAIN, "Spool file %s-D not found", id);
+ log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
+ *queue_name ? US" Q=" : US"",
+ *queue_name ? queue_name : US"",
+ id);
}
- else log_write(0, LOG_MAIN, "Spool error for %s: %s", spoolname,
- strerror(errno));
+ else
+ log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
errno = save_errno;
- return FALSE;
+ return -1;
}
/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
Unix systems it doesn't make any difference as long as Exim is consistent in
what it locks. */
-(void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
- FD_CLOEXEC);
+#ifndef O_CLOEXEC
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
lock_data.l_type = F_WRLCK;
lock_data.l_whence = SEEK_SET;
lock_data.l_start = 0;
lock_data.l_len = SPOOL_DATA_START_OFFSET;
-if (fcntl(deliver_datafile, F_SETLK, &lock_data) < 0)
+if (fcntl(fd, F_SETLK, &lock_data) < 0)
{
log_write(L_skip_delivery,
LOG_MAIN,
"Spool file is locked (another process is handling this message)");
- (void)close(deliver_datafile);
- deliver_datafile = -1;
+ (void)close(fd);
errno = 0;
- return FALSE;
+ return -1;
}
/* Get the size of the data; don't include the leading filename line
in the count, but add one for the newline before the data. */
-if (fstat(deliver_datafile, &statbuf) == 0)
+if (fstat(fd, &statbuf) == 0)
{
message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
message_size = message_body_size + 1;
}
-return TRUE;
+return fd;
}
#endif /* COMPILE_UTILITY */
against such an event, and if such a file is encountered, it must be treated as
malformed.
+As called from deliver_message() (at least) we are running as root.
+
Arguments:
name name of the header file, including the -H
read_headers TRUE if in-store header structures are to be built
bmi_verdicts = NULL;
#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-dk_do_verify = 0;
-#endif
-
-#ifdef EXPERIMENTAL_DKIM
-dkim_do_verify = 0;
+#ifndef DISABLE_DKIM
+dkim_signers = NULL;
+dkim_disable_verify = FALSE;
+dkim_collect_input = FALSE;
#endif
#ifdef SUPPORT_TLS
-tls_certificate_verified = FALSE;
-tls_cipher = NULL;
-tls_peerdn = NULL;
+tls_in.certificate_verified = FALSE;
+# ifdef EXPERIMENTAL_DANE
+tls_in.dane_verified = FALSE;
+# endif
+tls_in.cipher = NULL;
+# ifndef COMPILE_UTILITY /* tls support fns not built in */
+tls_free_cert(&tls_in.ourcert);
+tls_free_cert(&tls_in.peercert);
+# endif
+tls_in.peerdn = NULL;
+tls_in.sni = NULL;
+tls_in.ocsp = OCSP_NOT_REQ;
#endif
#ifdef WITH_CONTENT_SCAN
+spam_bar = NULL;
+spam_score = NULL;
spam_score_int = NULL;
#endif
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+message_smtputf8 = FALSE;
+message_utf8_downconvert = 0;
+#endif
+
+dsn_ret = 0;
+dsn_envid = NULL;
+
/* Generate the full name and open the file. If message_subdir is already
set, just look in the given directory. Otherwise, look in both the split
and unsplit directories, as for the data file above. */
for (n = 0; n < 2; n++)
{
if (!subdir_set)
- message_subdir[0] = (split_spool_directory == (n == 0))? name[5] : 0;
- sprintf(CS big_buffer, "%s/input/%s/%s", spool_directory, message_subdir,
- name);
- f = Ufopen(big_buffer, "rb");
- if (f != NULL) break;
- if (n != 0 || subdir_set || errno != ENOENT) return spool_read_notopen;
+ message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
+
+ if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
+ break;
+ if (n != 0 || subdir_set || errno != ENOENT)
+ return spool_read_notopen;
}
errno = 0;
originator_uid = (uid_t)uid;
originator_gid = (gid_t)gid;
+/* envelope from */
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
n = Ustrlen(big_buffer);
if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
Ustrncpy(sender_address, big_buffer+1, n-3);
sender_address[n-3] = 0;
+/* time */
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
if (sscanf(CS big_buffer, "%d %d", &received_time, &warning_count) != 2)
goto SPOOL_FORMAT_ERROR;
p = big_buffer + 2;
for (;;)
{
+ int len;
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
if (big_buffer[0] != '-') break;
- big_buffer[Ustrlen(big_buffer) - 1] = 0;
+ while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
+ && big_buffer[len-1] != '\n'
+ )
+ { /* buffer not big enough for line; certs make this possible */
+ uschar * buf;
+ if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
+ buf = store_get_perm(big_buffer_size *= 2);
+ memcpy(buf, big_buffer, --len);
+ big_buffer = buf;
+ if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
+ goto SPOOL_READ_ERROR;
+ }
+ big_buffer[len-1] = 0;
switch(big_buffer[1])
{
else if (Ustrncmp(p, "cl ", 3) == 0)
{
- int index, count;
- uschar name[20]; /* Need plenty of space for %d format */
- tree_node *node;
- if (sscanf(CS big_buffer + 5, "%d %d", &index, &count) != 2)
+ unsigned index, count;
+ uschar name[20]; /* Need plenty of space for %u format */
+ tree_node * node;
+ if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
+ || index >= 20
+ || count > 16384 /* arbitrary limit on variable size */
+ )
goto SPOOL_FORMAT_ERROR;
if (index < 10)
- (void) string_format(name, sizeof(name), "%c%d", 'c', index);
- else if (index < 20) /* ignore out-of-range index */
- (void) string_format(name, sizeof(name), "%c%d", 'm', index - 10);
+ (void) string_format(name, sizeof(name), "%c%u", 'c', index);
+ else
+ (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
node = acl_var_create(name);
node->data.ptr = store_get(count + 1);
+ /* We sanity-checked the count, so disable the Coverity error */
+ /* coverity[tainted_data] */
if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
- ((uschar*)node->data.ptr)[count] = 0;
+ (US node->data.ptr)[count] = '\0';
}
break;
body_linecount = Uatoi(big_buffer + 15);
else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
body_zerocount = Uatoi(big_buffer + 15);
- #ifdef EXPERIMENTAL_BRIGHTMAIL
+#ifdef EXPERIMENTAL_BRIGHTMAIL
else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
bmi_verdicts = string_copy(big_buffer + 14);
- #endif
+#endif
break;
case 'd':
if (Ustrcmp(p, "eliver_firsttime") == 0)
deliver_firsttime = TRUE;
+ /* Check if the dsn flags have been set in the header file */
+ else if (Ustrncmp(p, "sn_ret", 6) == 0)
+ dsn_ret= atoi(CS big_buffer + 8);
+ else if (Ustrncmp(p, "sn_envid", 8) == 0)
+ dsn_envid = string_copy(big_buffer + 11);
break;
case 'f':
if (Ustrncmp(p, "rozen", 5) == 0)
{
deliver_freeze = TRUE;
- deliver_frozen_at = Uatoi(big_buffer + 7);
+ if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
+ goto SPOOL_READ_ERROR;
}
break;
case 's':
if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
sender_set_untrusted = TRUE;
- #ifdef WITH_CONTENT_SCAN
- else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
- spam_score_int = string_copy(big_buffer + 16);
- else if (Ustrncmp(p, "pam_score ", 10) == 0)
- spam_score = string_copy(big_buffer + 12);
+#ifdef WITH_CONTENT_SCAN
else if (Ustrncmp(p, "pam_bar ", 8) == 0)
spam_bar = string_copy(big_buffer + 10);
- else if (Ustrncmp(p, "pam_report ", 11) == 0)
- spam_report = string_copy(big_buffer + 13);
- #endif
+ else if (Ustrncmp(p, "pam_score ", 10) == 0)
+ spam_score = string_copy(big_buffer + 12);
+ else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
+ spam_score_int = string_copy(big_buffer + 16);
+#endif
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+ else if (Ustrncmp(p, "mtputf8", 7) == 0)
+ message_smtputf8 = TRUE;
+#endif
break;
- #ifdef SUPPORT_TLS
+#ifdef SUPPORT_TLS
case 't':
if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
- tls_certificate_verified = TRUE;
+ tls_in.certificate_verified = TRUE;
else if (Ustrncmp(p, "ls_cipher", 9) == 0)
- tls_cipher = string_copy(big_buffer + 12);
+ tls_in.cipher = string_copy(big_buffer + 12);
+# ifndef COMPILE_UTILITY /* tls support fns not built in */
+ else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
+ (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
+ else if (Ustrncmp(p, "ls_peercert", 11) == 0)
+ (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
+# endif
else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
- tls_peerdn = string_copy(big_buffer + 12);
+ tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
+ else if (Ustrncmp(p, "ls_sni", 6) == 0)
+ tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
+ else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
+ tls_in.ocsp = big_buffer[10] - '0';
+ break;
+#endif
+
+#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
+ case 'u':
+ if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
+ message_utf8_downconvert = 1;
+ else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
+ message_utf8_downconvert = -1;
break;
- #endif
+#endif
default: /* Present because some compilers complain if all */
break; /* possibilities are not covered. */
#endif /* COMPILE_UTILITY */
/* After reading the tree, the next line has not yet been read into the
-buffer. It contains the count of recipients which follow on separate lines. */
+buffer. It contains the count of recipients which follow on separate lines.
+Apply an arbitrary sanity check.*/
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
-if (sscanf(CS big_buffer, "%d", &rcount) != 1) goto SPOOL_FORMAT_ERROR;
+if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
+ goto SPOOL_FORMAT_ERROR;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
recipients_list_max = rcount;
recipients_list = store_get(rcount * sizeof(recipient_item));
+/* We sanitised the count and know we have enough memory, so disable
+the Coverity error on recipients_count */
+/* coverity[tainted_data] */
+
for (recipients_count = 0; recipients_count < rcount; recipients_count++)
{
int nn;
int pno = -1;
+ int dsn_flags = 0;
+ uschar *orcpt = NULL;
uschar *errors_to = NULL;
uschar *p;
ends with <errors_to address><space><len>,<pno> where pno is
the parent number for one_time addresses, and len is the length
of the errors_to address (zero meaning none).
+
+ Bit 02 indicates that, again reading from right to left, the data continues
+ with orcpt len(orcpt),dsn_flags
*/
while (isdigit(*p)) p--;
else if (*p == '#')
{
int flags;
+
+#if !defined (COMPILE_UTILITY)
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
+#endif
+
(void)sscanf(CS p+1, "%d", &flags);
if ((flags & 0x01) != 0) /* one_time data exists */
}
*(--p) = 0; /* Terminate address */
+ if ((flags & 0x02) != 0) /* one_time data exists */
+ {
+ int len;
+ while (isdigit(*(--p)) || *p == ',' || *p == '-');
+ (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
+ *p = 0;
+ if (len > 0)
+ {
+ p -= len;
+ orcpt = string_copy(p);
+ }
+ }
+
+ *(--p) = 0; /* Terminate address */
+ }
+#if !defined(COMPILE_UTILITY)
+ else
+ { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
+
+ if ((orcpt != NULL) || (dsn_flags != 0))
+ {
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
+ big_buffer, orcpt, dsn_flags);
+ }
+ if (errors_to != NULL)
+ {
+ DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
+ big_buffer, errors_to);
}
+#endif
recipients_list[recipients_count].address = string_copy(big_buffer);
recipients_list[recipients_count].pno = pno;
recipients_list[recipients_count].errors_to = errors_to;
+ recipients_list[recipients_count].orcpt = orcpt;
+ recipients_list[recipients_count].dsn_flags = dsn_flags;
}
/* The remainder of the spool header file contains the headers for the message,
int i;
if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
- (void)ungetc(n, f);
- (void)fscanf(f, "%d%c ", &n, flag);
+ if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
+ goto SPOOL_READ_ERROR;
if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
if (read_headers)
{
n = errno;
- #ifndef COMPILE_UTILITY
+#ifndef COMPILE_UTILITY
DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
- #endif /* COMPILE_UTILITY */
+#endif /* COMPILE_UTILITY */
fclose(f);
errno = n;
return inheader? spool_read_hdrerror : spool_read_enverror;
}
+/* vi: aw ai sw=2
+*/
/* End of spool_in.c */