From e5ba8aa79be1a0abc55e5265f0195d43711f0aac Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 1 Jan 2018 17:41:56 +0000 Subject: [PATCH] Content scan: Remove support for the 7-year deprecated ClamAV "STREAM" method --- doc/doc-txt/ChangeLog | 6 ++- src/src/EDITME | 11 ------ src/src/config.h.defaults | 1 - src/src/malware.c | 83 +++------------------------------------ 4 files changed, 9 insertions(+), 92 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 4390cd4fb..43446d8c2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -50,8 +50,10 @@ JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. JH/08 The "support for" informational output now, which built with Content Scanning support, has a line for the malware scanner interfaces compiled in. Interface can be individually included or not at build time. - The "aveserver", "kavdaemon" and "mksd" interfaces are now not included - by the template makefile "src/EDITME". + +JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included + by the template makefile "src/EDITME". The "STREAM" support for an older + ClamAV interface method is removed. Exim version 4.90 diff --git a/src/src/EDITME b/src/src/EDITME index 933f1ac18..3a57fab11 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -418,17 +418,6 @@ DISABLE_MAL_KAV=yes DISABLE_MAL_MKS=yes -#------------------------------------------------------------------------------ -# If you're using ClamAV and are backporting fixes to an old version, instead -# of staying current (which is the more usual approach) then you may need to -# use an older API which uses a STREAM command, now deprecated, instead of -# zINSTREAM. If you need to set this, please let the Exim developers know, as -# if nobody reports a need for it, we'll remove this option and clean up the -# code. zINSTREAM was introduced with ClamAV 0.95. -# -# WITH_OLD_CLAMAV_STREAM=yes - - #------------------------------------------------------------------------------ # If built with TLS, Exim includes code to support DKIM (DomainKeys Identified # Mail, RFC4871) signing and verification. Verification of signatures is diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 08dc446f6..a9d071765 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -186,7 +186,6 @@ Do not put spaces between # and the 'define'. #define DISABLE_MAL_AVAST #define DISABLE_MAL_SOCK #define DISABLE_MAL_CMDLINE -#define WITH_OLD_CLAMAV_STREAM /* EXPERIMENTAL features */ #define EXPERIMENTAL_BRIGHTMAIL diff --git a/src/src/malware.c b/src/src/malware.c index fa1a7aaba..27bcc9225 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -1361,8 +1361,7 @@ badseek: err = errno; * The zINSTREAM command was introduced with ClamAV 0.95, which marked * STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095 * In Exim, we use SCAN if using a Unix-domain socket or explicitly told that -* the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless -* WITH_OLD_CLAMAV_STREAM is defined. +* the TCP-connected daemon is actually local; otherwise we use zINSTREAM * See Exim bug 926 for details. */ uschar *p, *vname, *result_tag; @@ -1377,13 +1376,7 @@ badseek: err = errno; BOOL use_scan_command = FALSE; clamd_address * cv[MAX_CLAMD_SERVERS]; int num_servers = 0; -#ifdef WITH_OLD_CLAMAV_STREAM - unsigned int port; - uschar av_buffer2[1024]; - int sockData; -#else uint32_t send_size, send_final_zeroblock; -#endif blob cmd_str; /*XXX if unixdomain socket, only one server supported. Needs fixing; @@ -1482,11 +1475,7 @@ badseek: err = errno; /* Set up the very first data we will be sending */ if (!use_scan_command) -#ifdef WITH_OLD_CLAMAV_STREAM - { cmd_str.data = US"STREAM\n"; cmd_str.len = 7; } -#else { cmd_str.data = US"zINSTREAM"; cmd_str.len = 10; } -#endif else { cmd_str.data = string_sprintf("SCAN %s\n", eml_filename); @@ -1557,50 +1546,6 @@ badseek: err = errno; if (!use_scan_command) { -#ifdef WITH_OLD_CLAMAV_STREAM - /* "STREAM\n" command, get back a "PORT \n" response, send data to - * that port on a second connection; then in the scan-method-neutral - * part, read the response back on the original connection. */ - - DEBUG(D_acl) debug_printf_indent( - "Malware scan: issuing %s old-style remote scan (PORT)\n", - scanner_name); - - /* Pass the string to ClamAV (7 = "STREAM\n"), if not already sent */ - if (cmd_str.len) - if (m_sock_send(sock, cmd_str.data, cmd_str.len, &errstr) < 0) - return m_errlog_defer(scanent, CUS callout_address, errstr); - - memset(av_buffer2, 0, sizeof(av_buffer2)); - bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL)); - - if (bread < 0) - return m_errlog_defer_3(scanent, CUS callout_address, - string_sprintf("unable to read PORT from socket (%s)", - strerror(errno)), - sock); - - if (bread == sizeof(av_buffer2)) - return m_errlog_defer_3(scanent, CUS callout_address, - "buffer too small", sock); - - if (!(*av_buffer2)) - return m_errlog_defer_3(scanent, CUS callout_address, - "ClamAV returned null", sock); - - av_buffer2[bread] = '\0'; - if(sscanf(CS av_buffer2, "PORT %u\n", &port) != 1) - return m_errlog_defer_3(scanent, CUS callout_address, - string_sprintf("Expected port information from clamd, got '%s'", - av_buffer2), - sock); - - sockData = m_tcpsocket(connhost.address, port, NULL, &errstr, NULL); - if (sockData < 0) - return m_errlog_defer_3(scanent, CUS callout_address, errstr, sock); - -# define CLOSE_SOCKDATA (void)close(sockData) -#else /* WITH_OLD_CLAMAV_STREAM not defined */ /* New protocol: "zINSTREAM\n" followed by a sequence of chunks, a 4-byte number (network order), terminated by a zero-length chunk. */ @@ -1617,14 +1562,10 @@ badseek: err = errno; strerror(errno)), sock); -# define CLOSE_SOCKDATA /**/ -#endif - /* calc file size */ if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0) { int err = errno; - CLOSE_SOCKDATA; return m_errlog_defer_3(scanent, NULL, string_sprintf("can't open spool file %s: %s", eml_filename, strerror(err)), @@ -1634,7 +1575,7 @@ badseek: err = errno; { int err; b_seek: err = errno; - CLOSE_SOCKDATA; (void)close(clam_fd); + (void)close(clam_fd); return m_errlog_defer_3(scanent, NULL, string_sprintf("can't seek spool file %s: %s", eml_filename, strerror(err)), @@ -1643,7 +1584,7 @@ b_seek: err = errno; fsize_uint = (unsigned int) fsize; if ((off_t)fsize_uint != fsize) { - CLOSE_SOCKDATA; (void)close(clam_fd); + (void)close(clam_fd); return m_errlog_defer_3(scanent, NULL, string_sprintf("seeking spool file %s, size overflow", eml_filename), @@ -1654,7 +1595,7 @@ b_seek: err = errno; if (!(clamav_fbuf = US malloc(fsize_uint))) { - CLOSE_SOCKDATA; (void)close(clam_fd); + (void)close(clam_fd); return m_errlog_defer_3(scanent, NULL, string_sprintf("unable to allocate memory %u for file (%s)", fsize_uint, eml_filename), @@ -1664,7 +1605,7 @@ b_seek: err = errno; if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0) { int err = errno; - free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd); + free(clamav_fbuf); (void)close(clam_fd); return m_errlog_defer_3(scanent, NULL, string_sprintf("can't read spool file %s: %s", eml_filename, strerror(err)), @@ -1673,16 +1614,6 @@ b_seek: err = errno; (void)close(clam_fd); /* send file body to socket */ -#ifdef WITH_OLD_CLAMAV_STREAM - if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0) - { - free(clamav_fbuf); CLOSE_SOCKDATA; - return m_errlog_defer_3(scanent, NULL, - string_sprintf("unable to send file body to socket (%s:%u)", - hostname, port), - sock); - } -#else send_size = htonl(fsize_uint); send_final_zeroblock = 0; if ((send(sock, &send_size, sizeof(send_size), 0) < 0) || @@ -1694,12 +1625,8 @@ b_seek: err = errno; string_sprintf("unable to send file body to socket (%s)", hostname), sock); } -#endif free(clamav_fbuf); - - CLOSE_SOCKDATA; -#undef CLOSE_SOCKDATA } else { /* use scan command */ -- 2.25.1