Commit | Line | Data |
---|---|---|
8e669ac1 | 1 | /* $Cambridge: exim/src/src/malware.c,v 1.7 2005/02/17 11:58:26 ph10 Exp $ */ |
8523533c TK |
2 | |
3 | /************************************************* | |
4 | * Exim - an Internet mail transport agent * | |
5 | *************************************************/ | |
6 | ||
7 | /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-???? */ | |
8 | /* License: GPL */ | |
9 | ||
10 | /* Code for calling virus (malware) scanners. Called from acl.c. */ | |
11 | ||
12 | #include "exim.h" | |
13 | #ifdef WITH_CONTENT_SCAN | |
14 | ||
15 | /* declaration of private routines */ | |
16 | int mksd_scan_packed(int sock); | |
17 | ||
18 | /* SHUT_WR seems to be undefined on Unixware? */ | |
19 | #ifndef SHUT_WR | |
20 | #define SHUT_WR 1 | |
21 | #endif | |
22 | ||
23 | #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */ | |
24 | #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */ | |
25 | #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */ | |
26 | ||
2376f2f5 TK |
27 | #define DERR_READ_ERR (1<<0) /* read error */ |
28 | #define DERR_NOMEMORY (1<<2) /* no memory */ | |
29 | #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */ | |
30 | #define DERR_BAD_CALL (1<<15) /* wrong command */ | |
31 | ||
8e669ac1 | 32 | /* Routine to check whether a system is big- or litte-endian. |
8523533c TK |
33 | Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html |
34 | Needed for proper kavdaemon implementation. Sigh. */ | |
35 | #define BIG_MY_ENDIAN 0 | |
36 | #define LITTLE_MY_ENDIAN 1 | |
37 | int test_byte_order(void); | |
38 | int test_byte_order() { | |
39 | short int word = 0x0001; | |
40 | char *byte = (char *) &word; | |
41 | return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN); | |
42 | } | |
43 | ||
44 | uschar malware_name_buffer[256]; | |
45 | int malware_ok = 0; | |
46 | ||
47 | int malware(uschar **listptr) { | |
48 | int sep = 0; | |
49 | uschar *list = *listptr; | |
50 | uschar *av_scanner_work = av_scanner; | |
51 | uschar *scanner_name; | |
52 | uschar scanner_name_buffer[16]; | |
53 | uschar *malware_regex; | |
54 | uschar malware_regex_buffer[64]; | |
55 | uschar malware_regex_default[] = ".+"; | |
f7b63901 | 56 | unsigned long mbox_size; |
8523533c TK |
57 | FILE *mbox_file; |
58 | int roffset; | |
59 | const pcre *re; | |
60 | const uschar *rerror; | |
8e669ac1 | 61 | |
8523533c TK |
62 | /* make sure the eml mbox file is spooled up */ |
63 | mbox_file = spool_mbox(&mbox_size); | |
64 | if (mbox_file == NULL) { | |
65 | /* error while spooling */ | |
66 | log_write(0, LOG_MAIN|LOG_PANIC, | |
67 | "malware acl condition: error while creating mbox spool file"); | |
8e669ac1 | 68 | return DEFER; |
8523533c TK |
69 | }; |
70 | /* none of our current scanners need the mbox | |
71 | file as a stream, so we can close it right away */ | |
72 | fclose(mbox_file); | |
8e669ac1 | 73 | |
8523533c TK |
74 | /* extract the malware regex to match against from the option list */ |
75 | if ((malware_regex = string_nextinlist(&list, &sep, | |
76 | malware_regex_buffer, | |
77 | sizeof(malware_regex_buffer))) != NULL) { | |
8e669ac1 | 78 | |
8523533c | 79 | /* parse 1st option */ |
8e669ac1 | 80 | if ( (strcmpic(malware_regex,US"false") == 0) || |
8523533c TK |
81 | (Ustrcmp(malware_regex,"0") == 0) ) { |
82 | /* explicitly no matching */ | |
83 | return FAIL; | |
84 | }; | |
8e669ac1 | 85 | |
8523533c | 86 | /* special cases (match anything except empty) */ |
8e669ac1 PH |
87 | if ( (strcmpic(malware_regex,US"true") == 0) || |
88 | (Ustrcmp(malware_regex,"*") == 0) || | |
8523533c TK |
89 | (Ustrcmp(malware_regex,"1") == 0) ) { |
90 | malware_regex = malware_regex_default; | |
91 | }; | |
92 | } | |
93 | else { | |
94 | /* empty means "don't match anything" */ | |
95 | return FAIL; | |
96 | }; | |
97 | ||
ee873c8c TK |
98 | /* Reset sep that is set by previous string_nextinlist() call */ |
99 | sep = 0; | |
100 | ||
8523533c TK |
101 | /* compile the regex, see if it works */ |
102 | re = pcre_compile(CS malware_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL); | |
103 | if (re == NULL) { | |
104 | log_write(0, LOG_MAIN|LOG_PANIC, | |
105 | "malware acl condition: regular expression error in '%s': %s at offset %d", malware_regex, rerror, roffset); | |
106 | return DEFER; | |
107 | }; | |
108 | ||
109 | /* if av_scanner starts with a dollar, expand it first */ | |
110 | if (*av_scanner == '$') { | |
111 | av_scanner_work = expand_string(av_scanner); | |
112 | if (av_scanner_work == NULL) { | |
113 | log_write(0, LOG_MAIN|LOG_PANIC, | |
114 | "malware acl condition: av_scanner starts with $, but expansion failed: %s", expand_string_message); | |
115 | return DEFER; | |
116 | } | |
117 | else { | |
118 | debug_printf("Expanded av_scanner global: %s\n", av_scanner_work); | |
119 | /* disable result caching in this case */ | |
120 | malware_name = NULL; | |
121 | malware_ok = 0; | |
122 | }; | |
123 | } | |
124 | ||
125 | /* Do not scan twice. */ | |
126 | if (malware_ok == 0) { | |
127 | ||
128 | /* find the scanner type from the av_scanner option */ | |
129 | if ((scanner_name = string_nextinlist(&av_scanner_work, &sep, | |
130 | scanner_name_buffer, | |
131 | sizeof(scanner_name_buffer))) == NULL) { | |
132 | /* no scanner given */ | |
133 | log_write(0, LOG_MAIN|LOG_PANIC, | |
134 | "malware acl condition: av_scanner configuration variable is empty"); | |
135 | return DEFER; | |
136 | }; | |
8e669ac1 | 137 | |
f7b63901 PH |
138 | /* "drweb" scanner type ----------------------------------------------- */ |
139 | /* v0.1 - added support for tcp sockets */ | |
140 | /* v0.0 - initial release -- support for unix sockets */ | |
141 | if (strcmpic(scanner_name,US"drweb") == 0) { | |
142 | uschar *drweb_options; | |
143 | uschar drweb_options_buffer[1024]; | |
144 | uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock"; | |
145 | struct sockaddr_un server; | |
146 | int sock, result, ovector[30]; | |
147 | unsigned int port, fsize; | |
148 | uschar tmpbuf[1024], *drweb_fbuf; | |
149 | uschar scanrequest[1024]; | |
150 | uschar drweb_match_string[128]; | |
151 | int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, | |
152 | drweb_vnum, drweb_slen, drweb_fin = 0x0000; | |
153 | unsigned long bread; | |
154 | uschar hostname[256]; | |
155 | struct hostent *he; | |
156 | struct in_addr in; | |
157 | pcre *drweb_re; | |
8e669ac1 | 158 | |
f7b63901 PH |
159 | if ((drweb_options = string_nextinlist(&av_scanner_work, &sep, |
160 | drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) { | |
161 | /* no options supplied, use default options */ | |
162 | drweb_options = drweb_options_default; | |
163 | }; | |
8e669ac1 | 164 | |
f7b63901 | 165 | if (*drweb_options != '/') { |
8e669ac1 | 166 | |
f7b63901 PH |
167 | /* extract host and port part */ |
168 | if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) { | |
169 | log_write(0, LOG_MAIN|LOG_PANIC, | |
170 | "malware acl condition: drweb: invalid socket '%s'", drweb_options); | |
171 | return DEFER; | |
172 | } | |
8e669ac1 | 173 | |
f7b63901 PH |
174 | /* Lookup the host */ |
175 | if((he = gethostbyname(CS hostname)) == 0) { | |
176 | log_write(0, LOG_MAIN|LOG_PANIC, | |
177 | "malware acl condition: drweb: failed to lookup host '%s'", hostname); | |
178 | return DEFER; | |
179 | } | |
8e669ac1 | 180 | |
f7b63901 | 181 | in = *(struct in_addr *) he->h_addr_list[0]; |
8e669ac1 | 182 | |
f7b63901 PH |
183 | /* Open the drwebd TCP socket */ |
184 | if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { | |
185 | log_write(0, LOG_MAIN|LOG_PANIC, | |
186 | "malware acl condition: drweb: unable to acquire socket (%s)", | |
187 | strerror(errno)); | |
188 | return DEFER; | |
189 | } | |
8e669ac1 | 190 | |
f7b63901 | 191 | if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { |
8e669ac1 | 192 | close(sock); |
f7b63901 PH |
193 | log_write(0, LOG_MAIN|LOG_PANIC, |
194 | "malware acl condition: drweb: connection to %s, port %u failed (%s)", | |
195 | inet_ntoa(in), port, strerror(errno)); | |
196 | return DEFER; | |
197 | } | |
8e669ac1 | 198 | |
f7b63901 PH |
199 | /* prepare variables */ |
200 | drweb_cmd = htonl(DRWEBD_SCAN_CMD); | |
201 | drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); | |
8e669ac1 | 202 | snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", |
f7b63901 | 203 | spool_directory, message_id, message_id); |
8e669ac1 | 204 | |
f7b63901 PH |
205 | /* calc file size */ |
206 | drweb_fd = open(CS scanrequest, O_RDONLY); | |
207 | if (drweb_fd == -1) { | |
2376f2f5 | 208 | close(sock); |
f7b63901 | 209 | log_write(0, LOG_MAIN|LOG_PANIC, |
8e669ac1 | 210 | "malware acl condition: drweb: can't open spool file %s: %s", |
f7b63901 | 211 | scanrequest, strerror(errno)); |
8e669ac1 | 212 | return DEFER; |
f7b63901 PH |
213 | } |
214 | fsize = lseek(drweb_fd, 0, SEEK_END); | |
215 | if (fsize == -1) { | |
2376f2f5 TK |
216 | close(sock); |
217 | close(drweb_fd); | |
f7b63901 | 218 | log_write(0, LOG_MAIN|LOG_PANIC, |
8e669ac1 | 219 | "malware acl condition: drweb: can't seek spool file %s: %s", |
f7b63901 | 220 | scanrequest, strerror(errno)); |
8e669ac1 | 221 | return DEFER; |
f7b63901 PH |
222 | } |
223 | drweb_slen = htonl(fsize); | |
224 | lseek(drweb_fd, 0, SEEK_SET); | |
8e669ac1 | 225 | |
f7b63901 | 226 | /* send scan request */ |
8e669ac1 | 227 | if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || |
f7b63901 PH |
228 | (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || |
229 | (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) || | |
230 | (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) { | |
8e669ac1 | 231 | close(sock); |
f7b63901 PH |
232 | close(drweb_fd); |
233 | log_write(0, LOG_MAIN|LOG_PANIC, | |
234 | "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); | |
235 | return DEFER; | |
236 | } | |
8e669ac1 | 237 | |
f7b63901 PH |
238 | drweb_fbuf = (uschar *) malloc (fsize); |
239 | if (!drweb_fbuf) { | |
240 | close(sock); | |
241 | close(drweb_fd); | |
242 | log_write(0, LOG_MAIN|LOG_PANIC, | |
8e669ac1 | 243 | "malware acl condition: drweb: unable to allocate memory %u for file (%s)", |
f7b63901 PH |
244 | fsize, scanrequest); |
245 | return DEFER; | |
246 | } | |
8e669ac1 | 247 | |
f7b63901 PH |
248 | result = read (drweb_fd, drweb_fbuf, fsize); |
249 | if (result == -1) { | |
250 | close(sock); | |
251 | close(drweb_fd); | |
2376f2f5 | 252 | free(drweb_fbuf); |
f7b63901 PH |
253 | log_write(0, LOG_MAIN|LOG_PANIC, |
254 | "malware acl condition: drweb: can't read spool file %s: %s", | |
255 | scanrequest, strerror(errno)); | |
8e669ac1 | 256 | return DEFER; |
f7b63901 | 257 | } |
2376f2f5 | 258 | close(drweb_fd); |
8e669ac1 | 259 | |
f7b63901 PH |
260 | /* send file body to socket */ |
261 | if (send(sock, drweb_fbuf, fsize, 0) < 0) { | |
262 | close(sock); | |
2376f2f5 | 263 | free(drweb_fbuf); |
f7b63901 PH |
264 | log_write(0, LOG_MAIN|LOG_PANIC, |
265 | "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options); | |
266 | return DEFER; | |
267 | } | |
268 | close(drweb_fd); | |
f7b63901 PH |
269 | } |
270 | else { | |
271 | /* open the drwebd UNIX socket */ | |
272 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
273 | if (sock < 0) { | |
274 | log_write(0, LOG_MAIN|LOG_PANIC, | |
275 | "malware acl condition: drweb: can't open UNIX socket"); | |
8e669ac1 | 276 | return DEFER; |
f7b63901 PH |
277 | } |
278 | server.sun_family = AF_UNIX; | |
279 | Ustrcpy(server.sun_path, drweb_options); | |
280 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
281 | close(sock); | |
282 | log_write(0, LOG_MAIN|LOG_PANIC, | |
283 | "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno); | |
284 | return DEFER; | |
285 | } | |
8e669ac1 | 286 | |
f7b63901 PH |
287 | /* prepare variables */ |
288 | drweb_cmd = htonl(DRWEBD_SCAN_CMD); | |
289 | drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL); | |
290 | snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id); | |
291 | drweb_slen = htonl(Ustrlen(scanrequest)); | |
8e669ac1 | 292 | |
f7b63901 | 293 | /* send scan request */ |
8e669ac1 | 294 | if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) || |
f7b63901 PH |
295 | (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) || |
296 | (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) || | |
297 | (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) || | |
298 | (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) { | |
299 | close(sock); | |
300 | log_write(0, LOG_MAIN|LOG_PANIC, | |
301 | "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options); | |
302 | return DEFER; | |
303 | } | |
304 | } | |
8e669ac1 | 305 | |
f7b63901 PH |
306 | /* wait for result */ |
307 | if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) { | |
308 | close(sock); | |
309 | log_write(0, LOG_MAIN|LOG_PANIC, | |
310 | "malware acl condition: drweb: unable to read return code"); | |
311 | return DEFER; | |
312 | } | |
313 | drweb_rc = ntohl(drweb_rc); | |
8e669ac1 | 314 | |
f7b63901 PH |
315 | if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) { |
316 | close(sock); | |
317 | log_write(0, LOG_MAIN|LOG_PANIC, | |
318 | "malware acl condition: drweb: unable to read the number of viruses"); | |
319 | return DEFER; | |
320 | } | |
321 | drweb_vnum = ntohl(drweb_vnum); | |
8e669ac1 | 322 | |
f7b63901 PH |
323 | /* "virus(es) found" if virus number is > 0 */ |
324 | if (drweb_vnum) | |
325 | { | |
326 | int i; | |
327 | uschar pre_malware_nb[256]; | |
8e669ac1 | 328 | |
f7b63901 | 329 | malware_name = malware_name_buffer; |
8e669ac1 | 330 | |
f7b63901 PH |
331 | /* setup default virus name */ |
332 | Ustrcpy(malware_name_buffer,"unknown"); | |
8e669ac1 | 333 | |
f7b63901 PH |
334 | /* read and concatenate virus names into one string */ |
335 | for (i=0;i<drweb_vnum;i++) | |
336 | { | |
337 | /* read the size of report */ | |
338 | if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen))) { | |
339 | close(sock); | |
340 | log_write(0, LOG_MAIN|LOG_PANIC, | |
341 | "malware acl condition: drweb: cannot read report size"); | |
342 | return DEFER; | |
343 | }; | |
344 | drweb_slen = ntohl(drweb_slen); | |
8e669ac1 | 345 | |
f7b63901 PH |
346 | /* read report body */ |
347 | if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen) { | |
348 | close(sock); | |
349 | log_write(0, LOG_MAIN|LOG_PANIC, | |
350 | "malware acl condition: drweb: cannot read report string"); | |
351 | return DEFER; | |
352 | }; | |
353 | tmpbuf[drweb_slen] = '\0'; | |
8e669ac1 | 354 | |
f7b63901 PH |
355 | /* set up match regex, depends on retcode */ |
356 | Ustrcpy(drweb_match_string, "infected\\swith\\s*(.+?)$"); | |
8e669ac1 | 357 | |
f7b63901 PH |
358 | drweb_re = pcre_compile( CS drweb_match_string, |
359 | PCRE_COPT, | |
360 | (const char **)&rerror, | |
361 | &roffset, | |
362 | NULL ); | |
8e669ac1 | 363 | |
f7b63901 PH |
364 | /* try matcher on the line, grab substring */ |
365 | result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30); | |
366 | if (result >= 2) { | |
367 | pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255); | |
368 | } | |
369 | /* the first name we just copy to malware_name */ | |
370 | if (i==0) | |
371 | Ustrcpy(CS malware_name_buffer, CS pre_malware_nb); | |
372 | else { | |
373 | /* concatenate each new virus name to previous */ | |
374 | int slen = Ustrlen(malware_name_buffer); | |
375 | if (slen < (slen+Ustrlen(pre_malware_nb))) { | |
376 | Ustrcat(malware_name_buffer, "/"); | |
377 | Ustrcat(malware_name_buffer, pre_malware_nb); | |
378 | } | |
379 | } | |
380 | } | |
381 | } | |
382 | else { | |
2376f2f5 TK |
383 | char *drweb_s = NULL; |
384 | ||
385 | if (drweb_rc & DERR_READ_ERR) drweb_s = "read error"; | |
386 | if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory"; | |
387 | if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout"; | |
388 | if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command"; | |
389 | /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED. | |
390 | * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM, | |
391 | * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR | |
392 | * and others are ignored */ | |
393 | if (drweb_s) { | |
3d2a6e4d PH |
394 | log_write(0, LOG_MAIN|LOG_PANIC, |
395 | "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s); | |
2376f2f5 | 396 | close(sock); |
3d2a6e4d | 397 | return DEFER; |
2376f2f5 | 398 | } |
f7b63901 PH |
399 | /* no virus found */ |
400 | malware_name = NULL; | |
401 | }; | |
402 | close(sock); | |
403 | } | |
404 | /* ----------------------------------------------------------------------- */ | |
8523533c TK |
405 | else if (strcmpic(scanner_name,US"aveserver") == 0) { |
406 | uschar *kav_options; | |
407 | uschar kav_options_buffer[1024]; | |
408 | uschar kav_options_default[] = "/var/run/aveserver"; | |
409 | uschar buf[32768]; | |
8523533c TK |
410 | struct sockaddr_un server; |
411 | int sock; | |
8e669ac1 | 412 | |
8523533c TK |
413 | if ((kav_options = string_nextinlist(&av_scanner_work, &sep, |
414 | kav_options_buffer, | |
415 | sizeof(kav_options_buffer))) == NULL) { | |
416 | /* no options supplied, use default options */ | |
417 | kav_options = kav_options_default; | |
418 | }; | |
8e669ac1 | 419 | |
8523533c TK |
420 | /* open the aveserver socket */ |
421 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
422 | if (sock < 0) { | |
423 | log_write(0, LOG_MAIN|LOG_PANIC, | |
424 | "malware acl condition: can't open UNIX socket."); | |
8e669ac1 | 425 | return DEFER; |
8523533c TK |
426 | } |
427 | server.sun_family = AF_UNIX; | |
428 | Ustrcpy(server.sun_path, kav_options); | |
429 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
430 | close(sock); | |
431 | log_write(0, LOG_MAIN|LOG_PANIC, | |
432 | "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno); | |
433 | return DEFER; | |
434 | } | |
8e669ac1 | 435 | |
8523533c TK |
436 | /* read aveserver's greeting and see if it is ready (2xx greeting) */ |
437 | recv_line(sock, buf, 32768); | |
438 | ||
439 | if (buf[0] != '2') { | |
440 | /* aveserver is having problems */ | |
441 | close(sock); | |
442 | log_write(0, LOG_MAIN|LOG_PANIC, | |
443 | "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") ); | |
444 | return DEFER; | |
445 | }; | |
8e669ac1 | 446 | |
8523533c TK |
447 | /* prepare our command */ |
448 | snprintf(CS buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id); | |
8e669ac1 | 449 | |
8523533c TK |
450 | /* and send it */ |
451 | if (send(sock, buf, Ustrlen(buf), 0) < 0) { | |
452 | close(sock); | |
453 | log_write(0, LOG_MAIN|LOG_PANIC, | |
454 | "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options); | |
455 | return DEFER; | |
456 | } | |
8e669ac1 | 457 | |
8523533c TK |
458 | malware_name = NULL; |
459 | /* read response lines, find malware name and final response */ | |
460 | while (recv_line(sock, buf, 32768) > 0) { | |
461 | debug_printf("aveserver: %s\n", buf); | |
462 | if (buf[0] == '2') break; | |
463 | if (Ustrncmp(buf,"322",3) == 0) { | |
464 | uschar *p = Ustrchr(&buf[4],' '); | |
465 | *p = '\0'; | |
466 | Ustrcpy(malware_name_buffer,&buf[4]); | |
467 | malware_name = malware_name_buffer; | |
468 | }; | |
469 | } | |
470 | ||
471 | close(sock); | |
472 | } | |
473 | /* "fsecure" scanner type ------------------------------------------------- */ | |
474 | else if (strcmpic(scanner_name,US"fsecure") == 0) { | |
475 | uschar *fsecure_options; | |
476 | uschar fsecure_options_buffer[1024]; | |
477 | uschar fsecure_options_default[] = "/var/run/.fsav"; | |
478 | struct sockaddr_un server; | |
479 | int sock, i, j, bread = 0; | |
480 | uschar file_name[1024]; | |
481 | uschar av_buffer[1024]; | |
482 | pcre *fs_inf; | |
f7b63901 PH |
483 | static uschar *cmdoptions[] = { US"CONFIGURE\tARCHIVE\t1\n", |
484 | US"CONFIGURE\tTIMEOUT\t0\n", | |
485 | US"CONFIGURE\tMAXARCH\t5\n", | |
486 | US"CONFIGURE\tMIME\t1\n" }; | |
8e669ac1 | 487 | |
8523533c TK |
488 | malware_name = NULL; |
489 | if ((fsecure_options = string_nextinlist(&av_scanner_work, &sep, | |
490 | fsecure_options_buffer, | |
8e669ac1 | 491 | sizeof(fsecure_options_buffer))) == NULL) { |
8523533c TK |
492 | /* no options supplied, use default options */ |
493 | fsecure_options = fsecure_options_default; | |
494 | }; | |
8e669ac1 | 495 | |
8523533c TK |
496 | /* open the fsecure socket */ |
497 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
498 | if (sock < 0) { | |
499 | log_write(0, LOG_MAIN|LOG_PANIC, | |
500 | "malware acl condition: unable to open fsecure socket %s (%s)", | |
501 | fsecure_options, strerror(errno)); | |
502 | return DEFER; | |
503 | } | |
504 | server.sun_family = AF_UNIX; | |
505 | Ustrcpy(server.sun_path, fsecure_options); | |
506 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
507 | close(sock); | |
508 | log_write(0, LOG_MAIN|LOG_PANIC, | |
509 | "malware acl condition: unable to connect to fsecure socket %s (%s)", | |
510 | fsecure_options, strerror(errno)); | |
511 | return DEFER; | |
512 | } | |
8e669ac1 | 513 | |
8523533c TK |
514 | /* pass options */ |
515 | memset(av_buffer, 0, sizeof(av_buffer)); | |
516 | for (i=0; i != 4; i++) { | |
517 | /* debug_printf("send option \"%s\"",cmdoptions[i]); */ | |
518 | if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) { | |
519 | close(sock); | |
520 | log_write(0, LOG_MAIN|LOG_PANIC, | |
521 | "malware acl condition: unable to write fsecure option %d to %s (%s)", | |
522 | i, fsecure_options, strerror(errno)); | |
8e669ac1 | 523 | return DEFER; |
8523533c | 524 | }; |
8e669ac1 | 525 | |
8523533c TK |
526 | bread = read(sock, av_buffer, sizeof(av_buffer)); |
527 | if (bread >0) av_buffer[bread]='\0'; | |
528 | if (bread < 0) { | |
529 | close(sock); | |
530 | log_write(0, LOG_MAIN|LOG_PANIC, | |
531 | "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno)); | |
532 | return DEFER; | |
533 | }; | |
534 | for (j=0;j<bread;j++) if((av_buffer[j]=='\r')||(av_buffer[j]=='\n')) av_buffer[j] ='@'; | |
535 | /* debug_printf("read answer %d read=%d \"%s\"\n", i, bread, av_buffer ); */ | |
536 | /* while (Ustrstr(av_buffer, "OK\tServer configured.@") == NULL); */ | |
537 | }; | |
8e669ac1 | 538 | |
8523533c TK |
539 | /* pass the mailfile to fsecure */ |
540 | snprintf(CS file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id); | |
541 | /* debug_printf("send scan %s",file_name); */ | |
542 | if (write(sock, file_name, Ustrlen(file_name)) < 0) { | |
543 | close(sock); | |
544 | log_write(0, LOG_MAIN|LOG_PANIC, | |
545 | "malware acl condition: unable to write fsecure scan to %s (%s)", | |
546 | fsecure_options, strerror(errno)); | |
547 | return DEFER; | |
548 | }; | |
8e669ac1 | 549 | |
8523533c TK |
550 | /* set up match */ |
551 | /* todo also SUSPICION\t */ | |
552 | fs_inf = pcre_compile("\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$", PCRE_COPT, (const char **)&rerror, &roffset, NULL); | |
8e669ac1 | 553 | |
8523533c TK |
554 | /* read report, linewise */ |
555 | do { | |
556 | int ovector[30]; | |
557 | i = 0; | |
558 | memset(av_buffer, 0, sizeof(av_buffer)); | |
559 | do { | |
560 | bread=read(sock, &av_buffer[i], 1); | |
561 | if (bread < 0) { | |
562 | close(sock); | |
563 | log_write(0, LOG_MAIN|LOG_PANIC, | |
564 | "malware acl condition: unable to read fsecure result (%s)", strerror(errno)); | |
565 | return DEFER; | |
566 | }; | |
567 | i++; | |
568 | } | |
569 | while ((i < sizeof(av_buffer)-1 ) && (av_buffer[i-1] != '\n')); | |
570 | av_buffer[i-1] = '\0'; | |
571 | /* debug_printf("got line \"%s\"\n",av_buffer); */ | |
8e669ac1 | 572 | |
8523533c TK |
573 | /* Really search for virus again? */ |
574 | if (malware_name == NULL) { | |
575 | /* try matcher on the line, grab substring */ | |
576 | i = pcre_exec(fs_inf, NULL, CS av_buffer, Ustrlen(av_buffer), 0, 0, ovector, 30); | |
577 | if (i >= 2) { | |
578 | /* Got it */ | |
579 | pcre_copy_substring(CS av_buffer, ovector, i, 1, CS malware_name_buffer, 255); | |
580 | malware_name = malware_name_buffer; | |
581 | }; | |
582 | }; | |
583 | } | |
584 | while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL); | |
8e669ac1 | 585 | close(sock); |
8523533c TK |
586 | } |
587 | /* ----------------------------------------------------------------------- */ | |
588 | ||
589 | /* "kavdaemon" scanner type ------------------------------------------------ */ | |
590 | else if (strcmpic(scanner_name,US"kavdaemon") == 0) { | |
591 | uschar *kav_options; | |
592 | uschar kav_options_buffer[1024]; | |
593 | uschar kav_options_default[] = "/var/run/AvpCtl"; | |
594 | struct sockaddr_un server; | |
595 | int sock; | |
596 | time_t t; | |
597 | uschar tmpbuf[1024]; | |
598 | uschar scanrequest[1024]; | |
599 | uschar kav_match_string[128]; | |
600 | int kav_rc; | |
601 | unsigned long kav_reportlen, bread; | |
602 | pcre *kav_re; | |
8e669ac1 | 603 | |
8523533c TK |
604 | if ((kav_options = string_nextinlist(&av_scanner_work, &sep, |
605 | kav_options_buffer, | |
606 | sizeof(kav_options_buffer))) == NULL) { | |
607 | /* no options supplied, use default options */ | |
608 | kav_options = kav_options_default; | |
609 | }; | |
8e669ac1 | 610 | |
8523533c TK |
611 | /* open the kavdaemon socket */ |
612 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
613 | if (sock < 0) { | |
614 | log_write(0, LOG_MAIN|LOG_PANIC, | |
615 | "malware acl condition: can't open UNIX socket."); | |
8e669ac1 | 616 | return DEFER; |
8523533c TK |
617 | } |
618 | server.sun_family = AF_UNIX; | |
619 | Ustrcpy(server.sun_path, kav_options); | |
620 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
621 | close(sock); | |
622 | log_write(0, LOG_MAIN|LOG_PANIC, | |
623 | "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno); | |
624 | return DEFER; | |
625 | } | |
8e669ac1 | 626 | |
8523533c TK |
627 | /* get current date and time, build scan request */ |
628 | time(&t); | |
629 | strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t)); | |
630 | snprintf(CS scanrequest, 1024,CS tmpbuf, spool_directory, message_id); | |
8e669ac1 | 631 | |
8523533c TK |
632 | /* send scan request */ |
633 | if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) { | |
634 | close(sock); | |
635 | log_write(0, LOG_MAIN|LOG_PANIC, | |
636 | "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options); | |
637 | return DEFER; | |
638 | } | |
8e669ac1 | 639 | |
8523533c TK |
640 | /* wait for result */ |
641 | if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) { | |
642 | close(sock); | |
643 | log_write(0, LOG_MAIN|LOG_PANIC, | |
644 | "malware acl condition: unable to read 2 bytes from kavdaemon socket."); | |
645 | return DEFER; | |
646 | } | |
8e669ac1 | 647 | |
8523533c TK |
648 | /* get errorcode from one nibble */ |
649 | if (test_byte_order() == LITTLE_MY_ENDIAN) { | |
650 | kav_rc = tmpbuf[0] & 0x0F; | |
651 | } | |
652 | else { | |
653 | kav_rc = tmpbuf[1] & 0x0F; | |
654 | }; | |
8e669ac1 | 655 | |
8523533c TK |
656 | /* improper kavdaemon configuration */ |
657 | if ( (kav_rc == 5) || (kav_rc == 6) ) { | |
658 | close(sock); | |
659 | log_write(0, LOG_MAIN|LOG_PANIC, | |
660 | "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files."); | |
661 | return DEFER; | |
662 | }; | |
8e669ac1 | 663 | |
8523533c TK |
664 | if (kav_rc == 1) { |
665 | close(sock); | |
666 | log_write(0, LOG_MAIN|LOG_PANIC, | |
667 | "malware acl condition: kavdaemon reported 'scanning not completed' (code 1)."); | |
668 | return DEFER; | |
669 | }; | |
8e669ac1 | 670 | |
8523533c TK |
671 | if (kav_rc == 7) { |
672 | close(sock); | |
673 | log_write(0, LOG_MAIN|LOG_PANIC, | |
674 | "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7)."); | |
675 | return DEFER; | |
676 | }; | |
8e669ac1 | 677 | |
8523533c TK |
678 | /* code 8 is not handled, since it is ambigous. It appears mostly on |
679 | bounces where part of a file has been cut off */ | |
8e669ac1 | 680 | |
8523533c TK |
681 | /* "virus found" return codes (2-4) */ |
682 | if ((kav_rc > 1) && (kav_rc < 5)) { | |
683 | int report_flag = 0; | |
8e669ac1 | 684 | |
8523533c TK |
685 | /* setup default virus name */ |
686 | Ustrcpy(malware_name_buffer,"unknown"); | |
687 | malware_name = malware_name_buffer; | |
8e669ac1 | 688 | |
8523533c TK |
689 | if (test_byte_order() == LITTLE_MY_ENDIAN) { |
690 | report_flag = tmpbuf[1]; | |
691 | } | |
692 | else { | |
693 | report_flag = tmpbuf[0]; | |
694 | }; | |
8e669ac1 | 695 | |
8523533c TK |
696 | /* read the report, if available */ |
697 | if( report_flag == 1 ) { | |
698 | /* read report size */ | |
699 | if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) { | |
700 | close(sock); | |
701 | log_write(0, LOG_MAIN|LOG_PANIC, | |
702 | "malware acl condition: cannot read report size from kavdaemon"); | |
703 | return DEFER; | |
704 | }; | |
8e669ac1 | 705 | |
8523533c TK |
706 | /* it's possible that avp returns av_buffer[1] == 1 but the |
707 | reportsize is 0 (!?) */ | |
708 | if (kav_reportlen > 0) { | |
709 | /* set up match regex, depends on retcode */ | |
710 | if( kav_rc == 3 ) | |
711 | Ustrcpy(kav_match_string, "suspicion:\\s*(.+?)\\s*$"); | |
712 | else | |
713 | Ustrcpy(kav_match_string, "infected:\\s*(.+?)\\s*$"); | |
8e669ac1 | 714 | |
8523533c TK |
715 | kav_re = pcre_compile( CS kav_match_string, |
716 | PCRE_COPT, | |
717 | (const char **)&rerror, | |
718 | &roffset, | |
719 | NULL ); | |
8e669ac1 PH |
720 | |
721 | /* read report, linewise */ | |
8523533c TK |
722 | while (kav_reportlen > 0) { |
723 | int result = 0; | |
724 | int ovector[30]; | |
8e669ac1 | 725 | |
8523533c TK |
726 | bread = 0; |
727 | while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) { | |
728 | kav_reportlen--; | |
729 | if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break; | |
730 | bread++; | |
731 | }; | |
732 | bread++; | |
733 | tmpbuf[bread] = '\0'; | |
8e669ac1 | 734 | |
8523533c TK |
735 | /* try matcher on the line, grab substring */ |
736 | result = pcre_exec(kav_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30); | |
737 | if (result >= 2) { | |
738 | pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS malware_name_buffer, 255); | |
739 | break; | |
740 | }; | |
741 | }; | |
742 | }; | |
743 | }; | |
744 | } | |
745 | else { | |
746 | /* no virus found */ | |
747 | malware_name = NULL; | |
748 | }; | |
8e669ac1 | 749 | |
8523533c TK |
750 | close(sock); |
751 | } | |
752 | /* ----------------------------------------------------------------------- */ | |
8e669ac1 PH |
753 | |
754 | ||
8523533c TK |
755 | /* "cmdline" scanner type ------------------------------------------------ */ |
756 | else if (strcmpic(scanner_name,US"cmdline") == 0) { | |
757 | uschar *cmdline_scanner; | |
758 | uschar cmdline_scanner_buffer[1024]; | |
759 | uschar *cmdline_trigger; | |
760 | uschar cmdline_trigger_buffer[1024]; | |
761 | const pcre *cmdline_trigger_re; | |
762 | uschar *cmdline_regex; | |
763 | uschar cmdline_regex_buffer[1024]; | |
764 | const pcre *cmdline_regex_re; | |
765 | uschar file_name[1024]; | |
766 | uschar commandline[1024]; | |
767 | void (*eximsigchld)(int); | |
768 | void (*eximsigpipe)(int); | |
769 | FILE *scanner_out = NULL; | |
770 | FILE *scanner_record = NULL; | |
771 | uschar linebuffer[32767]; | |
772 | int trigger = 0; | |
773 | int result; | |
774 | int ovector[30]; | |
8e669ac1 | 775 | |
8523533c TK |
776 | /* find scanner command line */ |
777 | if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep, | |
778 | cmdline_scanner_buffer, | |
779 | sizeof(cmdline_scanner_buffer))) == NULL) { | |
780 | /* no command line supplied */ | |
781 | log_write(0, LOG_MAIN|LOG_PANIC, | |
782 | "malware acl condition: missing commandline specification for cmdline scanner type."); | |
8e669ac1 | 783 | return DEFER; |
8523533c | 784 | }; |
8e669ac1 | 785 | |
8523533c TK |
786 | /* find scanner output trigger */ |
787 | if ((cmdline_trigger = string_nextinlist(&av_scanner_work, &sep, | |
788 | cmdline_trigger_buffer, | |
789 | sizeof(cmdline_trigger_buffer))) == NULL) { | |
790 | /* no trigger regex supplied */ | |
791 | log_write(0, LOG_MAIN|LOG_PANIC, | |
792 | "malware acl condition: missing trigger specification for cmdline scanner type."); | |
8e669ac1 | 793 | return DEFER; |
8523533c | 794 | }; |
8e669ac1 | 795 | |
8523533c TK |
796 | /* precompile trigger regex */ |
797 | cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL); | |
798 | if (cmdline_trigger_re == NULL) { | |
799 | log_write(0, LOG_MAIN|LOG_PANIC, | |
800 | "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger_re, rerror, roffset); | |
801 | return DEFER; | |
802 | }; | |
8e669ac1 | 803 | |
8523533c TK |
804 | /* find scanner name regex */ |
805 | if ((cmdline_regex = string_nextinlist(&av_scanner_work, &sep, | |
806 | cmdline_regex_buffer, | |
807 | sizeof(cmdline_regex_buffer))) == NULL) { | |
808 | /* no name regex supplied */ | |
809 | log_write(0, LOG_MAIN|LOG_PANIC, | |
810 | "malware acl condition: missing virus name regex specification for cmdline scanner type."); | |
8e669ac1 | 811 | return DEFER; |
8523533c | 812 | }; |
8e669ac1 | 813 | |
8523533c TK |
814 | /* precompile name regex */ |
815 | cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL); | |
816 | if (cmdline_regex_re == NULL) { | |
817 | log_write(0, LOG_MAIN|LOG_PANIC, | |
818 | "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex_re, rerror, roffset); | |
819 | return DEFER; | |
820 | }; | |
8e669ac1 | 821 | |
8523533c TK |
822 | /* prepare scanner call */ |
823 | snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id); | |
824 | snprintf(CS commandline,1024, CS cmdline_scanner,file_name); | |
825 | /* redirect STDERR too */ | |
826 | Ustrcat(commandline," 2>&1"); | |
8e669ac1 | 827 | |
8523533c TK |
828 | /* store exims signal handlers */ |
829 | eximsigchld = signal(SIGCHLD,SIG_DFL); | |
830 | eximsigpipe = signal(SIGPIPE,SIG_DFL); | |
8e669ac1 | 831 | |
8523533c TK |
832 | scanner_out = popen(CS commandline,"r"); |
833 | if (scanner_out == NULL) { | |
834 | log_write(0, LOG_MAIN|LOG_PANIC, | |
835 | "malware acl condition: calling cmdline scanner (%s) failed: %s.", commandline, strerror(errno)); | |
836 | signal(SIGCHLD,eximsigchld); | |
837 | signal(SIGPIPE,eximsigpipe); | |
838 | return DEFER; | |
839 | }; | |
8e669ac1 | 840 | |
8523533c TK |
841 | snprintf(CS file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id); |
842 | scanner_record = fopen(CS file_name,"w"); | |
8e669ac1 | 843 | |
8523533c TK |
844 | if (scanner_record == NULL) { |
845 | log_write(0, LOG_MAIN|LOG_PANIC, | |
846 | "malware acl condition: opening scanner output file (%s) failed: %s.", file_name, strerror(errno)); | |
847 | pclose(scanner_out); | |
848 | signal(SIGCHLD,eximsigchld); | |
849 | signal(SIGPIPE,eximsigpipe); | |
850 | return DEFER; | |
851 | }; | |
8e669ac1 | 852 | |
8523533c TK |
853 | /* look for trigger while recording output */ |
854 | while(fgets(CS linebuffer,32767,scanner_out) != NULL) { | |
855 | if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) { | |
856 | /* short write */ | |
857 | log_write(0, LOG_MAIN|LOG_PANIC, | |
858 | "malware acl condition: short write on scanner output file (%s).", file_name); | |
859 | pclose(scanner_out); | |
860 | signal(SIGCHLD,eximsigchld); | |
861 | signal(SIGPIPE,eximsigpipe); | |
862 | return DEFER; | |
863 | }; | |
864 | /* try trigger match */ | |
865 | if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)) | |
866 | trigger = 1; | |
867 | }; | |
8e669ac1 | 868 | |
8523533c TK |
869 | fclose(scanner_record); |
870 | pclose(scanner_out); | |
871 | signal(SIGCHLD,eximsigchld); | |
872 | signal(SIGPIPE,eximsigpipe); | |
8e669ac1 | 873 | |
8523533c TK |
874 | if (trigger) { |
875 | /* setup default virus name */ | |
876 | Ustrcpy(malware_name_buffer,"unknown"); | |
877 | malware_name = malware_name_buffer; | |
8e669ac1 | 878 | |
8523533c TK |
879 | /* re-open the scanner output file, look for name match */ |
880 | scanner_record = fopen(CS file_name,"r"); | |
881 | while(fgets(CS linebuffer,32767,scanner_record) != NULL) { | |
882 | /* try match */ | |
883 | result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30); | |
884 | if (result >= 2) { | |
885 | pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255); | |
886 | }; | |
887 | }; | |
888 | fclose(scanner_record); | |
889 | } | |
890 | else { | |
891 | /* no virus found */ | |
892 | malware_name = NULL; | |
893 | }; | |
894 | } | |
895 | /* ----------------------------------------------------------------------- */ | |
8e669ac1 PH |
896 | |
897 | ||
8523533c TK |
898 | /* "sophie" scanner type ------------------------------------------------- */ |
899 | else if (strcmpic(scanner_name,US"sophie") == 0) { | |
900 | uschar *sophie_options; | |
901 | uschar sophie_options_buffer[1024]; | |
902 | uschar sophie_options_default[] = "/var/run/sophie"; | |
903 | int bread = 0; | |
904 | struct sockaddr_un server; | |
905 | int sock; | |
906 | uschar file_name[1024]; | |
907 | uschar av_buffer[1024]; | |
8e669ac1 | 908 | |
8523533c TK |
909 | if ((sophie_options = string_nextinlist(&av_scanner_work, &sep, |
910 | sophie_options_buffer, | |
911 | sizeof(sophie_options_buffer))) == NULL) { | |
912 | /* no options supplied, use default options */ | |
913 | sophie_options = sophie_options_default; | |
914 | }; | |
8e669ac1 | 915 | |
8523533c TK |
916 | /* open the sophie socket */ |
917 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
918 | if (sock < 0) { | |
919 | log_write(0, LOG_MAIN|LOG_PANIC, | |
920 | "malware acl condition: can't open UNIX socket."); | |
8e669ac1 | 921 | return DEFER; |
8523533c TK |
922 | } |
923 | server.sun_family = AF_UNIX; | |
924 | Ustrcpy(server.sun_path, sophie_options); | |
925 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
926 | close(sock); | |
927 | log_write(0, LOG_MAIN|LOG_PANIC, | |
928 | "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno); | |
929 | return DEFER; | |
930 | } | |
8e669ac1 | 931 | |
8523533c TK |
932 | /* pass the scan directory to sophie */ |
933 | snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id); | |
934 | if (write(sock, file_name, Ustrlen(file_name)) < 0) { | |
935 | close(sock); | |
936 | log_write(0, LOG_MAIN|LOG_PANIC, | |
937 | "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options); | |
8e669ac1 | 938 | return DEFER; |
8523533c | 939 | }; |
8e669ac1 | 940 | |
8523533c | 941 | write(sock, "\n", 1); |
8e669ac1 | 942 | |
8523533c TK |
943 | /* wait for result */ |
944 | memset(av_buffer, 0, sizeof(av_buffer)); | |
945 | if ((!(bread = read(sock, av_buffer, sizeof(av_buffer))) > 0)) { | |
946 | close(sock); | |
947 | log_write(0, LOG_MAIN|LOG_PANIC, | |
948 | "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options); | |
949 | return DEFER; | |
950 | }; | |
8e669ac1 | 951 | |
8523533c | 952 | close(sock); |
8e669ac1 | 953 | |
8523533c TK |
954 | /* infected ? */ |
955 | if (av_buffer[0] == '1') { | |
956 | if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0'; | |
957 | Ustrcpy(malware_name_buffer,&av_buffer[2]); | |
958 | malware_name = malware_name_buffer; | |
959 | } | |
960 | else if (!strncmp(CS av_buffer, "-1", 2)) { | |
961 | log_write(0, LOG_MAIN|LOG_PANIC, | |
962 | "malware acl condition: malware acl condition: sophie reported error"); | |
963 | return DEFER; | |
964 | } | |
965 | else { | |
966 | /* all ok, no virus */ | |
967 | malware_name = NULL; | |
968 | }; | |
969 | } | |
970 | /* ----------------------------------------------------------------------- */ | |
8e669ac1 | 971 | |
8523533c TK |
972 | |
973 | /* "clamd" scanner type ------------------------------------------------- */ | |
3d2a6e4d | 974 | /* This code was contributed by David Saez */ |
8523533c TK |
975 | else if (strcmpic(scanner_name,US"clamd") == 0) { |
976 | uschar *clamd_options; | |
977 | uschar clamd_options_buffer[1024]; | |
978 | uschar clamd_options_default[] = "/tmp/clamd"; | |
979 | uschar *p,*vname; | |
980 | struct sockaddr_un server; | |
f7b63901 | 981 | int sock,bread=0; |
8e669ac1 | 982 | unsigned int port; |
8523533c TK |
983 | uschar file_name[1024]; |
984 | uschar av_buffer[1024]; | |
985 | uschar hostname[256]; | |
986 | struct hostent *he; | |
987 | struct in_addr in; | |
2376f2f5 TK |
988 | uschar *clamd_options2; |
989 | uschar clamd_options2_buffer[1024]; | |
990 | uschar clamd_options2_default[] = ""; | |
991 | uschar av_buffer2[1024]; | |
992 | uschar *clamav_fbuf; | |
993 | uschar scanrequest[1024]; | |
994 | int sockData, clam_fd, result; | |
995 | unsigned int fsize; | |
8523533c TK |
996 | |
997 | if ((clamd_options = string_nextinlist(&av_scanner_work, &sep, | |
998 | clamd_options_buffer, | |
999 | sizeof(clamd_options_buffer))) == NULL) { | |
1000 | /* no options supplied, use default options */ | |
1001 | clamd_options = clamd_options_default; | |
1002 | } | |
2376f2f5 TK |
1003 | if ((clamd_options2 = string_nextinlist(&av_scanner_work, &sep, |
1004 | clamd_options2_buffer, | |
1005 | sizeof(clamd_options2_buffer))) == NULL) { | |
1006 | clamd_options2 = clamd_options2_default; | |
1007 | } | |
8e669ac1 | 1008 | |
8523533c TK |
1009 | /* socket does not start with '/' -> network socket */ |
1010 | if (*clamd_options != '/') { | |
8e669ac1 | 1011 | |
8523533c TK |
1012 | /* extract host and port part */ |
1013 | if( sscanf(CS clamd_options, "%s %u", hostname, &port) != 2 ) { | |
1014 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1015 | "malware acl condition: clamd: invalid socket '%s'", clamd_options); | |
1016 | return DEFER; | |
1017 | }; | |
8e669ac1 | 1018 | |
8523533c TK |
1019 | /* Lookup the host */ |
1020 | if((he = gethostbyname(CS hostname)) == 0) { | |
1021 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1022 | "malware acl condition: clamd: failed to lookup host '%s'", hostname); | |
1023 | return DEFER; | |
1024 | } | |
8e669ac1 | 1025 | |
8523533c | 1026 | in = *(struct in_addr *) he->h_addr_list[0]; |
8e669ac1 | 1027 | |
8523533c TK |
1028 | /* Open the ClamAV Socket */ |
1029 | if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) { | |
1030 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1031 | "malware acl condition: clamd: unable to acquire socket (%s)", | |
1032 | strerror(errno)); | |
1033 | return DEFER; | |
1034 | } | |
8e669ac1 | 1035 | |
8523533c | 1036 | if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { |
8e669ac1 | 1037 | close(sock); |
8523533c TK |
1038 | log_write(0, LOG_MAIN|LOG_PANIC, |
1039 | "malware acl condition: clamd: connection to %s, port %u failed (%s)", | |
1040 | inet_ntoa(in), port, strerror(errno)); | |
1041 | return DEFER; | |
1042 | } | |
2376f2f5 TK |
1043 | |
1044 | if (strcmpic(clamd_options2,US"local") == 0) { | |
1045 | ||
1046 | /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ | |
8e669ac1 | 1047 | |
2376f2f5 | 1048 | snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id); |
8e669ac1 | 1049 | |
2376f2f5 TK |
1050 | if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { |
1051 | close(sock); | |
1052 | log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", | |
1053 | strerror(errno)); | |
1054 | return DEFER; | |
1055 | } | |
1056 | } else { | |
1057 | ||
1058 | /* Pass the string to ClamAV (7 = "STREAM\n") */ | |
1059 | ||
1060 | if (send(sock, "STREAM\n", 7, 0) < 0) { | |
1061 | close(sock); | |
1062 | log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", | |
1063 | strerror(errno)); | |
1064 | return DEFER; | |
1065 | } | |
1066 | memset(av_buffer2, 0, sizeof(av_buffer2)); | |
1067 | bread = read(sock, av_buffer2, sizeof(av_buffer2)); | |
1068 | ||
1069 | if (bread < 0) { | |
1070 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1071 | "malware acl condition: clamd: unable to read PORT from socket (%s)", | |
1072 | strerror(errno)); | |
1073 | return DEFER; | |
1074 | } | |
8e669ac1 | 1075 | |
2376f2f5 TK |
1076 | if (bread == sizeof(av_buffer)) { |
1077 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1078 | "malware acl condition: clamd: buffer too small"); | |
1079 | return DEFER; | |
1080 | } | |
8e669ac1 | 1081 | |
2376f2f5 TK |
1082 | if (!(*av_buffer2)) { |
1083 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1084 | "malware acl condition: clamd: ClamAV returned null"); | |
1085 | return DEFER; | |
1086 | } | |
8e669ac1 | 1087 | |
2376f2f5 | 1088 | av_buffer2[bread] = '\0'; |
3d2a6e4d | 1089 | if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 ) { |
2376f2f5 TK |
1090 | log_write(0, LOG_MAIN|LOG_PANIC, |
1091 | "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2); | |
1092 | return DEFER; | |
1093 | }; | |
8e669ac1 | 1094 | |
2376f2f5 TK |
1095 | if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) { |
1096 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1097 | "malware acl condition: clamd: unable to acquire socket (%s)", | |
1098 | strerror(errno)); | |
1099 | return DEFER; | |
1100 | } | |
8e669ac1 | 1101 | |
2376f2f5 TK |
1102 | if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) { |
1103 | close(sockData); | |
1104 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1105 | "malware acl condition: clamd: connection to %s, port %u failed (%s)", | |
1106 | inet_ntoa(in), port, strerror(errno)); | |
1107 | return DEFER; | |
1108 | } | |
1109 | ||
3d2a6e4d | 1110 | snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", |
2376f2f5 | 1111 | spool_directory, message_id, message_id); |
8e669ac1 | 1112 | |
3d2a6e4d PH |
1113 | /* calc file size */ |
1114 | clam_fd = open(CS scanrequest, O_RDONLY); | |
1115 | if (clam_fd == -1) { | |
1116 | log_write(0, LOG_MAIN|LOG_PANIC, | |
8e669ac1 | 1117 | "malware acl condition: clamd: can't open spool file %s: %s", |
3d2a6e4d | 1118 | scanrequest, strerror(errno)); |
8e669ac1 | 1119 | return DEFER; |
3d2a6e4d | 1120 | } |
2376f2f5 | 1121 | fsize = lseek(clam_fd, 0, SEEK_END); |
3d2a6e4d PH |
1122 | if (fsize == -1) { |
1123 | log_write(0, LOG_MAIN|LOG_PANIC, | |
8e669ac1 | 1124 | "malware acl condition: clamd: can't seek spool file %s: %s", |
3d2a6e4d | 1125 | scanrequest, strerror(errno)); |
8e669ac1 | 1126 | return DEFER; |
3d2a6e4d PH |
1127 | } |
1128 | lseek(clam_fd, 0, SEEK_SET); | |
8e669ac1 | 1129 | |
3d2a6e4d | 1130 | clamav_fbuf = (uschar *) malloc (fsize); |
2376f2f5 TK |
1131 | if (!clamav_fbuf) { |
1132 | close(sockData); | |
3d2a6e4d PH |
1133 | close(clam_fd); |
1134 | log_write(0, LOG_MAIN|LOG_PANIC, | |
8e669ac1 | 1135 | "malware acl condition: clamd: unable to allocate memory %u for file (%s)", |
3d2a6e4d PH |
1136 | fsize, scanrequest); |
1137 | return DEFER; | |
1138 | } | |
8e669ac1 | 1139 | |
3d2a6e4d PH |
1140 | result = read (clam_fd, clamav_fbuf, fsize); |
1141 | if (result == -1) { | |
1142 | close(sockData); | |
1143 | close(clam_fd); | |
1144 | free(clamav_fbuf); | |
1145 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1146 | "malware acl condition: clamd: can't read spool file %s: %s", | |
1147 | scanrequest, strerror(errno)); | |
8e669ac1 | 1148 | return DEFER; |
3d2a6e4d PH |
1149 | } |
1150 | close(clam_fd); | |
2376f2f5 | 1151 | |
3d2a6e4d PH |
1152 | /* send file body to socket */ |
1153 | if (send(sockData, clamav_fbuf, fsize, 0) < 0) { | |
1154 | close(sockData); | |
1155 | free(clamav_fbuf); | |
1156 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1157 | "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port); | |
1158 | return DEFER; | |
1159 | } | |
1160 | free(clamav_fbuf); | |
2376f2f5 TK |
1161 | close(sockData); |
1162 | } | |
8523533c TK |
1163 | } |
1164 | else { | |
1165 | /* open the local socket */ | |
1166 | if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { | |
1167 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1168 | "malware acl condition: clamd: unable to acquire socket (%s)", | |
1169 | strerror(errno)); | |
1170 | return DEFER; | |
1171 | } | |
8e669ac1 | 1172 | |
8523533c TK |
1173 | server.sun_family = AF_UNIX; |
1174 | Ustrcpy(server.sun_path, clamd_options); | |
8e669ac1 | 1175 | |
8523533c TK |
1176 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { |
1177 | close(sock); | |
1178 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1179 | "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)", | |
1180 | clamd_options, strerror(errno) ); | |
1181 | return DEFER; | |
1182 | } | |
1183 | } | |
8e669ac1 | 1184 | |
8523533c | 1185 | /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */ |
8e669ac1 | 1186 | |
8523533c | 1187 | snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id); |
8e669ac1 | 1188 | |
8523533c TK |
1189 | if (send(sock, file_name, Ustrlen(file_name), 0) < 0) { |
1190 | close(sock); | |
1191 | log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)", | |
1192 | strerror(errno)); | |
1193 | return DEFER; | |
1194 | } | |
8e669ac1 PH |
1195 | |
1196 | /* | |
8523533c | 1197 | We're done sending, close socket for writing. |
8e669ac1 | 1198 | |
8523533c | 1199 | One user reported that clamd 0.70 does not like this any more ... |
8e669ac1 | 1200 | |
8523533c | 1201 | */ |
8e669ac1 | 1202 | |
8523533c | 1203 | /* shutdown(sock, SHUT_WR); */ |
8e669ac1 | 1204 | |
8523533c TK |
1205 | /* Read the result */ |
1206 | memset(av_buffer, 0, sizeof(av_buffer)); | |
1207 | bread = read(sock, av_buffer, sizeof(av_buffer)); | |
1208 | close(sock); | |
1209 | ||
1210 | if (!(bread > 0)) { | |
1211 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1212 | "malware acl condition: clamd: unable to read from socket (%s)", | |
1213 | strerror(errno)); | |
1214 | return DEFER; | |
1215 | } | |
8e669ac1 | 1216 | |
8523533c TK |
1217 | if (bread == sizeof(av_buffer)) { |
1218 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1219 | "malware acl condition: clamd: buffer too small"); | |
1220 | return DEFER; | |
1221 | } | |
8e669ac1 | 1222 | |
8523533c TK |
1223 | /* Check the result. ClamAV Returns |
1224 | infected: -> "<filename>: <virusname> FOUND" | |
1225 | not-infected: -> "<filename>: OK" | |
f7b63901 | 1226 | error: -> "<filename>: <errcode> ERROR */ |
8e669ac1 | 1227 | |
8523533c TK |
1228 | if (!(*av_buffer)) { |
1229 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1230 | "malware acl condition: clamd: ClamAV returned null"); | |
1231 | return DEFER; | |
1232 | } | |
8e669ac1 | 1233 | |
8523533c TK |
1234 | /* colon in returned output? */ |
1235 | if((p = Ustrrchr(av_buffer,':')) == NULL) { | |
1236 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1237 | "malware acl condition: clamd: ClamAV returned malformed result: %s", | |
8e669ac1 | 1238 | av_buffer); |
8523533c TK |
1239 | return DEFER; |
1240 | } | |
8e669ac1 | 1241 | |
8523533c TK |
1242 | /* strip filename strip CR at the end */ |
1243 | ++p; | |
1244 | while (*p == ' ') ++p; | |
1245 | vname = p; | |
1246 | p = vname + Ustrlen(vname) - 1; | |
1247 | if( *p == '\n' ) *p = '\0'; | |
1248 | ||
1249 | if ((p = Ustrstr(vname, "FOUND"))!=NULL) { | |
1250 | *p=0; | |
1251 | for (--p;p>vname && *p<=32;p--) *p=0; | |
1252 | for (;*vname==32;vname++); | |
1253 | Ustrcpy(malware_name_buffer,vname); | |
1254 | malware_name = malware_name_buffer; | |
1255 | } | |
1256 | else { | |
1257 | if (Ustrstr(vname, "ERROR")!=NULL) { | |
1258 | /* ClamAV reports ERROR | |
1259 | Find line start */ | |
1260 | for (;*vname!='\n' && vname>av_buffer; vname--); | |
1261 | if (*vname=='\n') vname++; | |
1262 | ||
1263 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1264 | "malware acl condition: clamd: ClamAV returned %s",vname); | |
1265 | return DEFER; | |
1266 | } | |
1267 | else { | |
1268 | /* Everything should be OK */ | |
1269 | malware_name = NULL; | |
1270 | } | |
1271 | } | |
1272 | } | |
1273 | /* ----------------------------------------------------------------------- */ | |
8e669ac1 PH |
1274 | |
1275 | ||
8523533c TK |
1276 | /* "mksd" scanner type --------------------------------------------------- */ |
1277 | else if (strcmpic(scanner_name,US"mksd") == 0) { | |
1278 | uschar *mksd_options; | |
1279 | char *mksd_options_end; | |
1280 | uschar mksd_options_buffer[32]; | |
1281 | int mksd_maxproc = 1; /* default, if no option supplied */ | |
1282 | struct sockaddr_un server; | |
1283 | int sock; | |
1284 | int retval; | |
8e669ac1 | 1285 | |
8523533c TK |
1286 | if ((mksd_options = string_nextinlist(&av_scanner_work, &sep, |
1287 | mksd_options_buffer, | |
1288 | sizeof(mksd_options_buffer))) != NULL) { | |
1289 | mksd_maxproc = (int) strtol(CS mksd_options, &mksd_options_end, 10); | |
1290 | if ((*mksd_options == '\0') || (*mksd_options_end != '\0') || | |
f7b63901 | 1291 | (mksd_maxproc < 1) || (mksd_maxproc > 32)) { |
8523533c TK |
1292 | log_write(0, LOG_MAIN|LOG_PANIC, |
1293 | "malware acl condition: mksd: invalid option '%s'", mksd_options); | |
1294 | return DEFER; | |
1295 | } | |
1296 | } | |
8e669ac1 | 1297 | |
8523533c TK |
1298 | /* open the mksd socket */ |
1299 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | |
1300 | if (sock < 0) { | |
1301 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1302 | "malware acl condition: can't open UNIX socket."); | |
8e669ac1 | 1303 | return DEFER; |
8523533c TK |
1304 | } |
1305 | server.sun_family = AF_UNIX; | |
1306 | Ustrcpy(server.sun_path, "/var/run/mksd/socket"); | |
1307 | if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) { | |
1308 | close(sock); | |
1309 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1310 | "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno); | |
1311 | return DEFER; | |
1312 | } | |
8e669ac1 | 1313 | |
8523533c | 1314 | malware_name = NULL; |
8e669ac1 | 1315 | |
8523533c | 1316 | retval = mksd_scan_packed(sock); |
8e669ac1 | 1317 | |
8523533c TK |
1318 | if (retval != OK) |
1319 | return retval; | |
1320 | } | |
1321 | /* ----------------------------------------------------------------------- */ | |
1322 | ||
1323 | /* "unknown" scanner type ------------------------------------------------- */ | |
1324 | else { | |
1325 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1326 | "malware condition: unknown scanner type '%s'", scanner_name); | |
1327 | return DEFER; | |
1328 | }; | |
1329 | /* ----------------------------------------------------------------------- */ | |
8e669ac1 | 1330 | |
8523533c TK |
1331 | /* set "been here, done that" marker */ |
1332 | malware_ok = 1; | |
1333 | }; | |
1334 | ||
1335 | /* match virus name against pattern (caseless ------->----------v) */ | |
1336 | if ( (malware_name != NULL) && | |
1337 | (regex_match_and_setup(re, malware_name, 0, -1)) ) { | |
1338 | return OK; | |
1339 | } | |
1340 | else { | |
1341 | return FAIL; | |
1342 | }; | |
1343 | } | |
1344 | ||
1345 | ||
1346 | /* simple wrapper for reading lines from sockets */ | |
1347 | int recv_line(int sock, uschar *buffer, int size) { | |
1348 | uschar *p = buffer; | |
1349 | ||
1350 | memset(buffer,0,size); | |
1351 | /* read until \n */ | |
1352 | while(recv(sock,p,1,0) > -1) { | |
1353 | if ((p-buffer) > (size-2)) break; | |
1354 | if (*p == '\n') break; | |
1355 | if (*p != '\r') p++; | |
1356 | }; | |
1357 | *p = '\0'; | |
1358 | ||
1359 | return (p-buffer); | |
1360 | } | |
1361 | ||
1362 | ||
1363 | /* ============= private routines for the "mksd" scanner type ============== */ | |
1364 | ||
1365 | #include <sys/uio.h> | |
1366 | ||
1367 | int mksd_writev (int sock, struct iovec *iov, int iovcnt) | |
1368 | { | |
1369 | int i; | |
8e669ac1 | 1370 | |
8523533c TK |
1371 | for (;;) { |
1372 | do | |
1373 | i = writev (sock, iov, iovcnt); | |
1374 | while ((i < 0) && (errno == EINTR)); | |
1375 | if (i <= 0) { | |
1376 | close (sock); | |
1377 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1378 | "malware acl condition: unable to write to mksd UNIX socket (/var/run/mksd/socket)"); | |
1379 | return -1; | |
1380 | } | |
8e669ac1 | 1381 | |
8523533c TK |
1382 | for (;;) |
1383 | if (i >= iov->iov_len) { | |
1384 | if (--iovcnt == 0) | |
1385 | return 0; | |
1386 | i -= iov->iov_len; | |
1387 | iov++; | |
1388 | } else { | |
1389 | iov->iov_len -= i; | |
1390 | iov->iov_base = CS iov->iov_base + i; | |
1391 | break; | |
1392 | } | |
1393 | } | |
1394 | } | |
1395 | ||
1396 | int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size) | |
1397 | { | |
1398 | int offset = 0; | |
1399 | int i; | |
8e669ac1 | 1400 | |
8523533c TK |
1401 | do { |
1402 | if ((i = recv (sock, av_buffer+offset, av_buffer_size-offset, 0)) <= 0) { | |
1403 | close (sock); | |
1404 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1405 | "malware acl condition: unable to read from mksd UNIX socket (/var/run/mksd/socket)"); | |
1406 | return -1; | |
1407 | } | |
8e669ac1 | 1408 | |
8523533c TK |
1409 | offset += i; |
1410 | /* offset == av_buffer_size -> buffer full */ | |
1411 | if (offset == av_buffer_size) { | |
1412 | close (sock); | |
1413 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1414 | "malware acl condition: malformed reply received from mksd"); | |
1415 | return -1; | |
1416 | } | |
1417 | } while (av_buffer[offset-1] != '\n'); | |
8e669ac1 | 1418 | |
8523533c TK |
1419 | av_buffer[offset] = '\0'; |
1420 | return offset; | |
1421 | } | |
1422 | ||
1423 | int mksd_parse_line (char *line) | |
1424 | { | |
1425 | char *p; | |
8e669ac1 | 1426 | |
8523533c TK |
1427 | switch (*line) { |
1428 | case 'O': | |
1429 | /* OK */ | |
1430 | return OK; | |
1431 | case 'E': | |
1432 | case 'A': | |
1433 | /* ERR */ | |
1434 | if ((p = strchr (line, '\n')) != NULL) | |
1435 | (*p) = '\0'; | |
1436 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1437 | "malware acl condition: mksd scanner failed: %s", line); | |
1438 | return DEFER; | |
1439 | default: | |
1440 | /* VIR */ | |
1441 | if ((p = strchr (line, '\n')) != NULL) { | |
1442 | (*p) = '\0'; | |
1443 | if (((p-line) > 5) && ((p-line) < sizeof (malware_name_buffer)) && (line[3] == ' ')) | |
1444 | if (((p = strchr (line+4, ' ')) != NULL) && ((p-line) > 4)) { | |
1445 | (*p) = '\0'; | |
1446 | Ustrcpy (malware_name_buffer, line+4); | |
1447 | malware_name = malware_name_buffer; | |
1448 | return OK; | |
1449 | } | |
1450 | } | |
1451 | log_write(0, LOG_MAIN|LOG_PANIC, | |
1452 | "malware acl condition: malformed reply received from mksd: %s", line); | |
1453 | return DEFER; | |
1454 | } | |
1455 | } | |
1456 | ||
1457 | int mksd_scan_packed (int sock) | |
1458 | { | |
1459 | struct iovec iov[7]; | |
1460 | char *cmd = "MSQ/scan/.eml\n"; | |
1461 | uschar av_buffer[1024]; | |
8e669ac1 | 1462 | |
8523533c TK |
1463 | iov[0].iov_base = cmd; |
1464 | iov[0].iov_len = 3; | |
1465 | iov[1].iov_base = CS spool_directory; | |
1466 | iov[1].iov_len = Ustrlen (spool_directory); | |
1467 | iov[2].iov_base = cmd + 3; | |
1468 | iov[2].iov_len = 6; | |
1469 | iov[3].iov_base = iov[5].iov_base = CS message_id; | |
1470 | iov[3].iov_len = iov[5].iov_len = Ustrlen (message_id); | |
1471 | iov[4].iov_base = cmd + 3; | |
1472 | iov[4].iov_len = 1; | |
1473 | iov[6].iov_base = cmd + 9; | |
1474 | iov[6].iov_len = 5; | |
8e669ac1 | 1475 | |
8523533c TK |
1476 | if (mksd_writev (sock, iov, 7) < 0) |
1477 | return DEFER; | |
8e669ac1 | 1478 | |
8523533c TK |
1479 | if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0) |
1480 | return DEFER; | |
8e669ac1 | 1481 | |
8523533c | 1482 | close (sock); |
8e669ac1 | 1483 | |
8523533c TK |
1484 | return mksd_parse_line (CS av_buffer); |
1485 | } | |
1486 | ||
1487 | #endif |