X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/3d2a6e4d79f5227d66356409ff86fe0cda4cb7ab..9e949f00f404d3672b1ecd7c1bfd5e8927a3301d:/src/src/malware.c diff --git a/src/src/malware.c b/src/src/malware.c index 9e32ed59f..864564ffc 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -1,5 +1,3 @@ -/* $Cambridge: exim/src/src/malware.c,v 1.6 2005/01/13 10:09:36 ph10 Exp $ */ - /************************************************* * Exim - an Internet mail transport agent * *************************************************/ @@ -13,13 +11,18 @@ #ifdef WITH_CONTENT_SCAN /* declaration of private routines */ -int mksd_scan_packed(int sock); +static int mksd_scan_packed(int sock, uschar *scan_filename); +static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking); /* SHUT_WR seems to be undefined on Unixware? */ #ifndef SHUT_WR #define SHUT_WR 1 #endif + +#define MALWARE_TIMEOUT 120 + + #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */ #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */ #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */ @@ -29,7 +32,7 @@ int mksd_scan_packed(int sock); #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */ #define DERR_BAD_CALL (1<<15) /* wrong command */ -/* Routine to check whether a system is big- or litte-endian. +/* Routine to check whether a system is big- or litte-endian. Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html Needed for proper kavdaemon implementation. Sigh. */ #define BIG_MY_ENDIAN 0 @@ -44,7 +47,110 @@ int test_byte_order() { uschar malware_name_buffer[256]; int malware_ok = 0; +/* Gross hacks for the -bmalware option; perhaps we should just create +the scan directory normally for that case, but look into rigging up the +needed header variables if not already set on the command-line? */ +extern int spool_mbox_ok; +extern uschar spooled_message_id[17]; + +/************************************************* +* Scan an email for malware * +*************************************************/ + +/* This is the normal interface for scanning an email, which doesn't need a +filename; it's a wrapper around the malware_file function. + +Arguments: + listptr the list of options to the "malware = ..." ACL condition + +Returns: Exim message processing code (OK, FAIL, DEFER, ...) + where true means malware was found (condition applies) +*/ int malware(uschar **listptr) { + uschar scan_filename[1024]; + BOOL fits; + int ret; + + fits = string_format(scan_filename, sizeof(scan_filename), + CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id); + if (!fits) + { + av_failed = TRUE; + log_write(0, LOG_MAIN|LOG_PANIC, + "malware filename does not fit in buffer [malware()]"); + return DEFER; + } + + ret = malware_internal(listptr, scan_filename, FALSE); + if (ret == DEFER) av_failed = TRUE; + + return ret; +} + + +/************************************************* +* Scan a file for malware * +*************************************************/ + +/* This is a test wrapper for scanning an email, which is not used in +normal processing. Scan any file, using the Exim scanning interface. +This function tampers with various global variables so is unsafe to use +in any other context. + +Arguments: + eml_filename a file holding the message to be scanned + +Returns: Exim message processing code (OK, FAIL, DEFER, ...) + where true means malware was found (condition applies) +*/ +int +malware_in_file(uschar *eml_filename) { + uschar *scan_options[2]; + uschar message_id_buf[64]; + int ret; + + scan_options[0] = US"*"; + scan_options[1] = NULL; + + /* spool_mbox() assumes various parameters exist, when creating + the relevant directory and the email within */ + (void) string_format(message_id_buf, sizeof(message_id_buf), + "dummy-%d", pseudo_random_number(INT_MAX)); + message_id = message_id_buf; + sender_address = US"malware-sender@example.net"; + return_path = US""; + recipients_list = NULL; + receive_add_recipient(US"malware-victim@example.net", -1); + enable_dollar_recipients = TRUE; + + ret = malware_internal(scan_options, eml_filename, TRUE); + + Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id)); + spool_mbox_ok = 1; + /* don't set no_mbox_unspool; at present, there's no way for it to become + set, but if that changes, then it should apply to these tests too */ + unspool_mbox(); + + return ret; +} + + +/************************************************* +* Scan content for malware * +*************************************************/ + +/* This is an internal interface for scanning an email; the normal interface +is via malware(), or there's malware_in_file() used for testing/debugging. + +Arguments: + listptr the list of options to the "malware = ..." ACL condition + eml_filename the file holding the email to be scanned + faking whether or not we're faking this up for the -bmalware test + +Returns: Exim message processing code (OK, FAIL, DEFER, ...) + where true means malware was found (condition applies) +*/ +static int malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) { int sep = 0; uschar *list = *listptr; uschar *av_scanner_work = av_scanner; @@ -58,34 +164,34 @@ int malware(uschar **listptr) { int roffset; const pcre *re; const uschar *rerror; - + /* make sure the eml mbox file is spooled up */ - mbox_file = spool_mbox(&mbox_size); + mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL); if (mbox_file == NULL) { /* error while spooling */ log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: error while creating mbox spool file"); - return DEFER; + return DEFER; }; /* none of our current scanners need the mbox file as a stream, so we can close it right away */ - fclose(mbox_file); - + (void)fclose(mbox_file); + /* extract the malware regex to match against from the option list */ if ((malware_regex = string_nextinlist(&list, &sep, malware_regex_buffer, sizeof(malware_regex_buffer))) != NULL) { - + /* parse 1st option */ - if ( (strcmpic(malware_regex,US"false") == 0) || + if ( (strcmpic(malware_regex,US"false") == 0) || (Ustrcmp(malware_regex,"0") == 0) ) { /* explicitly no matching */ return FAIL; }; - + /* special cases (match anything except empty) */ - if ( (strcmpic(malware_regex,US"true") == 0) || - (Ustrcmp(malware_regex,"*") == 0) || + if ( (strcmpic(malware_regex,US"true") == 0) || + (Ustrcmp(malware_regex,"*") == 0) || (Ustrcmp(malware_regex,"1") == 0) ) { malware_regex = malware_regex_default; }; @@ -134,274 +240,383 @@ int malware(uschar **listptr) { "malware acl condition: av_scanner configuration variable is empty"); return DEFER; }; - - /* "drweb" scanner type ----------------------------------------------- */ - /* v0.1 - added support for tcp sockets */ - /* v0.0 - initial release -- support for unix sockets */ - if (strcmpic(scanner_name,US"drweb") == 0) { - uschar *drweb_options; - uschar drweb_options_buffer[1024]; - uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock"; - struct sockaddr_un server; - int sock, result, ovector[30]; - unsigned int port, fsize; - uschar tmpbuf[1024], *drweb_fbuf; - uschar scanrequest[1024]; - uschar drweb_match_string[128]; - int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, - drweb_vnum, drweb_slen, drweb_fin = 0x0000; - unsigned long bread; - uschar hostname[256]; - struct hostent *he; - struct in_addr in; - pcre *drweb_re; - - if ((drweb_options = string_nextinlist(&av_scanner_work, &sep, - drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) { - /* no options supplied, use default options */ - drweb_options = drweb_options_default; - }; - - if (*drweb_options != '/') { - - /* extract host and port part */ - if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: invalid socket '%s'", drweb_options); - return DEFER; - } - - /* Lookup the host */ - if((he = gethostbyname(CS hostname)) == 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: failed to lookup host '%s'", hostname); - return DEFER; - } - - in = *(struct in_addr *) he->h_addr_list[0]; - - /* Open the drwebd TCP socket */ - if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to acquire socket (%s)", - strerror(errno)); - return DEFER; - } - - if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: connection to %s, port %u failed (%s)", - inet_ntoa(in), port, strerror(errno)); - return DEFER; - } - - /* prepare variables */ - drweb_cmd = htonl(DRWEBD_SCAN_CMD); - drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); - snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", - spool_directory, message_id, message_id); - - /* calc file size */ - drweb_fd = open(CS scanrequest, O_RDONLY); - if (drweb_fd == -1) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't open spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - fsize = lseek(drweb_fd, 0, SEEK_END); - if (fsize == -1) { - close(sock); - close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't seek spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - drweb_slen = htonl(fsize); - lseek(drweb_fd, 0, SEEK_SET); - - /* send scan request */ - if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || - (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || - (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) || - (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) { - close(sock); - close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); - return DEFER; - } - - drweb_fbuf = (uschar *) malloc (fsize); - if (!drweb_fbuf) { - close(sock); - close(drweb_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to allocate memory %u for file (%s)", - fsize, scanrequest); - return DEFER; - } - - result = read (drweb_fd, drweb_fbuf, fsize); - if (result == -1) { - close(sock); - close(drweb_fd); - free(drweb_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't read spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - close(drweb_fd); - - /* send file body to socket */ - if (send(sock, drweb_fbuf, fsize, 0) < 0) { - close(sock); - free(drweb_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options); - return DEFER; - } - close(drweb_fd); - } - else { - /* open the drwebd UNIX socket */ - sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: can't open UNIX socket"); - return DEFER; - } - server.sun_family = AF_UNIX; - Ustrcpy(server.sun_path, drweb_options); - if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno); - return DEFER; - } - - /* prepare variables */ - drweb_cmd = htonl(DRWEBD_SCAN_CMD); - drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); - snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id); - drweb_slen = htonl(Ustrlen(scanrequest)); - - /* send scan request */ - if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || - (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || - (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) || - (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) || - (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); - return DEFER; - } - } - - /* wait for result */ - if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to read return code"); - return DEFER; - } - drweb_rc = ntohl(drweb_rc); - - if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: unable to read the number of viruses"); - return DEFER; - } - drweb_vnum = ntohl(drweb_vnum); - - /* "virus(es) found" if virus number is > 0 */ - if (drweb_vnum) - { - int i; - uschar pre_malware_nb[256]; - - malware_name = malware_name_buffer; - - /* setup default virus name */ - Ustrcpy(malware_name_buffer,"unknown"); - - /* read and concatenate virus names into one string */ - for (i=0;i= 2) { - pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255); - } - /* the first name we just copy to malware_name */ - if (i==0) - Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); - else { - /* concatenate each new virus name to previous */ - int slen = Ustrlen(malware_name_buffer); - if (slen < (slen+Ustrlen(pre_malware_nb))) { - Ustrcat(malware_name_buffer, "/"); - Ustrcat(malware_name_buffer, pre_malware_nb); - } - } - } - } - else { - char *drweb_s = NULL; - - if (drweb_rc & DERR_READ_ERR) drweb_s = "read error"; - if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory"; - if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout"; - if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command"; - /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED. - * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM, - * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR - * and others are ignored */ - if (drweb_s) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s); - close(sock); - return DEFER; - } - /* no virus found */ - malware_name = NULL; - }; - close(sock); - } - /* ----------------------------------------------------------------------- */ + + /* "f-protd" scanner type ----------------------------------------------- */ + if (strcmpic(scanner_name, US"f-protd") == 0) { + uschar *fp_options, *fp_scan_option; + uschar fp_scan_option_buffer[1024]; + uschar fp_options_buffer[1024]; + uschar fp_options_default[] = "localhost 10200-10204"; + uschar hostname[256]; + unsigned int port, portlow, porthigh, connect_ok=0, detected=0, par_count = 0; + struct hostent *he; + struct in_addr in; + int sock; + uschar scanrequest[2048], buf[32768], *strhelper, *strhelper2; + + if ((fp_options = string_nextinlist(&av_scanner_work, &sep, + fp_options_buffer, sizeof(fp_options_buffer))) == NULL) { + /* no options supplied, use default options */ + fp_options = fp_options_default; + }; + + /* extract host and port part */ + if ( sscanf(CS fp_options, "%s %u-%u", hostname, &portlow, &porthigh) != 3 ) { + if ( sscanf(CS fp_options, "%s %u", hostname, &portlow) != 2 ) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: f-protd: invalid socket '%s'", fp_options); + return DEFER; + } + porthigh = portlow; + } + + /* Lookup the host */ + if((he = gethostbyname(CS hostname)) == 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: f-protd: failed to lookup host '%s'", hostname); + return DEFER; + } + + in = *(struct in_addr *) he->h_addr_list[0]; + port = portlow; + + + /* Open the f-protd TCP socket */ + if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: f-protd: unable to acquire socket (%s)", + strerror(errno)); + return DEFER; + } + + /* Try to connect to all portslow-high until connection is established */ + for (port = portlow; !connect_ok && port < porthigh; port++) { + if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) >= 0) { + connect_ok = 1; + } + } + + if ( !connect_ok ) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: f-protd: connection to %s, port %u-%u failed (%s)", + inet_ntoa(in), portlow, porthigh, strerror(errno)); + (void)close(sock); + return DEFER; + } + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s GET\n", scanner_name); + (void)string_format(scanrequest, 1024, CS"GET %s", eml_filename); + + while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep, + fp_scan_option_buffer, sizeof(fp_scan_option_buffer))) != NULL) { + if ( par_count ) { + Ustrcat(scanrequest, "%20"); + } else { + Ustrcat(scanrequest, "?"); + } + Ustrcat(scanrequest, fp_scan_option); + par_count++; + } + Ustrcat(scanrequest, " HTTP/1.0\r\n\r\n"); + + /* send scan request */ + if (send(sock, &scanrequest, Ustrlen(scanrequest)+1, 0) < 0) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: f-protd: unable to send command to socket (%s)", scanrequest); + return DEFER; + } + + /* We get a lot of empty lines, so we need this hack to check for any data at all */ + while( recv(sock, buf, 1, MSG_PEEK) > 0 ) { + if ( recv_line(sock, buf, 32768) > 0) { + if ( Ustrstr(buf, US"")) ) { + if ((strhelper2 = Ustrstr(buf, US"")) != NULL) { + *strhelper2 = '\0'; + Ustrcpy(malware_name_buffer, strhelper + 6); + } + } else if ( Ustrstr(buf, US"") ) { + malware_name = malware_name_buffer; + } else { + malware_name = NULL; + } + } + } + } + (void)close(sock); + } + /* "drweb" scanner type ----------------------------------------------- */ + /* v0.1 - added support for tcp sockets */ + /* v0.0 - initial release -- support for unix sockets */ + else if (strcmpic(scanner_name,US"drweb") == 0) { + uschar *drweb_options; + uschar drweb_options_buffer[1024]; + uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock"; + struct sockaddr_un server; + int sock, result, ovector[30]; + unsigned int port, fsize; + uschar tmpbuf[1024], *drweb_fbuf; + uschar drweb_match_string[128]; + int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, + drweb_vnum, drweb_slen, drweb_fin = 0x0000; + unsigned long bread; + uschar hostname[256]; + struct hostent *he; + struct in_addr in; + pcre *drweb_re; + + if ((drweb_options = string_nextinlist(&av_scanner_work, &sep, + drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) { + /* no options supplied, use default options */ + drweb_options = drweb_options_default; + }; + + if (*drweb_options != '/') { + + /* extract host and port part */ + if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: invalid socket '%s'", drweb_options); + return DEFER; + } + + /* Lookup the host */ + if((he = gethostbyname(CS hostname)) == 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: failed to lookup host '%s'", hostname); + return DEFER; + } + + in = *(struct in_addr *) he->h_addr_list[0]; + + /* Open the drwebd TCP socket */ + if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to acquire socket (%s)", + strerror(errno)); + return DEFER; + } + + if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: connection to %s, port %u failed (%s)", + inet_ntoa(in), port, strerror(errno)); + return DEFER; + } + + /* prepare variables */ + drweb_cmd = htonl(DRWEBD_SCAN_CMD); + drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); + + /* calc file size */ + drweb_fd = open(CS eml_filename, O_RDONLY); + if (drweb_fd == -1) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: can't open spool file %s: %s", + eml_filename, strerror(errno)); + return DEFER; + } + fsize = lseek(drweb_fd, 0, SEEK_END); + if (fsize == -1) { + (void)close(sock); + (void)close(drweb_fd); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: can't seek spool file %s: %s", + eml_filename, strerror(errno)); + return DEFER; + } + drweb_slen = htonl(fsize); + lseek(drweb_fd, 0, SEEK_SET); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s %u]\n", + scanner_name, hostname, port); + + /* send scan request */ + if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || + (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || + (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) || + (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) { + (void)close(sock); + (void)close(drweb_fd); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); + return DEFER; + } + + drweb_fbuf = (uschar *) malloc (fsize); + if (!drweb_fbuf) { + (void)close(sock); + (void)close(drweb_fd); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to allocate memory %u for file (%s)", + fsize, eml_filename); + return DEFER; + } + + result = read (drweb_fd, drweb_fbuf, fsize); + if (result == -1) { + (void)close(sock); + (void)close(drweb_fd); + free(drweb_fbuf); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: can't read spool file %s: %s", + eml_filename, strerror(errno)); + return DEFER; + } + (void)close(drweb_fd); + + /* send file body to socket */ + if (send(sock, drweb_fbuf, fsize, 0) < 0) { + (void)close(sock); + free(drweb_fbuf); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options); + return DEFER; + } + (void)close(drweb_fd); + } + else { + /* open the drwebd UNIX socket */ + sock = socket(AF_UNIX, SOCK_STREAM, 0); + if (sock < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: can't open UNIX socket"); + return DEFER; + } + server.sun_family = AF_UNIX; + Ustrcpy(server.sun_path, drweb_options); + if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno); + return DEFER; + } + + /* prepare variables */ + drweb_cmd = htonl(DRWEBD_SCAN_CMD); + drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); + drweb_slen = htonl(Ustrlen(eml_filename)); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n", + scanner_name, drweb_options); + + /* send scan request */ + if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || + (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || + (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) || + (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) || + (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); + return DEFER; + } + } + + /* wait for result */ + if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to read return code"); + return DEFER; + } + drweb_rc = ntohl(drweb_rc); + + if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: unable to read the number of viruses"); + return DEFER; + } + drweb_vnum = ntohl(drweb_vnum); + + /* "virus(es) found" if virus number is > 0 */ + if (drweb_vnum) + { + int i; + uschar pre_malware_nb[256]; + + malware_name = malware_name_buffer; + + /* setup default virus name */ + Ustrcpy(malware_name_buffer,"unknown"); + + /* read and concatenate virus names into one string */ + for (i=0;i= 2) { + pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255); + } + /* the first name we just copy to malware_name */ + if (i==0) + Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); + else { + /* concatenate each new virus name to previous */ + int slen = Ustrlen(malware_name_buffer); + if (slen < (slen+Ustrlen(pre_malware_nb))) { + Ustrcat(malware_name_buffer, "/"); + Ustrcat(malware_name_buffer, pre_malware_nb); + } + } + } + } + else { + const char *drweb_s = NULL; + + if (drweb_rc & DERR_READ_ERR) drweb_s = "read error"; + if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory"; + if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout"; + if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command"; + /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED. + * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM, + * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR + * and others are ignored */ + if (drweb_s) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s); + (void)close(sock); + return DEFER; + } + /* no virus found */ + malware_name = NULL; + }; + (void)close(sock); + } + /* ----------------------------------------------------------------------- */ else if (strcmpic(scanner_name,US"aveserver") == 0) { uschar *kav_options; uschar kav_options_buffer[1024]; @@ -409,66 +624,102 @@ int malware(uschar **listptr) { uschar buf[32768]; struct sockaddr_un server; int sock; - + int result; + if ((kav_options = string_nextinlist(&av_scanner_work, &sep, kav_options_buffer, sizeof(kav_options_buffer))) == NULL) { /* no options supplied, use default options */ kav_options = kav_options_default; }; - + /* open the aveserver socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: can't open UNIX socket."); - return DEFER; + return DEFER; } server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, kav_options); if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno); return DEFER; } - + /* read aveserver's greeting and see if it is ready (2xx greeting) */ recv_line(sock, buf, 32768); if (buf[0] != '2') { /* aveserver is having problems */ - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") ); return DEFER; }; - + /* prepare our command */ - snprintf(CS buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id); - + (void)string_format(buf, 32768, "SCAN bPQRSTUW %s\r\n", eml_filename); + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s SCAN\n", scanner_name); + /* and send it */ if (send(sock, buf, Ustrlen(buf), 0) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options); return DEFER; } - + malware_name = NULL; + result = 0; /* read response lines, find malware name and final response */ while (recv_line(sock, buf, 32768) > 0) { debug_printf("aveserver: %s\n", buf); - if (buf[0] == '2') break; - if (Ustrncmp(buf,"322",3) == 0) { + if (buf[0] == '2') { + break; + } else if (buf[0] == '5') { + /* aveserver is having problems */ + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: unable to scan file %s (Responded: %s).", + eml_filename, buf); + result = DEFER; + break; + } else if (Ustrncmp(buf,"322",3) == 0) { uschar *p = Ustrchr(&buf[4],' '); *p = '\0'; Ustrcpy(malware_name_buffer,&buf[4]); malware_name = malware_name_buffer; - }; + }; } - close(sock); + /* prepare our command */ + (void)string_format(buf, 32768, "quit\r\n"); + + /* and send it */ + if (send(sock, buf, Ustrlen(buf), 0) < 0) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options); + return DEFER; + } + + /* read aveserver's greeting and see if it is ready (2xx greeting) */ + recv_line(sock, buf, 32768); + + if (buf[0] != '2') { + /* aveserver is having problems */ + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: unable to quit aveserver dialogue (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") ); + return DEFER; + }; + + (void)close(sock); + + if (result == DEFER) return DEFER; } /* "fsecure" scanner type ------------------------------------------------- */ else if (strcmpic(scanner_name,US"fsecure") == 0) { @@ -484,15 +735,15 @@ int malware(uschar **listptr) { US"CONFIGURE\tTIMEOUT\t0\n", US"CONFIGURE\tMAXARCH\t5\n", US"CONFIGURE\tMIME\t1\n" }; - + malware_name = NULL; if ((fsecure_options = string_nextinlist(&av_scanner_work, &sep, fsecure_options_buffer, - sizeof(fsecure_options_buffer))) == NULL) { + sizeof(fsecure_options_buffer))) == NULL) { /* no options supplied, use default options */ fsecure_options = fsecure_options_default; }; - + /* open the fsecure socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { @@ -504,29 +755,32 @@ int malware(uschar **listptr) { server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, fsecure_options); if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to connect to fsecure socket %s (%s)", fsecure_options, strerror(errno)); return DEFER; } - + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, fsecure_options); + /* pass options */ memset(av_buffer, 0, sizeof(av_buffer)); for (i=0; i != 4; i++) { /* debug_printf("send option \"%s\"",cmdoptions[i]); */ if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to write fsecure option %d to %s (%s)", i, fsecure_options, strerror(errno)); - return DEFER; + return DEFER; }; - - bread = read(sock, av_buffer, sizeof(av_buffer)); + + bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); if (bread >0) av_buffer[bread]='\0'; if (bread < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno)); return DEFER; @@ -535,31 +789,31 @@ int malware(uschar **listptr) { /* debug_printf("read answer %d read=%d \"%s\"\n", i, bread, av_buffer ); */ /* while (Ustrstr(av_buffer, "OK\tServer configured.@") == NULL); */ }; - + /* pass the mailfile to fsecure */ - snprintf(CS file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id); + (void)string_format(file_name,1024,"SCAN\t%s\n", eml_filename); /* debug_printf("send scan %s",file_name); */ if (write(sock, file_name, Ustrlen(file_name)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to write fsecure scan to %s (%s)", fsecure_options, strerror(errno)); return DEFER; }; - + /* set up match */ /* todo also SUSPICION\t */ fs_inf = pcre_compile("\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$", PCRE_COPT, (const char **)&rerror, &roffset, NULL); - + /* read report, linewise */ do { int ovector[30]; i = 0; memset(av_buffer, 0, sizeof(av_buffer)); do { - bread=read(sock, &av_buffer[i], 1); + bread=ip_recv(sock, &av_buffer[i], 1, MALWARE_TIMEOUT); if (bread < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to read fsecure result (%s)", strerror(errno)); return DEFER; @@ -569,7 +823,7 @@ int malware(uschar **listptr) { while ((i < sizeof(av_buffer)-1 ) && (av_buffer[i-1] != '\n')); av_buffer[i-1] = '\0'; /* debug_printf("got line \"%s\"\n",av_buffer); */ - + /* Really search for virus again? */ if (malware_name == NULL) { /* try matcher on the line, grab substring */ @@ -582,7 +836,7 @@ int malware(uschar **listptr) { }; } while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL); - close(sock); + (void)close(sock); } /* ----------------------------------------------------------------------- */ @@ -600,51 +854,69 @@ int malware(uschar **listptr) { int kav_rc; unsigned long kav_reportlen, bread; pcre *kav_re; - + uschar *p; + int fits; + if ((kav_options = string_nextinlist(&av_scanner_work, &sep, kav_options_buffer, sizeof(kav_options_buffer))) == NULL) { /* no options supplied, use default options */ kav_options = kav_options_default; }; - + /* open the kavdaemon socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: can't open UNIX socket."); - return DEFER; + return DEFER; } server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, kav_options); if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno); return DEFER; } - + /* get current date and time, build scan request */ time(&t); - strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t)); - snprintf(CS scanrequest, 1024,CS tmpbuf, spool_directory, message_id); - + /* pdp note: before the eml_filename parameter, this scanned the + directory; not finding documentation, so we'll strip off the directory. + The side-effect is that the test framework scanning may end up in + scanning more than was requested, but for the normal interface, this is + fine. */ + strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s", localtime(&t)); + fits = string_format(scanrequest, 1024,CS tmpbuf, eml_filename); + if (!fits) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware filename does not fit in buffer [malware_internal() kavdaemon]"); + } + p = Ustrrchr(scanrequest, '/'); + if (p) + *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, kav_options); + /* send scan request */ if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options); return DEFER; } - + /* wait for result */ if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to read 2 bytes from kavdaemon socket."); return DEFER; } - + /* get errorcode from one nibble */ if (test_byte_order() == LITTLE_MY_ENDIAN) { kav_rc = tmpbuf[0] & 0x0F; @@ -652,57 +924,57 @@ int malware(uschar **listptr) { else { kav_rc = tmpbuf[1] & 0x0F; }; - + /* improper kavdaemon configuration */ if ( (kav_rc == 5) || (kav_rc == 6) ) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files."); return DEFER; }; - + if (kav_rc == 1) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: kavdaemon reported 'scanning not completed' (code 1)."); return DEFER; }; - + if (kav_rc == 7) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7)."); return DEFER; }; - + /* code 8 is not handled, since it is ambigous. It appears mostly on bounces where part of a file has been cut off */ - + /* "virus found" return codes (2-4) */ if ((kav_rc > 1) && (kav_rc < 5)) { int report_flag = 0; - + /* setup default virus name */ Ustrcpy(malware_name_buffer,"unknown"); malware_name = malware_name_buffer; - + if (test_byte_order() == LITTLE_MY_ENDIAN) { report_flag = tmpbuf[1]; } else { report_flag = tmpbuf[0]; }; - + /* read the report, if available */ if( report_flag == 1 ) { /* read report size */ if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: cannot read report size from kavdaemon"); return DEFER; }; - + /* it's possible that avp returns av_buffer[1] == 1 but the reportsize is 0 (!?) */ if (kav_reportlen > 0) { @@ -711,18 +983,18 @@ int malware(uschar **listptr) { Ustrcpy(kav_match_string, "suspicion:\\s*(.+?)\\s*$"); else Ustrcpy(kav_match_string, "infected:\\s*(.+?)\\s*$"); - + kav_re = pcre_compile( CS kav_match_string, PCRE_COPT, (const char **)&rerror, &roffset, NULL ); - - /* read report, linewise */ + + /* read report, linewise */ while (kav_reportlen > 0) { int result = 0; int ovector[30]; - + bread = 0; while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) { kav_reportlen--; @@ -731,7 +1003,7 @@ int malware(uschar **listptr) { }; bread++; tmpbuf[bread] = '\0'; - + /* try matcher on the line, grab substring */ result = pcre_exec(kav_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30); if (result >= 2) { @@ -746,12 +1018,12 @@ int malware(uschar **listptr) { /* no virus found */ malware_name = NULL; }; - - close(sock); + + (void)close(sock); } /* ----------------------------------------------------------------------- */ - - + + /* "cmdline" scanner type ------------------------------------------------ */ else if (strcmpic(scanner_name,US"cmdline") == 0) { uschar *cmdline_scanner; @@ -772,7 +1044,9 @@ int malware(uschar **listptr) { int trigger = 0; int result; int ovector[30]; - + uschar *p; + BOOL fits; + /* find scanner command line */ if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep, cmdline_scanner_buffer, @@ -780,9 +1054,9 @@ int malware(uschar **listptr) { /* no command line supplied */ log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: missing commandline specification for cmdline scanner type."); - return DEFER; + return DEFER; }; - + /* find scanner output trigger */ if ((cmdline_trigger = string_nextinlist(&av_scanner_work, &sep, cmdline_trigger_buffer, @@ -790,9 +1064,9 @@ int malware(uschar **listptr) { /* no trigger regex supplied */ log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: missing trigger specification for cmdline scanner type."); - return DEFER; + return DEFER; }; - + /* precompile trigger regex */ cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL); if (cmdline_trigger_re == NULL) { @@ -800,7 +1074,7 @@ int malware(uschar **listptr) { "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger_re, rerror, roffset); return DEFER; }; - + /* find scanner name regex */ if ((cmdline_regex = string_nextinlist(&av_scanner_work, &sep, cmdline_regex_buffer, @@ -808,9 +1082,9 @@ int malware(uschar **listptr) { /* no name regex supplied */ log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: missing virus name regex specification for cmdline scanner type."); - return DEFER; + return DEFER; }; - + /* precompile name regex */ cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL); if (cmdline_regex_re == NULL) { @@ -818,17 +1092,42 @@ int malware(uschar **listptr) { "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex_re, rerror, roffset); return DEFER; }; - - /* prepare scanner call */ - snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id); - snprintf(CS commandline,1024, CS cmdline_scanner,file_name); + + /* prepare scanner call; despite the naming, file_name holds a directory + name which is documented as the value given to %s. */ + if (Ustrlen(eml_filename) > sizeof(file_name) - 1) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware filename does not fit in buffer [malware_internal() cmdline]"); + return DEFER; + } + Ustrcpy(file_name, eml_filename); + p = Ustrrchr(file_name, '/'); + if (p) + *p = '\0'; + fits = string_format(commandline, sizeof(commandline), CS cmdline_scanner, file_name); + if (!fits) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "cmdline scanner command-line does not fit in buffer"); + return DEFER; + } + /* redirect STDERR too */ + if (Ustrlen(commandline) + 5 > sizeof(commandline)) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "cmdline scanner command-line does not fit in buffer (STDERR redirect)"); + return DEFER; + } Ustrcat(commandline," 2>&1"); - + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", scanner_name, commandline); + /* store exims signal handlers */ eximsigchld = signal(SIGCHLD,SIG_DFL); eximsigpipe = signal(SIGPIPE,SIG_DFL); - + scanner_out = popen(CS commandline,"r"); if (scanner_out == NULL) { log_write(0, LOG_MAIN|LOG_PANIC, @@ -837,10 +1136,10 @@ int malware(uschar **listptr) { signal(SIGPIPE,eximsigpipe); return DEFER; }; - - snprintf(CS file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id); - scanner_record = fopen(CS file_name,"w"); - + + (void)string_format(file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id); + scanner_record = modefopen(file_name,"wb",SPOOL_MODE); + if (scanner_record == NULL) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: opening scanner output file (%s) failed: %s.", file_name, strerror(errno)); @@ -849,7 +1148,7 @@ int malware(uschar **listptr) { signal(SIGPIPE,eximsigpipe); return DEFER; }; - + /* look for trigger while recording output */ while(fgets(CS linebuffer,32767,scanner_out) != NULL) { if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) { @@ -865,19 +1164,19 @@ int malware(uschar **listptr) { if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)) trigger = 1; }; - - fclose(scanner_record); + + (void)fclose(scanner_record); pclose(scanner_out); signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe); - + if (trigger) { /* setup default virus name */ Ustrcpy(malware_name_buffer,"unknown"); malware_name = malware_name_buffer; - + /* re-open the scanner output file, look for name match */ - scanner_record = fopen(CS file_name,"r"); + scanner_record = fopen(CS file_name,"rb"); while(fgets(CS linebuffer,32767,scanner_record) != NULL) { /* try match */ result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30); @@ -885,7 +1184,7 @@ int malware(uschar **listptr) { pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255); }; }; - fclose(scanner_record); + (void)fclose(scanner_record); } else { /* no virus found */ @@ -893,8 +1192,8 @@ int malware(uschar **listptr) { }; } /* ----------------------------------------------------------------------- */ - - + + /* "sophie" scanner type ------------------------------------------------- */ else if (strcmpic(scanner_name,US"sophie") == 0) { uschar *sophie_options; @@ -902,55 +1201,71 @@ int malware(uschar **listptr) { uschar sophie_options_default[] = "/var/run/sophie"; int bread = 0; struct sockaddr_un server; - int sock; + int sock, len; + uschar *p; uschar file_name[1024]; uschar av_buffer[1024]; - + if ((sophie_options = string_nextinlist(&av_scanner_work, &sep, sophie_options_buffer, sizeof(sophie_options_buffer))) == NULL) { /* no options supplied, use default options */ sophie_options = sophie_options_default; }; - + /* open the sophie socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: can't open UNIX socket."); - return DEFER; + return DEFER; } server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, sophie_options); if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno); return DEFER; } - + /* pass the scan directory to sophie */ - snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id); + len = Ustrlen(eml_filename) + 1; + if (len > sizeof(file_name)) + { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware filename does not fit in buffer [malware_internal() sophie]"); + return DEFER; + } + memcpy(file_name, eml_filename, len); + p = Ustrrchr(file_name, '/'); + if (p) + *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n", + scanner_name, sophie_options); + if (write(sock, file_name, Ustrlen(file_name)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options); - return DEFER; + return DEFER; }; - - write(sock, "\n", 1); - + + (void)write(sock, "\n", 1); + /* wait for result */ memset(av_buffer, 0, sizeof(av_buffer)); - if ((!(bread = read(sock, av_buffer, sizeof(av_buffer))) > 0)) { - close(sock); + if ((!(bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT)) > 0)) { + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options); return DEFER; }; - - close(sock); - + + (void)close(sock); + /* infected ? */ if (av_buffer[0] == '1') { if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0'; @@ -968,18 +1283,28 @@ int malware(uschar **listptr) { }; } /* ----------------------------------------------------------------------- */ - + /* "clamd" scanner type ------------------------------------------------- */ - /* This code was contributed by David Saez */ + /* This code was originally contributed by David Saez */ + /* There are three scanning methods available to us: + * (1) Use the SCAN command, pointing to a file in the filesystem + * (2) Use the STREAM command, send the data on a separate port + * (3) Use the zINSTREAM command, send the data inline + * The zINSTREAM command was introduced with ClamAV 0.95, which marked + * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095 + * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that + * the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless + * WITH_OLD_CLAMAV_STREAM is defined. + * See Exim bug 926 for details. */ else if (strcmpic(scanner_name,US"clamd") == 0) { uschar *clamd_options; uschar clamd_options_buffer[1024]; uschar clamd_options_default[] = "/tmp/clamd"; - uschar *p,*vname; + uschar *p, *vname, *result_tag, *response_end; struct sockaddr_un server; int sock,bread=0; - unsigned int port; + unsigned int port; uschar file_name[1024]; uschar av_buffer[1024]; uschar hostname[256]; @@ -988,11 +1313,16 @@ int malware(uschar **listptr) { uschar *clamd_options2; uschar clamd_options2_buffer[1024]; uschar clamd_options2_default[] = ""; - uschar av_buffer2[1024]; uschar *clamav_fbuf; - uschar scanrequest[1024]; - int sockData, clam_fd, result; + int clam_fd, result; unsigned int fsize; + BOOL use_scan_command, fits; +#ifdef WITH_OLD_CLAMAV_STREAM + uschar av_buffer2[1024]; + int sockData; +#else + uint32_t send_size, send_final_zeroblock; +#endif if ((clamd_options = string_nextinlist(&av_scanner_work, &sep, clamd_options_buffer, @@ -1005,26 +1335,44 @@ int malware(uschar **listptr) { sizeof(clamd_options2_buffer))) == NULL) { clamd_options2 = clamd_options2_default; } - + + if ((*clamd_options == '/') || (strcmpic(clamd_options2,US"local") == 0)) + use_scan_command = TRUE; + else + use_scan_command = FALSE; + + /* See the discussion of response formats below to see why we really don't + like colons in filenames when passing filenames to ClamAV. */ + if (use_scan_command && Ustrchr(eml_filename, ':')) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: local/SCAN mode incompatible with" \ + " : in path to email filename [%s]", eml_filename); + return DEFER; + } + /* socket does not start with '/' -> network socket */ if (*clamd_options != '/') { - + + /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd + * only supports AF_INET, but we should probably be looking to the + * future and rewriting this to be protocol-independent anyway. */ + /* extract host and port part */ if( sscanf(CS clamd_options, "%s %u", hostname, &port) != 2 ) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: invalid socket '%s'", clamd_options); return DEFER; }; - + /* Lookup the host */ if((he = gethostbyname(CS hostname)) == 0) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: failed to lookup host '%s'", hostname); return DEFER; } - + in = *(struct in_addr *) he->h_addr_list[0]; - + /* Open the ClamAV Socket */ if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { log_write(0, LOG_MAIN|LOG_PANIC, @@ -1032,136 +1380,16 @@ int malware(uschar **listptr) { strerror(errno)); return DEFER; } - + if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: connection to %s, port %u failed (%s)", inet_ntoa(in), port, strerror(errno)); return DEFER; } - if (strcmpic(clamd_options2,US"local") == 0) { - - /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ - - snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id); - - if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", - strerror(errno)); - return DEFER; - } - } else { - - /* Pass the string to ClamAV (7 = "STREAM\n") */ - - if (send(sock, "STREAM\n", 7, 0) < 0) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", - strerror(errno)); - return DEFER; - } - memset(av_buffer2, 0, sizeof(av_buffer2)); - bread = read(sock, av_buffer2, sizeof(av_buffer2)); - - if (bread < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to read PORT from socket (%s)", - strerror(errno)); - return DEFER; - } - - if (bread == sizeof(av_buffer)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: buffer too small"); - return DEFER; - } - - if (!(*av_buffer2)) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned null"); - return DEFER; - } - - av_buffer2[bread] = '\0'; - if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2); - return DEFER; - }; - - if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to acquire socket (%s)", - strerror(errno)); - return DEFER; - } - - if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { - close(sockData); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: connection to %s, port %u failed (%s)", - inet_ntoa(in), port, strerror(errno)); - return DEFER; - } - - snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", - spool_directory, message_id, message_id); - - /* calc file size */ - clam_fd = open(CS scanrequest, O_RDONLY); - if (clam_fd == -1) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't open spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - fsize = lseek(clam_fd, 0, SEEK_END); - if (fsize == -1) { - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't seek spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - lseek(clam_fd, 0, SEEK_SET); - - clamav_fbuf = (uschar *) malloc (fsize); - if (!clamav_fbuf) { - close(sockData); - close(clam_fd); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to allocate memory %u for file (%s)", - fsize, scanrequest); - return DEFER; - } - - result = read (clam_fd, clamav_fbuf, fsize); - if (result == -1) { - close(sockData); - close(clam_fd); - free(clamav_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: can't read spool file %s: %s", - scanrequest, strerror(errno)); - return DEFER; - } - close(clam_fd); - - /* send file body to socket */ - if (send(sockData, clamav_fbuf, fsize, 0) < 0) { - close(sockData); - free(clamav_fbuf); - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); - return DEFER; - } - free(clamav_fbuf); - close(sockData); - } - } - else { + } else { /* open the local socket */ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { log_write(0, LOG_MAIN|LOG_PANIC, @@ -1169,43 +1397,222 @@ int malware(uschar **listptr) { strerror(errno)); return DEFER; } - + server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, clamd_options); - + if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)", clamd_options, strerror(errno) ); return DEFER; } } - - /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ - - snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id); - - if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { - close(sock); - log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", + + /* have socket in variable "sock"; command to use is semi-independent of + * the socket protocol. We use SCAN if is local (either Unix/local + * domain socket, or explicitly told local) else we stream the data. + * How we stream the data depends upon how we were built. */ + + if (!use_scan_command) { + +#ifdef WITH_OLD_CLAMAV_STREAM + /* "STREAM\n" command, get back a "PORT \n" response, send data to + * that port on a second connection; then in the scan-method-neutral + * part, read the response back on the original connection. */ + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s old-style remote scan (PORT)\n", + scanner_name); + + /* Pass the string to ClamAV (7 = "STREAM\n") */ + if (send(sock, "STREAM\n", 7, 0) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", + strerror(errno)); + (void)close(sock); + return DEFER; + } + memset(av_buffer2, 0, sizeof(av_buffer2)); + bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), MALWARE_TIMEOUT); + + if (bread < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to read PORT from socket (%s)", + strerror(errno)); + (void)close(sock); + return DEFER; + } + + if (bread == sizeof(av_buffer)) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: buffer too small"); + (void)close(sock); + return DEFER; + } + + if (!(*av_buffer2)) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: ClamAV returned null"); + (void)close(sock); + return DEFER; + } + + av_buffer2[bread] = '\0'; + if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2); + (void)close(sock); + return DEFER; + }; + + if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to acquire socket (%s)", strerror(errno)); - return DEFER; + (void)close(sock); + return DEFER; + } + + if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: connection to %s, port %u failed (%s)", + inet_ntoa(in), port, strerror(errno)); + (void)close(sockData); (void)close(sock); + return DEFER; + } + +#define CLOSE_SOCKDATA (void)close(sockData) +#else /* WITH_OLD_CLAMAV_STREAM not defined */ + /* New protocol: "zINSTREAM\n" followed by a sequence of + chunks, a 4-byte number (network order), terminated by a zero-length + chunk. */ + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s new-style remote scan (zINSTREAM)\n", + scanner_name); + + /* Pass the string to ClamAV (10 = "zINSTREAM\0") */ + if (send(sock, "zINSTREAM", 10, 0) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to send zINSTREAM to socket (%s)", + strerror(errno)); + (void)close(sock); + return DEFER; + } + +#define CLOSE_SOCKDATA /**/ +#endif + + /* calc file size */ + clam_fd = open(CS eml_filename, O_RDONLY); + if (clam_fd == -1) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: can't open spool file %s: %s", + eml_filename, strerror(errno)); + CLOSE_SOCKDATA; (void)close(sock); + return DEFER; + } + fsize = lseek(clam_fd, 0, SEEK_END); + if (fsize == -1) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: can't seek spool file %s: %s", + eml_filename, strerror(errno)); + CLOSE_SOCKDATA; (void)close(sock); + return DEFER; + } + lseek(clam_fd, 0, SEEK_SET); + + clamav_fbuf = (uschar *) malloc (fsize); + if (!clamav_fbuf) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to allocate memory %u for file (%s)", + fsize, eml_filename); + CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd); + return DEFER; + } + + result = read (clam_fd, clamav_fbuf, fsize); + if (result == -1) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: can't read spool file %s: %s", + eml_filename, strerror(errno)); + CLOSE_SOCKDATA; (void)close(sock); (void)close(clam_fd); + free(clamav_fbuf); + return DEFER; + } + (void)close(clam_fd); + + /* send file body to socket */ +#ifdef WITH_OLD_CLAMAV_STREAM + if (send(sockData, clamav_fbuf, fsize, 0) < 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); + CLOSE_SOCKDATA; (void)close(sock); + free(clamav_fbuf); + return DEFER; + } +#else + send_size = htonl(fsize); + send_final_zeroblock = 0; + if ((send(sock, &send_size, sizeof(send_size), 0) < 0) || + (send(sock, clamav_fbuf, fsize, 0) < 0) || + (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0)) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); + (void)close(sock); + free(clamav_fbuf); + return DEFER; + } +#endif + + free(clamav_fbuf); + + CLOSE_SOCKDATA; +#undef CLOSE_SOCKDATA + + } else { /* use scan command */ + /* Send a SCAN command pointing to a filename; then in the then in the + * scan-method-neutral part, read the response back */ + +/* ================================================================= */ + + /* Prior to the reworking post-Exim-4.72, this scanned a directory, + which dates to when ClamAV needed us to break apart the email into the + MIME parts (eg, with the now deprecated demime condition coming first). + Some time back, ClamAV gained the ability to deconstruct the emails, so + doing this would actually have resulted in the mail attachments being + scanned twice, in the broken out files and from the original .eml. + Since ClamAV now handles emails (and has for quite some time) we can + just use the email file itself. */ + /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ + fits = string_format(file_name, sizeof(file_name), "SCAN %s\n", + eml_filename); + if (!fits) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC, + "malware filename does not fit in buffer [malware_internal() clamd]"); + } + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s local-path scan [%s]\n", + scanner_name, clamd_options); + + if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { + (void)close(sock); + log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", + strerror(errno)); + return DEFER; + } + + /* Do not shut down the socket for writing; a user report noted that + * clamd 0.70 does not react well to this. */ } - - /* - We're done sending, close socket for writing. - - One user reported that clamd 0.70 does not like this any more ... - - */ - - /* shutdown(sock, SHUT_WR); */ - + /* Commands have been sent, no matter which scan method or connection + * type we're using; now just read the result, independent of method. */ + /* Read the result */ memset(av_buffer, 0, sizeof(av_buffer)); - bread = read(sock, av_buffer, sizeof(av_buffer)); - close(sock); + bread = ip_recv(sock, av_buffer, sizeof(av_buffer), MALWARE_TIMEOUT); + (void)close(sock); if (!(bread > 0)) { log_write(0, LOG_MAIN|LOG_PANIC, @@ -1213,66 +1620,112 @@ int malware(uschar **listptr) { strerror(errno)); return DEFER; } - + if (bread == sizeof(av_buffer)) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: buffer too small"); return DEFER; } - - /* Check the result. ClamAV Returns - infected: -> ": FOUND" - not-infected: -> ": OK" - error: -> ": ERROR */ - + + /* Check the result. ClamAV returns one of two result formats. + In the basic mode, the response is of the form: + infected: -> ": FOUND" + not-infected: -> ": OK" + error: -> ": ERROR + If the ExtendedDetectionInfo option has been turned on, then we get: + ": (:) FOUND" + for the infected case. Compare: +/tmp/eicar.com: Eicar-Test-Signature FOUND +/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND + + In the streaming case, clamd uses the filename "stream" which you should + be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The + client app will replace "stream" with the original filename before returning + results to stdout, but the trace shows the data). + + We will assume that the pathname passed to clamd from Exim does not contain + a colon. We will have whined loudly above if the eml_filename does (and we're + passing a filename to clamd). */ + if (!(*av_buffer)) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: clamd: ClamAV returned null"); return DEFER; } - + + /* strip newline at the end (won't be present for zINSTREAM) + (also any trailing whitespace, which shouldn't exist, but we depend upon + this below, so double-check) */ + p = av_buffer + Ustrlen(av_buffer) - 1; + if (*p == '\n') *p = '\0'; + + DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer); + + while (isspace(*--p) && (p > av_buffer)) + *p = '\0'; + if (*p) ++p; + response_end = p; + /* colon in returned output? */ - if((p = Ustrrchr(av_buffer,':')) == NULL) { + if((p = Ustrchr(av_buffer,':')) == NULL) { log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned malformed result: %s", - av_buffer); + "malware acl condition: clamd: ClamAV returned malformed result (missing colon): %s", + av_buffer); return DEFER; } - - /* strip filename strip CR at the end */ - ++p; - while (*p == ' ') ++p; + + /* strip filename */ + while (*p && isspace(*++p)) /**/; vname = p; - p = vname + Ustrlen(vname) - 1; - if( *p == '\n' ) *p = '\0'; - - if ((p = Ustrstr(vname, "FOUND"))!=NULL) { - *p=0; - for (--p;p>vname && *p<=32;p--) *p=0; - for (;*vname==32;vname++); - Ustrcpy(malware_name_buffer,vname); - malware_name = malware_name_buffer; - } - else { - if (Ustrstr(vname, "ERROR")!=NULL) { - /* ClamAV reports ERROR - Find line start */ - for (;*vname!='\n' && vname>av_buffer; vname--); - if (*vname=='\n') vname++; - - log_write(0, LOG_MAIN|LOG_PANIC, - "malware acl condition: clamd: ClamAV returned %s",vname); - return DEFER; - } - else { - /* Everything should be OK */ - malware_name = NULL; - } + + /* It would be bad to encounter a virus with "FOUND" in part of the name, + but we should at least be resistant to it. */ + p = Ustrrchr(vname, ' '); + if (p) + result_tag = p + 1; + else + result_tag = vname; + + if (Ustrcmp(result_tag, "FOUND") == 0) { + /* p should still be the whitespace before the result_tag */ + while (isspace(*p)) --p; + *++p = '\0'; + /* Strip off the extended information too, which will be in parens + after the virus name, with no intervening whitespace. */ + if (*--p == ')') { + /* "(hash:size)", so previous '(' will do; if not found, we have + a curious virus name, but not an error. */ + p = Ustrrchr(vname, '('); + if (p) + *p = '\0'; + } + Ustrncpy(malware_name_buffer, vname, sizeof(malware_name_buffer)-1); + malware_name = malware_name_buffer; + DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name); + + } else if (Ustrcmp(result_tag, "ERROR") == 0) { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: ClamAV returned: %s", + av_buffer); + return DEFER; + + } else if (Ustrcmp(result_tag, "OK") == 0) { + /* Everything should be OK */ + malware_name = NULL; + DEBUG(D_acl) debug_printf("Malware not found\n"); + + } else { + log_write(0, LOG_MAIN|LOG_PANIC, + "malware acl condition: clamd: unparseable response from ClamAV: {%s}", + av_buffer); + return DEFER; } - } + + } /* clamd */ + /* ----------------------------------------------------------------------- */ - - + + /* "mksd" scanner type --------------------------------------------------- */ else if (strcmpic(scanner_name,US"mksd") == 0) { uschar *mksd_options; @@ -1282,39 +1735,41 @@ int malware(uschar **listptr) { struct sockaddr_un server; int sock; int retval; - + if ((mksd_options = string_nextinlist(&av_scanner_work, &sep, mksd_options_buffer, sizeof(mksd_options_buffer))) != NULL) { mksd_maxproc = (int) strtol(CS mksd_options, &mksd_options_end, 10); - if ((*mksd_options == '\0') || (*mksd_options_end != '\0') || - (mksd_maxproc < 1) || (mksd_maxproc > 32)) { + if ((*mksd_options == '\0') || (*mksd_options_end != '\0') || + (mksd_maxproc < 1) || (mksd_maxproc > 32)) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: mksd: invalid option '%s'", mksd_options); return DEFER; } } - + /* open the mksd socket */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) { log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: can't open UNIX socket."); - return DEFER; + return DEFER; } server.sun_family = AF_UNIX; Ustrcpy(server.sun_path, "/var/run/mksd/socket"); if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { - close(sock); + (void)close(sock); log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno); return DEFER; } - + malware_name = NULL; - - retval = mksd_scan_packed(sock); - + + DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name); + + retval = mksd_scan_packed(sock, eml_filename); + if (retval != OK) return retval; } @@ -1327,7 +1782,7 @@ int malware(uschar **listptr) { return DEFER; }; /* ----------------------------------------------------------------------- */ - + /* set "been here, done that" marker */ malware_ok = 1; }; @@ -1335,6 +1790,7 @@ int malware(uschar **listptr) { /* match virus name against pattern (caseless ------->----------v) */ if ( (malware_name != NULL) && (regex_match_and_setup(re, malware_name, 0, -1)) ) { + DEBUG(D_acl) debug_printf("Matched regex to malware [%s] [%s]\n", malware_regex, malware_name); return OK; } else { @@ -1364,10 +1820,10 @@ int recv_line(int sock, uschar *buffer, int size) { #include -int mksd_writev (int sock, struct iovec *iov, int iovcnt) +static int mksd_writev (int sock, struct iovec *iov, int iovcnt) { int i; - + for (;;) { do i = writev (sock, iov, iovcnt); @@ -1378,7 +1834,7 @@ int mksd_writev (int sock, struct iovec *iov, int iovcnt) "malware acl condition: unable to write to mksd UNIX socket (/var/run/mksd/socket)"); return -1; } - + for (;;) if (i >= iov->iov_len) { if (--iovcnt == 0) @@ -1393,11 +1849,11 @@ int mksd_writev (int sock, struct iovec *iov, int iovcnt) } } -int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) +static int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) { int offset = 0; int i; - + do { if ((i = recv (sock, av_buffer+offset, av_buffer_size-offset, 0)) <= 0) { close (sock); @@ -1405,7 +1861,7 @@ int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) "malware acl condition: unable to read from mksd UNIX socket (/var/run/mksd/socket)"); return -1; } - + offset += i; /* offset == av_buffer_size -> buffer full */ if (offset == av_buffer_size) { @@ -1415,15 +1871,15 @@ int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) return -1; } } while (av_buffer[offset-1] != '\n'); - + av_buffer[offset] = '\0'; return offset; } -int mksd_parse_line (char *line) +static int mksd_parse_line (char *line) { char *p; - + switch (*line) { case 'O': /* OK */ @@ -1444,7 +1900,7 @@ int mksd_parse_line (char *line) if (((p = strchr (line+4, ' ')) != NULL) && ((p-line) > 4)) { (*p) = '\0'; Ustrcpy (malware_name_buffer, line+4); - malware_name = malware_name_buffer; + malware_name = malware_name_buffer; return OK; } } @@ -1454,33 +1910,27 @@ int mksd_parse_line (char *line) } } -int mksd_scan_packed (int sock) +static int mksd_scan_packed(int sock, uschar *scan_filename) { - struct iovec iov[7]; - char *cmd = "MSQ/scan/.eml\n"; + struct iovec iov[3]; + const char *cmd = "MSQ\n"; uschar av_buffer[1024]; - - iov[0].iov_base = cmd; + + iov[0].iov_base = (void *) cmd; iov[0].iov_len = 3; - iov[1].iov_base = CS spool_directory; - iov[1].iov_len = Ustrlen (spool_directory); - iov[2].iov_base = cmd + 3; - iov[2].iov_len = 6; - iov[3].iov_base = iov[5].iov_base = CS message_id; - iov[3].iov_len = iov[5].iov_len = Ustrlen (message_id); - iov[4].iov_base = cmd + 3; - iov[4].iov_len = 1; - iov[6].iov_base = cmd + 9; - iov[6].iov_len = 5; - - if (mksd_writev (sock, iov, 7) < 0) + iov[1].iov_base = CS scan_filename; + iov[1].iov_len = Ustrlen(scan_filename); + iov[2].iov_base = (void *) (cmd + 3); + iov[2].iov_len = 1; + + if (mksd_writev (sock, iov, 3) < 0) return DEFER; - + if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0) return DEFER; - + close (sock); - + return mksd_parse_line (CS av_buffer); }