projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
GnuTLS: fix non-OCSP bulid
[exim.git] / src / src / spool_in.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for reading spool files. When compiling for a utility (eximon),
9not all are needed, and some functionality can be cut out. */
10
11
12#include "exim.h"
13
14
15
16#ifndef COMPILE_UTILITY
17/*************************************************
18* Open and lock data file *
19*************************************************/
20
21/* The data file is the one that is used for locking, because the header file
22can get replaced during delivery because of header rewriting. The file has
23to opened with write access so that we can get an exclusive lock, but in
24fact it won't be written to. Just in case there's a major disaster (e.g.
25overwriting some other file descriptor with the value of this one), open it
26with append.
27
28As called by deliver_message() (at least) we are operating as root.
29
30Argument: the id of the message
31Returns: fd if file successfully opened and locked, else -1
32
33Side effect: message_subdir is set for the (possibly split) spool directory
34*/
35
36int
37spool_open_datafile(uschar *id)
38{
39struct stat statbuf;
40flock_t lock_data;
41int fd;
42
43/* If split_spool_directory is set, first look for the file in the appropriate
44sub-directory of the input directory. If it is not found there, try the input
45directory itself, to pick up leftovers from before the splitting. If split_
46spool_directory is not set, first look in the main input directory. If it is
47not found there, try the split sub-directory, in case it is left over from a
48splitting state. */
49
50for (int i = 0; i < 2; i++)
51 {
52 uschar * fname;
53 int save_errno;
54
55 set_subdir_str(message_subdir, id, i);
56 fname = spool_fname(US"input", message_subdir, id, US"-D");
57 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
58
59 /* We protect against symlink attacks both in not propagating the
60 * file-descriptor to other processes as we exec, and also ensuring that we
61 * don't even open symlinks.
62 * No -D file inside the spool area should be a symlink.
63 */
64 if ((fd = Uopen(fname,
65#ifdef O_CLOEXEC
66 O_CLOEXEC |
67#endif
68#ifdef O_NOFOLLOW
69 O_NOFOLLOW |
70#endif
71 O_RDWR | O_APPEND, 0)) >= 0)
72 break;
73 save_errno = errno;
74 if (errno == ENOENT)
75 {
76 if (i == 0) continue;
77 if (!f.queue_running)
78 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
79 *queue_name ? US" Q=" : US"",
80 *queue_name ? queue_name : US"",
81 id);
82 }
83 else
84 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
85 errno = save_errno;
86 return -1;
87 }
88
89/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
90the file. We lock only the first line of the file (containing the message ID)
91because this apparently is needed for running Exim under Cygwin. If the entire
92file is locked in one process, a sub-process cannot access it, even when passed
93an open file descriptor (at least, I think that's the Cygwin story). On real
94Unix systems it doesn't make any difference as long as Exim is consistent in
95what it locks. */
96
97#ifndef O_CLOEXEC
98(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
99#endif
100
101lock_data.l_type = F_WRLCK;
102lock_data.l_whence = SEEK_SET;
103lock_data.l_start = 0;
104lock_data.l_len = SPOOL_DATA_START_OFFSET;
105
106if (fcntl(fd, F_SETLK, &lock_data) < 0)
107 {
108 log_write(L_skip_delivery,
109 LOG_MAIN,
110 "Spool file is locked (another process is handling this message)");
111 (void)close(fd);
112 errno = 0;
113 return -1;
114 }
115
116/* Get the size of the data; don't include the leading filename line
117in the count, but add one for the newline before the data. */
118
119if (fstat(fd, &statbuf) == 0)
120 {
121 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
122 message_size = message_body_size + 1;
123 }
124
125return fd;
126}
127#endif /* COMPILE_UTILITY */
128
129
130
131/*************************************************
132* Read non-recipients tree from spool file *
133*************************************************/
134
135/* The tree of non-recipients is written to the spool file in a form that
136makes it easy to read back into a tree. The format is as follows:
137
138 . Each node is preceded by two letter(Y/N) indicating whether it has left
139 or right children. There's one space after the two flags, before the name.
140
141 . The left subtree (if any) then follows, then the right subtree (if any).
142
143This function is entered with the next input line in the buffer. Note we must
144save the right flag before recursing with the same buffer.
145
146Once the tree is read, we re-construct the balance fields by scanning the tree.
147I forgot to write them out originally, and the compatible fix is to do it this
148way. This initial local recursing function does the necessary.
149
150Arguments:
151 node tree node
152
153Returns: maximum depth below the node, including the node itself
154*/
155
156static int
157count_below(tree_node *node)
158{
159int nleft, nright;
160if (node == NULL) return 0;
161nleft = count_below(node->left);
162nright = count_below(node->right);
163node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
164return 1 + ((nleft > nright)? nleft : nright);
165}
166
167/* This is the real function...
168
169Arguments:
170 connect pointer to the root of the tree
171 f FILE to read data from
172 buffer contains next input line; further lines read into it
173 buffer_size size of the buffer
174
175Returns: FALSE on format error
176*/
177
178static BOOL
179read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
180 int buffer_size)
181{
182tree_node *node;
183int n = Ustrlen(buffer);
184BOOL right = buffer[1] == 'Y';
185
186if (n < 5) return FALSE; /* malformed line */
187buffer[n-1] = 0; /* Remove \n */
188node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
189*connect = node;
190Ustrcpy(node->name, buffer + 3);
191node->data.ptr = NULL;
192
193if (buffer[0] == 'Y')
194 {
195 if (Ufgets(buffer, buffer_size, f) == NULL ||
196 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
197 return FALSE;
198 }
199else node->left = NULL;
200
201if (right)
202 {
203 if (Ufgets(buffer, buffer_size, f) == NULL ||
204 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
205 return FALSE;
206 }
207else node->right = NULL;
208
209(void) count_below(*connect);
210return TRUE;
211}
212
213
214
215
216/* Reset all the global variables to their default values. However, there is
217one exception. DO NOT change the default value of dont_deliver, because it may
218be forced by an external setting. */
219
220void
221spool_clear_header_globals(void)
222{
223acl_var_c = acl_var_m = NULL;
224authenticated_id = NULL;
225authenticated_sender = NULL;
226f.allow_unqualified_recipient = FALSE;
227f.allow_unqualified_sender = FALSE;
228body_linecount = 0;
229body_zerocount = 0;
230f.deliver_firsttime = FALSE;
231f.deliver_freeze = FALSE;
232deliver_frozen_at = 0;
233f.deliver_manual_thaw = FALSE;
234/* f.dont_deliver must NOT be reset */
235header_list = header_last = NULL;
236host_lookup_deferred = FALSE;
237host_lookup_failed = FALSE;
238interface_address = NULL;
239interface_port = 0;
240f.local_error_message = FALSE;
241#ifdef HAVE_LOCAL_SCAN
242local_scan_data = NULL;
243#endif
244max_received_linelength = 0;
245message_linecount = 0;
246received_protocol = NULL;
247received_count = 0;
248recipients_list = NULL;
249sender_address = NULL;
250sender_fullhost = NULL;
251sender_helo_name = NULL;
252sender_host_address = NULL;
253sender_host_name = NULL;
254sender_host_port = 0;
255sender_host_authenticated = NULL;
256sender_ident = NULL;
257f.sender_local = FALSE;
258f.sender_set_untrusted = FALSE;
259smtp_active_hostname = primary_hostname;
260#ifndef COMPILE_UTILITY
261f.spool_file_wireformat = FALSE;
262#endif
263tree_nonrecipients = NULL;
264
265#ifdef EXPERIMENTAL_BRIGHTMAIL
266bmi_run = 0;
267bmi_verdicts = NULL;
268#endif
269
270#ifndef DISABLE_DKIM
271dkim_signers = NULL;
272f.dkim_disable_verify = FALSE;
273dkim_collect_input = 0;
274#endif
275
276#ifndef DISABLE_TLS
277tls_in.certificate_verified = FALSE;
278# ifdef SUPPORT_DANE
279tls_in.dane_verified = FALSE;
280# endif
281tls_in.cipher = NULL;
282# ifndef COMPILE_UTILITY /* tls support fns not built in */
283tls_free_cert(&tls_in.ourcert);
284tls_free_cert(&tls_in.peercert);
285# endif
286tls_in.peerdn = NULL;
287tls_in.sni = NULL;
288tls_in.ocsp = OCSP_NOT_REQ;
289#endif
290
291#ifdef WITH_CONTENT_SCAN
292spam_bar = NULL;
293spam_score = NULL;
294spam_score_int = NULL;
295#endif
296
297#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
298message_smtputf8 = FALSE;
299message_utf8_downconvert = 0;
300#endif
301
302dsn_ret = 0;
303dsn_envid = NULL;
304}
305
306
307/*************************************************
308* Read spool header file *
309*************************************************/
310
311/* This function reads a spool header file and places the data into the
312appropriate global variables. The header portion is always read, but header
313structures are built only if read_headers is set true. It isn't, for example,
314while generating -bp output.
315
316It may be possible for blocks of nulls (binary zeroes) to get written on the
317end of a file if there is a system crash during writing. It was observed on an
318earlier version of Exim that omitted to fsync() the files - this is thought to
319have been the cause of that incident, but in any case, this code must be robust
320against such an event, and if such a file is encountered, it must be treated as
321malformed.
322
323As called from deliver_message() (at least) we are running as root.
324
325Arguments:
326 name name of the header file, including the -H
327 read_headers TRUE if in-store header structures are to be built
328 subdir_set TRUE is message_subdir is already set
329
330Returns: spool_read_OK success
331 spool_read_notopen open failed
332 spool_read_enverror error in the envelope portion
333 spool_read_hdrerror error in the header portion
334*/
335
336int
337spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
338{
339FILE * fp = NULL;
340int n;
341int rcount = 0;
342long int uid, gid;
343BOOL inheader = FALSE;
344
345/* Reset all the global variables to their default values. However, there is
346one exception. DO NOT change the default value of dont_deliver, because it may
347be forced by an external setting. */
348
349spool_clear_header_globals();
350
351/* Generate the full name and open the file. If message_subdir is already
352set, just look in the given directory. Otherwise, look in both the split
353and unsplit directories, as for the data file above. */
354
355for (int n = 0; n < 2; n++)
356 {
357 if (!subdir_set)
358 set_subdir_str(message_subdir, name, n);
359
360 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
361 break;
362 if (n != 0 || subdir_set || errno != ENOENT)
363 return spool_read_notopen;
364 }
365
366errno = 0;
367
368#ifndef COMPILE_UTILITY
369DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
370#endif /* COMPILE_UTILITY */
371
372/* The first line of a spool file contains the message id followed by -H (i.e.
373the file name), in order to make the file self-identifying. */
374
375if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
376if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
377 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
378 goto SPOOL_FORMAT_ERROR;
379
380/* The next three lines in the header file are in a fixed format. The first
381contains the login, uid, and gid of the user who caused the file to be written.
382There are known cases where a negative gid is used, so we allow for both
383negative uids and gids. The second contains the mail address of the message's
384sender, enclosed in <>. The third contains the time the message was received,
385and the number of warning messages for delivery delays that have been sent. */
386
387if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
388
389{
390uschar *p = big_buffer + Ustrlen(big_buffer);
391while (p > big_buffer && isspace(p[-1])) p--;
392*p = 0;
393if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
394while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
395gid = Uatoi(p);
396if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
397*p = 0;
398if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
399while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
400uid = Uatoi(p);
401if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
402*p = 0;
403}
404
405originator_login = string_copy(big_buffer);
406originator_uid = (uid_t)uid;
407originator_gid = (gid_t)gid;
408
409/* envelope from */
410if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
411n = Ustrlen(big_buffer);
412if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
413 goto SPOOL_FORMAT_ERROR;
414
415sender_address = store_get(n-2, TRUE); /* tainted */
416Ustrncpy(sender_address, big_buffer+1, n-3);
417sender_address[n-3] = 0;
418
419/* time */
420if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
421if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
422 goto SPOOL_FORMAT_ERROR;
423received_time.tv_usec = 0;
424
425message_age = time(NULL) - received_time.tv_sec;
426
427#ifndef COMPILE_UTILITY
428DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
429 originator_login, (long int)originator_uid, (long int)originator_gid,
430 sender_address);
431#endif /* COMPILE_UTILITY */
432
433/* Now there may be a number of optional lines, each starting with "-". If you
434add a new setting here, make sure you set the default above.
435
436Because there are now quite a number of different possibilities, we use a
437switch on the first character to avoid too many failing tests. Thanks to Nico
438Erfurth for the patch that implemented this. I have made it even more efficient
439by not re-scanning the first two characters.
440
441To allow new versions of Exim that add additional flags to interwork with older
442versions that do not understand them, just ignore any lines starting with "-"
443that we don't recognize. Otherwise it wouldn't be possible to back off a new
444version that left new-style flags written on the spool.
445
446If the line starts with "--" the content of the variable is tainted. */
447
448for (;;)
449 {
450 int len;
451 BOOL tainted;
452 uschar * var;
453 const uschar * p;
454
455 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
456 if (big_buffer[0] != '-') break;
457 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
458 && big_buffer[len-1] != '\n'
459 )
460 { /* buffer not big enough for line; certs make this possible */
461 uschar * buf;
462 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
463 buf = store_get_perm(big_buffer_size *= 2, FALSE);
464 memcpy(buf, big_buffer, --len);
465 big_buffer = buf;
466 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
467 goto SPOOL_READ_ERROR;
468 }
469 big_buffer[len-1] = 0;
470
471 tainted = big_buffer[1] == '-';
472 var = big_buffer + (tainted ? 2 : 1);
473 p = var + 1;
474
475 switch(*var)
476 {
477 case 'a':
478
479 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
480 variable, because Exim allows any number of them, with arbitrary names.
481 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
482 the c or m. */
483
484 if (Ustrncmp(p, "clc ", 4) == 0 ||
485 Ustrncmp(p, "clm ", 4) == 0)
486 {
487 uschar *name, *endptr;
488 int count;
489 tree_node *node;
490 endptr = Ustrchr(var + 5, ' ');
491 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
492 name = string_sprintf("%c%.*s", var[3],
493 (int)(endptr - var - 5), var + 5);
494 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
495 node = acl_var_create(name);
496 node->data.ptr = store_get(count + 1, tainted);
497 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
498 ((uschar*)node->data.ptr)[count] = 0;
499 }
500
501 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
502 f.allow_unqualified_recipient = TRUE;
503 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
504 f.allow_unqualified_sender = TRUE;
505
506 else if (Ustrncmp(p, "uth_id", 6) == 0)
507 authenticated_id = string_copy_taint(var + 8, tainted);
508 else if (Ustrncmp(p, "uth_sender", 10) == 0)
509 authenticated_sender = string_copy_taint(var + 12, tainted);
510 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
511 smtp_active_hostname = string_copy_taint(var + 16, tainted);
512
513 /* For long-term backward compatibility, we recognize "-acl", which was
514 used before the number of ACL variables changed from 10 to 20. This was
515 before the subsequent change to an arbitrary number of named variables.
516 This code is retained so that upgrades from very old versions can still
517 handle old-format spool files. The value given after "-acl" is a number
518 that is 0-9 for connection variables, and 10-19 for message variables. */
519
520 else if (Ustrncmp(p, "cl ", 3) == 0)
521 {
522 unsigned index, count;
523 uschar name[20]; /* Need plenty of space for %u format */
524 tree_node * node;
525 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
526 || index >= 20
527 || count > 16384 /* arbitrary limit on variable size */
528 )
529 goto SPOOL_FORMAT_ERROR;
530 if (index < 10)
531 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
532 else
533 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
534 node = acl_var_create(name);
535 node->data.ptr = store_get(count + 1, tainted);
536 /* We sanity-checked the count, so disable the Coverity error */
537 /* coverity[tainted_data] */
538 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
539 (US node->data.ptr)[count] = '\0';
540 }
541 break;
542
543 case 'b':
544 if (Ustrncmp(p, "ody_linecount", 13) == 0)
545 body_linecount = Uatoi(var + 14);
546 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
547 body_zerocount = Uatoi(var + 14);
548#ifdef EXPERIMENTAL_BRIGHTMAIL
549 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
550 bmi_verdicts = string_copy_taint(var + 13, tainted);
551#endif
552 break;
553
554 case 'd':
555 if (Ustrcmp(p, "eliver_firsttime") == 0)
556 f.deliver_firsttime = TRUE;
557 /* Check if the dsn flags have been set in the header file */
558 else if (Ustrncmp(p, "sn_ret", 6) == 0)
559 dsn_ret= atoi(CS var + 7);
560 else if (Ustrncmp(p, "sn_envid", 8) == 0)
561 dsn_envid = string_copy_taint(var + 10, tainted);
562 break;
563
564 case 'f':
565 if (Ustrncmp(p, "rozen", 5) == 0)
566 {
567 f.deliver_freeze = TRUE;
568 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
569 goto SPOOL_READ_ERROR;
570 }
571 break;
572
573 case 'h':
574 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
575 host_lookup_deferred = TRUE;
576 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
577 host_lookup_failed = TRUE;
578 else if (Ustrncmp(p, "ost_auth", 8) == 0)
579 sender_host_authenticated = string_copy_taint(var + 10, tainted);
580 else if (Ustrncmp(p, "ost_name", 8) == 0)
581 sender_host_name = string_copy_taint(var + 10, tainted);
582 else if (Ustrncmp(p, "elo_name", 8) == 0)
583 sender_helo_name = string_copy_taint(var + 10, tainted);
584
585 /* We now record the port number after the address, separated by a
586 dot. For compatibility during upgrading, do nothing if there
587 isn't a value (it gets left at zero). */
588
589 else if (Ustrncmp(p, "ost_address", 11) == 0)
590 {
591 sender_host_port = host_address_extract_port(var + 13);
592 sender_host_address = string_copy_taint(var + 13, tainted);
593 }
594 break;
595
596 case 'i':
597 if (Ustrncmp(p, "nterface_address", 16) == 0)
598 {
599 interface_port = host_address_extract_port(var + 18);
600 interface_address = string_copy_taint(var + 18, tainted);
601 }
602 else if (Ustrncmp(p, "dent", 4) == 0)
603 sender_ident = string_copy_taint(var + 6, tainted);
604 break;
605
606 case 'l':
607 if (Ustrcmp(p, "ocal") == 0)
608 f.sender_local = TRUE;
609 else if (Ustrcmp(var, "localerror") == 0)
610 f.local_error_message = TRUE;
611#ifdef HAVE_LOCAL_SCAN
612 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
613 local_scan_data = string_copy_taint(var + 11, tainted);
614#endif
615 break;
616
617 case 'm':
618 if (Ustrcmp(p, "anual_thaw") == 0)
619 f.deliver_manual_thaw = TRUE;
620 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
621 max_received_linelength = Uatoi(var + 23);
622 break;
623
624 case 'N':
625 if (*p == 0) f.dont_deliver = TRUE; /* -N */
626 break;
627
628 case 'r':
629 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
630 received_protocol = string_copy_taint(var + 18, tainted);
631 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
632 {
633 unsigned usec;
634 if (sscanf(CS var + 20, "%u", &usec) == 1)
635 received_time.tv_usec = usec;
636 }
637 break;
638
639 case 's':
640 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
641 f.sender_set_untrusted = TRUE;
642#ifdef WITH_CONTENT_SCAN
643 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
644 spam_bar = string_copy_taint(var + 9, tainted);
645 else if (Ustrncmp(p, "pam_score ", 10) == 0)
646 spam_score = string_copy_taint(var + 11, tainted);
647 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
648 spam_score_int = string_copy_taint(var + 15, tainted);
649#endif
650#ifndef COMPILE_UTILITY
651 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
652 f.spool_file_wireformat = TRUE;
653#endif
654#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
655 else if (Ustrncmp(p, "mtputf8", 7) == 0)
656 message_smtputf8 = TRUE;
657#endif
658 break;
659
660#ifndef DISABLE_TLS
661 case 't':
662 if (Ustrncmp(p, "ls_", 3) == 0)
663 {
664 const uschar * q = p + 3;
665 if (Ustrncmp(q, "certificate_verified", 20) == 0)
666 tls_in.certificate_verified = TRUE;
667 else if (Ustrncmp(q, "cipher", 6) == 0)
668 tls_in.cipher = string_copy_taint(var + 11, tainted);
669# ifndef COMPILE_UTILITY /* tls support fns not built in */
670 else if (Ustrncmp(q, "ourcert", 7) == 0)
671 (void) tls_import_cert(var + 12, &tls_in.ourcert);
672 else if (Ustrncmp(q, "peercert", 8) == 0)
673 (void) tls_import_cert(var + 13, &tls_in.peercert);
674# endif
675 else if (Ustrncmp(q, "peerdn", 6) == 0)
676 tls_in.peerdn = string_unprinting(string_copy_taint(var + 11, tainted));
677 else if (Ustrncmp(q, "sni", 3) == 0)
678 tls_in.sni = string_unprinting(string_copy_taint(var + 8, tainted));
679 else if (Ustrncmp(q, "ocsp", 4) == 0)
680 tls_in.ocsp = var[9] - '0';
681# ifdef EXPERIMENTAL_TLS_RESUME
682 else if (Ustrncmp(q, "resumption", 10) == 0)
683 tls_in.resumption = var[15] - 'A';
684# endif
685
686 }
687 break;
688#endif
689
690#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
691 case 'u':
692 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
693 message_utf8_downconvert = 1;
694 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
695 message_utf8_downconvert = -1;
696 break;
697#endif
698
699 default: /* Present because some compilers complain if all */
700 break; /* possibilities are not covered. */
701 }
702 }
703
704/* Build sender_fullhost if required */
705
706#ifndef COMPILE_UTILITY
707host_build_sender_fullhost();
708#endif /* COMPILE_UTILITY */
709
710#ifndef COMPILE_UTILITY
711DEBUG(D_deliver)
712 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
713 sender_ident ? sender_ident : US"unset");
714#endif /* COMPILE_UTILITY */
715
716/* We now have the tree of addresses NOT to deliver to, or a line
717containing "XX", indicating no tree. */
718
719if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
720 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
721 goto SPOOL_FORMAT_ERROR;
722
723#ifndef COMPILE_UTILITY
724DEBUG(D_deliver)
725 {
726 debug_printf("Non-recipients:\n");
727 debug_print_tree(tree_nonrecipients);
728 }
729#endif /* COMPILE_UTILITY */
730
731/* After reading the tree, the next line has not yet been read into the
732buffer. It contains the count of recipients which follow on separate lines.
733Apply an arbitrary sanity check.*/
734
735if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
736if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
737 goto SPOOL_FORMAT_ERROR;
738
739#ifndef COMPILE_UTILITY
740DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
741#endif /* COMPILE_UTILITY */
742
743recipients_list_max = rcount;
744recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
745
746/* We sanitised the count and know we have enough memory, so disable
747the Coverity error on recipients_count */
748/* coverity[tainted_data] */
749
750for (recipients_count = 0; recipients_count < rcount; recipients_count++)
751 {
752 int nn;
753 int pno = -1;
754 int dsn_flags = 0;
755 uschar *orcpt = NULL;
756 uschar *errors_to = NULL;
757 uschar *p;
758
759 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
760 nn = Ustrlen(big_buffer);
761 if (nn < 2) goto SPOOL_FORMAT_ERROR;
762
763 /* Remove the newline; this terminates the address if there is no additional
764 data on the line. */
765
766 p = big_buffer + nn - 1;
767 *p-- = 0;
768
769 /* Look back from the end of the line for digits and special terminators.
770 Since an address must end with a domain, we can tell that extra data is
771 present by the presence of the terminator, which is always some character
772 that cannot exist in a domain. (If I'd thought of the need for additional
773 data early on, I'd have put it at the start, with the address at the end. As
774 it is, we have to operate backwards. Addresses are permitted to contain
775 spaces, you see.)
776
777 This code has to cope with various versions of this data that have evolved
778 over time. In all cases, the line might just contain an address, with no
779 additional data. Otherwise, the possibilities are as follows:
780
781 Exim 3 type: <address><space><digits>,<digits>,<digits>
782
783 The second set of digits is the parent number for one_time addresses. The
784 other values were remnants of earlier experiments that were abandoned.
785
786 Exim 4 first type: <address><space><digits>
787
788 The digits are the parent number for one_time addresses.
789
790 Exim 4 new type: <address><space><data>#<type bits>
791
792 The type bits indicate what the contents of the data are.
793
794 Bit 01 indicates that, reading from right to left, the data
795 ends with <errors_to address><space><len>,<pno> where pno is
796 the parent number for one_time addresses, and len is the length
797 of the errors_to address (zero meaning none).
798
799 Bit 02 indicates that, again reading from right to left, the data continues
800 with orcpt len(orcpt),dsn_flags
801 */
802
803 while (isdigit(*p)) p--;
804
805 /* Handle Exim 3 spool files */
806
807 if (*p == ',')
808 {
809 int dummy;
810#if !defined (COMPILE_UTILITY)
811 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n");
812#endif
813 while (isdigit(*(--p)) || *p == ',');
814 if (*p == ' ')
815 {
816 *p++ = 0;
817 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
818 }
819 }
820
821 /* Handle early Exim 4 spool files */
822
823 else if (*p == ' ')
824 {
825#if !defined (COMPILE_UTILITY)
826 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n");
827#endif
828 *p++ = 0;
829 (void)sscanf(CS p, "%d", &pno);
830 }
831
832 /* Handle current format Exim 4 spool files */
833
834 else if (*p == '#')
835 {
836 int flags;
837
838#if !defined (COMPILE_UTILITY)
839 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n");
840#endif
841
842 (void)sscanf(CS p+1, "%d", &flags);
843
844 if ((flags & 0x01) != 0) /* one_time data exists */
845 {
846 int len;
847 while (isdigit(*(--p)) || *p == ',' || *p == '-');
848 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
849 *p = 0;
850 if (len > 0)
851 {
852 p -= len;
853 errors_to = string_copy_taint(p, TRUE);
854 }
855 }
856
857 *(--p) = 0; /* Terminate address */
858 if ((flags & 0x02) != 0) /* one_time data exists */
859 {
860 int len;
861 while (isdigit(*(--p)) || *p == ',' || *p == '-');
862 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
863 *p = 0;
864 if (len > 0)
865 {
866 p -= len;
867 orcpt = string_copy_taint(p, TRUE);
868 }
869 }
870
871 *(--p) = 0; /* Terminate address */
872 }
873#if !defined(COMPILE_UTILITY)
874 else
875 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
876
877 if (orcpt || dsn_flags)
878 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
879 big_buffer, orcpt, dsn_flags);
880 if (errors_to)
881 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
882 big_buffer, errors_to);
883#endif
884
885 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
886 recipients_list[recipients_count].pno = pno;
887 recipients_list[recipients_count].errors_to = errors_to;
888 recipients_list[recipients_count].orcpt = orcpt;
889 recipients_list[recipients_count].dsn_flags = dsn_flags;
890 }
891
892/* The remainder of the spool header file contains the headers for the message,
893separated off from the previous data by a blank line. Each header is preceded
894by a count of its length and either a certain letter (for various identified
895headers), space (for a miscellaneous live header) or an asterisk (for a header
896that has been rewritten). Count the Received: headers. We read the headers
897always, in order to check on the format of the file, but only create a header
898list if requested to do so. */
899
900inheader = TRUE;
901if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
902if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
903
904while ((n = fgetc(fp)) != EOF)
905 {
906 header_line *h;
907 uschar flag[4];
908 int i;
909
910 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
911 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
912 goto SPOOL_READ_ERROR;
913 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
914
915 if (read_headers)
916 {
917 h = store_get(sizeof(header_line), FALSE);
918 h->next = NULL;
919 h->type = flag[0];
920 h->slen = n;
921 h->text = store_get(n+1, TRUE); /* tainted */
922
923 if (h->type == htype_received) received_count++;
924
925 if (header_list) header_last->next = h;
926 else header_list = h;
927 header_last = h;
928
929 for (i = 0; i < n; i++)
930 {
931 int c = fgetc(fp);
932 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
933 if (c == '\n' && h->type != htype_old) message_linecount++;
934 h->text[i] = c;
935 }
936 h->text[i] = 0;
937 }
938
939 /* Not requiring header data, just skip through the bytes */
940
941 else for (i = 0; i < n; i++)
942 {
943 int c = fgetc(fp);
944 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
945 }
946 }
947
948/* We have successfully read the data in the header file. Update the message
949line count by adding the body linecount to the header linecount. Close the file
950and give a positive response. */
951
952#ifndef COMPILE_UTILITY
953DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
954 body_linecount, message_linecount);
955#endif /* COMPILE_UTILITY */
956
957message_linecount += body_linecount;
958
959fclose(fp);
960return spool_read_OK;
961
962
963/* There was an error reading the spool or there was missing data,
964or there was a format error. A "read error" with no errno means an
965unexpected EOF, which we treat as a format error. */
966
967SPOOL_READ_ERROR:
968if (errno != 0)
969 {
970 n = errno;
971
972#ifndef COMPILE_UTILITY
973 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
974#endif /* COMPILE_UTILITY */
975
976 fclose(fp);
977 errno = n;
978 return inheader ? spool_read_hdrerror : spool_read_enverror;
979 }
980
981SPOOL_FORMAT_ERROR:
982
983#ifndef COMPILE_UTILITY
984DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
985#endif /* COMPILE_UTILITY */
986
987fclose(fp);
988errno = ERRNO_SPOOLFORMAT;
989return inheader? spool_read_hdrerror : spool_read_enverror;
990}
991
992/* vi: aw ai sw=2
993*/
994/* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.