projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Fix DSN Final-Recipient: field
[exim.git] / src / src / spool_in.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for reading spool files. When compiling for a utility (eximon),
9not all are needed, and some functionality can be cut out. */
10
11
12#include "exim.h"
13
14
15
16#ifndef COMPILE_UTILITY
17/*************************************************
18* Open and lock data file *
19*************************************************/
20
21/* The data file is the one that is used for locking, because the header file
22can get replaced during delivery because of header rewriting. The file has
23to opened with write access so that we can get an exclusive lock, but in
24fact it won't be written to. Just in case there's a major disaster (e.g.
25overwriting some other file descriptor with the value of this one), open it
26with append.
27
28As called by deliver_message() (at least) we are operating as root.
29
30Argument: the id of the message
31Returns: fd if file successfully opened and locked, else -1
32
33Side effect: message_subdir is set for the (possibly split) spool directory
34*/
35
36int
37spool_open_datafile(uschar *id)
38{
39struct stat statbuf;
40flock_t lock_data;
41int fd;
42
43/* If split_spool_directory is set, first look for the file in the appropriate
44sub-directory of the input directory. If it is not found there, try the input
45directory itself, to pick up leftovers from before the splitting. If split_
46spool_directory is not set, first look in the main input directory. If it is
47not found there, try the split sub-directory, in case it is left over from a
48splitting state. */
49
50for (int i = 0; i < 2; i++)
51 {
52 uschar * fname;
53 int save_errno;
54
55 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
56 fname = spool_fname(US"input", message_subdir, id, US"-D");
57 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
58
59 /* We protect against symlink attacks both in not propagating the
60 * file-descriptor to other processes as we exec, and also ensuring that we
61 * don't even open symlinks.
62 * No -D file inside the spool area should be a symlink.
63 */
64 if ((fd = Uopen(fname,
65#ifdef O_CLOEXEC
66 O_CLOEXEC |
67#endif
68#ifdef O_NOFOLLOW
69 O_NOFOLLOW |
70#endif
71 O_RDWR | O_APPEND, 0)) >= 0)
72 break;
73 save_errno = errno;
74 if (errno == ENOENT)
75 {
76 if (i == 0) continue;
77 if (!f.queue_running)
78 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
79 *queue_name ? US" Q=" : US"",
80 *queue_name ? queue_name : US"",
81 id);
82 }
83 else
84 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
85 errno = save_errno;
86 return -1;
87 }
88
89/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
90the file. We lock only the first line of the file (containing the message ID)
91because this apparently is needed for running Exim under Cygwin. If the entire
92file is locked in one process, a sub-process cannot access it, even when passed
93an open file descriptor (at least, I think that's the Cygwin story). On real
94Unix systems it doesn't make any difference as long as Exim is consistent in
95what it locks. */
96
97#ifndef O_CLOEXEC
98(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
99#endif
100
101lock_data.l_type = F_WRLCK;
102lock_data.l_whence = SEEK_SET;
103lock_data.l_start = 0;
104lock_data.l_len = SPOOL_DATA_START_OFFSET;
105
106if (fcntl(fd, F_SETLK, &lock_data) < 0)
107 {
108 log_write(L_skip_delivery,
109 LOG_MAIN,
110 "Spool file is locked (another process is handling this message)");
111 (void)close(fd);
112 errno = 0;
113 return -1;
114 }
115
116/* Get the size of the data; don't include the leading filename line
117in the count, but add one for the newline before the data. */
118
119if (fstat(fd, &statbuf) == 0)
120 {
121 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
122 message_size = message_body_size + 1;
123 }
124
125return fd;
126}
127#endif /* COMPILE_UTILITY */
128
129
130
131/*************************************************
132* Read non-recipients tree from spool file *
133*************************************************/
134
135/* The tree of non-recipients is written to the spool file in a form that
136makes it easy to read back into a tree. The format is as follows:
137
138 . Each node is preceded by two letter(Y/N) indicating whether it has left
139 or right children. There's one space after the two flags, before the name.
140
141 . The left subtree (if any) then follows, then the right subtree (if any).
142
143This function is entered with the next input line in the buffer. Note we must
144save the right flag before recursing with the same buffer.
145
146Once the tree is read, we re-construct the balance fields by scanning the tree.
147I forgot to write them out originally, and the compatible fix is to do it this
148way. This initial local recursing function does the necessary.
149
150Arguments:
151 node tree node
152
153Returns: maximum depth below the node, including the node itself
154*/
155
156static int
157count_below(tree_node *node)
158{
159int nleft, nright;
160if (node == NULL) return 0;
161nleft = count_below(node->left);
162nright = count_below(node->right);
163node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
164return 1 + ((nleft > nright)? nleft : nright);
165}
166
167/* This is the real function...
168
169Arguments:
170 connect pointer to the root of the tree
171 f FILE to read data from
172 buffer contains next input line; further lines read into it
173 buffer_size size of the buffer
174
175Returns: FALSE on format error
176*/
177
178static BOOL
179read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
180 int buffer_size)
181{
182tree_node *node;
183int n = Ustrlen(buffer);
184BOOL right = buffer[1] == 'Y';
185
186if (n < 5) return FALSE; /* malformed line */
187buffer[n-1] = 0; /* Remove \n */
188node = store_get(sizeof(tree_node) + n - 3);
189*connect = node;
190Ustrcpy(node->name, buffer + 3);
191node->data.ptr = NULL;
192
193if (buffer[0] == 'Y')
194 {
195 if (Ufgets(buffer, buffer_size, f) == NULL ||
196 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
197 return FALSE;
198 }
199else node->left = NULL;
200
201if (right)
202 {
203 if (Ufgets(buffer, buffer_size, f) == NULL ||
204 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
205 return FALSE;
206 }
207else node->right = NULL;
208
209(void) count_below(*connect);
210return TRUE;
211}
212
213
214
215
216/* Reset all the global variables to their default values. However, there is
217one exception. DO NOT change the default value of dont_deliver, because it may
218be forced by an external setting. */
219
220void
221spool_clear_header_globals(void)
222{
223acl_var_c = acl_var_m = NULL;
224authenticated_id = NULL;
225authenticated_sender = NULL;
226f.allow_unqualified_recipient = FALSE;
227f.allow_unqualified_sender = FALSE;
228body_linecount = 0;
229body_zerocount = 0;
230f.deliver_firsttime = FALSE;
231f.deliver_freeze = FALSE;
232deliver_frozen_at = 0;
233f.deliver_manual_thaw = FALSE;
234/* f.dont_deliver must NOT be reset */
235header_list = header_last = NULL;
236host_lookup_deferred = FALSE;
237host_lookup_failed = FALSE;
238interface_address = NULL;
239interface_port = 0;
240f.local_error_message = FALSE;
241#ifdef HAVE_LOCAL_SCAN
242local_scan_data = NULL;
243#endif
244max_received_linelength = 0;
245message_linecount = 0;
246received_protocol = NULL;
247received_count = 0;
248recipients_list = NULL;
249sender_address = NULL;
250sender_fullhost = NULL;
251sender_helo_name = NULL;
252sender_host_address = NULL;
253sender_host_name = NULL;
254sender_host_port = 0;
255sender_host_authenticated = NULL;
256sender_ident = NULL;
257f.sender_local = FALSE;
258f.sender_set_untrusted = FALSE;
259smtp_active_hostname = primary_hostname;
260#ifndef COMPILE_UTILITY
261f.spool_file_wireformat = FALSE;
262#endif
263tree_nonrecipients = NULL;
264
265#ifdef EXPERIMENTAL_BRIGHTMAIL
266bmi_run = 0;
267bmi_verdicts = NULL;
268#endif
269
270#ifndef DISABLE_DKIM
271dkim_signers = NULL;
272f.dkim_disable_verify = FALSE;
273dkim_collect_input = 0;
274#endif
275
276#ifndef DISABLE_TLS
277tls_in.certificate_verified = FALSE;
278# ifdef SUPPORT_DANE
279tls_in.dane_verified = FALSE;
280# endif
281tls_in.cipher = NULL;
282# ifndef COMPILE_UTILITY /* tls support fns not built in */
283tls_free_cert(&tls_in.ourcert);
284tls_free_cert(&tls_in.peercert);
285# endif
286tls_in.peerdn = NULL;
287tls_in.sni = NULL;
288tls_in.ocsp = OCSP_NOT_REQ;
289#endif
290
291#ifdef WITH_CONTENT_SCAN
292spam_bar = NULL;
293spam_score = NULL;
294spam_score_int = NULL;
295#endif
296
297#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
298message_smtputf8 = FALSE;
299message_utf8_downconvert = 0;
300#endif
301
302dsn_ret = 0;
303dsn_envid = NULL;
304}
305
306
307/*************************************************
308* Read spool header file *
309*************************************************/
310
311/* This function reads a spool header file and places the data into the
312appropriate global variables. The header portion is always read, but header
313structures are built only if read_headers is set true. It isn't, for example,
314while generating -bp output.
315
316It may be possible for blocks of nulls (binary zeroes) to get written on the
317end of a file if there is a system crash during writing. It was observed on an
318earlier version of Exim that omitted to fsync() the files - this is thought to
319have been the cause of that incident, but in any case, this code must be robust
320against such an event, and if such a file is encountered, it must be treated as
321malformed.
322
323As called from deliver_message() (at least) we are running as root.
324
325Arguments:
326 name name of the header file, including the -H
327 read_headers TRUE if in-store header structures are to be built
328 subdir_set TRUE is message_subdir is already set
329
330Returns: spool_read_OK success
331 spool_read_notopen open failed
332 spool_read_enverror error in the envelope portion
333 spool_read_hdrerror error in the header portion
334*/
335
336int
337spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
338{
339FILE * fp = NULL;
340int n;
341int rcount = 0;
342long int uid, gid;
343BOOL inheader = FALSE;
344uschar *p;
345
346/* Reset all the global variables to their default values. However, there is
347one exception. DO NOT change the default value of dont_deliver, because it may
348be forced by an external setting. */
349
350spool_clear_header_globals();
351
352/* Generate the full name and open the file. If message_subdir is already
353set, just look in the given directory. Otherwise, look in both the split
354and unsplit directories, as for the data file above. */
355
356for (int n = 0; n < 2; n++)
357 {
358 if (!subdir_set)
359 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
360
361 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
362 break;
363 if (n != 0 || subdir_set || errno != ENOENT)
364 return spool_read_notopen;
365 }
366
367errno = 0;
368
369#ifndef COMPILE_UTILITY
370DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
371#endif /* COMPILE_UTILITY */
372
373/* The first line of a spool file contains the message id followed by -H (i.e.
374the file name), in order to make the file self-identifying. */
375
376if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
377if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
378 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
379 goto SPOOL_FORMAT_ERROR;
380
381/* The next three lines in the header file are in a fixed format. The first
382contains the login, uid, and gid of the user who caused the file to be written.
383There are known cases where a negative gid is used, so we allow for both
384negative uids and gids. The second contains the mail address of the message's
385sender, enclosed in <>. The third contains the time the message was received,
386and the number of warning messages for delivery delays that have been sent. */
387
388if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
389
390p = big_buffer + Ustrlen(big_buffer);
391while (p > big_buffer && isspace(p[-1])) p--;
392*p = 0;
393if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
394while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
395gid = Uatoi(p);
396if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
397*p = 0;
398if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
399while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
400uid = Uatoi(p);
401if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
402*p = 0;
403
404originator_login = string_copy(big_buffer);
405originator_uid = (uid_t)uid;
406originator_gid = (gid_t)gid;
407
408/* envelope from */
409if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
410n = Ustrlen(big_buffer);
411if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
412 goto SPOOL_FORMAT_ERROR;
413
414sender_address = store_get(n-2);
415Ustrncpy(sender_address, big_buffer+1, n-3);
416sender_address[n-3] = 0;
417
418/* time */
419if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
420if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
421 goto SPOOL_FORMAT_ERROR;
422received_time.tv_usec = 0;
423
424message_age = time(NULL) - received_time.tv_sec;
425
426#ifndef COMPILE_UTILITY
427DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
428 originator_login, (long int)originator_uid, (long int)originator_gid,
429 sender_address);
430#endif /* COMPILE_UTILITY */
431
432/* Now there may be a number of optional lines, each starting with "-". If you
433add a new setting here, make sure you set the default above.
434
435Because there are now quite a number of different possibilities, we use a
436switch on the first character to avoid too many failing tests. Thanks to Nico
437Erfurth for the patch that implemented this. I have made it even more efficient
438by not re-scanning the first two characters.
439
440To allow new versions of Exim that add additional flags to interwork with older
441versions that do not understand them, just ignore any lines starting with "-"
442that we don't recognize. Otherwise it wouldn't be possible to back off a new
443version that left new-style flags written on the spool. */
444
445p = big_buffer + 2;
446for (;;)
447 {
448 int len;
449 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
450 if (big_buffer[0] != '-') break;
451 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
452 && big_buffer[len-1] != '\n'
453 )
454 { /* buffer not big enough for line; certs make this possible */
455 uschar * buf;
456 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
457 buf = store_get_perm(big_buffer_size *= 2);
458 memcpy(buf, big_buffer, --len);
459 big_buffer = buf;
460 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
461 goto SPOOL_READ_ERROR;
462 }
463 big_buffer[len-1] = 0;
464
465 switch(big_buffer[1])
466 {
467 case 'a':
468
469 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
470 variable, because Exim allows any number of them, with arbitrary names.
471 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
472 the c or m. */
473
474 if (Ustrncmp(p, "clc ", 4) == 0 ||
475 Ustrncmp(p, "clm ", 4) == 0)
476 {
477 uschar *name, *endptr;
478 int count;
479 tree_node *node;
480 endptr = Ustrchr(big_buffer + 6, ' ');
481 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
482 name = string_sprintf("%c%.*s", big_buffer[4],
483 (int)(endptr - big_buffer - 6), big_buffer + 6);
484 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
485 node = acl_var_create(name);
486 node->data.ptr = store_get(count + 1);
487 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
488 ((uschar*)node->data.ptr)[count] = 0;
489 }
490
491 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
492 f.allow_unqualified_recipient = TRUE;
493 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
494 f.allow_unqualified_sender = TRUE;
495
496 else if (Ustrncmp(p, "uth_id", 6) == 0)
497 authenticated_id = string_copy(big_buffer + 9);
498 else if (Ustrncmp(p, "uth_sender", 10) == 0)
499 authenticated_sender = string_copy(big_buffer + 13);
500 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
501 smtp_active_hostname = string_copy(big_buffer + 17);
502
503 /* For long-term backward compatibility, we recognize "-acl", which was
504 used before the number of ACL variables changed from 10 to 20. This was
505 before the subsequent change to an arbitrary number of named variables.
506 This code is retained so that upgrades from very old versions can still
507 handle old-format spool files. The value given after "-acl" is a number
508 that is 0-9 for connection variables, and 10-19 for message variables. */
509
510 else if (Ustrncmp(p, "cl ", 3) == 0)
511 {
512 unsigned index, count;
513 uschar name[20]; /* Need plenty of space for %u format */
514 tree_node * node;
515 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
516 || index >= 20
517 || count > 16384 /* arbitrary limit on variable size */
518 )
519 goto SPOOL_FORMAT_ERROR;
520 if (index < 10)
521 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
522 else
523 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
524 node = acl_var_create(name);
525 node->data.ptr = store_get(count + 1);
526 /* We sanity-checked the count, so disable the Coverity error */
527 /* coverity[tainted_data] */
528 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
529 (US node->data.ptr)[count] = '\0';
530 }
531 break;
532
533 case 'b':
534 if (Ustrncmp(p, "ody_linecount", 13) == 0)
535 body_linecount = Uatoi(big_buffer + 15);
536 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
537 body_zerocount = Uatoi(big_buffer + 15);
538#ifdef EXPERIMENTAL_BRIGHTMAIL
539 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
540 bmi_verdicts = string_copy(big_buffer + 14);
541#endif
542 break;
543
544 case 'd':
545 if (Ustrcmp(p, "eliver_firsttime") == 0)
546 f.deliver_firsttime = TRUE;
547 /* Check if the dsn flags have been set in the header file */
548 else if (Ustrncmp(p, "sn_ret", 6) == 0)
549 dsn_ret= atoi(CS big_buffer + 8);
550 else if (Ustrncmp(p, "sn_envid", 8) == 0)
551 dsn_envid = string_copy(big_buffer + 11);
552 break;
553
554 case 'f':
555 if (Ustrncmp(p, "rozen", 5) == 0)
556 {
557 f.deliver_freeze = TRUE;
558 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
559 goto SPOOL_READ_ERROR;
560 }
561 break;
562
563 case 'h':
564 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
565 host_lookup_deferred = TRUE;
566 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
567 host_lookup_failed = TRUE;
568 else if (Ustrncmp(p, "ost_auth", 8) == 0)
569 sender_host_authenticated = string_copy(big_buffer + 11);
570 else if (Ustrncmp(p, "ost_name", 8) == 0)
571 sender_host_name = string_copy(big_buffer + 11);
572 else if (Ustrncmp(p, "elo_name", 8) == 0)
573 sender_helo_name = string_copy(big_buffer + 11);
574
575 /* We now record the port number after the address, separated by a
576 dot. For compatibility during upgrading, do nothing if there
577 isn't a value (it gets left at zero). */
578
579 else if (Ustrncmp(p, "ost_address", 11) == 0)
580 {
581 sender_host_port = host_address_extract_port(big_buffer + 14);
582 sender_host_address = string_copy(big_buffer + 14);
583 }
584 break;
585
586 case 'i':
587 if (Ustrncmp(p, "nterface_address", 16) == 0)
588 {
589 interface_port = host_address_extract_port(big_buffer + 19);
590 interface_address = string_copy(big_buffer + 19);
591 }
592 else if (Ustrncmp(p, "dent", 4) == 0)
593 sender_ident = string_copy(big_buffer + 7);
594 break;
595
596 case 'l':
597 if (Ustrcmp(p, "ocal") == 0)
598 f.sender_local = TRUE;
599 else if (Ustrcmp(big_buffer, "-localerror") == 0)
600 f.local_error_message = TRUE;
601#ifdef HAVE_LOCAL_SCAN
602 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
603 local_scan_data = string_copy(big_buffer + 12);
604#endif
605 break;
606
607 case 'm':
608 if (Ustrcmp(p, "anual_thaw") == 0) f.deliver_manual_thaw = TRUE;
609 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
610 max_received_linelength = Uatoi(big_buffer + 24);
611 break;
612
613 case 'N':
614 if (*p == 0) f.dont_deliver = TRUE; /* -N */
615 break;
616
617 case 'r':
618 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
619 received_protocol = string_copy(big_buffer + 19);
620 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
621 {
622 unsigned usec;
623 if (sscanf(CS big_buffer + 21, "%u", &usec) == 1)
624 received_time.tv_usec = usec;
625 }
626 break;
627
628 case 's':
629 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
630 f.sender_set_untrusted = TRUE;
631#ifdef WITH_CONTENT_SCAN
632 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
633 spam_bar = string_copy(big_buffer + 10);
634 else if (Ustrncmp(p, "pam_score ", 10) == 0)
635 spam_score = string_copy(big_buffer + 12);
636 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
637 spam_score_int = string_copy(big_buffer + 16);
638#endif
639#ifndef COMPILE_UTILITY
640 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
641 f.spool_file_wireformat = TRUE;
642#endif
643#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
644 else if (Ustrncmp(p, "mtputf8", 7) == 0)
645 message_smtputf8 = TRUE;
646#endif
647 break;
648
649#ifndef DISABLE_TLS
650 case 't':
651 if (Ustrncmp(p, "ls_", 3) == 0)
652 {
653 uschar * q = p + 3;
654 if (Ustrncmp(q, "certificate_verified", 20) == 0)
655 tls_in.certificate_verified = TRUE;
656 else if (Ustrncmp(q, "cipher", 6) == 0)
657 tls_in.cipher = string_copy(big_buffer + 12);
658# ifndef COMPILE_UTILITY /* tls support fns not built in */
659 else if (Ustrncmp(q, "ourcert", 7) == 0)
660 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
661 else if (Ustrncmp(q, "peercert", 8) == 0)
662 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
663# endif
664 else if (Ustrncmp(q, "peerdn", 6) == 0)
665 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
666 else if (Ustrncmp(q, "sni", 3) == 0)
667 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
668 else if (Ustrncmp(q, "ocsp", 4) == 0)
669 tls_in.ocsp = big_buffer[10] - '0';
670# ifdef EXPERIMENTAL_TLS_RESUME
671 else if (Ustrncmp(q, "resumption", 10) == 0)
672 tls_in.resumption = big_buffer[16] - 'A';
673# endif
674
675 }
676 break;
677#endif
678
679#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
680 case 'u':
681 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
682 message_utf8_downconvert = 1;
683 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
684 message_utf8_downconvert = -1;
685 break;
686#endif
687
688 default: /* Present because some compilers complain if all */
689 break; /* possibilities are not covered. */
690 }
691 }
692
693/* Build sender_fullhost if required */
694
695#ifndef COMPILE_UTILITY
696host_build_sender_fullhost();
697#endif /* COMPILE_UTILITY */
698
699#ifndef COMPILE_UTILITY
700DEBUG(D_deliver)
701 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
702 (sender_ident == NULL)? US"unset" : sender_ident);
703#endif /* COMPILE_UTILITY */
704
705/* We now have the tree of addresses NOT to deliver to, or a line
706containing "XX", indicating no tree. */
707
708if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
709 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
710 goto SPOOL_FORMAT_ERROR;
711
712#ifndef COMPILE_UTILITY
713DEBUG(D_deliver)
714 {
715 debug_printf("Non-recipients:\n");
716 debug_print_tree(tree_nonrecipients);
717 }
718#endif /* COMPILE_UTILITY */
719
720/* After reading the tree, the next line has not yet been read into the
721buffer. It contains the count of recipients which follow on separate lines.
722Apply an arbitrary sanity check.*/
723
724if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
725if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
726 goto SPOOL_FORMAT_ERROR;
727
728#ifndef COMPILE_UTILITY
729DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
730#endif /* COMPILE_UTILITY */
731
732recipients_list_max = rcount;
733recipients_list = store_get(rcount * sizeof(recipient_item));
734
735/* We sanitised the count and know we have enough memory, so disable
736the Coverity error on recipients_count */
737/* coverity[tainted_data] */
738
739for (recipients_count = 0; recipients_count < rcount; recipients_count++)
740 {
741 int nn;
742 int pno = -1;
743 int dsn_flags = 0;
744 uschar *orcpt = NULL;
745 uschar *errors_to = NULL;
746 uschar *p;
747
748 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
749 nn = Ustrlen(big_buffer);
750 if (nn < 2) goto SPOOL_FORMAT_ERROR;
751
752 /* Remove the newline; this terminates the address if there is no additional
753 data on the line. */
754
755 p = big_buffer + nn - 1;
756 *p-- = 0;
757
758 /* Look back from the end of the line for digits and special terminators.
759 Since an address must end with a domain, we can tell that extra data is
760 present by the presence of the terminator, which is always some character
761 that cannot exist in a domain. (If I'd thought of the need for additional
762 data early on, I'd have put it at the start, with the address at the end. As
763 it is, we have to operate backwards. Addresses are permitted to contain
764 spaces, you see.)
765
766 This code has to cope with various versions of this data that have evolved
767 over time. In all cases, the line might just contain an address, with no
768 additional data. Otherwise, the possibilities are as follows:
769
770 Exim 3 type: <address><space><digits>,<digits>,<digits>
771
772 The second set of digits is the parent number for one_time addresses. The
773 other values were remnants of earlier experiments that were abandoned.
774
775 Exim 4 first type: <address><space><digits>
776
777 The digits are the parent number for one_time addresses.
778
779 Exim 4 new type: <address><space><data>#<type bits>
780
781 The type bits indicate what the contents of the data are.
782
783 Bit 01 indicates that, reading from right to left, the data
784 ends with <errors_to address><space><len>,<pno> where pno is
785 the parent number for one_time addresses, and len is the length
786 of the errors_to address (zero meaning none).
787
788 Bit 02 indicates that, again reading from right to left, the data continues
789 with orcpt len(orcpt),dsn_flags
790 */
791
792 while (isdigit(*p)) p--;
793
794 /* Handle Exim 3 spool files */
795
796 if (*p == ',')
797 {
798 int dummy;
799 while (isdigit(*(--p)) || *p == ',');
800 if (*p == ' ')
801 {
802 *p++ = 0;
803 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
804 }
805 }
806
807 /* Handle early Exim 4 spool files */
808
809 else if (*p == ' ')
810 {
811 *p++ = 0;
812 (void)sscanf(CS p, "%d", &pno);
813 }
814
815 /* Handle current format Exim 4 spool files */
816
817 else if (*p == '#')
818 {
819 int flags;
820
821#if !defined (COMPILE_UTILITY)
822 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
823#endif
824
825 (void)sscanf(CS p+1, "%d", &flags);
826
827 if ((flags & 0x01) != 0) /* one_time data exists */
828 {
829 int len;
830 while (isdigit(*(--p)) || *p == ',' || *p == '-');
831 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
832 *p = 0;
833 if (len > 0)
834 {
835 p -= len;
836 errors_to = string_copy(p);
837 }
838 }
839
840 *(--p) = 0; /* Terminate address */
841 if ((flags & 0x02) != 0) /* one_time data exists */
842 {
843 int len;
844 while (isdigit(*(--p)) || *p == ',' || *p == '-');
845 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
846 *p = 0;
847 if (len > 0)
848 {
849 p -= len;
850 orcpt = string_copy(p);
851 }
852 }
853
854 *(--p) = 0; /* Terminate address */
855 }
856#if !defined(COMPILE_UTILITY)
857 else
858 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
859
860 if ((orcpt != NULL) || (dsn_flags != 0))
861 {
862 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
863 big_buffer, orcpt, dsn_flags);
864 }
865 if (errors_to != NULL)
866 {
867 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
868 big_buffer, errors_to);
869 }
870#endif
871
872 recipients_list[recipients_count].address = string_copy(big_buffer);
873 recipients_list[recipients_count].pno = pno;
874 recipients_list[recipients_count].errors_to = errors_to;
875 recipients_list[recipients_count].orcpt = orcpt;
876 recipients_list[recipients_count].dsn_flags = dsn_flags;
877 }
878
879/* The remainder of the spool header file contains the headers for the message,
880separated off from the previous data by a blank line. Each header is preceded
881by a count of its length and either a certain letter (for various identified
882headers), space (for a miscellaneous live header) or an asterisk (for a header
883that has been rewritten). Count the Received: headers. We read the headers
884always, in order to check on the format of the file, but only create a header
885list if requested to do so. */
886
887inheader = TRUE;
888if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
889if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
890
891while ((n = fgetc(fp)) != EOF)
892 {
893 header_line *h;
894 uschar flag[4];
895 int i;
896
897 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
898 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
899 goto SPOOL_READ_ERROR;
900 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
901
902 if (read_headers)
903 {
904 h = store_get(sizeof(header_line));
905 h->next = NULL;
906 h->type = flag[0];
907 h->slen = n;
908 h->text = store_get(n+1);
909
910 if (h->type == htype_received) received_count++;
911
912 if (header_list == NULL) header_list = h;
913 else header_last->next = h;
914 header_last = h;
915
916 for (i = 0; i < n; i++)
917 {
918 int c = fgetc(fp);
919 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
920 if (c == '\n' && h->type != htype_old) message_linecount++;
921 h->text[i] = c;
922 }
923 h->text[i] = 0;
924 }
925
926 /* Not requiring header data, just skip through the bytes */
927
928 else for (i = 0; i < n; i++)
929 {
930 int c = fgetc(fp);
931 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
932 }
933 }
934
935/* We have successfully read the data in the header file. Update the message
936line count by adding the body linecount to the header linecount. Close the file
937and give a positive response. */
938
939#ifndef COMPILE_UTILITY
940DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
941 body_linecount, message_linecount);
942#endif /* COMPILE_UTILITY */
943
944message_linecount += body_linecount;
945
946fclose(fp);
947return spool_read_OK;
948
949
950/* There was an error reading the spool or there was missing data,
951or there was a format error. A "read error" with no errno means an
952unexpected EOF, which we treat as a format error. */
953
954SPOOL_READ_ERROR:
955if (errno != 0)
956 {
957 n = errno;
958
959#ifndef COMPILE_UTILITY
960 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
961#endif /* COMPILE_UTILITY */
962
963 fclose(fp);
964 errno = n;
965 return inheader? spool_read_hdrerror : spool_read_enverror;
966 }
967
968SPOOL_FORMAT_ERROR:
969
970#ifndef COMPILE_UTILITY
971DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
972#endif /* COMPILE_UTILITY */
973
974fclose(fp);
975errno = ERRNO_SPOOLFORMAT;
976return inheader? spool_read_hdrerror : spool_read_enverror;
977}
978
979/* vi: aw ai sw=2
980*/
981/* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.