projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Docs: clean for next release
[exim.git] / src / src / malware.c
CommitLineData
8523533c
TK		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873
JH		 5/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
6 * License: GPL
f9ba5e22 7 * Copyright (c) The Exim Maintainers 2015 - 2018
80fea873 8 */
8523533c
TK		 9
10/* Code for calling virus (malware) scanners. Called from acl.c. */
11
12#include "exim.h"
c11d665d 13#ifdef WITH_CONTENT_SCAN /* entire file */
8523533c 14
c8599aad
JH		 15typedef enum {
16#ifndef DISABLE_MAL_FFROTD
17 M_FPROTD,
18#endif
19#ifndef DISABLE_MAL_FFROT6D
20 M_FPROT6D,
21#endif
22#ifndef DISABLE_MAL_DRWEB
23 M_DRWEB,
24#endif
25#ifndef DISABLE_MAL_AVE
26 M_AVES,
27#endif
28#ifndef DISABLE_MAL_FSECURE
29 M_FSEC,
30#endif
31#ifndef DISABLE_MAL_KAV
32 M_KAVD,
33#endif
34#ifndef DISABLE_MAL_SOPHIE
35 M_SOPHIE,
36#endif
37#ifndef DISABLE_MAL_CLAM
38 M_CLAMD,
39#endif
40#ifndef DISABLE_MAL_MKS
41 M_MKSD,
42#endif
43#ifndef DISABLE_MAL_AVAST
44 M_AVAST,
45#endif
46#ifndef DISABLE_MAL_SOCK
47 M_SOCK,
48#endif
49#ifndef DISABLE_MAL_CMDLINE
50 M_CMDL,
51#endif
4e559e21 52 M_DUMMY
c8599aad 53 } scanner_t;
b1f8e4f8
JH		 54typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
55static struct scan
56{
57 scanner_t scancode;
58 const uschar * name;
59 const uschar * options_default;
60 contype_t conn;
61} m_scans[] =
62{
c11d665d 63#ifndef DISABLE_MAL_FFROTD
b1f8e4f8 64 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
c11d665d
JH		 65#endif
66#ifndef DISABLE_MAL_FFROT6D
67 { M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
68#endif
69#ifndef DISABLE_MAL_DRWEB
b1f8e4f8 70 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
c11d665d
JH		 71#endif
72#ifndef DISABLE_MAL_AVE
b1f8e4f8 73 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
c11d665d
JH		 74#endif
75#ifndef DISABLE_MAL_FSECURE
b1f8e4f8 76 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
c11d665d
JH		 77#endif
78#ifndef DISABLE_MAL_KAV
b1f8e4f8 79 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
c11d665d
JH		 80#endif
81#ifndef DISABLE_MAL_SOPHIE
b1f8e4f8 82 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
c11d665d
JH		 83#endif
84#ifndef DISABLE_MAL_CLAM
b1f8e4f8 85 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
c11d665d
JH		 86#endif
87#ifndef DISABLE_MAL_MKS
b1f8e4f8 88 { M_MKSD, US"mksd", NULL, MC_NONE },
c11d665d
JH		 89#endif
90#ifndef DISABLE_MAL_AVAST
b6fbf22d 91 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
c11d665d
JH		 92#endif
93#ifndef DISABLE_MAL_SOCK
94 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
95#endif
96#ifndef DISABLE_MAL_CMDLINE
97 { M_CMDL, US"cmdline", NULL, MC_NONE },
98#endif
b1f8e4f8
JH		 99 { -1, NULL, NULL, MC_NONE } /* end-marker */
100};
101
c11d665d
JH		 102/******************************************************************************/
103# ifdef MACRO_PREDEF /* build solely to predefine macros */
104
105# include "macro_predef.h"
106
107void
108features_malware(void)
109{
2b8b8e4e
JH		 110const struct scan * sc;
111const uschar * s;
112uschar * t;
c11d665d
JH		 113uschar buf[64];
114
115spf(buf, sizeof(buf), US"_HAVE_MALWARE_");
116
117for (sc = m_scans; sc->scancode != -1; sc++)
118 {
119 for(s = sc->name, t = buf+14; *s; s++) if (*s != '-') *t++ = toupper(*s);
120 *t = '\0';
121 builtin_macro_create(buf);
122 }
123}
124
125/******************************************************************************/
126# else /*!MACRO_PREDEF, main build*/
127
128
129#define MALWARE_TIMEOUT 120 /* default timeout, seconds */
130
131static const uschar * malware_regex_default = US ".+";
132static const pcre * malware_default_re = NULL;
133
134
135
136#ifndef DISABLE_MAL_CLAM
599dcb77 137/* The maximum number of clamd servers that are supported in the configuration */
c11d665d
JH		 138# define MAX_CLAMD_SERVERS 32
139# define MAX_CLAMD_SERVERS_S "32"
599dcb77 140
8a512ed5
JH		 141typedef struct clamd_address {
142 uschar * hostspec;
143 unsigned tcp_port;
144 unsigned retry;
145} clamd_address;
8523533c
TK		 146#endif
147
a9ccd69a 148
c11d665d
JH		 149#ifndef DISABLE_MAL_DRWEB
150# define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
151# define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
152# define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
8523533c 153
c11d665d
JH		 154# define DERR_READ_ERR (1<<0) /* read error */
155# define DERR_NOMEMORY (1<<2) /* no memory */
156# define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
157# define DERR_BAD_CALL (1<<15) /* wrong command */
476be7e2
JH		 158
159static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
160static const pcre * drweb_re = NULL;
c11d665d 161#endif
476be7e2 162
c11d665d 163#ifndef DISABLE_MAL_FSECURE
476be7e2
JH		 164static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
165static const pcre * fsec_re = NULL;
c11d665d 166#endif
476be7e2 167
c11d665d 168#ifndef DISABLE_MAL_KAV
476be7e2
JH		 169static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
170static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
171static const pcre * kav_re_sus = NULL;
172static const pcre * kav_re_inf = NULL;
c11d665d 173#endif
476be7e2 174
c11d665d 175#ifndef DISABLE_MAL_AVAST
476be7e2 176static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
ad93c40f
HSHR		 177static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d+\\.0\\t0\\s(.*)";
178static const uschar * ava_re_error_str = US "(?!\\\\)\\t\\[E\\]\\d+\\.0\\tError\\s\\d+\\s(.*)";
476be7e2
JH		 179static const pcre * ava_re_clean = NULL;
180static const pcre * ava_re_virus = NULL;
ad93c40f 181static const pcre * ava_re_error = NULL;
c11d665d 182#endif
476be7e2 183
c11d665d 184#ifndef DISABLE_MAL_FFROT6D
71b32d41
ACK		 185static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
186static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
187static const pcre * fprot6d_re_error = NULL;
188static const pcre * fprot6d_re_virus = NULL;
c11d665d 189#endif
71b32d41 190
476be7e2
JH		 191
192
193/******************************************************************************/
194
059f2ace 195#ifndef DISABLE_MAL_KAV
b1f8e4f8 196/* Routine to check whether a system is big- or little-endian.
8523533c
TK		 197 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
198 Needed for proper kavdaemon implementation. Sigh. */
059f2ace
JH		 199# define BIG_MY_ENDIAN 0
200# define LITTLE_MY_ENDIAN 1
b1f8e4f8
JH		 201static int test_byte_order(void);
202static inline int
203test_byte_order()
204{
205 short int word = 0x0001;
5903c6ff 206 char *byte = CS &word;
b1f8e4f8 207 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
8523533c 208}
059f2ace 209#endif
8523533c 210
b1f8e4f8 211BOOL malware_ok = FALSE;
8523533c 212
8544e77a
PP		 213/* Gross hacks for the -bmalware option; perhaps we should just create
214the scan directory normally for that case, but look into rigging up the
215needed header variables if not already set on the command-line? */
216extern int spool_mbox_ok;
55240832 217extern uschar spooled_message_id[MESSAGE_ID_LENGTH+1];
8544e77a 218
8544e77a 219
ad93c40f
HSHR		 220/* Some (currently avast only) use backslash escaped whitespace,
221this function undoes these escapes */
46682a67 222
ad93c40f 223static inline void
46682a67
JH		 224unescape(uschar *p)
225{
226uschar *p0;
227for (; *p; ++p)
228 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
229 for (p0 = p; *p0; ++p0) *p0 = p0[1];
ad93c40f 230}
8544e77a 231
ad93c40f 232/* --- malware_*_defer --- */
b1f8e4f8 233static inline int
ad93c40f 234malware_panic_defer(const uschar * str)
b1f8e4f8 235{
8a512ed5
JH		 236log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
237return DEFER;
b1f8e4f8 238}
ad93c40f
HSHR		 239static inline int
240malware_log_defer(const uschar * str)
241{
242log_write(0, LOG_MAIN, "malware acl condition: %s", str);
243return DEFER;
244}
245/* --- m_*_defer --- */
246static inline int
247m_panic_defer(struct scan * scanent, const uschar * hostport,
0ea02355 248 const uschar * str)
b1f8e4f8 249{
ad93c40f 250return malware_panic_defer(string_sprintf("%s %s : %s",
0ea02355 251 scanent->name, hostport ? hostport : CUS"", str));
b1f8e4f8 252}
ad93c40f
HSHR		 253static inline int
254m_log_defer(struct scan * scanent, const uschar * hostport,
255 const uschar * str)
256{
257return malware_log_defer(string_sprintf("%s %s : %s",
258 scanent->name, hostport ? hostport : CUS"", str));
259}
260/* --- m_*_defer_3 */
261static inline int
262m_panic_defer_3(struct scan * scanent, const uschar * hostport,
263 const uschar * str, int fd_to_close)
264{
265(void) close(fd_to_close);
266return m_panic_defer(scanent, hostport, str);
267}
b1f8e4f8
JH		 268
269/*************************************************/
270
c11d665d 271#ifndef DISABLE_MAL_CLAM
b1f8e4f8
JH		 272/* Only used by the Clamav code, which is working from a list of servers and
273uses the returned in_addr to get a second connection to the same system.
274*/
275static inline int
276m_tcpsocket(const uschar * hostname, unsigned int port,
10ac8d7f 277 host_item * host, uschar ** errstr, const blob * fastopen_blob)
b1f8e4f8 278{
4a5cbaff 279return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5,
10ac8d7f 280 host, errstr, fastopen_blob);
b1f8e4f8 281}
c11d665d 282#endif
b1f8e4f8 283
b1f8e4f8
JH		 284static int
285m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
286{
8a512ed5
JH		 287if (send(sock, buf, cnt, 0) < 0)
288 {
289 int err = errno;
290 (void)close(sock);
291 *errstr = string_sprintf("unable to send to socket (%s): %s",
292 buf, strerror(err));
293 return -1;
294 }
295return sock;
b1f8e4f8
JH		 296}
297
298static const pcre *
299m_pcre_compile(const uschar * re, uschar ** errstr)
300{
8a512ed5
JH		 301const uschar * rerror;
302int roffset;
303const pcre * cre;
304
305cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
306if (!cre)
307 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
308 re, rerror, roffset);
309return cre;
b1f8e4f8
JH		 310}
311
312uschar *
313m_pcre_exec(const pcre * cre, uschar * text)
314{
8a512ed5
JH		 315int ovector[10*3];
316int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
c11d665d 317 ovector, nelem(ovector));
8a512ed5
JH		 318uschar * substr = NULL;
319if (i >= 2) /* Got it */
320 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
321return substr;
b1f8e4f8
JH		 322}
323
324static const pcre *
55414b25
JH		 325m_pcre_nextinlist(const uschar ** list, int * sep,
326 char * listerr, uschar ** errstr)
b1f8e4f8 327{
8a512ed5
JH		 328const uschar * list_ele;
329const pcre * cre = NULL;
330
331if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
332 *errstr = US listerr;
333else
ac4d558b
JH		 334 {
335 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
336 string_printing(list_ele));
8a512ed5 337 cre = m_pcre_compile(CUS list_ele, errstr);
ac4d558b 338 }
8a512ed5 339return cre;
b1f8e4f8
JH		 340}
341
4e71661f
JH		 342/*
343 Simple though inefficient wrapper for reading a line. Drop CRs and the
344 trailing newline. Can return early on buffer full. Null-terminate.
345 Apply initial timeout if no data ready.
346
0f0c8159
JH		 347 Return: number of chars - zero for an empty line
348 -1 on EOF
349 -2 on timeout or error
4e71661f
JH		 350*/
351static int
352recv_line(int fd, uschar * buffer, int bsize, int tmo)
353{
354uschar * p = buffer;
355ssize_t rcv;
0f0c8159 356BOOL ok = FALSE;
4e71661f
JH		 357
358if (!fd_ready(fd, tmo-time(NULL)))
0f0c8159 359 return -2;
4e71661f 360
0f0c8159 361/*XXX tmo handling assumes we always get a whole line */
4e71661f 362/* read until \n */
0f0c8159 363errno = 0;
4e71661f
JH		 364while ((rcv = read(fd, p, 1)) > 0)
365 {
0f0c8159 366 ok = TRUE;
4e71661f
JH		 367 if (p-buffer > bsize-2) break;
368 if (*p == '\n') break;
369 if (*p != '\r') p++;
370 }
0f0c8159
JH		 371if (!ok)
372 {
e1d04f48 373 DEBUG(D_acl) debug_printf_indent("Malware scan: read %s (%s)\n",
0f0c8159
JH		 374 rcv==0 ? "EOF" : "error", strerror(errno));
375 return rcv==0 ? -1 : -2;
376 }
4e71661f
JH		 377*p = '\0';
378
e1d04f48 379DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
4e71661f
JH		 380return p - buffer;
381}
382
383/* return TRUE iff size as requested */
384static BOOL
385recv_len(int sock, void * buf, int size, int tmo)
386{
387return fd_ready(sock, tmo-time(NULL))
388 ? recv(sock, buf, size, 0) == size
389 : FALSE;
390}
391
392
0f0c8159 393
c11d665d 394#ifndef DISABLE_MAL_MKS
0f0c8159
JH		 395/* ============= private routines for the "mksd" scanner type ============== */
396
c11d665d 397# include <sys/uio.h>
0f0c8159
JH		 398
399static inline int
400mksd_writev (int sock, struct iovec * iov, int iovcnt)
401{
402int i;
403
404for (;;)
405 {
406 do
407 i = writev (sock, iov, iovcnt);
408 while (i < 0 && errno == EINTR);
409 if (i <= 0)
410 {
ad93c40f 411 (void) malware_panic_defer(
0f0c8159
JH		 412 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
413 return -1;
414 }
415 for (;;) /* check for short write */
416 if (i >= iov->iov_len)
417 {
418 if (--iovcnt == 0)
419 return 0;
420 i -= iov->iov_len;
421 iov++;
422 }
423 else
424 {
425 iov->iov_len -= i;
426 iov->iov_base = CS iov->iov_base + i;
427 break;
428 }
429 }
430}
431
432static inline int
433mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
434{
74f1a423 435client_conn_ctx cctx = {.sock = sock};
0f0c8159
JH		 436int offset = 0;
437int i;
438
439do
440 {
74f1a423 441 i = ip_recv(&cctx, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
0f0c8159
JH		 442 if (i <= 0)
443 {
ad93c40f 444 (void) malware_panic_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
0f0c8159
JH		 445 return -1;
446 }
447
448 offset += i;
449 /* offset == av_buffer_size -> buffer full */
450 if (offset == av_buffer_size)
451 {
ad93c40f 452 (void) malware_panic_defer(US"malformed reply received from mksd");
0f0c8159
JH		 453 return -1;
454 }
455 } while (av_buffer[offset-1] != '\n');
456
457av_buffer[offset] = '\0';
458return offset;
459}
460
461static inline int
462mksd_parse_line(struct scan * scanent, char * line)
463{
464char *p;
465
466switch (*line)
467 {
468 case 'O': /* OK */
469 return OK;
470
471 case 'E':
472 case 'A': /* ERR */
473 if ((p = strchr (line, '\n')) != NULL)
474 *p = '\0';
ad93c40f 475 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 476 string_sprintf("scanner failed: %s", line));
477
478 default: /* VIR */
479 if ((p = strchr (line, '\n')) != NULL)
480 {
481 *p = '\0';
482 if ( p-line > 5
483 && line[3] == ' '
484 && (p = strchr(line+4, ' ')) != NULL
485 && p-line > 4
486 )
487 {
488 *p = '\0';
489 malware_name = string_copy(US line+4);
490 return OK;
491 }
492 }
ad93c40f 493 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 494 string_sprintf("malformed reply received: %s", line));
495 }
496}
497
498static int
499mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
500 int tmo)
501{
502struct iovec iov[3];
503const char *cmd = "MSQ\n";
504uschar av_buffer[1024];
505
506iov[0].iov_base = (void *) cmd;
507iov[0].iov_len = 3;
508iov[1].iov_base = (void *) scan_filename;
509iov[1].iov_len = Ustrlen(scan_filename);
510iov[2].iov_base = (void *) (cmd + 3);
511iov[2].iov_len = 1;
512
513if (mksd_writev (sock, iov, 3) < 0)
514 return DEFER;
515
516if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
517 return DEFER;
518
519return mksd_parse_line (scanent, CS av_buffer);
520}
c11d665d 521#endif /* MKSD */
0f0c8159 522
8a512ed5 523
c11d665d 524#ifndef DISABLE_MAL_CLAM
8a512ed5
JH		 525static int
526clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
527{
528uschar * s;
529
530cd->retry = 0;
531while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
8a512ed5
JH		 532 if (Ustrncmp(s, "retry=", 6) == 0)
533 {
534 int sec = readconf_readtime((s += 6), '\0', FALSE);
535 if (sec < 0)
536 return FAIL;
537 cd->retry = sec;
538 }
539 else
540 return FAIL;
93a6fce2 541return OK;
8a512ed5 542}
c11d665d
JH		 543#endif
544
545
8a512ed5 546
8544e77a
PP		 547/*************************************************
548* Scan content for malware *
549*************************************************/
550
551/* This is an internal interface for scanning an email; the normal interface
552is via malware(), or there's malware_in_file() used for testing/debugging.
553
554Arguments:
0f0c8159 555 malware_re match condition for "malware="
040721f2
JH		 556 scan_filename the file holding the email to be scanned, if we're faking
557 this up for the -bmalware test, else NULL
0f0c8159 558 timeout if nonzero, non-default timeoutl
8544e77a
PP		 559
560Returns: Exim message processing code (OK, FAIL, DEFER, ...)
561 where true means malware was found (condition applies)
562*/
b1f8e4f8 563static int
040721f2
JH		 564malware_internal(const uschar * malware_re, const uschar * scan_filename,
565 int timeout)
b1f8e4f8 566{
0f0c8159 567int sep = 0;
55414b25 568const uschar *av_scanner_work = av_scanner;
0f0c8159 569uschar *scanner_name;
0f0c8159
JH		 570unsigned long mbox_size;
571FILE *mbox_file;
572const pcre *re;
573uschar * errstr;
574struct scan * scanent;
575const uschar * scanner_options;
74f1a423 576client_conn_ctx malware_daemon_ctx = {.sock = -1};
0f0c8159 577time_t tmo;
040721f2 578uschar * eml_filename, * eml_dir;
0f0c8159 579
040721f2
JH		 580if (!malware_re)
581 return FAIL; /* empty means "don't match anything" */
582
583/* Ensure the eml mbox file is spooled up */
584
585if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
ad93c40f 586 return malware_panic_defer(US"error while creating mbox spool file");
0f0c8159 587
040721f2
JH		 588/* None of our current scanners need the mbox file as a stream (they use
589the name), so we can close it right away. Get the directory too. */
0f0c8159 590
040721f2
JH		 591(void) fclose(mbox_file);
592eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, '/') - eml_filename);
0f0c8159
JH		 593
594/* parse 1st option */
040721f2 595if (strcmpic(malware_re, US"false") == 0 || Ustrcmp(malware_re,"0") == 0)
0f0c8159
JH		 596 return FAIL; /* explicitly no matching */
597
598/* special cases (match anything except empty) */
476be7e2
JH		 599if ( strcmpic(malware_re,US"true") == 0
600 || Ustrcmp(malware_re,"*") == 0
601 || Ustrcmp(malware_re,"1") == 0
602 )
603 {
604 if ( !malware_default_re
605 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
ad93c40f 606 return malware_panic_defer(errstr);
0f0c8159 607 malware_re = malware_regex_default;
476be7e2
JH		 608 re = malware_default_re;
609 }
0f0c8159
JH		 610
611/* compile the regex, see if it works */
476be7e2 612else if (!(re = m_pcre_compile(malware_re, &errstr)))
ad93c40f 613 return malware_panic_defer(errstr);
0f0c8159
JH		 614
615/* if av_scanner starts with a dollar, expand it first */
616if (*av_scanner == '$')
617 {
618 if (!(av_scanner_work = expand_string(av_scanner)))
ad93c40f 619 return malware_panic_defer(
0f0c8159
JH		 620 string_sprintf("av_scanner starts with $, but expansion failed: %s",
621 expand_string_message));
b1f8e4f8 622
0f0c8159 623 DEBUG(D_acl)
e1d04f48 624 debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
0f0c8159
JH		 625 /* disable result caching in this case */
626 malware_name = NULL;
627 malware_ok = FALSE;
8523533c
TK		 628 }
629
0f0c8159
JH		 630/* Do not scan twice (unless av_scanner is dynamic). */
631if (!malware_ok)
632 {
633 /* find the scanner type from the av_scanner option */
634 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
ad93c40f 635 return malware_panic_defer(US"av_scanner configuration variable is empty");
0f0c8159
JH		 636 if (!timeout) timeout = MALWARE_TIMEOUT;
637 tmo = time(NULL) + timeout;
638
3e60dd41
JH		 639 for (scanent = m_scans; ; scanent++)
640 {
0f0c8159 641 if (!scanent->name)
ad93c40f 642 return malware_panic_defer(string_sprintf("unknown scanner type '%s'",
0f0c8159
JH		 643 scanner_name));
644 if (strcmpic(scanner_name, US scanent->name) != 0)
645 continue;
ac4d558b
JH		 646 DEBUG(D_acl) debug_printf_indent("Malware scan: %s tmo=%s\n",
647 scanner_name, readconf_printtime(timeout));
648
0f0c8159
JH		 649 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
650 scanner_options = scanent->options_default;
651 if (scanent->conn == MC_NONE)
b1f8e4f8 652 break;
ac4d558b
JH		 653
654 DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
0f0c8159
JH		 655 switch(scanent->conn)
656 {
74f1a423
JH		 657 case MC_TCP:
658 malware_daemon_ctx.sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
659 case MC_UNIX:
660 malware_daemon_ctx.sock = ip_unixsocket(scanner_options, &errstr); break;
661 case MC_STRM:
662 malware_daemon_ctx.sock = ip_streamsocket(scanner_options, &errstr, 5); break;
663 default:
664 /* compiler quietening */ break;
384152a6 665 }
74f1a423 666 if (malware_daemon_ctx.sock < 0)
ad93c40f 667 return m_panic_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 668 break;
669 }
8e669ac1 670
0f0c8159
JH		 671 switch (scanent->scancode)
672 {
c11d665d 673#ifndef DISABLE_MAL_FFROTD
0f0c8159 674 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
b1f8e4f8 675 {
0f0c8159
JH		 676 uschar *fp_scan_option;
677 unsigned int detected=0, par_count=0;
678 uschar * scanrequest;
679 uschar buf[32768], *strhelper, *strhelper2;
680 uschar * malware_name_internal = NULL;
681 int len;
b1f8e4f8 682
0f0c8159 683 scanrequest = string_sprintf("GET %s", eml_filename);
b1f8e4f8 684
0f0c8159
JH		 685 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
686 NULL, 0)))
687 {
688 scanrequest = string_sprintf("%s%s%s", scanrequest,
689 par_count ? "%20" : "?", fp_scan_option);
690 par_count++;
691 }
692 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
e1d04f48 693 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
0f0c8159 694 scanner_name, scanrequest);
b1f8e4f8 695
0f0c8159 696 /* send scan request */
74f1a423 697 if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
ad93c40f 698 return m_panic_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 699
74f1a423 700 while ((len = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) >= 0)
0f0c8159
JH		 701 if (len > 0)
702 {
703 if (Ustrstr(buf, US"<detected type=\"") != NULL)
704 detected = 1;
705 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
4e71661f 706 {
0f0c8159 707 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
4e71661f 708 {
0f0c8159
JH		 709 *strhelper2 = '\0';
710 malware_name_internal = string_copy(strhelper+6);
4e71661f
JH		 711 }
712 }
0f0c8159 713 else if (Ustrstr(buf, US"<summary code=\""))
4e71661f 714 {
0f0c8159
JH		 715 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
716 ? malware_name_internal : NULL;
717 break;
4e71661f 718 }
0f0c8159
JH		 719 }
720 if (len < -1)
721 {
74f1a423 722 (void)close(malware_daemon_ctx.sock);
0f0c8159
JH		 723 return DEFER;
724 }
725 break;
726 } /* f-protd */
c11d665d
JH		 727#endif
728
729#ifndef DISABLE_MAL_FFROT6D
730 case M_FPROT6D: /* "f-prot6d" scanner type ----------------------------------- */
731 {
732 int bread;
733 uschar * e;
734 uschar * linebuffer;
735 uschar * scanrequest;
736 uschar av_buffer[1024];
737
738 if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
739 || (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
ad93c40f 740 return malware_panic_defer(errstr);
c11d665d
JH		 741
742 scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
743 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
744 scanner_name, scanrequest);
745
74f1a423 746 if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest), &errstr) < 0)
ad93c40f 747 return m_panic_defer(scanent, CUS callout_address, errstr);
c11d665d 748
74f1a423 749 bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
c11d665d
JH		 750
751 if (bread <= 0)
ad93c40f 752 return m_panic_defer_3(scanent, CUS callout_address,
c11d665d 753 string_sprintf("unable to read from socket (%s)", strerror(errno)),
74f1a423 754 malware_daemon_ctx.sock);
c11d665d
JH		 755
756 if (bread == sizeof(av_buffer))
ad93c40f 757 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 758 US"buffer too small", malware_daemon_ctx.sock);
c11d665d
JH		 759
760 av_buffer[bread] = '\0';
761 linebuffer = string_copy(av_buffer);
762
74f1a423 763 m_sock_send(malware_daemon_ctx.sock, US"QUIT\n", 5, 0);
c11d665d
JH		 764
765 if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
ad93c40f 766 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 767 string_sprintf("scanner reported error (%s)", e), malware_daemon_ctx.sock);
b1f8e4f8 768
c11d665d
JH		 769 if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
770 malware_name = NULL;
771
772 break;
773 } /* f-prot6d */
774#endif
775
776#ifndef DISABLE_MAL_DRWEB
0f0c8159
JH		 777 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
778 /* v0.1 - added support for tcp sockets */
779 /* v0.0 - initial release -- support for unix sockets */
780 {
781 int result;
782 off_t fsize;
783 unsigned int fsize_uint;
784 uschar * tmpbuf, *drweb_fbuf;
785 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
786 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
0f0c8159
JH		 787
788 /* prepare variables */
789 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
790 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
791
792 if (*scanner_options != '/')
793 {
794 /* calc file size */
795 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
ad93c40f 796 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 797 string_sprintf("can't open spool file %s: %s",
798 eml_filename, strerror(errno)),
74f1a423 799 malware_daemon_ctx.sock);
b1f8e4f8 800
0f0c8159
JH		 801 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
802 {
d315eda1
JH		 803 int err;
804badseek: err = errno;
b1f8e4f8 805 (void)close(drweb_fd);
ad93c40f 806 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 807 string_sprintf("can't seek spool file %s: %s",
808 eml_filename, strerror(err)),
74f1a423 809 malware_daemon_ctx.sock);
0f0c8159
JH		 810 }
811 fsize_uint = (unsigned int) fsize;
812 if ((off_t)fsize_uint != fsize)
813 {
b1f8e4f8 814 (void)close(drweb_fd);
ad93c40f 815 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 816 string_sprintf("seeking spool file %s, size overflow",
817 eml_filename),
74f1a423 818 malware_daemon_ctx.sock);
4e71661f 819 }
0f0c8159 820 drweb_slen = htonl(fsize);
d315eda1
JH		 821 if (lseek(drweb_fd, 0, SEEK_SET) < 0)
822 goto badseek;
0f0c8159 823
e1d04f48 824 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
0f0c8159
JH		 825 scanner_name, scanner_options);
826
827 /* send scan request */
74f1a423
JH		 828 if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
829 (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
830 (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
831 (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
4e71661f 832 {
0f0c8159 833 (void)close(drweb_fd);
ad93c40f 834 return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159 835 "unable to send commands to socket (%s)", scanner_options),
74f1a423 836 malware_daemon_ctx.sock);
4e71661f 837 }
8e669ac1 838
40c90bca 839 if (!(drweb_fbuf = US malloc(fsize_uint)))
0f0c8159
JH		 840 {
841 (void)close(drweb_fd);
ad93c40f 842 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 843 string_sprintf("unable to allocate memory %u for file (%s)",
844 fsize_uint, eml_filename),
74f1a423 845 malware_daemon_ctx.sock);
0f0c8159 846 }
b1f8e4f8 847
0f0c8159
JH		 848 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
849 {
850 int err = errno;
851 (void)close(drweb_fd);
852 free(drweb_fbuf);
ad93c40f 853 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 854 string_sprintf("can't read spool file %s: %s",
855 eml_filename, strerror(err)),
74f1a423 856 malware_daemon_ctx.sock);
0f0c8159
JH		 857 }
858 (void)close(drweb_fd);
b1f8e4f8 859
0f0c8159 860 /* send file body to socket */
74f1a423 861 if (send(malware_daemon_ctx.sock, drweb_fbuf, fsize, 0) < 0)
4e71661f 862 {
0f0c8159 863 free(drweb_fbuf);
ad93c40f 864 return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159 865 "unable to send file body to socket (%s)", scanner_options),
74f1a423 866 malware_daemon_ctx.sock);
0f0c8159 867 }
0f0c8159
JH		 868 }
869 else
870 {
871 drweb_slen = htonl(Ustrlen(eml_filename));
b1f8e4f8 872
e1d04f48 873 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
0f0c8159 874 scanner_name, scanner_options);
b1f8e4f8 875
0f0c8159 876 /* send scan request */
74f1a423
JH		 877 if ((send(malware_daemon_ctx.sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
878 (send(malware_daemon_ctx.sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
879 (send(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
880 (send(malware_daemon_ctx.sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
881 (send(malware_daemon_ctx.sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
ad93c40f 882 return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159 883 "unable to send commands to socket (%s)", scanner_options),
74f1a423 884 malware_daemon_ctx.sock);
0f0c8159 885 }
b1f8e4f8 886
0f0c8159 887 /* wait for result */
74f1a423 888 if (!recv_len(malware_daemon_ctx.sock, &drweb_rc, sizeof(drweb_rc), tmo))
ad93c40f 889 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 890 US"unable to read return code", malware_daemon_ctx.sock);
0f0c8159
JH		 891 drweb_rc = ntohl(drweb_rc);
892
74f1a423 893 if (!recv_len(malware_daemon_ctx.sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
ad93c40f 894 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 895 US"unable to read the number of viruses", malware_daemon_ctx.sock);
0f0c8159
JH		 896 drweb_vnum = ntohl(drweb_vnum);
897
898 /* "virus(es) found" if virus number is > 0 */
899 if (drweb_vnum)
900 {
901 int i;
acec9514 902 gstring * g = NULL;
b1f8e4f8 903
0f0c8159
JH		 904 /* setup default virus name */
905 malware_name = US"unknown";
b1f8e4f8 906
0f0c8159 907 /* set up match regex */
476be7e2
JH		 908 if (!drweb_re)
909 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
b1f8e4f8 910
0f0c8159
JH		 911 /* read and concatenate virus names into one string */
912 for (i = 0; i < drweb_vnum; i++)
4e71661f 913 {
acec9514
JH		 914 int ovector[10*3];
915
0f0c8159 916 /* read the size of report */
74f1a423 917 if (!recv_len(malware_daemon_ctx.sock, &drweb_slen, sizeof(drweb_slen), tmo))
ad93c40f 918 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 919 US"cannot read report size", malware_daemon_ctx.sock);
0f0c8159
JH		 920 drweb_slen = ntohl(drweb_slen);
921 tmpbuf = store_get(drweb_slen);
b1f8e4f8 922
0f0c8159 923 /* read report body */
74f1a423 924 if (!recv_len(malware_daemon_ctx.sock, tmpbuf, drweb_slen, tmo))
ad93c40f 925 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 926 US"cannot read report string", malware_daemon_ctx.sock);
0f0c8159 927 tmpbuf[drweb_slen] = '\0';
8544e77a 928
0f0c8159
JH		 929 /* try matcher on the line, grab substring */
930 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
c11d665d 931 ovector, nelem(ovector));
0f0c8159
JH		 932 if (result >= 2)
933 {
934 const char * pre_malware_nb;
8e669ac1 935
0f0c8159 936 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
8e669ac1 937
0f0c8159 938 if (i==0) /* the first name we just copy to malware_name */
b2bcdd35 939 g = string_cat(NULL, US pre_malware_nb);
8e669ac1 940
acec9514 941 /*XXX could be string_append_listele? */
0f0c8159 942 else /* concatenate each new virus name to previous */
acec9514 943 g = string_append(g, 2, "/", pre_malware_nb);
8e669ac1 944
0f0c8159
JH		 945 pcre_free_substring(pre_malware_nb);
946 }
947 }
acec9514 948 malware_name = string_from_gstring(g);
0f0c8159
JH		 949 }
950 else
951 {
952 const char *drweb_s = NULL;
953
954 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
955 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
956 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
957 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
958 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
959 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
960 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
961 * and others are ignored */
962 if (drweb_s)
ad93c40f 963 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 964 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
74f1a423 965 malware_daemon_ctx.sock);
8e669ac1 966
0f0c8159 967 /* no virus found */
b1f8e4f8 968 malware_name = NULL;
0f0c8159
JH		 969 }
970 break;
971 } /* drweb */
c11d665d 972#endif
8e669ac1 973
c11d665d 974#ifndef DISABLE_MAL_AVE
0f0c8159
JH		 975 case M_AVES: /* "aveserver" scanner type -------------------------------- */
976 {
977 uschar buf[32768];
978 int result;
8544e77a 979
0f0c8159
JH		 980 /* read aveserver's greeting and see if it is ready (2xx greeting) */
981 buf[0] = 0;
74f1a423 982 recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
8544e77a 983
0f0c8159 984 if (buf[0] != '2') /* aveserver is having problems */
ad93c40f 985 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 986 string_sprintf("unavailable (Responded: %s).",
5903c6ff 987 ((buf[0] != 0) ? buf : US "nothing") ),
74f1a423 988 malware_daemon_ctx.sock);
8e669ac1 989
0f0c8159
JH		 990 /* prepare our command */
991 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
992 eml_filename);
993
994 /* and send it */
e1d04f48 995 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
0f0c8159 996 scanner_name, buf);
74f1a423 997 if (m_sock_send(malware_daemon_ctx.sock, buf, Ustrlen(buf), &errstr) < 0)
ad93c40f 998 return m_panic_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 999
1000 malware_name = NULL;
1001 result = 0;
1002 /* read response lines, find malware name and final response */
74f1a423 1003 while (recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo) > 0)
0f0c8159
JH		 1004 {
1005 if (buf[0] == '2')
1006 break;
1007 if (buf[0] == '5') /* aveserver is having problems */
4e71661f 1008 {
ad93c40f 1009 result = m_panic_defer(scanent, CUS callout_address,
0f0c8159
JH		 1010 string_sprintf("unable to scan file %s (Responded: %s).",
1011 eml_filename, buf));
1012 break;
4e71661f 1013 }
0f0c8159
JH		 1014 if (Ustrncmp(buf,"322",3) == 0)
1015 {
1016 uschar *p = Ustrchr(&buf[4], ' ');
1017 *p = '\0';
1018 malware_name = string_copy(&buf[4]);
1019 }
1020 }
1021
74f1a423 1022 if (m_sock_send(malware_daemon_ctx.sock, US"quit\r\n", 6, &errstr) < 0)
ad93c40f 1023 return m_panic_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 1024
1025 /* read aveserver's greeting and see if it is ready (2xx greeting) */
1026 buf[0] = 0;
74f1a423 1027 recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo);
0f0c8159
JH		 1028
1029 if (buf[0] != '2') /* aveserver is having problems */
ad93c40f 1030 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1031 string_sprintf("unable to quit dialogue (Responded: %s).",
5903c6ff 1032 ((buf[0] != 0) ? buf : US "nothing") ),
74f1a423 1033 malware_daemon_ctx.sock);
0f0c8159
JH		 1034
1035 if (result == DEFER)
1036 {
74f1a423 1037 (void)close(malware_daemon_ctx.sock);
0f0c8159
JH		 1038 return DEFER;
1039 }
1040 break;
b1f8e4f8 1041 } /* aveserver */
c11d665d 1042#endif
8e669ac1 1043
c11d665d 1044#ifndef DISABLE_MAL_FSECURE
b1f8e4f8
JH		 1045 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
1046 {
0f0c8159
JH		 1047 int i, j, bread = 0;
1048 uschar * file_name;
1049 uschar av_buffer[1024];
0f0c8159
JH		 1050 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
1051 US"CONFIGURE\tTIMEOUT\t0\n",
1052 US"CONFIGURE\tMAXARCH\t5\n",
1053 US"CONFIGURE\tMIME\t1\n" };
1054
1055 malware_name = NULL;
1056
e1d04f48 1057 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159
JH		 1058 scanner_name, scanner_options);
1059 /* pass options */
1060 memset(av_buffer, 0, sizeof(av_buffer));
c11d665d 1061 for (i = 0; i != nelem(cmdopt); i++)
0f0c8159 1062 {
b1f8e4f8 1063
74f1a423 1064 if (m_sock_send(malware_daemon_ctx.sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
ad93c40f 1065 return m_panic_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1066
74f1a423 1067 bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
0f0c8159
JH		 1068 if (bread > 0) av_buffer[bread]='\0';
1069 if (bread < 0)
ad93c40f 1070 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1071 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
74f1a423 1072 malware_daemon_ctx.sock);
0f0c8159
JH		 1073 for (j = 0; j < bread; j++)
1074 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
1075 av_buffer[j] ='@';
1076 }
8e669ac1 1077
0f0c8159
JH		 1078 /* pass the mailfile to fsecure */
1079 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
b1f8e4f8 1080
74f1a423 1081 if (m_sock_send(malware_daemon_ctx.sock, file_name, Ustrlen(file_name), &errstr) < 0)
ad93c40f 1082 return m_panic_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1083
0f0c8159
JH		 1084 /* set up match */
1085 /* todo also SUSPICION\t */
476be7e2
JH		 1086 if (!fsec_re)
1087 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
b1f8e4f8 1088
0f0c8159
JH		 1089 /* read report, linewise. Apply a timeout as the Fsecure daemon
1090 sometimes wants an answer to "PING" but they won't tell us what */
fd02dc0e 1091 {
0f0c8159
JH		 1092 uschar * p = av_buffer;
1093 uschar * q;
fd02dc0e 1094
0f0c8159
JH		 1095 for (;;)
1096 {
80591636 1097 errno = ETIMEDOUT;
0f0c8159 1098 i = av_buffer+sizeof(av_buffer)-p;
74f1a423 1099 if ((bread= ip_recv(&malware_daemon_ctx, p, i-1, tmo-time(NULL))) < 0)
ad93c40f 1100 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1101 string_sprintf("unable to read result (%s)", strerror(errno)),
74f1a423 1102 malware_daemon_ctx.sock);
b1f8e4f8 1103
755762fd 1104 for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
0f0c8159
JH		 1105 {
1106 *q = '\0';
fd02dc0e 1107
0f0c8159
JH		 1108 /* Really search for virus again? */
1109 if (!malware_name)
1110 /* try matcher on the line, grab substring */
476be7e2 1111 malware_name = m_pcre_exec(fsec_re, p);
fd02dc0e 1112
0f0c8159
JH		 1113 if (Ustrstr(p, "OK\tScan ok."))
1114 goto fsec_found;
1115 }
fd02dc0e 1116
0f0c8159
JH		 1117 /* copy down the trailing partial line then read another chunk */
1118 i = av_buffer+sizeof(av_buffer)-p;
1119 memmove(av_buffer, p, i);
1120 p = av_buffer+i;
fd02dc0e 1121 }
b1f8e4f8 1122 }
fd02dc0e
JH		 1123
1124 fsec_found:
b1f8e4f8
JH		 1125 break;
1126 } /* fsecure */
c11d665d 1127#endif
599dcb77 1128
c11d665d 1129#ifndef DISABLE_MAL_KAV
b1f8e4f8
JH		 1130 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
1131 {
0f0c8159
JH		 1132 time_t t;
1133 uschar tmpbuf[1024];
1134 uschar * scanrequest;
1135 int kav_rc;
2decbec9
RC		 1136 unsigned long kav_reportlen;
1137 int bread;
0f0c8159
JH		 1138 const pcre *kav_re;
1139 uschar *p;
1140
1141 /* get current date and time, build scan request */
1142 time(&t);
1143 /* pdp note: before the eml_filename parameter, this scanned the
1144 directory; not finding documentation, so we'll strip off the directory.
1145 The side-effect is that the test framework scanning may end up in
1146 scanning more than was requested, but for the normal interface, this is
1147 fine. */
1148
1149 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
1150 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
1151 p = Ustrrchr(scanrequest, '/');
1152 if (p)
1153 *p = '\0';
1154
e1d04f48 1155 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159
JH		 1156 scanner_name, scanner_options);
1157
1158 /* send scan request */
74f1a423 1159 if (m_sock_send(malware_daemon_ctx.sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
ad93c40f 1160 return m_panic_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1161
0f0c8159 1162 /* wait for result */
74f1a423 1163 if (!recv_len(malware_daemon_ctx.sock, tmpbuf, 2, tmo))
ad93c40f 1164 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1165 US"unable to read 2 bytes from socket.", malware_daemon_ctx.sock);
b1f8e4f8 1166
0f0c8159
JH		 1167 /* get errorcode from one nibble */
1168 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
1169 switch(kav_rc)
1170 {
1171 case 5: case 6: /* improper kavdaemon configuration */
ad93c40f 1172 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1173 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
74f1a423 1174 malware_daemon_ctx.sock);
0f0c8159 1175 case 1:
ad93c40f 1176 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1177 US"reported 'scanning not completed' (code 1).", malware_daemon_ctx.sock);
0f0c8159 1178 case 7:
ad93c40f 1179 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1180 US"reported 'kavdaemon damaged' (code 7).", malware_daemon_ctx.sock);
0f0c8159 1181 }
b1f8e4f8 1182
4c04137d 1183 /* code 8 is not handled, since it is ambiguous. It appears mostly on
0f0c8159 1184 bounces where part of a file has been cut off */
b1f8e4f8 1185
0f0c8159
JH		 1186 /* "virus found" return codes (2-4) */
1187 if (kav_rc > 1 && kav_rc < 5)
b1f8e4f8 1188 {
0f0c8159 1189 int report_flag = 0;
599dcb77 1190
0f0c8159
JH		 1191 /* setup default virus name */
1192 malware_name = US"unknown";
b1f8e4f8 1193
0f0c8159 1194 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
b1f8e4f8 1195
0f0c8159
JH		 1196 /* read the report, if available */
1197 if (report_flag == 1)
1198 {
1199 /* read report size */
74f1a423 1200 if (!recv_len(malware_daemon_ctx.sock, &kav_reportlen, 4, tmo))
ad93c40f 1201 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1202 US"cannot read report size", malware_daemon_ctx.sock);
b1f8e4f8 1203
0f0c8159
JH		 1204 /* it's possible that avp returns av_buffer[1] == 1 but the
1205 reportsize is 0 (!?) */
1206 if (kav_reportlen > 0)
4e71661f 1207 {
0f0c8159 1208 /* set up match regex, depends on retcode */
476be7e2
JH		 1209 if (kav_rc == 3)
1210 {
1211 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
1212 kav_re = kav_re_sus;
1213 }
1214 else
1215 {
1216 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1217 kav_re = kav_re_inf;
1218 }
0f0c8159 1219
6e92b3ae
JH		 1220 /* read report, linewise. Using size from stream to read amount of data
1221 from same stream is safe enough. */
1222 /* coverity[tainted_data] */
0f0c8159 1223 while (kav_reportlen > 0)
4e71661f 1224 {
74f1a423 1225 if ((bread = recv_line(malware_daemon_ctx.sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
0f0c8159
JH		 1226 break;
1227 kav_reportlen -= bread+1;
1228
1229 /* try matcher on the line, grab substring */
1230 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1231 break;
b1f8e4f8
JH		 1232 }
1233 }
1234 }
0f0c8159
JH		 1235 }
1236 else /* no virus found */
1237 malware_name = NULL;
599dcb77 1238
0f0c8159 1239 break;
599dcb77 1240 }
c11d665d 1241#endif
8544e77a 1242
c11d665d 1243#ifndef DISABLE_MAL_CMDLINE
b1f8e4f8
JH		 1244 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1245 {
0f0c8159
JH		 1246 const uschar *cmdline_scanner = scanner_options;
1247 const pcre *cmdline_trigger_re;
1248 const pcre *cmdline_regex_re;
1249 uschar * file_name;
1250 uschar * commandline;
1251 void (*eximsigchld)(int);
1252 void (*eximsigpipe)(int);
1253 FILE *scanner_out = NULL;
1254 int scanner_fd;
1255 FILE *scanner_record = NULL;
1256 uschar linebuffer[32767];
1257 int rcnt;
1258 int trigger = 0;
1259 uschar *p;
1260
1261 if (!cmdline_scanner)
ad93c40f 1262 return m_panic_defer(scanent, NULL, errstr);
b1f8e4f8 1263
0f0c8159
JH		 1264 /* find scanner output trigger */
1265 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1266 "missing trigger specification", &errstr);
1267 if (!cmdline_trigger_re)
ad93c40f 1268 return m_panic_defer(scanent, NULL, errstr);
b1f8e4f8 1269
0f0c8159
JH		 1270 /* find scanner name regex */
1271 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1272 "missing virus name regex specification", &errstr);
1273 if (!cmdline_regex_re)
ad93c40f 1274 return m_panic_defer(scanent, NULL, errstr);
b1f8e4f8 1275
0f0c8159
JH		 1276 /* prepare scanner call; despite the naming, file_name holds a directory
1277 name which is documented as the value given to %s. */
b1f8e4f8 1278
0f0c8159
JH		 1279 file_name = string_copy(eml_filename);
1280 p = Ustrrchr(file_name, '/');
1281 if (p)
1282 *p = '\0';
1283 commandline = string_sprintf(CS cmdline_scanner, file_name);
b1f8e4f8 1284
0f0c8159
JH		 1285 /* redirect STDERR too */
1286 commandline = string_sprintf("%s 2>&1", commandline);
b1f8e4f8 1287
e1d04f48 1288 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159 1289 scanner_name, commandline);
b1f8e4f8 1290
0f0c8159
JH		 1291 /* store exims signal handlers */
1292 eximsigchld = signal(SIGCHLD,SIG_DFL);
1293 eximsigpipe = signal(SIGPIPE,SIG_DFL);
b1f8e4f8 1294
0f0c8159
JH		 1295 if (!(scanner_out = popen(CS commandline,"r")))
1296 {
1297 int err = errno;
1298 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
ad93c40f 1299 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 1300 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1301 }
1302 scanner_fd = fileno(scanner_out);
94a18f28 1303
040721f2 1304 file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
b1f8e4f8 1305
0f0c8159
JH		 1306 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1307 {
1308 int err = errno;
1309 (void) pclose(scanner_out);
1310 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
ad93c40f 1311 return m_panic_defer(scanent, NULL, string_sprintf(
0f0c8159
JH		 1312 "opening scanner output file (%s) failed: %s.",
1313 file_name, strerror(err)));
1314 }
8e669ac1 1315
0f0c8159
JH		 1316 /* look for trigger while recording output */
1317 while ((rcnt = recv_line(scanner_fd, linebuffer,
1318 sizeof(linebuffer), tmo)))
1319 {
1320 if (rcnt < 0)
93a6fce2
JH		 1321 {
1322 int err = errno;
0f0c8159
JH		 1323 if (rcnt == -1)
1324 break;
93a6fce2
JH		 1325 (void) pclose(scanner_out);
1326 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
ad93c40f 1327 return m_panic_defer(scanent, NULL, string_sprintf(
93a6fce2
JH		 1328 "unable to read from scanner (%s): %s",
1329 commandline, strerror(err)));
1330 }
4e71661f 1331
0f0c8159
JH		 1332 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1333 {
1334 /* short write */
1335 (void) pclose(scanner_out);
1336 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
ad93c40f 1337 return m_panic_defer(scanent, NULL, string_sprintf(
0f0c8159 1338 "short write on scanner output file (%s).", file_name));
4e71661f 1339 }
0f0c8159
JH		 1340 putc('\n', scanner_record);
1341 /* try trigger match */
1342 if ( !trigger
1343 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1344 )
1345 trigger = 1;
1346 }
8e669ac1 1347
0f0c8159
JH		 1348 (void)fclose(scanner_record);
1349 sep = pclose(scanner_out);
1350 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1351 if (sep != 0)
ad93c40f 1352 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 1353 sep == -1
1354 ? string_sprintf("running scanner failed: %s", strerror(sep))
1355 : string_sprintf("scanner returned error code: %d", sep));
b1f8e4f8 1356
0f0c8159
JH		 1357 if (trigger)
1358 {
1359 uschar * s;
1360 /* setup default virus name */
1361 malware_name = US"unknown";
b1f8e4f8 1362
0f0c8159
JH		 1363 /* re-open the scanner output file, look for name match */
1364 scanner_record = fopen(CS file_name, "rb");
1365 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1366 {
1367 /* try match */
1368 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1369 malware_name = s;
4e71661f 1370 }
0f0c8159
JH		 1371 (void)fclose(scanner_record);
1372 }
1373 else /* no virus found */
1374 malware_name = NULL;
1375 break;
b1f8e4f8 1376 } /* cmdline */
c11d665d 1377#endif
599dcb77 1378
c11d665d 1379#ifndef DISABLE_MAL_SOPHIE
b1f8e4f8
JH		 1380 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1381 {
0f0c8159
JH		 1382 int bread = 0;
1383 uschar *p;
1384 uschar * file_name;
1385 uschar av_buffer[1024];
b1f8e4f8 1386
0f0c8159
JH		 1387 /* pass the scan directory to sophie */
1388 file_name = string_copy(eml_filename);
1389 if ((p = Ustrrchr(file_name, '/')))
1390 *p = '\0';
b1f8e4f8 1391
e1d04f48 1392 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
0f0c8159 1393 scanner_name, scanner_options);
b1f8e4f8 1394
74f1a423
JH		 1395 if ( write(malware_daemon_ctx.sock, file_name, Ustrlen(file_name)) < 0
1396 || write(malware_daemon_ctx.sock, "\n", 1) != 1
0f0c8159 1397 )
ad93c40f 1398 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1399 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
74f1a423 1400 malware_daemon_ctx.sock);
b1f8e4f8 1401
0f0c8159
JH		 1402 /* wait for result */
1403 memset(av_buffer, 0, sizeof(av_buffer));
74f1a423 1404 if ((bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
ad93c40f 1405 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1406 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
74f1a423 1407 malware_daemon_ctx.sock);
0f0c8159
JH		 1408
1409 /* infected ? */
1410 if (av_buffer[0] == '1') {
1411 uschar * s = Ustrchr(av_buffer, '\n');
1412 if (s)
1413 *s = '\0';
1414 malware_name = string_copy(&av_buffer[2]);
1415 }
1416 else if (!strncmp(CS av_buffer, "-1", 2))
ad93c40f 1417 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1418 US"scanner reported error", malware_daemon_ctx.sock);
0f0c8159
JH		 1419 else /* all ok, no virus */
1420 malware_name = NULL;
599dcb77 1421
0f0c8159 1422 break;
8544e77a 1423 }
c11d665d 1424#endif
8e669ac1 1425
c11d665d 1426#ifndef DISABLE_MAL_CLAM
b1f8e4f8
JH		 1427 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1428 {
0f0c8159
JH		 1429/* This code was originally contributed by David Saez */
1430/* There are three scanning methods available to us:
1431* (1) Use the SCAN command, pointing to a file in the filesystem
1432* (2) Use the STREAM command, send the data on a separate port
1433* (3) Use the zINSTREAM command, send the data inline
1434* The zINSTREAM command was introduced with ClamAV 0.95, which marked
1435* STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1436* In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
e5ba8aa7 1437* the TCP-connected daemon is actually local; otherwise we use zINSTREAM
0f0c8159
JH		 1438* See Exim bug 926 for details. */
1439
80591636 1440 uschar *p, *vname, *result_tag;
0f0c8159 1441 int bread=0;
0f0c8159
JH		 1442 uschar av_buffer[1024];
1443 uschar *hostname = US"";
1444 host_item connhost;
1445 uschar *clamav_fbuf;
1446 int clam_fd, result;
1447 off_t fsize;
1448 unsigned int fsize_uint;
1449 BOOL use_scan_command = FALSE;
8a512ed5 1450 clamd_address * cv[MAX_CLAMD_SERVERS];
0f0c8159 1451 int num_servers = 0;
0f0c8159 1452 uint32_t send_size, send_final_zeroblock;
4a5cbaff 1453 blob cmd_str;
0f0c8159 1454
8a512ed5
JH		 1455 /*XXX if unixdomain socket, only one server supported. Needs fixing;
1456 there's no reason we should not mix local and remote servers */
1457
0f0c8159 1458 if (*scanner_options == '/')
8a512ed5
JH		 1459 {
1460 clamd_address * cd;
1461 const uschar * sublist;
1462 int subsep = ' ';
1463
0f0c8159
JH		 1464 /* Local file; so we def want to use_scan_command and don't want to try
1465 * passing IP/port combinations */
1466 use_scan_command = TRUE;
8a512ed5
JH		 1467 cd = (clamd_address *) store_get(sizeof(clamd_address));
1468
1469 /* extract socket-path part */
1470 sublist = scanner_options;
1471 cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
1472
1473 /* parse options */
1474 if (clamd_option(cd, sublist, &subsep) != OK)
ad93c40f 1475 return m_panic_defer(scanent, NULL,
8a512ed5
JH		 1476 string_sprintf("bad option '%s'", scanner_options));
1477 cv[0] = cd;
1478 }
0f0c8159
JH		 1479 else
1480 {
0f0c8159
JH		 1481 /* Go through the rest of the list of host/port and construct an array
1482 * of servers to try. The first one is the bit we just passed from
1483 * scanner_options so process that first and then scan the remainder of
1484 * the address buffer */
1485 do
4e71661f 1486 {
8a512ed5
JH		 1487 clamd_address * cd;
1488 const uschar * sublist;
1489 int subsep = ' ';
1490 uschar * s;
b1f8e4f8 1491
0f0c8159
JH		 1492 /* The 'local' option means use the SCAN command over the network
1493 * socket (ie common file storage in use) */
8a512ed5
JH		 1494 /*XXX we could accept this also as a local option? */
1495 if (strcmpic(scanner_options, US"local") == 0)
0f0c8159
JH		 1496 {
1497 use_scan_command = TRUE;
1498 continue;
1499 }
b1f8e4f8 1500
8a512ed5 1501 cd = (clamd_address *) store_get(sizeof(clamd_address));
b1f8e4f8 1502
0f0c8159 1503 /* extract host and port part */
8a512ed5
JH		 1504 sublist = scanner_options;
1505 if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
1506 {
ad93c40f 1507 (void) m_panic_defer(scanent, NULL,
8a512ed5
JH		 1508 string_sprintf("missing address: '%s'", scanner_options));
1509 continue;
1510 }
1511 if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
0f0c8159 1512 {
ad93c40f 1513 (void) m_panic_defer(scanent, NULL,
8a512ed5
JH		 1514 string_sprintf("missing port: '%s'", scanner_options));
1515 continue;
1516 }
93a6fce2 1517 cd->tcp_port = atoi(CS s);
8a512ed5
JH		 1518
1519 /* parse options */
1520 /*XXX should these options be common over scanner types? */
1521 if (clamd_option(cd, sublist, &subsep) != OK)
ad93c40f 1522 return m_panic_defer(scanent, NULL,
8a512ed5 1523 string_sprintf("bad option '%s'", scanner_options));
b1f8e4f8 1524
8a512ed5 1525 cv[num_servers++] = cd;
0f0c8159
JH		 1526 if (num_servers >= MAX_CLAMD_SERVERS)
1527 {
ad93c40f 1528 (void) m_panic_defer(scanent, NULL,
0f0c8159
JH		 1529 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1530 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1531 break;
1532 }
8a512ed5
JH		 1533 } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1534 NULL, 0)));
8e669ac1 1535
0f0c8159
JH		 1536 /* check if we have at least one server */
1537 if (!num_servers)
ad93c40f 1538 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 1539 US"no useable server addresses in malware configuration option.");
1540 }
b1f8e4f8 1541
0f0c8159
JH		 1542 /* See the discussion of response formats below to see why we really
1543 don't like colons in filenames when passing filenames to ClamAV. */
1544 if (use_scan_command && Ustrchr(eml_filename, ':'))
ad93c40f 1545 return m_panic_defer(scanent, NULL,
0f0c8159
JH		 1546 string_sprintf("local/SCAN mode incompatible with" \
1547 " : in path to email filename [%s]", eml_filename));
b1f8e4f8 1548
4a5cbaff
JH		 1549 /* Set up the very first data we will be sending */
1550 if (!use_scan_command)
4a5cbaff 1551 { cmd_str.data = US"zINSTREAM"; cmd_str.len = 10; }
4a5cbaff
JH		 1552 else
1553 {
1554 cmd_str.data = string_sprintf("SCAN %s\n", eml_filename);
1555 cmd_str.len = Ustrlen(cmd_str.data);
1556 }
1557
0f0c8159
JH		 1558 /* We have some network servers specified */
1559 if (num_servers)
1560 {
1561 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1562 * only supports AF_INET, but we should probably be looking to the
1563 * future and rewriting this to be protocol-independent anyway. */
b1f8e4f8 1564
0f0c8159
JH		 1565 while (num_servers > 0)
1566 {
4a5cbaff 1567 int i = random_number(num_servers);
8a512ed5 1568 clamd_address * cd = cv[i];
b1f8e4f8 1569
e1d04f48 1570 DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
8a512ed5 1571 cd->hostspec, cd->tcp_port);
0f0c8159
JH		 1572
1573 /* Lookup the host. This is to ensure that we connect to the same IP
1574 * on both connections (as one host could resolve to multiple ips) */
8a512ed5 1575 for (;;)
0f0c8159 1576 {
b536a578 1577 /*XXX we trust that the cmd_str is ideempotent */
74f1a423 1578 if ((malware_daemon_ctx.sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
4a5cbaff 1579 &connhost, &errstr, &cmd_str)) >= 0)
8a512ed5
JH		 1580 {
1581 /* Connection successfully established with a server */
1582 hostname = cd->hostspec;
4a5cbaff 1583 cmd_str.len = 0;
8a512ed5
JH		 1584 break;
1585 }
1586 if (cd->retry <= 0) break;
1587 while (cd->retry > 0) cd->retry = sleep(cd->retry);
4e71661f 1588 }
74f1a423 1589 if (malware_daemon_ctx.sock >= 0)
8a512ed5 1590 break;
b1f8e4f8 1591
ad93c40f 1592 (void) m_panic_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 1593
1594 /* Remove the server from the list. XXX We should free the memory */
1595 num_servers--;
8a512ed5
JH		 1596 for (; i < num_servers; i++)
1597 cv[i] = cv[i+1];
4e71661f 1598 }
8e669ac1 1599
0f0c8159 1600 if (num_servers == 0)
ad93c40f 1601 return m_panic_defer(scanent, NULL, US"all servers failed");
0f0c8159
JH		 1602 }
1603 else
8a512ed5
JH		 1604 for (;;)
1605 {
74f1a423 1606 if ((malware_daemon_ctx.sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
8a512ed5
JH		 1607 {
1608 hostname = cv[0]->hostspec;
1609 break;
1610 }
1611 if (cv[0]->retry <= 0)
ad93c40f 1612 return m_panic_defer(scanent, CUS callout_address, errstr);
8a512ed5
JH		 1613 while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
1614 }
b1f8e4f8 1615
0f0c8159
JH		 1616 /* have socket in variable "sock"; command to use is semi-independent of
1617 * the socket protocol. We use SCAN if is local (either Unix/local
1618 * domain socket, or explicitly told local) else we stream the data.
1619 * How we stream the data depends upon how we were built. */
1620
1621 if (!use_scan_command)
1622 {
0f0c8159
JH		 1623 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1624 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1625 chunk. */
b1f8e4f8 1626
e1d04f48 1627 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 1628 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1629 scanner_name);
b1f8e4f8 1630
4a5cbaff
JH		 1631 /* Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent */
1632 if (cmd_str.len)
74f1a423 1633 if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
ad93c40f 1634 return m_panic_defer_3(scanent, CUS hostname,
4a5cbaff
JH		 1635 string_sprintf("unable to send zINSTREAM to socket (%s)",
1636 strerror(errno)),
74f1a423 1637 malware_daemon_ctx.sock);
b1f8e4f8 1638
0f0c8159
JH		 1639 /* calc file size */
1640 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1641 {
1642 int err = errno;
ad93c40f 1643 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 1644 string_sprintf("can't open spool file %s: %s",
1645 eml_filename, strerror(err)),
74f1a423 1646 malware_daemon_ctx.sock);
0f0c8159
JH		 1647 }
1648 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1649 {
d315eda1
JH		 1650 int err;
1651b_seek: err = errno;
e5ba8aa7 1652 (void)close(clam_fd);
ad93c40f 1653 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 1654 string_sprintf("can't seek spool file %s: %s",
1655 eml_filename, strerror(err)),
74f1a423 1656 malware_daemon_ctx.sock);
0f0c8159
JH		 1657 }
1658 fsize_uint = (unsigned int) fsize;
1659 if ((off_t)fsize_uint != fsize)
1660 {
e5ba8aa7 1661 (void)close(clam_fd);
ad93c40f 1662 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 1663 string_sprintf("seeking spool file %s, size overflow",
1664 eml_filename),
74f1a423 1665 malware_daemon_ctx.sock);
0f0c8159 1666 }
d315eda1
JH		 1667 if (lseek(clam_fd, 0, SEEK_SET) < 0)
1668 goto b_seek;
b1f8e4f8 1669
40c90bca 1670 if (!(clamav_fbuf = US malloc(fsize_uint)))
0f0c8159 1671 {
e5ba8aa7 1672 (void)close(clam_fd);
ad93c40f 1673 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 1674 string_sprintf("unable to allocate memory %u for file (%s)",
1675 fsize_uint, eml_filename),
74f1a423 1676 malware_daemon_ctx.sock);
0f0c8159 1677 }
b1f8e4f8 1678
0f0c8159
JH		 1679 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1680 {
1681 int err = errno;
e5ba8aa7 1682 free(clamav_fbuf); (void)close(clam_fd);
ad93c40f 1683 return m_panic_defer_3(scanent, NULL,
0f0c8159
JH		 1684 string_sprintf("can't read spool file %s: %s",
1685 eml_filename, strerror(err)),
74f1a423 1686 malware_daemon_ctx.sock);
0f0c8159
JH		 1687 }
1688 (void)close(clam_fd);
b1f8e4f8 1689
0f0c8159 1690 /* send file body to socket */
0f0c8159
JH		 1691 send_size = htonl(fsize_uint);
1692 send_final_zeroblock = 0;
74f1a423
JH		 1693 if ((send(malware_daemon_ctx.sock, &send_size, sizeof(send_size), 0) < 0) ||
1694 (send(malware_daemon_ctx.sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1695 (send(malware_daemon_ctx.sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
0f0c8159 1696 {
b1f8e4f8 1697 free(clamav_fbuf);
ad93c40f 1698 return m_panic_defer_3(scanent, NULL,
0f0c8159 1699 string_sprintf("unable to send file body to socket (%s)", hostname),
74f1a423 1700 malware_daemon_ctx.sock);
4e71661f 1701 }
b1f8e4f8 1702
0f0c8159 1703 free(clamav_fbuf);
0f0c8159
JH		 1704 }
1705 else
1706 { /* use scan command */
1707 /* Send a SCAN command pointing to a filename; then in the then in the
1708 * scan-method-neutral part, read the response back */
1709
1710/* ================================================================= */
1711
1712 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1713 which dates to when ClamAV needed us to break apart the email into the
1714 MIME parts (eg, with the now deprecated demime condition coming first).
1715 Some time back, ClamAV gained the ability to deconstruct the emails, so
1716 doing this would actually have resulted in the mail attachments being
1717 scanned twice, in the broken out files and from the original .eml.
1718 Since ClamAV now handles emails (and has for quite some time) we can
1719 just use the email file itself. */
4a5cbaff 1720 /* Pass the string to ClamAV (7 = "SCAN \n" + \0), if not already sent */
0f0c8159 1721
e1d04f48 1722 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 1723 "Malware scan: issuing %s local-path scan [%s]\n",
1724 scanner_name, scanner_options);
b1f8e4f8 1725
4a5cbaff 1726 if (cmd_str.len)
74f1a423 1727 if (send(malware_daemon_ctx.sock, cmd_str.data, cmd_str.len, 0) < 0)
ad93c40f 1728 return m_panic_defer_3(scanent, CUS callout_address,
4a5cbaff 1729 string_sprintf("unable to write to socket (%s)", strerror(errno)),
74f1a423 1730 malware_daemon_ctx.sock);
b1f8e4f8 1731
0f0c8159
JH		 1732 /* Do not shut down the socket for writing; a user report noted that
1733 * clamd 0.70 does not react well to this. */
1734 }
1735 /* Commands have been sent, no matter which scan method or connection
1736 * type we're using; now just read the result, independent of method. */
1737
1738 /* Read the result */
1739 memset(av_buffer, 0, sizeof(av_buffer));
74f1a423
JH		 1740 bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1741 (void)close(malware_daemon_ctx.sock);
1742 malware_daemon_ctx.sock = -1;
1743 malware_daemon_ctx.tls_ctx = NULL;
0f0c8159
JH		 1744
1745 if (bread <= 0)
ad93c40f 1746 return m_panic_defer(scanent, CUS callout_address,
0f0c8159
JH		 1747 string_sprintf("unable to read from socket (%s)",
1748 errno == 0 ? "EOF" : strerror(errno)));
1749
1750 if (bread == sizeof(av_buffer))
ad93c40f 1751 return m_panic_defer(scanent, CUS callout_address,
0ea02355 1752 US"buffer too small");
0f0c8159
JH		 1753 /* We're now assured of a NULL at the end of av_buffer */
1754
1755 /* Check the result. ClamAV returns one of two result formats.
1756 In the basic mode, the response is of the form:
1757 infected: -> "<filename>: <virusname> FOUND"
1758 not-infected: -> "<filename>: OK"
1759 error: -> "<filename>: <errcode> ERROR
1760 If the ExtendedDetectionInfo option has been turned on, then we get:
1761 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1762 for the infected case. Compare:
1763/tmp/eicar.com: Eicar-Test-Signature FOUND
1764/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1765
1766 In the streaming case, clamd uses the filename "stream" which you should
1767 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1768 client app will replace "stream" with the original filename before returning
1769 results to stdout, but the trace shows the data).
1770
1771 We will assume that the pathname passed to clamd from Exim does not contain
1772 a colon. We will have whined loudly above if the eml_filename does (and we're
1773 passing a filename to clamd). */
1774
1775 if (!(*av_buffer))
ad93c40f 1776 return m_panic_defer(scanent, CUS callout_address,
0ea02355 1777 US"ClamAV returned null");
0f0c8159
JH		 1778
1779 /* strip newline at the end (won't be present for zINSTREAM)
1780 (also any trailing whitespace, which shouldn't exist, but we depend upon
1781 this below, so double-check) */
1782 p = av_buffer + Ustrlen(av_buffer) - 1;
1783 if (*p == '\n') *p = '\0';
1784
e1d04f48 1785 DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
0f0c8159
JH		 1786
1787 while (isspace(*--p) && (p > av_buffer))
1788 *p = '\0';
1789 if (*p) ++p;
0f0c8159
JH		 1790
1791 /* colon in returned output? */
80591636 1792 if(!(p = Ustrchr(av_buffer,':')))
ad93c40f 1793 return m_panic_defer(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 1794 "ClamAV returned malformed result (missing colon): %s",
1795 av_buffer));
1796
1797 /* strip filename */
1798 while (*p && isspace(*++p)) /**/;
1799 vname = p;
1800
1801 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1802 but we should at least be resistant to it. */
1803 p = Ustrrchr(vname, ' ');
1804 result_tag = p ? p+1 : vname;
1805
1806 if (Ustrcmp(result_tag, "FOUND") == 0)
1807 {
1808 /* p should still be the whitespace before the result_tag */
1809 while (isspace(*p)) --p;
1810 *++p = '\0';
1811 /* Strip off the extended information too, which will be in parens
1812 after the virus name, with no intervening whitespace. */
1813 if (*--p == ')')
4e71661f 1814 {
0f0c8159
JH		 1815 /* "(hash:size)", so previous '(' will do; if not found, we have
1816 a curious virus name, but not an error. */
1817 p = Ustrrchr(vname, '(');
1818 if (p)
1819 *p = '\0';
4e71661f 1820 }
0f0c8159 1821 malware_name = string_copy(vname);
e1d04f48 1822 DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
b1f8e4f8 1823
0f0c8159
JH		 1824 }
1825 else if (Ustrcmp(result_tag, "ERROR") == 0)
ad93c40f 1826 return m_panic_defer(scanent, CUS callout_address,
0f0c8159 1827 string_sprintf("ClamAV returned: %s", av_buffer));
b1f8e4f8 1828
0f0c8159
JH		 1829 else if (Ustrcmp(result_tag, "OK") == 0)
1830 {
1831 /* Everything should be OK */
1832 malware_name = NULL;
e1d04f48 1833 DEBUG(D_acl) debug_printf_indent("Malware not found\n");
b1f8e4f8 1834
0f0c8159
JH		 1835 }
1836 else
ad93c40f 1837 return m_panic_defer(scanent, CUS callout_address,
0f0c8159
JH		 1838 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1839
1840 break;
b1f8e4f8 1841 } /* clamd */
c11d665d 1842#endif
b1f8e4f8 1843
c11d665d 1844#ifndef DISABLE_MAL_SOCK
b1f8e4f8 1845 case M_SOCK: /* "sock" scanner type ------------------------------------- */
0f0c8159
JH		 1846 /* This code was derived by Martin Poole from the clamd code contributed
1847 by David Saez and the cmdline code
1848 */
b1f8e4f8 1849 {
0f0c8159
JH		 1850 int bread;
1851 uschar * commandline;
1852 uschar av_buffer[1024];
1853 uschar * linebuffer;
1854 uschar * sockline_scanner;
1855 uschar sockline_scanner_default[] = "%s\n";
1856 const pcre *sockline_trig_re;
1857 const pcre *sockline_name_re;
1858
1859 /* find scanner command line */
ac4d558b
JH		 1860 if ( (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1861 NULL, 0))
1862 && *sockline_scanner
1863 )
0f0c8159
JH		 1864 { /* check for no expansions apart from one %s */
1865 uschar * s = Ustrchr(sockline_scanner, '%');
1866 if (s++)
1867 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
ad93c40f 1868 return m_panic_defer_3(scanent, NULL,
74f1a423 1869 US"unsafe sock scanner call spec", malware_daemon_ctx.sock);
0f0c8159
JH		 1870 }
1871 else
1872 sockline_scanner = sockline_scanner_default;
ac4d558b
JH		 1873 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
1874 string_printing(sockline_scanner));
b1f8e4f8 1875
0f0c8159
JH		 1876 /* find scanner output trigger */
1877 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1878 "missing trigger specification", &errstr);
1879 if (!sockline_trig_re)
74f1a423 1880 return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
b1f8e4f8 1881
0f0c8159
JH		 1882 /* find virus name regex */
1883 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1884 "missing virus name regex specification", &errstr);
1885 if (!sockline_name_re)
74f1a423 1886 return m_panic_defer_3(scanent, NULL, errstr, malware_daemon_ctx.sock);
b1f8e4f8 1887
0f0c8159 1888 /* prepare scanner call - security depends on expansions check above */
040721f2 1889 commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
ac4d558b
JH		 1890 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
1891 string_printing(commandline));
b1f8e4f8 1892
0f0c8159 1893 /* Pass the command string to the socket */
74f1a423 1894 if (m_sock_send(malware_daemon_ctx.sock, commandline, Ustrlen(commandline), &errstr) < 0)
ad93c40f 1895 return m_panic_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1896
0f0c8159 1897 /* Read the result */
74f1a423 1898 bread = ip_recv(&malware_daemon_ctx, av_buffer, sizeof(av_buffer), tmo-time(NULL));
b1f8e4f8 1899
0f0c8159 1900 if (bread <= 0)
ad93c40f 1901 return m_panic_defer_3(scanent, CUS callout_address,
0f0c8159 1902 string_sprintf("unable to read from socket (%s)", strerror(errno)),
74f1a423 1903 malware_daemon_ctx.sock);
b1f8e4f8 1904
0f0c8159 1905 if (bread == sizeof(av_buffer))
ad93c40f 1906 return m_panic_defer_3(scanent, CUS callout_address,
74f1a423 1907 US"buffer too small", malware_daemon_ctx.sock);
0f0c8159
JH		 1908 av_buffer[bread] = '\0';
1909 linebuffer = string_copy(av_buffer);
ac4d558b
JH		 1910 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
1911 string_printing(linebuffer));
b1f8e4f8 1912
0f0c8159
JH		 1913 /* try trigger match */
1914 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1915 {
1916 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1917 malware_name = US "unknown";
ac4d558b
JH		 1918 DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
1919 string_printing(malware_name));
b1f8e4f8 1920 }
0f0c8159
JH		 1921 else /* no virus found */
1922 malware_name = NULL;
1923 break;
8523533c 1924 }
c11d665d 1925#endif
8e669ac1 1926
c11d665d 1927#ifndef DISABLE_MAL_MKS
b1f8e4f8
JH		 1928 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1929 {
0f0c8159
JH		 1930 char *mksd_options_end;
1931 int mksd_maxproc = 1; /* default, if no option supplied */
1932 int retval;
b1f8e4f8 1933
0f0c8159
JH		 1934 if (scanner_options)
1935 {
1936 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1937 if ( *scanner_options == '\0'
1938 || *mksd_options_end != '\0'
1939 || mksd_maxproc < 1
1940 || mksd_maxproc > 32
1941 )
ad93c40f 1942 return m_panic_defer(scanent, CUS callout_address,
0f0c8159
JH		 1943 string_sprintf("invalid option '%s'", scanner_options));
1944 }
8e669ac1 1945
74f1a423 1946 if((malware_daemon_ctx.sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
ad93c40f 1947 return m_panic_defer(scanent, CUS callout_address, errstr);
8e669ac1 1948
0f0c8159 1949 malware_name = NULL;
94a18f28 1950
e1d04f48 1951 DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
94a18f28 1952
74f1a423 1953 if ((retval = mksd_scan_packed(scanent, malware_daemon_ctx.sock, eml_filename, tmo)) != OK)
0f0c8159 1954 {
74f1a423 1955 close (malware_daemon_ctx.sock);
0f0c8159
JH		 1956 return retval;
1957 }
1958 break;
8523533c 1959 }
c11d665d 1960#endif
0f0c8159 1961
c11d665d 1962#ifndef DISABLE_MAL_AVAST
b6fbf22d
JH		 1963 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1964 {
b6fbf22d
JH		 1965 uschar buf[1024];
1966 uschar * scanrequest;
b6fbf22d 1967 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
0f0c8159 1968 int nread;
ad93c40f 1969 uschar * error_message = NULL;
4fe93c4b
HSHR		 1970 BOOL more_data = FALSE;
1971 BOOL strict = TRUE;
b6fbf22d
JH		 1972
1973 /* According to Martin Tuma @avast the protocol uses "escaped
1974 whitespace", that is, every embedded whitespace is backslash
1975 escaped, as well as backslash is protected by backslash.
1976 The returned lines contain the name of the scanned file, a tab
1977 and the [ ] marker.
1978 [+] - not infected
1979 [L] - infected
aded2255 1980 [E] - some error occurred
71bb51e0
HSHR		 1981 Such marker follows the first non-escaped TAB. For more information
1982 see avast-protocol(5)
ad93c40f
HSHR		 1983
1984 We observed two cases:
1985 -> SCAN /file
1986 <- /file [E]0.0 Error 13 Permission denied
1987 <- 451 SCAN Engine error 13 permission denied
1988
1989 -> SCAN /file
1990 <- /file… [E]3.0 Error 41120 The file is a decompression bomb
1991 <- /file… [+]2.0
1992 <- /file… [+]2.0 0 Eicar Test Virus!!!
1993 <- 200 SCAN OK
1994
1995 If the scanner returns 4xx, DEFER is a good decision, combined
1996 with a panic log entry, to get the admin's attention.
1997
1998 If the scanner returns 200, we reject it as malware, if found any,
1999 or, in case of an error, we set the malware message to the error
2000 string.
2001
2002 Some of the >= 42000 errors are message related - usually some
2003 broken archives etc, but some of them are e.g. license related.
2004 Once the license expires the engine starts returning errors for
2005 every scanning attempt. I¹ have the full list of the error codes
2006 but it is not a public API and is subject to change. It is hard
2007 for me to say what you should do in case of an engine error. You
2008 can have a “Treat * unscanned file as infection” policy or “Treat
2009 unscanned file as clean” policy. ¹) Jakub Bednar
2010
2011 */
2012
476be7e2
JH		 2013 if ( ( !ava_re_clean
2014 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
2015 || ( !ava_re_virus
2016 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
ad93c40f
HSHR		 2017 || ( !ava_re_error
2018 && !(ava_re_error = m_pcre_compile(ava_re_error_str, &errstr)))
b6fbf22d 2019 )
ad93c40f 2020 return malware_panic_defer(errstr);
b6fbf22d
JH		 2021
2022 /* wait for result */
0f0c8159 2023 for (avast_stage = AVA_HELO;
74f1a423 2024 (nread = recv_line(malware_daemon_ctx.sock, buf, sizeof(buf), tmo)) > 0;
0f0c8159 2025 )
b6fbf22d
JH		 2026 {
2027 int slen = Ustrlen(buf);
94431adb 2028 if (slen >= 1)
b6fbf22d 2029 {
71bb51e0
HSHR		 2030
2031 /* Multi line responses are bracketed between 210 … and nnn … */
2032 if (Ustrncmp(buf, "210", 3) == 0)
2033 {
2034 more_data = 1;
2035 continue;
2036 }
2037 else if (more_data && isdigit(buf[0])) more_data = 0;
2038
b6fbf22d
JH		 2039 switch (avast_stage)
2040 {
2041 case AVA_HELO:
71bb51e0 2042 if (more_data) continue;
b6fbf22d
JH		 2043 if (Ustrncmp(buf, "220", 3) != 0)
2044 goto endloop; /* require a 220 */
2045 goto sendreq;
2046
2047 case AVA_OPT:
71bb51e0 2048 if (more_data) continue;
b6fbf22d
JH		 2049 if (Ustrncmp(buf, "200", 3) != 0)
2050 goto endloop; /* require a 200 */
2051
2052 sendreq:
2053 {
2054 int len;
2055 /* Check for another option to send. Newline-terminate it. */
2056 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
2057 NULL, 0)))
2058 {
eb445b04
HSHR		 2059 if (Ustrcmp(scanrequest, "pass_unscanned") == 0)
2060 {
2061 DEBUG(D_acl) debug_printf_indent("pass unscanned files as clean\n");
2062 strict = FALSE;
2063 goto sendreq;
2064 }
b6fbf22d
JH		 2065 scanrequest = string_sprintf("%s\n", scanrequest);
2066 avast_stage = AVA_OPT; /* just sent option */
71bb51e0 2067 DEBUG(D_acl) debug_printf_indent("send to avast OPTION: %s", scanrequest);
b6fbf22d
JH		 2068 }
2069 else
2070 {
040721f2 2071 scanrequest = string_sprintf("SCAN %s\n", eml_dir);
b6fbf22d 2072 avast_stage = AVA_RSP; /* just sent command */
71bb51e0 2073 DEBUG(D_acl) debug_printf_indent("send to avast REQUEST: SCAN %s\n", eml_dir);
b6fbf22d
JH		 2074 }
2075
2076 /* send config-cmd or scan-request to socket */
2077 len = Ustrlen(scanrequest);
74f1a423 2078 if (send(malware_daemon_ctx.sock, scanrequest, len, 0) == -1)
b6fbf22d
JH		 2079 {
2080 scanrequest[len-1] = '\0';
ad93c40f 2081 return m_panic_defer_3(scanent, CUS callout_address, string_sprintf(
b6fbf22d 2082 "unable to send request '%s' to socket (%s): %s",
74f1a423 2083 scanrequest, scanner_options, strerror(errno)), malware_daemon_ctx.sock);
b6fbf22d
JH		 2084 }
2085 break;
2086 }
2087
2088 case AVA_RSP:
71bb51e0 2089
91e974f5 2090 if (isdigit(buf[0])) /* We're done */
71bb51e0 2091 goto endloop;
71bb51e0 2092
91e974f5 2093 if (malware_name) /* Nothing else matters, just read on */
ad93c40f 2094 break;
b6fbf22d 2095
91e974f5 2096 if (pcre_exec(ava_re_clean, NULL, CS buf, slen, 0, 0, NULL, 0) == 0)
b6fbf22d
JH		 2097 break;
2098
4fe93c4b 2099 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
ad93c40f
HSHR		 2100 {
2101 unescape(malware_name);
2102 DEBUG(D_acl)
2103 debug_printf_indent("unescaped malware name: '%s'\n", malware_name);
2104 break;
2105 }
2106
91e974f5 2107 if (strict) /* treat scanner errors as malware */
ad93c40f 2108 {
4fe93c4b 2109 if ((malware_name = m_pcre_exec(ava_re_error, buf)))
91e974f5
HSHR		 2110 {
2111 unescape(malware_name);
2112 DEBUG(D_acl)
2113 debug_printf_indent("unescaped error message: '%s'\n", malware_name);
2114 break;
2115 }
ad93c40f 2116 }
91e974f5 2117 else if (pcre_exec(ava_re_error, NULL, CS buf, slen, 0, 0, NULL, 0) == 0)
eb445b04
HSHR		 2118 {
2119 log_write(0, LOG_MAIN, "internal scanner error (ignored): %s", buf);
2120 break;
2121 }
2122
83d2a861 2123 /* here also for any unexpected response from the scanner */
eb445b04 2124 DEBUG(D_acl) debug_printf("avast response not handled: '%s'\n", buf);
91e974f5 2125
b6fbf22d 2126 goto endloop;
755762fd 2127
83d2a861 2128 default: log_write(0, LOG_PANIC, "%s:%d:%s: should not happen",
755762fd 2129 __FILE__, __LINE__, __FUNCTION__);
b6fbf22d 2130 }
0f0c8159 2131 }
b6fbf22d 2132 }
91e974f5 2133
b6fbf22d
JH		 2134 endloop:
2135
46682a67
JH		 2136 if (nread == -1) error_message = US"EOF from scanner";
2137 else if (nread < 0) error_message = US"timeout from scanner";
2138 else if (nread == 0) error_message = US"got nothing from scanner";
91e974f5 2139 else if (buf[0] != '2') error_message = buf;
ad93c40f 2140
91e974f5 2141 DEBUG(D_acl) debug_printf_indent("sent to avast QUIT\n");
74f1a423 2142 if (send(malware_daemon_ctx.sock, "QUIT\n", 5, 0) == -1)
91e974f5
HSHR		 2143 return m_panic_defer_3(scanent, CUS callout_address,
2144 string_sprintf("unable to send quit request to socket (%s): %s",
74f1a423 2145 scanner_options, strerror(errno)), malware_daemon_ctx.sock);
91e974f5
HSHR		 2146
2147 if (error_message)
74f1a423 2148 return m_panic_defer_3(scanent, CUS callout_address, error_message, malware_daemon_ctx.sock);
ad93c40f 2149
b6fbf22d 2150 }
c11d665d 2151#endif
0f0c8159 2152 } /* scanner type switch */
8523533c 2153
74f1a423
JH		 2154 if (malware_daemon_ctx.sock >= 0)
2155 (void) close (malware_daemon_ctx.sock);
0f0c8159 2156 malware_ok = TRUE; /* set "been here, done that" marker */
b1f8e4f8 2157 }
8523533c 2158
0f0c8159
JH		 2159/* match virus name against pattern (caseless ------->----------v) */
2160if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
2161 {
e1d04f48 2162 DEBUG(D_acl) debug_printf_indent(
0f0c8159
JH		 2163 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
2164 return OK;
2165 }
2166else
2167 return FAIL;
8523533c
TK		 2168}
2169
2170
0f0c8159
JH		 2171/*************************************************
2172* Scan an email for malware *
2173*************************************************/
8523533c 2174
0f0c8159
JH		 2175/* This is the normal interface for scanning an email, which doesn't need a
2176filename; it's a wrapper around the malware_file function.
8523533c 2177
0f0c8159
JH		 2178Arguments:
2179 malware_re match condition for "malware="
2180 timeout if nonzero, timeout in seconds
2181
2182Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2183 where true means malware was found (condition applies)
2184*/
2185int
2186malware(const uschar * malware_re, int timeout)
8523533c 2187{
040721f2 2188int ret = malware_internal(malware_re, NULL, timeout);
8e669ac1 2189
55240832 2190if (ret == DEFER) av_failed = TRUE;
55240832 2191return ret;
8523533c
TK		 2192}
2193
8e669ac1 2194
0f0c8159
JH		 2195/*************************************************
2196* Scan a file for malware *
2197*************************************************/
8e669ac1 2198
0f0c8159
JH		 2199/* This is a test wrapper for scanning an email, which is not used in
2200normal processing. Scan any file, using the Exim scanning interface.
2201This function tampers with various global variables so is unsafe to use
2202in any other context.
8e669ac1 2203
0f0c8159
JH		 2204Arguments:
2205 eml_filename a file holding the message to be scanned
8523533c 2206
0f0c8159
JH		 2207Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2208 where true means malware was found (condition applies)
2209*/
2210int
2211malware_in_file(uschar *eml_filename)
8523533c 2212{
55240832
JH		 2213uschar message_id_buf[64];
2214int ret;
2215
2216/* spool_mbox() assumes various parameters exist, when creating
2217the relevant directory and the email within */
2218
2219(void) string_format(message_id_buf, sizeof(message_id_buf),
2220 "dummy-%d", vaguely_random_number(INT_MAX));
2221message_id = message_id_buf;
2222sender_address = US"malware-sender@example.net";
2223return_path = US"";
2224recipients_list = NULL;
2225receive_add_recipient(US"malware-victim@example.net", -1);
8768d548 2226f.enable_dollar_recipients = TRUE;
55240832 2227
040721f2 2228ret = malware_internal(US"*", eml_filename, 0);
55240832
JH		 2229
2230Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
2231spool_mbox_ok = 1;
2232
2233/* don't set no_mbox_unspool; at present, there's no way for it to become
2234set, but if that changes, then it should apply to these tests too */
2235
2236unspool_mbox();
2237
2238/* silence static analysis tools */
2239message_id = NULL;
2240
2241return ret;
8523533c
TK		 2242}
2243
476be7e2
JH		 2244
2245void
2246malware_init(void)
2247{
2248if (!malware_default_re)
2249 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
c11d665d
JH		 2250
2251#ifndef DISABLE_MAL_DRWEB
476be7e2
JH		 2252if (!drweb_re)
2253 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
c11d665d
JH		 2254#endif
2255#ifndef DISABLE_MAL_FSECURE
476be7e2
JH		 2256if (!fsec_re)
2257 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
c11d665d
JH		 2258#endif
2259#ifndef DISABLE_MAL_KAV
476be7e2
JH		 2260if (!kav_re_sus)
2261 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2262if (!kav_re_inf)
2263 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
c11d665d 2264#endif
fd5a6ffb 2265#ifndef DISABLE_MAL_AVAST
476be7e2
JH		 2266if (!ava_re_clean)
2267 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2268if (!ava_re_virus)
2269 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
ad93c40f
HSHR		 2270if (!ava_re_error)
2271 ava_re_error = regex_must_compile(ava_re_error_str, FALSE, TRUE);
c11d665d 2272#endif
fd5a6ffb 2273#ifndef DISABLE_MAL_FFROT6D
71b32d41
ACK		 2274if (!fprot6d_re_error)
2275 fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
2276if (!fprot6d_re_virus)
2277 fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
c11d665d
JH		 2278#endif
2279}
2280
2281
2282void
2283malware_show_supported(FILE * f)
2284{
2285struct scan * sc;
2286fprintf(f, "Malware:");
059f2ace 2287for (sc = m_scans; sc->scancode != (scanner_t)-1; sc++) fprintf(f, " %s", sc->name);
c11d665d 2288fprintf(f, "\n");
476be7e2
JH		 2289}
2290
c11d665d
JH		 2291
2292# endif /*!MACRO_PREDEF*/
b1f8e4f8
JH		 2293#endif /*WITH_CONTENT_SCAN*/
2294/*
2295 * vi: aw ai sw=2
2296 */
Unnamed repository; edit this file 'description' to name the repository.