projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix mariadb/mysql macro confusion
[exim.git] / src / src / malware.c
CommitLineData
8523533c
TK		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873
JH		 5/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
6 * License: GPL
7 * Copyright (c) The Exim Maintainers 2016
8 */
8523533c
TK		 9
10/* Code for calling virus (malware) scanners. Called from acl.c. */
11
12#include "exim.h"
13#ifdef WITH_CONTENT_SCAN
14
b1f8e4f8 15typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
71b32d41 16 M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
b1f8e4f8
JH		 17typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
18static struct scan
19{
20 scanner_t scancode;
21 const uschar * name;
22 const uschar * options_default;
23 contype_t conn;
24} m_scans[] =
25{
26 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
27 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
28 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
29 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
30 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
31 { M_CMDL, US"cmdline", NULL, MC_NONE },
32 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
33 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
34 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
35 { M_MKSD, US"mksd", NULL, MC_NONE },
b6fbf22d 36 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
71b32d41 37 { M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
b1f8e4f8
JH		 38 { -1, NULL, NULL, MC_NONE } /* end-marker */
39};
40
599dcb77
TL		 41/* The maximum number of clamd servers that are supported in the configuration */
42#define MAX_CLAMD_SERVERS 32
43#define MAX_CLAMD_SERVERS_S "32"
599dcb77 44
8a512ed5
JH		 45typedef struct clamd_address {
46 uschar * hostspec;
47 unsigned tcp_port;
48 unsigned retry;
49} clamd_address;
599dcb77 50
b1f8e4f8
JH		 51#ifndef nelements
52# define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
8523533c
TK		 53#endif
54
a9ccd69a 55
0f0c8159 56#define MALWARE_TIMEOUT 120 /* default timeout, seconds */
a9ccd69a
PH		 57
58
8523533c
TK		 59#define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
60#define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
61#define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
62
2376f2f5
TK		 63#define DERR_READ_ERR (1<<0) /* read error */
64#define DERR_NOMEMORY (1<<2) /* no memory */
65#define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
66#define DERR_BAD_CALL (1<<15) /* wrong command */
67
476be7e2
JH		 68
69static const uschar * malware_regex_default = US ".+";
70static const pcre * malware_default_re = NULL;
71
72static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
73static const pcre * drweb_re = NULL;
74
75static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
76static const pcre * fsec_re = NULL;
77
78static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
79static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
80static const pcre * kav_re_sus = NULL;
81static const pcre * kav_re_inf = NULL;
82
83static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
84static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
85static const pcre * ava_re_clean = NULL;
86static const pcre * ava_re_virus = NULL;
87
71b32d41
ACK		 88static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
89static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
90static const pcre * fprot6d_re_error = NULL;
91static const pcre * fprot6d_re_virus = NULL;
92
476be7e2
JH		 93
94
95/******************************************************************************/
96
b1f8e4f8 97/* Routine to check whether a system is big- or little-endian.
8523533c
TK		 98 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
99 Needed for proper kavdaemon implementation. Sigh. */
100#define BIG_MY_ENDIAN 0
101#define LITTLE_MY_ENDIAN 1
b1f8e4f8
JH		 102static int test_byte_order(void);
103static inline int
104test_byte_order()
105{
106 short int word = 0x0001;
5903c6ff 107 char *byte = CS &word;
b1f8e4f8 108 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
8523533c
TK		 109}
110
b1f8e4f8 111BOOL malware_ok = FALSE;
8523533c 112
8544e77a
PP		 113/* Gross hacks for the -bmalware option; perhaps we should just create
114the scan directory normally for that case, but look into rigging up the
115needed header variables if not already set on the command-line? */
116extern int spool_mbox_ok;
55240832 117extern uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
8544e77a 118
8544e77a
PP		 119
120
b1f8e4f8
JH		 121static inline int
122malware_errlog_defer(const uschar * str)
123{
8a512ed5
JH		 124log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
125return DEFER;
b1f8e4f8
JH		 126}
127
128static int
0ea02355
JH		 129m_errlog_defer(struct scan * scanent, const uschar * hostport,
130 const uschar * str)
b1f8e4f8 131{
0ea02355
JH		 132return malware_errlog_defer(string_sprintf("%s %s : %s",
133 scanent->name, hostport ? hostport : CUS"", str));
b1f8e4f8
JH		 134}
135static int
0ea02355
JH		 136m_errlog_defer_3(struct scan * scanent, const uschar * hostport,
137 const uschar * str, int fd_to_close)
b1f8e4f8 138{
8a512ed5 139(void) close(fd_to_close);
0ea02355 140return m_errlog_defer(scanent, hostport, str);
b1f8e4f8
JH		 141}
142
143/*************************************************/
144
145/* Only used by the Clamav code, which is working from a list of servers and
146uses the returned in_addr to get a second connection to the same system.
147*/
148static inline int
149m_tcpsocket(const uschar * hostname, unsigned int port,
10ac8d7f 150 host_item * host, uschar ** errstr, const blob * fastopen_blob)
b1f8e4f8 151{
4a5cbaff 152return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5,
10ac8d7f 153 host, errstr, fastopen_blob);
b1f8e4f8
JH		 154}
155
b1f8e4f8
JH		 156static int
157m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
158{
8a512ed5
JH		 159if (send(sock, buf, cnt, 0) < 0)
160 {
161 int err = errno;
162 (void)close(sock);
163 *errstr = string_sprintf("unable to send to socket (%s): %s",
164 buf, strerror(err));
165 return -1;
166 }
167return sock;
b1f8e4f8
JH		 168}
169
170static const pcre *
171m_pcre_compile(const uschar * re, uschar ** errstr)
172{
8a512ed5
JH		 173const uschar * rerror;
174int roffset;
175const pcre * cre;
176
177cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
178if (!cre)
179 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
180 re, rerror, roffset);
181return cre;
b1f8e4f8
JH		 182}
183
184uschar *
185m_pcre_exec(const pcre * cre, uschar * text)
186{
8a512ed5
JH		 187int ovector[10*3];
188int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
189 ovector, nelements(ovector));
190uschar * substr = NULL;
191if (i >= 2) /* Got it */
192 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
193return substr;
b1f8e4f8
JH		 194}
195
196static const pcre *
55414b25
JH		 197m_pcre_nextinlist(const uschar ** list, int * sep,
198 char * listerr, uschar ** errstr)
b1f8e4f8 199{
8a512ed5
JH		 200const uschar * list_ele;
201const pcre * cre = NULL;
202
203if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
204 *errstr = US listerr;
205else
ac4d558b
JH		 206 {
207 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
208 string_printing(list_ele));
8a512ed5 209 cre = m_pcre_compile(CUS list_ele, errstr);
ac4d558b 210 }
8a512ed5 211return cre;
b1f8e4f8
JH		 212}
213
4e71661f
JH		 214/*
215 Simple though inefficient wrapper for reading a line. Drop CRs and the
216 trailing newline. Can return early on buffer full. Null-terminate.
217 Apply initial timeout if no data ready.
218
0f0c8159
JH		 219 Return: number of chars - zero for an empty line
220 -1 on EOF
221 -2 on timeout or error
4e71661f
JH		 222*/
223static int
224recv_line(int fd, uschar * buffer, int bsize, int tmo)
225{
226uschar * p = buffer;
227ssize_t rcv;
0f0c8159 228BOOL ok = FALSE;
4e71661f
JH		 229
230if (!fd_ready(fd, tmo-time(NULL)))
0f0c8159 231 return -2;
4e71661f 232
0f0c8159 233/*XXX tmo handling assumes we always get a whole line */
4e71661f 234/* read until \n */
0f0c8159 235errno = 0;
4e71661f
JH		 236while ((rcv = read(fd, p, 1)) > 0)
237 {
0f0c8159 238 ok = TRUE;
4e71661f
JH		 239 if (p-buffer > bsize-2) break;
240 if (*p == '\n') break;
241 if (*p != '\r') p++;
242 }
0f0c8159
JH		 243if (!ok)
244 {
e1d04f48 245 DEBUG(D_acl) debug_printf_indent("Malware scan: read %s (%s)\n",
0f0c8159
JH		 246 rcv==0 ? "EOF" : "error", strerror(errno));
247 return rcv==0 ? -1 : -2;
248 }
4e71661f
JH		 249*p = '\0';
250
e1d04f48 251DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
4e71661f
JH		 252return p - buffer;
253}
254
255/* return TRUE iff size as requested */
256static BOOL
257recv_len(int sock, void * buf, int size, int tmo)
258{
259return fd_ready(sock, tmo-time(NULL))
260 ? recv(sock, buf, size, 0) == size
261 : FALSE;
262}
263
264
0f0c8159
JH		 265
266/* ============= private routines for the "mksd" scanner type ============== */
267
268#include <sys/uio.h>
269
270static inline int
271mksd_writev (int sock, struct iovec * iov, int iovcnt)
272{
273int i;
274
275for (;;)
276 {
277 do
278 i = writev (sock, iov, iovcnt);
279 while (i < 0 && errno == EINTR);
280 if (i <= 0)
281 {
282 (void) malware_errlog_defer(
283 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
284 return -1;
285 }
286 for (;;) /* check for short write */
287 if (i >= iov->iov_len)
288 {
289 if (--iovcnt == 0)
290 return 0;
291 i -= iov->iov_len;
292 iov++;
293 }
294 else
295 {
296 iov->iov_len -= i;
297 iov->iov_base = CS iov->iov_base + i;
298 break;
299 }
300 }
301}
302
303static inline int
304mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
305{
306int offset = 0;
307int i;
308
309do
310 {
311 i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
312 if (i <= 0)
313 {
314 (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
315 return -1;
316 }
317
318 offset += i;
319 /* offset == av_buffer_size -> buffer full */
320 if (offset == av_buffer_size)
321 {
322 (void) malware_errlog_defer(US"malformed reply received from mksd");
323 return -1;
324 }
325 } while (av_buffer[offset-1] != '\n');
326
327av_buffer[offset] = '\0';
328return offset;
329}
330
331static inline int
332mksd_parse_line(struct scan * scanent, char * line)
333{
334char *p;
335
336switch (*line)
337 {
338 case 'O': /* OK */
339 return OK;
340
341 case 'E':
342 case 'A': /* ERR */
343 if ((p = strchr (line, '\n')) != NULL)
344 *p = '\0';
0ea02355 345 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 346 string_sprintf("scanner failed: %s", line));
347
348 default: /* VIR */
349 if ((p = strchr (line, '\n')) != NULL)
350 {
351 *p = '\0';
352 if ( p-line > 5
353 && line[3] == ' '
354 && (p = strchr(line+4, ' ')) != NULL
355 && p-line > 4
356 )
357 {
358 *p = '\0';
359 malware_name = string_copy(US line+4);
360 return OK;
361 }
362 }
0ea02355 363 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 364 string_sprintf("malformed reply received: %s", line));
365 }
366}
367
368static int
369mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
370 int tmo)
371{
372struct iovec iov[3];
373const char *cmd = "MSQ\n";
374uschar av_buffer[1024];
375
376iov[0].iov_base = (void *) cmd;
377iov[0].iov_len = 3;
378iov[1].iov_base = (void *) scan_filename;
379iov[1].iov_len = Ustrlen(scan_filename);
380iov[2].iov_base = (void *) (cmd + 3);
381iov[2].iov_len = 1;
382
383if (mksd_writev (sock, iov, 3) < 0)
384 return DEFER;
385
386if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
387 return DEFER;
388
389return mksd_parse_line (scanent, CS av_buffer);
390}
391
8a512ed5
JH		 392
393static int
394clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
395{
396uschar * s;
397
398cd->retry = 0;
399while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
8a512ed5
JH		 400 if (Ustrncmp(s, "retry=", 6) == 0)
401 {
402 int sec = readconf_readtime((s += 6), '\0', FALSE);
403 if (sec < 0)
404 return FAIL;
405 cd->retry = sec;
406 }
407 else
408 return FAIL;
93a6fce2 409return OK;
8a512ed5
JH		 410}
411
8544e77a
PP		 412/*************************************************
413* Scan content for malware *
414*************************************************/
415
416/* This is an internal interface for scanning an email; the normal interface
417is via malware(), or there's malware_in_file() used for testing/debugging.
418
419Arguments:
0f0c8159 420 malware_re match condition for "malware="
040721f2
JH		 421 scan_filename the file holding the email to be scanned, if we're faking
422 this up for the -bmalware test, else NULL
0f0c8159 423 timeout if nonzero, non-default timeoutl
8544e77a
PP		 424
425Returns: Exim message processing code (OK, FAIL, DEFER, ...)
426 where true means malware was found (condition applies)
427*/
b1f8e4f8 428static int
040721f2
JH		 429malware_internal(const uschar * malware_re, const uschar * scan_filename,
430 int timeout)
b1f8e4f8 431{
0f0c8159 432int sep = 0;
55414b25 433const uschar *av_scanner_work = av_scanner;
0f0c8159 434uschar *scanner_name;
0f0c8159
JH		 435unsigned long mbox_size;
436FILE *mbox_file;
437const pcre *re;
438uschar * errstr;
439struct scan * scanent;
440const uschar * scanner_options;
441int sock = -1;
442time_t tmo;
040721f2 443uschar * eml_filename, * eml_dir;
0f0c8159 444
040721f2
JH		 445if (!malware_re)
446 return FAIL; /* empty means "don't match anything" */
447
448/* Ensure the eml mbox file is spooled up */
449
450if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
0f0c8159
JH		 451 return malware_errlog_defer(US"error while creating mbox spool file");
452
040721f2
JH		 453/* None of our current scanners need the mbox file as a stream (they use
454the name), so we can close it right away. Get the directory too. */
0f0c8159 455
040721f2
JH		 456(void) fclose(mbox_file);
457eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, '/') - eml_filename);
0f0c8159
JH		 458
459/* parse 1st option */
040721f2 460if (strcmpic(malware_re, US"false") == 0 || Ustrcmp(malware_re,"0") == 0)
0f0c8159
JH		 461 return FAIL; /* explicitly no matching */
462
463/* special cases (match anything except empty) */
476be7e2
JH		 464if ( strcmpic(malware_re,US"true") == 0
465 || Ustrcmp(malware_re,"*") == 0
466 || Ustrcmp(malware_re,"1") == 0
467 )
468 {
469 if ( !malware_default_re
470 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
471 return malware_errlog_defer(errstr);
0f0c8159 472 malware_re = malware_regex_default;
476be7e2
JH		 473 re = malware_default_re;
474 }
0f0c8159
JH		 475
476/* compile the regex, see if it works */
476be7e2 477else if (!(re = m_pcre_compile(malware_re, &errstr)))
0f0c8159
JH		 478 return malware_errlog_defer(errstr);
479
480/* if av_scanner starts with a dollar, expand it first */
481if (*av_scanner == '$')
482 {
483 if (!(av_scanner_work = expand_string(av_scanner)))
484 return malware_errlog_defer(
485 string_sprintf("av_scanner starts with $, but expansion failed: %s",
486 expand_string_message));
b1f8e4f8 487
0f0c8159 488 DEBUG(D_acl)
e1d04f48 489 debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
0f0c8159
JH		 490 /* disable result caching in this case */
491 malware_name = NULL;
492 malware_ok = FALSE;
8523533c
TK		 493 }
494
0f0c8159
JH		 495/* Do not scan twice (unless av_scanner is dynamic). */
496if (!malware_ok)
497 {
498 /* find the scanner type from the av_scanner option */
499 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
500 return malware_errlog_defer(US"av_scanner configuration variable is empty");
501 if (!timeout) timeout = MALWARE_TIMEOUT;
502 tmo = time(NULL) + timeout;
503
3e60dd41
JH		 504 for (scanent = m_scans; ; scanent++)
505 {
0f0c8159
JH		 506 if (!scanent->name)
507 return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
508 scanner_name));
509 if (strcmpic(scanner_name, US scanent->name) != 0)
510 continue;
ac4d558b
JH		 511 DEBUG(D_acl) debug_printf_indent("Malware scan: %s tmo=%s\n",
512 scanner_name, readconf_printtime(timeout));
513
0f0c8159
JH		 514 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
515 scanner_options = scanent->options_default;
516 if (scanent->conn == MC_NONE)
b1f8e4f8 517 break;
ac4d558b
JH		 518
519 DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
0f0c8159
JH		 520 switch(scanent->conn)
521 {
8c0d5ae8
JH		 522 case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
523 case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
3e60dd41 524 case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
0f0c8159 525 default: /* compiler quietening */ break;
384152a6 526 }
0f0c8159 527 if (sock < 0)
0ea02355 528 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 529 break;
530 }
8e669ac1 531
0f0c8159
JH		 532 switch (scanent->scancode)
533 {
534 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
b1f8e4f8 535 {
0f0c8159
JH		 536 uschar *fp_scan_option;
537 unsigned int detected=0, par_count=0;
538 uschar * scanrequest;
539 uschar buf[32768], *strhelper, *strhelper2;
540 uschar * malware_name_internal = NULL;
541 int len;
b1f8e4f8 542
0f0c8159 543 scanrequest = string_sprintf("GET %s", eml_filename);
b1f8e4f8 544
0f0c8159
JH		 545 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
546 NULL, 0)))
547 {
548 scanrequest = string_sprintf("%s%s%s", scanrequest,
549 par_count ? "%20" : "?", fp_scan_option);
550 par_count++;
551 }
552 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
e1d04f48 553 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
0f0c8159 554 scanner_name, scanrequest);
b1f8e4f8 555
0f0c8159
JH		 556 /* send scan request */
557 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
0ea02355 558 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 559
0f0c8159
JH		 560 while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
561 if (len > 0)
562 {
563 if (Ustrstr(buf, US"<detected type=\"") != NULL)
564 detected = 1;
565 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
4e71661f 566 {
0f0c8159 567 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
4e71661f 568 {
0f0c8159
JH		 569 *strhelper2 = '\0';
570 malware_name_internal = string_copy(strhelper+6);
4e71661f
JH		 571 }
572 }
0f0c8159 573 else if (Ustrstr(buf, US"<summary code=\""))
4e71661f 574 {
0f0c8159
JH		 575 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
576 ? malware_name_internal : NULL;
577 break;
4e71661f 578 }
0f0c8159
JH		 579 }
580 if (len < -1)
581 {
582 (void)close(sock);
583 return DEFER;
584 }
585 break;
586 } /* f-protd */
b1f8e4f8 587
0f0c8159
JH		 588 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
589 /* v0.1 - added support for tcp sockets */
590 /* v0.0 - initial release -- support for unix sockets */
591 {
592 int result;
593 off_t fsize;
594 unsigned int fsize_uint;
595 uschar * tmpbuf, *drweb_fbuf;
596 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
597 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
0f0c8159
JH		 598
599 /* prepare variables */
600 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
601 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
602
603 if (*scanner_options != '/')
604 {
605 /* calc file size */
606 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
0ea02355 607 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 608 string_sprintf("can't open spool file %s: %s",
609 eml_filename, strerror(errno)),
610 sock);
b1f8e4f8 611
0f0c8159
JH		 612 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
613 {
d315eda1
JH		 614 int err;
615badseek: err = errno;
b1f8e4f8 616 (void)close(drweb_fd);
0ea02355 617 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 618 string_sprintf("can't seek spool file %s: %s",
619 eml_filename, strerror(err)),
620 sock);
621 }
622 fsize_uint = (unsigned int) fsize;
623 if ((off_t)fsize_uint != fsize)
624 {
b1f8e4f8 625 (void)close(drweb_fd);
0ea02355 626 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 627 string_sprintf("seeking spool file %s, size overflow",
628 eml_filename),
629 sock);
4e71661f 630 }
0f0c8159 631 drweb_slen = htonl(fsize);
d315eda1
JH		 632 if (lseek(drweb_fd, 0, SEEK_SET) < 0)
633 goto badseek;
0f0c8159 634
e1d04f48 635 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
0f0c8159
JH		 636 scanner_name, scanner_options);
637
638 /* send scan request */
639 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
640 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
641 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
642 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
4e71661f 643 {
0f0c8159 644 (void)close(drweb_fd);
0ea02355 645 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 646 "unable to send commands to socket (%s)", scanner_options),
647 sock);
4e71661f 648 }
8e669ac1 649
40c90bca 650 if (!(drweb_fbuf = US malloc(fsize_uint)))
0f0c8159
JH		 651 {
652 (void)close(drweb_fd);
0ea02355 653 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 654 string_sprintf("unable to allocate memory %u for file (%s)",
655 fsize_uint, eml_filename),
656 sock);
657 }
b1f8e4f8 658
0f0c8159
JH		 659 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
660 {
661 int err = errno;
662 (void)close(drweb_fd);
663 free(drweb_fbuf);
0ea02355 664 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 665 string_sprintf("can't read spool file %s: %s",
666 eml_filename, strerror(err)),
667 sock);
668 }
669 (void)close(drweb_fd);
b1f8e4f8 670
0f0c8159
JH		 671 /* send file body to socket */
672 if (send(sock, drweb_fbuf, fsize, 0) < 0)
4e71661f 673 {
0f0c8159 674 free(drweb_fbuf);
0ea02355 675 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 676 "unable to send file body to socket (%s)", scanner_options),
677 sock);
678 }
0f0c8159
JH		 679 }
680 else
681 {
682 drweb_slen = htonl(Ustrlen(eml_filename));
b1f8e4f8 683
e1d04f48 684 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
0f0c8159 685 scanner_name, scanner_options);
b1f8e4f8 686
0f0c8159
JH		 687 /* send scan request */
688 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
689 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
690 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
691 (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
692 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
0ea02355 693 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 694 "unable to send commands to socket (%s)", scanner_options),
695 sock);
696 }
b1f8e4f8 697
0f0c8159
JH		 698 /* wait for result */
699 if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
0ea02355 700 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 701 US"unable to read return code", sock);
702 drweb_rc = ntohl(drweb_rc);
703
704 if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
0ea02355 705 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 706 US"unable to read the number of viruses", sock);
707 drweb_vnum = ntohl(drweb_vnum);
708
709 /* "virus(es) found" if virus number is > 0 */
710 if (drweb_vnum)
711 {
712 int i;
b1f8e4f8 713
0f0c8159
JH		 714 /* setup default virus name */
715 malware_name = US"unknown";
b1f8e4f8 716
0f0c8159 717 /* set up match regex */
476be7e2
JH		 718 if (!drweb_re)
719 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
b1f8e4f8 720
0f0c8159
JH		 721 /* read and concatenate virus names into one string */
722 for (i = 0; i < drweb_vnum; i++)
4e71661f 723 {
0f0c8159
JH		 724 int size = 0, off = 0, ovector[10*3];
725 /* read the size of report */
726 if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
0ea02355 727 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 728 US"cannot read report size", sock);
729 drweb_slen = ntohl(drweb_slen);
730 tmpbuf = store_get(drweb_slen);
b1f8e4f8 731
0f0c8159
JH		 732 /* read report body */
733 if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
0ea02355 734 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 735 US"cannot read report string", sock);
736 tmpbuf[drweb_slen] = '\0';
8544e77a 737
0f0c8159
JH		 738 /* try matcher on the line, grab substring */
739 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
740 ovector, nelements(ovector));
741 if (result >= 2)
742 {
743 const char * pre_malware_nb;
8e669ac1 744
0f0c8159 745 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
8e669ac1 746
0f0c8159
JH		 747 if (i==0) /* the first name we just copy to malware_name */
748 malware_name = string_append(NULL, &size, &off,
749 1, pre_malware_nb);
8e669ac1 750
0f0c8159
JH		 751 else /* concatenate each new virus name to previous */
752 malware_name = string_append(malware_name, &size, &off,
753 2, "/", pre_malware_nb);
8e669ac1 754
0f0c8159
JH		 755 pcre_free_substring(pre_malware_nb);
756 }
757 }
758 }
759 else
760 {
761 const char *drweb_s = NULL;
762
763 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
764 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
765 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
766 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
767 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
768 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
769 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
770 * and others are ignored */
771 if (drweb_s)
0ea02355 772 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 773 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
774 sock);
8e669ac1 775
0f0c8159 776 /* no virus found */
b1f8e4f8 777 malware_name = NULL;
0f0c8159
JH		 778 }
779 break;
780 } /* drweb */
8e669ac1 781
0f0c8159
JH		 782 case M_AVES: /* "aveserver" scanner type -------------------------------- */
783 {
784 uschar buf[32768];
785 int result;
8544e77a 786
0f0c8159
JH		 787 /* read aveserver's greeting and see if it is ready (2xx greeting) */
788 buf[0] = 0;
789 recv_line(sock, buf, sizeof(buf), tmo);
8544e77a 790
0f0c8159 791 if (buf[0] != '2') /* aveserver is having problems */
0ea02355 792 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 793 string_sprintf("unavailable (Responded: %s).",
5903c6ff 794 ((buf[0] != 0) ? buf : US "nothing") ),
0f0c8159 795 sock);
8e669ac1 796
0f0c8159
JH		 797 /* prepare our command */
798 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
799 eml_filename);
800
801 /* and send it */
e1d04f48 802 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
0f0c8159
JH		 803 scanner_name, buf);
804 if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
0ea02355 805 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 806
807 malware_name = NULL;
808 result = 0;
809 /* read response lines, find malware name and final response */
810 while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
811 {
812 if (buf[0] == '2')
813 break;
814 if (buf[0] == '5') /* aveserver is having problems */
4e71661f 815 {
0ea02355 816 result = m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 817 string_sprintf("unable to scan file %s (Responded: %s).",
818 eml_filename, buf));
819 break;
4e71661f 820 }
0f0c8159
JH		 821 if (Ustrncmp(buf,"322",3) == 0)
822 {
823 uschar *p = Ustrchr(&buf[4], ' ');
824 *p = '\0';
825 malware_name = string_copy(&buf[4]);
826 }
827 }
828
829 if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
0ea02355 830 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 831
832 /* read aveserver's greeting and see if it is ready (2xx greeting) */
833 buf[0] = 0;
834 recv_line(sock, buf, sizeof(buf), tmo);
835
836 if (buf[0] != '2') /* aveserver is having problems */
0ea02355 837 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 838 string_sprintf("unable to quit dialogue (Responded: %s).",
5903c6ff 839 ((buf[0] != 0) ? buf : US "nothing") ),
0f0c8159
JH		 840 sock);
841
842 if (result == DEFER)
843 {
844 (void)close(sock);
845 return DEFER;
846 }
847 break;
b1f8e4f8 848 } /* aveserver */
8e669ac1 849
b1f8e4f8
JH		 850 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
851 {
0f0c8159
JH		 852 int i, j, bread = 0;
853 uschar * file_name;
854 uschar av_buffer[1024];
0f0c8159
JH		 855 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
856 US"CONFIGURE\tTIMEOUT\t0\n",
857 US"CONFIGURE\tMAXARCH\t5\n",
858 US"CONFIGURE\tMIME\t1\n" };
859
860 malware_name = NULL;
861
e1d04f48 862 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159
JH		 863 scanner_name, scanner_options);
864 /* pass options */
865 memset(av_buffer, 0, sizeof(av_buffer));
866 for (i = 0; i != nelements(cmdopt); i++)
867 {
b1f8e4f8 868
0f0c8159 869 if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
0ea02355 870 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 871
0f0c8159
JH		 872 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
873 if (bread > 0) av_buffer[bread]='\0';
874 if (bread < 0)
0ea02355 875 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 876 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
877 sock);
878 for (j = 0; j < bread; j++)
879 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
880 av_buffer[j] ='@';
881 }
8e669ac1 882
0f0c8159
JH		 883 /* pass the mailfile to fsecure */
884 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
b1f8e4f8 885
0f0c8159 886 if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
0ea02355 887 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 888
0f0c8159
JH		 889 /* set up match */
890 /* todo also SUSPICION\t */
476be7e2
JH		 891 if (!fsec_re)
892 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
b1f8e4f8 893
0f0c8159
JH		 894 /* read report, linewise. Apply a timeout as the Fsecure daemon
895 sometimes wants an answer to "PING" but they won't tell us what */
fd02dc0e 896 {
0f0c8159
JH		 897 uschar * p = av_buffer;
898 uschar * q;
fd02dc0e 899
0f0c8159
JH		 900 for (;;)
901 {
80591636 902 errno = ETIMEDOUT;
0f0c8159
JH		 903 i = av_buffer+sizeof(av_buffer)-p;
904 if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
0ea02355 905 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 906 string_sprintf("unable to read result (%s)", strerror(errno)),
907 sock);
b1f8e4f8 908
755762fd 909 for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
0f0c8159
JH		 910 {
911 *q = '\0';
fd02dc0e 912
0f0c8159
JH		 913 /* Really search for virus again? */
914 if (!malware_name)
915 /* try matcher on the line, grab substring */
476be7e2 916 malware_name = m_pcre_exec(fsec_re, p);
fd02dc0e 917
0f0c8159
JH		 918 if (Ustrstr(p, "OK\tScan ok."))
919 goto fsec_found;
920 }
fd02dc0e 921
0f0c8159
JH		 922 /* copy down the trailing partial line then read another chunk */
923 i = av_buffer+sizeof(av_buffer)-p;
924 memmove(av_buffer, p, i);
925 p = av_buffer+i;
fd02dc0e 926 }
b1f8e4f8 927 }
fd02dc0e
JH		 928
929 fsec_found:
b1f8e4f8
JH		 930 break;
931 } /* fsecure */
599dcb77 932
b1f8e4f8
JH		 933 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
934 {
0f0c8159
JH		 935 time_t t;
936 uschar tmpbuf[1024];
937 uschar * scanrequest;
938 int kav_rc;
2decbec9
RC		 939 unsigned long kav_reportlen;
940 int bread;
0f0c8159
JH		 941 const pcre *kav_re;
942 uschar *p;
943
944 /* get current date and time, build scan request */
945 time(&t);
946 /* pdp note: before the eml_filename parameter, this scanned the
947 directory; not finding documentation, so we'll strip off the directory.
948 The side-effect is that the test framework scanning may end up in
949 scanning more than was requested, but for the normal interface, this is
950 fine. */
951
952 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
953 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
954 p = Ustrrchr(scanrequest, '/');
955 if (p)
956 *p = '\0';
957
e1d04f48 958 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159
JH		 959 scanner_name, scanner_options);
960
961 /* send scan request */
962 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
0ea02355 963 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 964
0f0c8159
JH		 965 /* wait for result */
966 if (!recv_len(sock, tmpbuf, 2, tmo))
0ea02355 967 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 968 US"unable to read 2 bytes from socket.", sock);
b1f8e4f8 969
0f0c8159
JH		 970 /* get errorcode from one nibble */
971 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
972 switch(kav_rc)
973 {
974 case 5: case 6: /* improper kavdaemon configuration */
0ea02355 975 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 976 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
977 sock);
978 case 1:
0ea02355 979 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 980 US"reported 'scanning not completed' (code 1).", sock);
981 case 7:
0ea02355 982 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 983 US"reported 'kavdaemon damaged' (code 7).", sock);
984 }
b1f8e4f8 985
4c04137d 986 /* code 8 is not handled, since it is ambiguous. It appears mostly on
0f0c8159 987 bounces where part of a file has been cut off */
b1f8e4f8 988
0f0c8159
JH		 989 /* "virus found" return codes (2-4) */
990 if (kav_rc > 1 && kav_rc < 5)
b1f8e4f8 991 {
0f0c8159 992 int report_flag = 0;
599dcb77 993
0f0c8159
JH		 994 /* setup default virus name */
995 malware_name = US"unknown";
b1f8e4f8 996
0f0c8159 997 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
b1f8e4f8 998
0f0c8159
JH		 999 /* read the report, if available */
1000 if (report_flag == 1)
1001 {
1002 /* read report size */
1003 if (!recv_len(sock, &kav_reportlen, 4, tmo))
0ea02355 1004 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 1005 US"cannot read report size", sock);
b1f8e4f8 1006
0f0c8159
JH		 1007 /* it's possible that avp returns av_buffer[1] == 1 but the
1008 reportsize is 0 (!?) */
1009 if (kav_reportlen > 0)
4e71661f 1010 {
0f0c8159 1011 /* set up match regex, depends on retcode */
476be7e2
JH		 1012 if (kav_rc == 3)
1013 {
1014 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
1015 kav_re = kav_re_sus;
1016 }
1017 else
1018 {
1019 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1020 kav_re = kav_re_inf;
1021 }
0f0c8159 1022
6e92b3ae
JH		 1023 /* read report, linewise. Using size from stream to read amount of data
1024 from same stream is safe enough. */
1025 /* coverity[tainted_data] */
0f0c8159 1026 while (kav_reportlen > 0)
4e71661f 1027 {
0f0c8159
JH		 1028 if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
1029 break;
1030 kav_reportlen -= bread+1;
1031
1032 /* try matcher on the line, grab substring */
1033 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1034 break;
b1f8e4f8
JH		 1035 }
1036 }
1037 }
0f0c8159
JH		 1038 }
1039 else /* no virus found */
1040 malware_name = NULL;
599dcb77 1041
0f0c8159 1042 break;
599dcb77 1043 }
8544e77a 1044
b1f8e4f8
JH		 1045 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1046 {
0f0c8159
JH		 1047 const uschar *cmdline_scanner = scanner_options;
1048 const pcre *cmdline_trigger_re;
1049 const pcre *cmdline_regex_re;
1050 uschar * file_name;
1051 uschar * commandline;
1052 void (*eximsigchld)(int);
1053 void (*eximsigpipe)(int);
1054 FILE *scanner_out = NULL;
1055 int scanner_fd;
1056 FILE *scanner_record = NULL;
1057 uschar linebuffer[32767];
1058 int rcnt;
1059 int trigger = 0;
1060 uschar *p;
1061
1062 if (!cmdline_scanner)
0ea02355 1063 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1064
0f0c8159
JH		 1065 /* find scanner output trigger */
1066 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1067 "missing trigger specification", &errstr);
1068 if (!cmdline_trigger_re)
0ea02355 1069 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1070
0f0c8159
JH		 1071 /* find scanner name regex */
1072 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1073 "missing virus name regex specification", &errstr);
1074 if (!cmdline_regex_re)
0ea02355 1075 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1076
0f0c8159
JH		 1077 /* prepare scanner call; despite the naming, file_name holds a directory
1078 name which is documented as the value given to %s. */
b1f8e4f8 1079
0f0c8159
JH		 1080 file_name = string_copy(eml_filename);
1081 p = Ustrrchr(file_name, '/');
1082 if (p)
1083 *p = '\0';
1084 commandline = string_sprintf(CS cmdline_scanner, file_name);
b1f8e4f8 1085
0f0c8159
JH		 1086 /* redirect STDERR too */
1087 commandline = string_sprintf("%s 2>&1", commandline);
b1f8e4f8 1088
e1d04f48 1089 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159 1090 scanner_name, commandline);
b1f8e4f8 1091
0f0c8159
JH		 1092 /* store exims signal handlers */
1093 eximsigchld = signal(SIGCHLD,SIG_DFL);
1094 eximsigpipe = signal(SIGPIPE,SIG_DFL);
b1f8e4f8 1095
0f0c8159
JH		 1096 if (!(scanner_out = popen(CS commandline,"r")))
1097 {
1098 int err = errno;
1099 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1100 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1101 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1102 }
1103 scanner_fd = fileno(scanner_out);
94a18f28 1104
040721f2 1105 file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
b1f8e4f8 1106
0f0c8159
JH		 1107 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1108 {
1109 int err = errno;
1110 (void) pclose(scanner_out);
1111 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1112 return m_errlog_defer(scanent, NULL, string_sprintf(
0f0c8159
JH		 1113 "opening scanner output file (%s) failed: %s.",
1114 file_name, strerror(err)));
1115 }
8e669ac1 1116
0f0c8159
JH		 1117 /* look for trigger while recording output */
1118 while ((rcnt = recv_line(scanner_fd, linebuffer,
1119 sizeof(linebuffer), tmo)))
1120 {
1121 if (rcnt < 0)
93a6fce2
JH		 1122 {
1123 int err = errno;
0f0c8159
JH		 1124 if (rcnt == -1)
1125 break;
93a6fce2
JH		 1126 (void) pclose(scanner_out);
1127 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1128 return m_errlog_defer(scanent, NULL, string_sprintf(
93a6fce2
JH		 1129 "unable to read from scanner (%s): %s",
1130 commandline, strerror(err)));
1131 }
4e71661f 1132
0f0c8159
JH		 1133 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1134 {
1135 /* short write */
1136 (void) pclose(scanner_out);
1137 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1138 return m_errlog_defer(scanent, NULL, string_sprintf(
0f0c8159 1139 "short write on scanner output file (%s).", file_name));
4e71661f 1140 }
0f0c8159
JH		 1141 putc('\n', scanner_record);
1142 /* try trigger match */
1143 if ( !trigger
1144 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1145 )
1146 trigger = 1;
1147 }
8e669ac1 1148
0f0c8159
JH		 1149 (void)fclose(scanner_record);
1150 sep = pclose(scanner_out);
1151 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1152 if (sep != 0)
0ea02355 1153 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1154 sep == -1
1155 ? string_sprintf("running scanner failed: %s", strerror(sep))
1156 : string_sprintf("scanner returned error code: %d", sep));
b1f8e4f8 1157
0f0c8159
JH		 1158 if (trigger)
1159 {
1160 uschar * s;
1161 /* setup default virus name */
1162 malware_name = US"unknown";
b1f8e4f8 1163
0f0c8159
JH		 1164 /* re-open the scanner output file, look for name match */
1165 scanner_record = fopen(CS file_name, "rb");
1166 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1167 {
1168 /* try match */
1169 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1170 malware_name = s;
4e71661f 1171 }
0f0c8159
JH		 1172 (void)fclose(scanner_record);
1173 }
1174 else /* no virus found */
1175 malware_name = NULL;
1176 break;
b1f8e4f8 1177 } /* cmdline */
599dcb77 1178
b1f8e4f8
JH		 1179 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1180 {
0f0c8159
JH		 1181 int bread = 0;
1182 uschar *p;
1183 uschar * file_name;
1184 uschar av_buffer[1024];
b1f8e4f8 1185
0f0c8159
JH		 1186 /* pass the scan directory to sophie */
1187 file_name = string_copy(eml_filename);
1188 if ((p = Ustrrchr(file_name, '/')))
1189 *p = '\0';
b1f8e4f8 1190
e1d04f48 1191 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159 1192 scanner_name, scanner_options);
b1f8e4f8 1193
0f0c8159
JH		 1194 if ( write(sock, file_name, Ustrlen(file_name)) < 0
1195 || write(sock, "\n", 1) != 1
1196 )
0ea02355 1197 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1198 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1199 sock);
b1f8e4f8 1200
0f0c8159
JH		 1201 /* wait for result */
1202 memset(av_buffer, 0, sizeof(av_buffer));
1203 if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
0ea02355 1204 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1205 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1206 sock);
1207
1208 /* infected ? */
1209 if (av_buffer[0] == '1') {
1210 uschar * s = Ustrchr(av_buffer, '\n');
1211 if (s)
1212 *s = '\0';
1213 malware_name = string_copy(&av_buffer[2]);
1214 }
1215 else if (!strncmp(CS av_buffer, "-1", 2))
0ea02355
JH		 1216 return m_errlog_defer_3(scanent, CUS callout_address,
1217 US"scanner reported error", sock);
0f0c8159
JH		 1218 else /* all ok, no virus */
1219 malware_name = NULL;
599dcb77 1220
0f0c8159 1221 break;
8544e77a 1222 }
8e669ac1 1223
b1f8e4f8
JH		 1224 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1225 {
0f0c8159
JH		 1226/* This code was originally contributed by David Saez */
1227/* There are three scanning methods available to us:
1228* (1) Use the SCAN command, pointing to a file in the filesystem
1229* (2) Use the STREAM command, send the data on a separate port
1230* (3) Use the zINSTREAM command, send the data inline
1231* The zINSTREAM command was introduced with ClamAV 0.95, which marked
1232* STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1233* In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1234* the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
1235* WITH_OLD_CLAMAV_STREAM is defined.
1236* See Exim bug 926 for details. */
1237
80591636 1238 uschar *p, *vname, *result_tag;
0f0c8159
JH		 1239 int bread=0;
1240 uschar * file_name;
1241 uschar av_buffer[1024];
1242 uschar *hostname = US"";
1243 host_item connhost;
1244 uschar *clamav_fbuf;
1245 int clam_fd, result;
1246 off_t fsize;
1247 unsigned int fsize_uint;
1248 BOOL use_scan_command = FALSE;
8a512ed5 1249 clamd_address * cv[MAX_CLAMD_SERVERS];
0f0c8159
JH		 1250 int num_servers = 0;
1251#ifdef WITH_OLD_CLAMAV_STREAM
1252 unsigned int port;
1253 uschar av_buffer2[1024];
1254 int sockData;
1255#else
1256 uint32_t send_size, send_final_zeroblock;
1257#endif
4a5cbaff 1258 blob cmd_str;
0f0c8159 1259
8a512ed5
JH		 1260 /*XXX if unixdomain socket, only one server supported. Needs fixing;
1261 there's no reason we should not mix local and remote servers */
1262
0f0c8159 1263 if (*scanner_options == '/')
8a512ed5
JH		 1264 {
1265 clamd_address * cd;
1266 const uschar * sublist;
1267 int subsep = ' ';
1268
0f0c8159
JH		 1269 /* Local file; so we def want to use_scan_command and don't want to try
1270 * passing IP/port combinations */
1271 use_scan_command = TRUE;
8a512ed5
JH		 1272 cd = (clamd_address *) store_get(sizeof(clamd_address));
1273
1274 /* extract socket-path part */
1275 sublist = scanner_options;
1276 cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
1277
1278 /* parse options */
1279 if (clamd_option(cd, sublist, &subsep) != OK)
0ea02355 1280 return m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1281 string_sprintf("bad option '%s'", scanner_options));
1282 cv[0] = cd;
1283 }
0f0c8159
JH		 1284 else
1285 {
0f0c8159
JH		 1286 /* Go through the rest of the list of host/port and construct an array
1287 * of servers to try. The first one is the bit we just passed from
1288 * scanner_options so process that first and then scan the remainder of
1289 * the address buffer */
1290 do
4e71661f 1291 {
8a512ed5
JH		 1292 clamd_address * cd;
1293 const uschar * sublist;
1294 int subsep = ' ';
1295 uschar * s;
b1f8e4f8 1296
0f0c8159
JH		 1297 /* The 'local' option means use the SCAN command over the network
1298 * socket (ie common file storage in use) */
8a512ed5
JH		 1299 /*XXX we could accept this also as a local option? */
1300 if (strcmpic(scanner_options, US"local") == 0)
0f0c8159
JH		 1301 {
1302 use_scan_command = TRUE;
1303 continue;
1304 }
b1f8e4f8 1305
8a512ed5 1306 cd = (clamd_address *) store_get(sizeof(clamd_address));
b1f8e4f8 1307
0f0c8159 1308 /* extract host and port part */
8a512ed5
JH		 1309 sublist = scanner_options;
1310 if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
1311 {
0ea02355 1312 (void) m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1313 string_sprintf("missing address: '%s'", scanner_options));
1314 continue;
1315 }
1316 if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
0f0c8159 1317 {
0ea02355 1318 (void) m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1319 string_sprintf("missing port: '%s'", scanner_options));
1320 continue;
1321 }
93a6fce2 1322 cd->tcp_port = atoi(CS s);
8a512ed5
JH		 1323
1324 /* parse options */
1325 /*XXX should these options be common over scanner types? */
1326 if (clamd_option(cd, sublist, &subsep) != OK)
0ea02355 1327 return m_errlog_defer(scanent, NULL,
8a512ed5 1328 string_sprintf("bad option '%s'", scanner_options));
b1f8e4f8 1329
8a512ed5 1330 cv[num_servers++] = cd;
0f0c8159
JH		 1331 if (num_servers >= MAX_CLAMD_SERVERS)
1332 {
0ea02355 1333 (void) m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1334 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1335 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1336 break;
1337 }
8a512ed5
JH		 1338 } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1339 NULL, 0)));
8e669ac1 1340
0f0c8159
JH		 1341 /* check if we have at least one server */
1342 if (!num_servers)
0ea02355 1343 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1344 US"no useable server addresses in malware configuration option.");
1345 }
b1f8e4f8 1346
0f0c8159
JH		 1347 /* See the discussion of response formats below to see why we really
1348 don't like colons in filenames when passing filenames to ClamAV. */
1349 if (use_scan_command && Ustrchr(eml_filename, ':'))
0ea02355 1350 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1351 string_sprintf("local/SCAN mode incompatible with" \
1352 " : in path to email filename [%s]", eml_filename));
b1f8e4f8 1353
4a5cbaff
JH		 1354 /* Set up the very first data we will be sending */
1355 if (!use_scan_command)
1356#ifdef WITH_OLD_CLAMAV_STREAM
1357 { cmd_str.data = US"STREAM\n"; cmd_str.len = 7; }
1358#else
1359 { cmd_str.data = US"zINSTREAM"; cmd_str.len = 10; }
1360#endif
1361 else
1362 {
1363 cmd_str.data = string_sprintf("SCAN %s\n", eml_filename);
1364 cmd_str.len = Ustrlen(cmd_str.data);
1365 }
1366
0f0c8159
JH		 1367 /* We have some network servers specified */
1368 if (num_servers)
1369 {
1370 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1371 * only supports AF_INET, but we should probably be looking to the
1372 * future and rewriting this to be protocol-independent anyway. */
b1f8e4f8 1373
0f0c8159
JH		 1374 while (num_servers > 0)
1375 {
4a5cbaff 1376 int i = random_number(num_servers);
8a512ed5 1377 clamd_address * cd = cv[i];
b1f8e4f8 1378
e1d04f48 1379 DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
8a512ed5 1380 cd->hostspec, cd->tcp_port);
0f0c8159
JH		 1381
1382 /* Lookup the host. This is to ensure that we connect to the same IP
1383 * on both connections (as one host could resolve to multiple ips) */
8a512ed5 1384 for (;;)
0f0c8159 1385 {
4a5cbaff
JH		 1386 if ((sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
1387 &connhost, &errstr, &cmd_str)) >= 0)
8a512ed5
JH		 1388 {
1389 /* Connection successfully established with a server */
1390 hostname = cd->hostspec;
4a5cbaff 1391 cmd_str.len = 0;
8a512ed5
JH		 1392 break;
1393 }
1394 if (cd->retry <= 0) break;
1395 while (cd->retry > 0) cd->retry = sleep(cd->retry);
4e71661f 1396 }
8a512ed5
JH		 1397 if (sock >= 0)
1398 break;
b1f8e4f8 1399
0ea02355 1400 (void) m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 1401
1402 /* Remove the server from the list. XXX We should free the memory */
1403 num_servers--;
8a512ed5
JH		 1404 for (; i < num_servers; i++)
1405 cv[i] = cv[i+1];
4e71661f 1406 }
8e669ac1 1407
0f0c8159 1408 if (num_servers == 0)
0ea02355 1409 return m_errlog_defer(scanent, NULL, US"all servers failed");
0f0c8159
JH		 1410 }
1411 else
8a512ed5
JH		 1412 for (;;)
1413 {
1414 if ((sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
1415 {
1416 hostname = cv[0]->hostspec;
1417 break;
1418 }
1419 if (cv[0]->retry <= 0)
0ea02355 1420 return m_errlog_defer(scanent, CUS callout_address, errstr);
8a512ed5
JH		 1421 while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
1422 }
b1f8e4f8 1423
0f0c8159
JH		 1424 /* have socket in variable "sock"; command to use is semi-independent of
1425 * the socket protocol. We use SCAN if is local (either Unix/local
1426 * domain socket, or explicitly told local) else we stream the data.
1427 * How we stream the data depends upon how we were built. */
1428
1429 if (!use_scan_command)
1430 {
4e71661f 1431#ifdef WITH_OLD_CLAMAV_STREAM
0f0c8159
JH		 1432 /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
1433 * that port on a second connection; then in the scan-method-neutral
1434 * part, read the response back on the original connection. */
b1f8e4f8 1435
e1d04f48 1436 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 1437 "Malware scan: issuing %s old-style remote scan (PORT)\n",
1438 scanner_name);
b1f8e4f8 1439
4a5cbaff
JH		 1440 /* Pass the string to ClamAV (7 = "STREAM\n"), if not already sent */
1441 if (cmd_str.len)
1442 if (m_sock_send(sock, cmd_str.data, cmd_str.len, &errstr) < 0)
1443 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1444
0f0c8159
JH		 1445 memset(av_buffer2, 0, sizeof(av_buffer2));
1446 bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL));
b1f8e4f8 1447
0f0c8159 1448 if (bread < 0)
0ea02355 1449 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1450 string_sprintf("unable to read PORT from socket (%s)",
1451 strerror(errno)),
1452 sock);
b1f8e4f8 1453
0f0c8159 1454 if (bread == sizeof(av_buffer2))
0ea02355
JH		 1455 return m_errlog_defer_3(scanent, CUS callout_address,
1456 "buffer too small", sock);
b1f8e4f8 1457
0f0c8159 1458 if (!(*av_buffer2))
0ea02355
JH		 1459 return m_errlog_defer_3(scanent, CUS callout_address,
1460 "ClamAV returned null", sock);
b1f8e4f8 1461
0f0c8159 1462 av_buffer2[bread] = '\0';
4a5cbaff 1463 if(sscanf(CS av_buffer2, "PORT %u\n", &port) != 1)
0ea02355 1464 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1465 string_sprintf("Expected port information from clamd, got '%s'",
1466 av_buffer2),
1467 sock);
b1f8e4f8 1468
4a5cbaff 1469 sockData = m_tcpsocket(connhost.address, port, NULL, &errstr, NULL);
0f0c8159 1470 if (sockData < 0)
0ea02355 1471 return m_errlog_defer_3(scanent, CUS callout_address, errstr, sock);
b1f8e4f8 1472
4e71661f
JH		 1473# define CLOSE_SOCKDATA (void)close(sockData)
1474#else /* WITH_OLD_CLAMAV_STREAM not defined */
0f0c8159
JH		 1475 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1476 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1477 chunk. */
b1f8e4f8 1478
e1d04f48 1479 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 1480 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1481 scanner_name);
b1f8e4f8 1482
4a5cbaff
JH		 1483 /* Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent */
1484 if (cmd_str.len)
1485 if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
1486 return m_errlog_defer_3(scanent, CUS hostname,
1487 string_sprintf("unable to send zINSTREAM to socket (%s)",
1488 strerror(errno)),
1489 sock);
b1f8e4f8 1490
4e71661f
JH		 1491# define CLOSE_SOCKDATA /**/
1492#endif
b1f8e4f8 1493
0f0c8159
JH		 1494 /* calc file size */
1495 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1496 {
1497 int err = errno;
1498 CLOSE_SOCKDATA;
0ea02355 1499 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1500 string_sprintf("can't open spool file %s: %s",
1501 eml_filename, strerror(err)),
1502 sock);
1503 }
1504 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1505 {
d315eda1
JH		 1506 int err;
1507b_seek: err = errno;
0f0c8159 1508 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1509 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1510 string_sprintf("can't seek spool file %s: %s",
1511 eml_filename, strerror(err)),
1512 sock);
1513 }
1514 fsize_uint = (unsigned int) fsize;
1515 if ((off_t)fsize_uint != fsize)
1516 {
1517 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1518 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1519 string_sprintf("seeking spool file %s, size overflow",
1520 eml_filename),
1521 sock);
1522 }
d315eda1
JH		 1523 if (lseek(clam_fd, 0, SEEK_SET) < 0)
1524 goto b_seek;
b1f8e4f8 1525
40c90bca 1526 if (!(clamav_fbuf = US malloc(fsize_uint)))
0f0c8159
JH		 1527 {
1528 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1529 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1530 string_sprintf("unable to allocate memory %u for file (%s)",
1531 fsize_uint, eml_filename),
1532 sock);
1533 }
b1f8e4f8 1534
0f0c8159
JH		 1535 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1536 {
1537 int err = errno;
1538 free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1539 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1540 string_sprintf("can't read spool file %s: %s",
1541 eml_filename, strerror(err)),
1542 sock);
1543 }
1544 (void)close(clam_fd);
b1f8e4f8 1545
0f0c8159 1546 /* send file body to socket */
4e71661f 1547#ifdef WITH_OLD_CLAMAV_STREAM
0f0c8159
JH		 1548 if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0)
1549 {
1550 free(clamav_fbuf); CLOSE_SOCKDATA;
0ea02355 1551 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1552 string_sprintf("unable to send file body to socket (%s:%u)",
1553 hostname, port),
1554 sock);
1555 }
4e71661f 1556#else
0f0c8159
JH		 1557 send_size = htonl(fsize_uint);
1558 send_final_zeroblock = 0;
1559 if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
1560 (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1561 (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
1562 {
b1f8e4f8 1563 free(clamav_fbuf);
0ea02355 1564 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1565 string_sprintf("unable to send file body to socket (%s)", hostname),
1566 sock);
4e71661f 1567 }
0f0c8159 1568#endif
b1f8e4f8 1569
0f0c8159 1570 free(clamav_fbuf);
b1f8e4f8 1571
0f0c8159
JH		 1572 CLOSE_SOCKDATA;
1573#undef CLOSE_SOCKDATA
1574 }
1575 else
1576 { /* use scan command */
1577 /* Send a SCAN command pointing to a filename; then in the then in the
1578 * scan-method-neutral part, read the response back */
1579
1580/* ================================================================= */
1581
1582 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1583 which dates to when ClamAV needed us to break apart the email into the
1584 MIME parts (eg, with the now deprecated demime condition coming first).
1585 Some time back, ClamAV gained the ability to deconstruct the emails, so
1586 doing this would actually have resulted in the mail attachments being
1587 scanned twice, in the broken out files and from the original .eml.
1588 Since ClamAV now handles emails (and has for quite some time) we can
1589 just use the email file itself. */
4a5cbaff 1590 /* Pass the string to ClamAV (7 = "SCAN \n" + \0), if not already sent */
0f0c8159 1591
e1d04f48 1592 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 1593 "Malware scan: issuing %s local-path scan [%s]\n",
1594 scanner_name, scanner_options);
b1f8e4f8 1595
4a5cbaff
JH		 1596 if (cmd_str.len)
1597 if (send(sock, cmd_str.data, cmd_str.len, 0) < 0)
1598 return m_errlog_defer_3(scanent, CUS callout_address,
1599 string_sprintf("unable to write to socket (%s)", strerror(errno)),
1600 sock);
b1f8e4f8 1601
0f0c8159
JH		 1602 /* Do not shut down the socket for writing; a user report noted that
1603 * clamd 0.70 does not react well to this. */
1604 }
1605 /* Commands have been sent, no matter which scan method or connection
1606 * type we're using; now just read the result, independent of method. */
1607
1608 /* Read the result */
1609 memset(av_buffer, 0, sizeof(av_buffer));
1610 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1611 (void)close(sock);
1612 sock = -1;
1613
1614 if (bread <= 0)
0ea02355 1615 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1616 string_sprintf("unable to read from socket (%s)",
1617 errno == 0 ? "EOF" : strerror(errno)));
1618
1619 if (bread == sizeof(av_buffer))
0ea02355
JH		 1620 return m_errlog_defer(scanent, CUS callout_address,
1621 US"buffer too small");
0f0c8159
JH		 1622 /* We're now assured of a NULL at the end of av_buffer */
1623
1624 /* Check the result. ClamAV returns one of two result formats.
1625 In the basic mode, the response is of the form:
1626 infected: -> "<filename>: <virusname> FOUND"
1627 not-infected: -> "<filename>: OK"
1628 error: -> "<filename>: <errcode> ERROR
1629 If the ExtendedDetectionInfo option has been turned on, then we get:
1630 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1631 for the infected case. Compare:
1632/tmp/eicar.com: Eicar-Test-Signature FOUND
1633/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1634
1635 In the streaming case, clamd uses the filename "stream" which you should
1636 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1637 client app will replace "stream" with the original filename before returning
1638 results to stdout, but the trace shows the data).
1639
1640 We will assume that the pathname passed to clamd from Exim does not contain
1641 a colon. We will have whined loudly above if the eml_filename does (and we're
1642 passing a filename to clamd). */
1643
1644 if (!(*av_buffer))
0ea02355
JH		 1645 return m_errlog_defer(scanent, CUS callout_address,
1646 US"ClamAV returned null");
0f0c8159
JH		 1647
1648 /* strip newline at the end (won't be present for zINSTREAM)
1649 (also any trailing whitespace, which shouldn't exist, but we depend upon
1650 this below, so double-check) */
1651 p = av_buffer + Ustrlen(av_buffer) - 1;
1652 if (*p == '\n') *p = '\0';
1653
e1d04f48 1654 DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
0f0c8159
JH		 1655
1656 while (isspace(*--p) && (p > av_buffer))
1657 *p = '\0';
1658 if (*p) ++p;
0f0c8159
JH		 1659
1660 /* colon in returned output? */
80591636 1661 if(!(p = Ustrchr(av_buffer,':')))
0ea02355 1662 return m_errlog_defer(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 1663 "ClamAV returned malformed result (missing colon): %s",
1664 av_buffer));
1665
1666 /* strip filename */
1667 while (*p && isspace(*++p)) /**/;
1668 vname = p;
1669
1670 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1671 but we should at least be resistant to it. */
1672 p = Ustrrchr(vname, ' ');
1673 result_tag = p ? p+1 : vname;
1674
1675 if (Ustrcmp(result_tag, "FOUND") == 0)
1676 {
1677 /* p should still be the whitespace before the result_tag */
1678 while (isspace(*p)) --p;
1679 *++p = '\0';
1680 /* Strip off the extended information too, which will be in parens
1681 after the virus name, with no intervening whitespace. */
1682 if (*--p == ')')
4e71661f 1683 {
0f0c8159
JH		 1684 /* "(hash:size)", so previous '(' will do; if not found, we have
1685 a curious virus name, but not an error. */
1686 p = Ustrrchr(vname, '(');
1687 if (p)
1688 *p = '\0';
4e71661f 1689 }
0f0c8159 1690 malware_name = string_copy(vname);
e1d04f48 1691 DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
b1f8e4f8 1692
0f0c8159
JH		 1693 }
1694 else if (Ustrcmp(result_tag, "ERROR") == 0)
0ea02355 1695 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159 1696 string_sprintf("ClamAV returned: %s", av_buffer));
b1f8e4f8 1697
0f0c8159
JH		 1698 else if (Ustrcmp(result_tag, "OK") == 0)
1699 {
1700 /* Everything should be OK */
1701 malware_name = NULL;
e1d04f48 1702 DEBUG(D_acl) debug_printf_indent("Malware not found\n");
b1f8e4f8 1703
0f0c8159
JH		 1704 }
1705 else
0ea02355 1706 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1707 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1708
1709 break;
b1f8e4f8
JH		 1710 } /* clamd */
1711
1712 case M_SOCK: /* "sock" scanner type ------------------------------------- */
0f0c8159
JH		 1713 /* This code was derived by Martin Poole from the clamd code contributed
1714 by David Saez and the cmdline code
1715 */
b1f8e4f8 1716 {
0f0c8159
JH		 1717 int bread;
1718 uschar * commandline;
1719 uschar av_buffer[1024];
1720 uschar * linebuffer;
1721 uschar * sockline_scanner;
1722 uschar sockline_scanner_default[] = "%s\n";
1723 const pcre *sockline_trig_re;
1724 const pcre *sockline_name_re;
1725
1726 /* find scanner command line */
ac4d558b
JH		 1727 if ( (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1728 NULL, 0))
1729 && *sockline_scanner
1730 )
0f0c8159
JH		 1731 { /* check for no expansions apart from one %s */
1732 uschar * s = Ustrchr(sockline_scanner, '%');
1733 if (s++)
1734 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
0ea02355 1735 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1736 US"unsafe sock scanner call spec", sock);
1737 }
1738 else
1739 sockline_scanner = sockline_scanner_default;
ac4d558b
JH		 1740 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
1741 string_printing(sockline_scanner));
b1f8e4f8 1742
0f0c8159
JH		 1743 /* find scanner output trigger */
1744 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1745 "missing trigger specification", &errstr);
1746 if (!sockline_trig_re)
0ea02355 1747 return m_errlog_defer_3(scanent, NULL, errstr, sock);
b1f8e4f8 1748
0f0c8159
JH		 1749 /* find virus name regex */
1750 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1751 "missing virus name regex specification", &errstr);
1752 if (!sockline_name_re)
0ea02355 1753 return m_errlog_defer_3(scanent, NULL, errstr, sock);
b1f8e4f8 1754
0f0c8159 1755 /* prepare scanner call - security depends on expansions check above */
040721f2 1756 commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
ac4d558b
JH		 1757 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
1758 string_printing(commandline));
b1f8e4f8 1759
0f0c8159
JH		 1760 /* Pass the command string to the socket */
1761 if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
0ea02355 1762 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1763
0f0c8159
JH		 1764 /* Read the result */
1765 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
b1f8e4f8 1766
0f0c8159 1767 if (bread <= 0)
0ea02355 1768 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1769 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1770 sock);
b1f8e4f8 1771
0f0c8159 1772 if (bread == sizeof(av_buffer))
0ea02355
JH		 1773 return m_errlog_defer_3(scanent, CUS callout_address,
1774 US"buffer too small", sock);
0f0c8159
JH		 1775 av_buffer[bread] = '\0';
1776 linebuffer = string_copy(av_buffer);
ac4d558b
JH		 1777 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
1778 string_printing(linebuffer));
b1f8e4f8 1779
0f0c8159
JH		 1780 /* try trigger match */
1781 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1782 {
1783 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1784 malware_name = US "unknown";
ac4d558b
JH		 1785 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
1786 string_printing(malware_name));
b1f8e4f8 1787 }
0f0c8159
JH		 1788 else /* no virus found */
1789 malware_name = NULL;
1790 break;
8523533c 1791 }
8e669ac1 1792
b1f8e4f8
JH		 1793 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1794 {
0f0c8159
JH		 1795 char *mksd_options_end;
1796 int mksd_maxproc = 1; /* default, if no option supplied */
1797 int retval;
b1f8e4f8 1798
0f0c8159
JH		 1799 if (scanner_options)
1800 {
1801 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1802 if ( *scanner_options == '\0'
1803 || *mksd_options_end != '\0'
1804 || mksd_maxproc < 1
1805 || mksd_maxproc > 32
1806 )
0ea02355 1807 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1808 string_sprintf("invalid option '%s'", scanner_options));
1809 }
8e669ac1 1810
3e60dd41 1811 if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
0ea02355 1812 return m_errlog_defer(scanent, CUS callout_address, errstr);
8e669ac1 1813
0f0c8159 1814 malware_name = NULL;
94a18f28 1815
e1d04f48 1816 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
94a18f28 1817
0f0c8159
JH		 1818 if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1819 {
1820 close (sock);
1821 return retval;
1822 }
1823 break;
8523533c 1824 }
0f0c8159 1825
b6fbf22d
JH		 1826 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1827 {
1828 int ovector[1*3];
1829 uschar buf[1024];
1830 uschar * scanrequest;
b6fbf22d 1831 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
0f0c8159 1832 int nread;
b6fbf22d
JH		 1833
1834 /* According to Martin Tuma @avast the protocol uses "escaped
1835 whitespace", that is, every embedded whitespace is backslash
1836 escaped, as well as backslash is protected by backslash.
1837 The returned lines contain the name of the scanned file, a tab
1838 and the [ ] marker.
1839 [+] - not infected
1840 [L] - infected
1841 [E] - some error occured
1842 Such marker follows the first non-escaped TAB. */
476be7e2
JH		 1843 if ( ( !ava_re_clean
1844 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1845 || ( !ava_re_virus
1846 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
b6fbf22d
JH		 1847 )
1848 return malware_errlog_defer(errstr);
1849
1850 /* wait for result */
0f0c8159
JH		 1851 for (avast_stage = AVA_HELO;
1852 (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
1853 )
b6fbf22d
JH		 1854 {
1855 int slen = Ustrlen(buf);
94431adb 1856 if (slen >= 1)
b6fbf22d 1857 {
e1d04f48 1858 DEBUG(D_acl) debug_printf_indent("got from avast: %s\n", buf);
b6fbf22d
JH		 1859 switch (avast_stage)
1860 {
1861 case AVA_HELO:
1862 if (Ustrncmp(buf, "220", 3) != 0)
1863 goto endloop; /* require a 220 */
1864 goto sendreq;
1865
1866 case AVA_OPT:
1867 if (Ustrncmp(buf, "210", 3) == 0)
1868 break; /* ignore 210 responses */
1869 if (Ustrncmp(buf, "200", 3) != 0)
1870 goto endloop; /* require a 200 */
1871
1872 sendreq:
1873 {
1874 int len;
1875 /* Check for another option to send. Newline-terminate it. */
1876 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1877 NULL, 0)))
1878 {
1879 scanrequest = string_sprintf("%s\n", scanrequest);
1880 avast_stage = AVA_OPT; /* just sent option */
1881 }
1882 else
1883 {
040721f2 1884 scanrequest = string_sprintf("SCAN %s\n", eml_dir);
b6fbf22d
JH		 1885 avast_stage = AVA_RSP; /* just sent command */
1886 }
1887
1888 /* send config-cmd or scan-request to socket */
1889 len = Ustrlen(scanrequest);
1890 if (send(sock, scanrequest, len, 0) < 0)
1891 {
1892 scanrequest[len-1] = '\0';
0ea02355 1893 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
b6fbf22d
JH		 1894 "unable to send request '%s' to socket (%s): %s",
1895 scanrequest, scanner_options, strerror(errno)), sock);
1896 }
1897 break;
1898 }
1899
1900 case AVA_RSP:
1901 if (Ustrncmp(buf, "210", 3) == 0)
1902 break; /* ignore the "210 SCAN DATA" message */
1903
476be7e2 1904 if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
b6fbf22d
JH		 1905 0, 0, ovector, nelements(ovector)) > 0)
1906 break;
1907
476be7e2 1908 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
b6fbf22d
JH		 1909 { /* remove backslash in front of [whitespace|backslash] */
1910 uschar * p, * p0;
94431adb 1911 for (p = malware_name; *p; ++p)
b6fbf22d
JH		 1912 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
1913 for (p0 = p; *p0; ++p0) *p0 = p0[1];
94431adb 1914
b6fbf22d
JH		 1915 avast_stage = AVA_DONE;
1916 goto endloop;
1917 }
1918
94431adb 1919 if (Ustrncmp(buf, "200 SCAN OK", 11) == 0)
b6fbf22d
JH		 1920 { /* we're done finally */
1921 if (send(sock, "QUIT\n", 5, 0) < 0) /* courtesy */
0ea02355
JH		 1922 return m_errlog_defer_3(scanent, CUS callout_address,
1923 string_sprintf(
b6fbf22d
JH		 1924 "unable to send quit request to socket (%s): %s",
1925 scanner_options, strerror(errno)),
1926 sock);
1927 malware_name = NULL;
1928 avast_stage = AVA_DONE;
1929 goto endloop;
1930 }
1931
1932 /* here for any unexpected response from the scanner */
1933 goto endloop;
755762fd
HSHR		 1934
1935 case AVA_DONE: log_write(0, LOG_PANIC, "%s:%d:%s: should not happen",
1936 __FILE__, __LINE__, __FUNCTION__);
b6fbf22d 1937 }
0f0c8159 1938 }
b6fbf22d 1939 }
b6fbf22d
JH		 1940 endloop:
1941
1942 switch(avast_stage)
1943 {
94431adb 1944 case AVA_HELO:
b6fbf22d 1945 case AVA_OPT:
0ea02355 1946 case AVA_RSP: return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1947 nread >= 0
1948 ? string_sprintf(
1949 "invalid response from scanner: '%s'", buf)
1950 : nread == -1
1951 ? US"EOF from scanner"
1952 : US"timeout from scanner",
1953 sock);
b6fbf22d
JH		 1954 default: break;
1955 }
71b32d41 1956 break;
b6fbf22d 1957 }
71b32d41
ACK		 1958
1959 case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
1960 {
1961 int bread;
1962 uschar * e;
1963 uschar * linebuffer;
1964 uschar * scanrequest;
1965 uschar av_buffer[1024];
1966
1967 if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
1968 || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
1969 return malware_errlog_defer(errstr);
1970
1971 scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
1972 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
1973 scanner_name, scanrequest);
1974
1975 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
1976 return m_errlog_defer(scanent, CUS callout_address, errstr);
1977
1978 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1979
1980 if (bread <= 0)
1981 return m_errlog_defer_3(scanent, CUS callout_address,
1982 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1983 sock);
1984
1985 if (bread == sizeof(av_buffer))
1986 return m_errlog_defer_3(scanent, CUS callout_address,
1987 US"buffer too small", sock);
1988
1989 av_buffer[bread] = '\0';
1990 linebuffer = string_copy(av_buffer);
1991
1992 m_sock_send(sock, US"QUIT\n", 5, 0);
1993
1994 if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
1995 return m_errlog_defer_3(scanent, CUS callout_address,
1996 string_sprintf("scanner reported error (%s)", e), sock);
1997
1998 if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
1999 malware_name = NULL;
2000
0f0c8159 2001 break;
71b32d41 2002 } /* f-prot6d */
0f0c8159 2003 } /* scanner type switch */
8523533c 2004
0f0c8159
JH		 2005 if (sock >= 0)
2006 (void) close (sock);
2007 malware_ok = TRUE; /* set "been here, done that" marker */
b1f8e4f8 2008 }
8523533c 2009
0f0c8159
JH		 2010/* match virus name against pattern (caseless ------->----------v) */
2011if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
2012 {
e1d04f48 2013 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 2014 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
2015 return OK;
2016 }
2017else
2018 return FAIL;
8523533c
TK		 2019}
2020
2021
0f0c8159
JH		 2022/*************************************************
2023* Scan an email for malware *
2024*************************************************/
8523533c 2025
0f0c8159
JH		 2026/* This is the normal interface for scanning an email, which doesn't need a
2027filename; it's a wrapper around the malware_file function.
8523533c 2028
0f0c8159
JH		 2029Arguments:
2030 malware_re match condition for "malware="
2031 timeout if nonzero, timeout in seconds
2032
2033Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2034 where true means malware was found (condition applies)
2035*/
2036int
2037malware(const uschar * malware_re, int timeout)
8523533c 2038{
040721f2 2039int ret = malware_internal(malware_re, NULL, timeout);
8e669ac1 2040
55240832 2041if (ret == DEFER) av_failed = TRUE;
55240832 2042return ret;
8523533c
TK		 2043}
2044
8e669ac1 2045
0f0c8159
JH		 2046/*************************************************
2047* Scan a file for malware *
2048*************************************************/
8e669ac1 2049
0f0c8159
JH		 2050/* This is a test wrapper for scanning an email, which is not used in
2051normal processing. Scan any file, using the Exim scanning interface.
2052This function tampers with various global variables so is unsafe to use
2053in any other context.
8e669ac1 2054
0f0c8159
JH		 2055Arguments:
2056 eml_filename a file holding the message to be scanned
8523533c 2057
0f0c8159
JH		 2058Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2059 where true means malware was found (condition applies)
2060*/
2061int
2062malware_in_file(uschar *eml_filename)
8523533c 2063{
55240832
JH		 2064uschar message_id_buf[64];
2065int ret;
2066
2067/* spool_mbox() assumes various parameters exist, when creating
2068the relevant directory and the email within */
2069
2070(void) string_format(message_id_buf, sizeof(message_id_buf),
2071 "dummy-%d", vaguely_random_number(INT_MAX));
2072message_id = message_id_buf;
2073sender_address = US"malware-sender@example.net";
2074return_path = US"";
2075recipients_list = NULL;
2076receive_add_recipient(US"malware-victim@example.net", -1);
2077enable_dollar_recipients = TRUE;
2078
040721f2 2079ret = malware_internal(US"*", eml_filename, 0);
55240832
JH		 2080
2081Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
2082spool_mbox_ok = 1;
2083
2084/* don't set no_mbox_unspool; at present, there's no way for it to become
2085set, but if that changes, then it should apply to these tests too */
2086
2087unspool_mbox();
2088
2089/* silence static analysis tools */
2090message_id = NULL;
2091
2092return ret;
8523533c
TK		 2093}
2094
476be7e2
JH		 2095
2096void
2097malware_init(void)
2098{
2099if (!malware_default_re)
2100 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
2101if (!drweb_re)
2102 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
2103if (!fsec_re)
2104 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
2105if (!kav_re_sus)
2106 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2107if (!kav_re_inf)
2108 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
2109if (!ava_re_clean)
2110 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2111if (!ava_re_virus)
2112 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
71b32d41
ACK		 2113if (!fprot6d_re_error)
2114 fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
2115if (!fprot6d_re_virus)
2116 fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
476be7e2
JH		 2117}
2118
b1f8e4f8
JH		 2119#endif /*WITH_CONTENT_SCAN*/
2120/*
2121 * vi: aw ai sw=2
2122 */
Unnamed repository; edit this file 'description' to name the repository.