projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Testsuite: OpenSSL version variances
[exim.git] / src / src / malware.c
CommitLineData
8523533c
TK		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015 */
8523533c
TK		 6/* License: GPL */
7
8/* Code for calling virus (malware) scanners. Called from acl.c. */
9
10#include "exim.h"
11#ifdef WITH_CONTENT_SCAN
12
b1f8e4f8 13typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
b6fbf22d 14 M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST} scanner_t;
b1f8e4f8
JH		 15typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
16static struct scan
17{
18 scanner_t scancode;
19 const uschar * name;
20 const uschar * options_default;
21 contype_t conn;
22} m_scans[] =
23{
24 { M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
25 { M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
26 { M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
27 { M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
28 { M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
29 { M_CMDL, US"cmdline", NULL, MC_NONE },
30 { M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
31 { M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
32 { M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
33 { M_MKSD, US"mksd", NULL, MC_NONE },
b6fbf22d 34 { M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
b1f8e4f8
JH		 35 { -1, NULL, NULL, MC_NONE } /* end-marker */
36};
37
599dcb77
TL		 38/* The maximum number of clamd servers that are supported in the configuration */
39#define MAX_CLAMD_SERVERS 32
40#define MAX_CLAMD_SERVERS_S "32"
599dcb77 41
8a512ed5
JH		 42typedef struct clamd_address {
43 uschar * hostspec;
44 unsigned tcp_port;
45 unsigned retry;
46} clamd_address;
599dcb77 47
b1f8e4f8
JH		 48#ifndef nelements
49# define nelements(arr) (sizeof(arr) / sizeof(arr[0]))
8523533c
TK		 50#endif
51
a9ccd69a 52
0f0c8159 53#define MALWARE_TIMEOUT 120 /* default timeout, seconds */
a9ccd69a
PH		 54
55
8523533c
TK		 56#define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
57#define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
58#define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
59
2376f2f5
TK		 60#define DERR_READ_ERR (1<<0) /* read error */
61#define DERR_NOMEMORY (1<<2) /* no memory */
62#define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
63#define DERR_BAD_CALL (1<<15) /* wrong command */
64
476be7e2
JH		 65
66static const uschar * malware_regex_default = US ".+";
67static const pcre * malware_default_re = NULL;
68
69static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
70static const pcre * drweb_re = NULL;
71
72static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$";
73static const pcre * fsec_re = NULL;
74
75static const uschar * kav_re_sus_str = US "suspicion:\\s*(.+?)\\s*$";
76static const uschar * kav_re_inf_str = US "infected:\\s*(.+?)\\s*$";
77static const pcre * kav_re_sus = NULL;
78static const pcre * kav_re_inf = NULL;
79
80static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
81static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
82static const pcre * ava_re_clean = NULL;
83static const pcre * ava_re_virus = NULL;
84
85
86
87/******************************************************************************/
88
b1f8e4f8 89/* Routine to check whether a system is big- or little-endian.
8523533c
TK		 90 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
91 Needed for proper kavdaemon implementation. Sigh. */
92#define BIG_MY_ENDIAN 0
93#define LITTLE_MY_ENDIAN 1
b1f8e4f8
JH		 94static int test_byte_order(void);
95static inline int
96test_byte_order()
97{
98 short int word = 0x0001;
99 char *byte = (char *) &word;
100 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
8523533c
TK		 101}
102
b1f8e4f8 103BOOL malware_ok = FALSE;
8523533c 104
8544e77a
PP		 105/* Gross hacks for the -bmalware option; perhaps we should just create
106the scan directory normally for that case, but look into rigging up the
107needed header variables if not already set on the command-line? */
108extern int spool_mbox_ok;
109extern uschar spooled_message_id[17];
110
8544e77a
PP		 111
112
b1f8e4f8
JH		 113static inline int
114malware_errlog_defer(const uschar * str)
115{
8a512ed5
JH		 116log_write(0, LOG_MAIN|LOG_PANIC, "malware acl condition: %s", str);
117return DEFER;
b1f8e4f8
JH		 118}
119
120static int
0ea02355
JH		 121m_errlog_defer(struct scan * scanent, const uschar * hostport,
122 const uschar * str)
b1f8e4f8 123{
0ea02355
JH		 124return malware_errlog_defer(string_sprintf("%s %s : %s",
125 scanent->name, hostport ? hostport : CUS"", str));
b1f8e4f8
JH		 126}
127static int
0ea02355
JH		 128m_errlog_defer_3(struct scan * scanent, const uschar * hostport,
129 const uschar * str, int fd_to_close)
b1f8e4f8 130{
8a512ed5 131(void) close(fd_to_close);
0ea02355 132return m_errlog_defer(scanent, hostport, str);
b1f8e4f8
JH		 133}
134
135/*************************************************/
136
137/* Only used by the Clamav code, which is working from a list of servers and
138uses the returned in_addr to get a second connection to the same system.
139*/
140static inline int
141m_tcpsocket(const uschar * hostname, unsigned int port,
142 host_item * host, uschar ** errstr)
143{
8a512ed5 144return ip_connectedsocket(SOCK_STREAM, hostname, port, port, 5, host, errstr);
b1f8e4f8
JH		 145}
146
b1f8e4f8
JH		 147static int
148m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
149{
8a512ed5
JH		 150if (send(sock, buf, cnt, 0) < 0)
151 {
152 int err = errno;
153 (void)close(sock);
154 *errstr = string_sprintf("unable to send to socket (%s): %s",
155 buf, strerror(err));
156 return -1;
157 }
158return sock;
b1f8e4f8
JH		 159}
160
161static const pcre *
162m_pcre_compile(const uschar * re, uschar ** errstr)
163{
8a512ed5
JH		 164const uschar * rerror;
165int roffset;
166const pcre * cre;
167
168cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
169if (!cre)
170 *errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
171 re, rerror, roffset);
172return cre;
b1f8e4f8
JH		 173}
174
175uschar *
176m_pcre_exec(const pcre * cre, uschar * text)
177{
8a512ed5
JH		 178int ovector[10*3];
179int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), 0, 0,
180 ovector, nelements(ovector));
181uschar * substr = NULL;
182if (i >= 2) /* Got it */
183 pcre_get_substring(CS text, ovector, i, 1, (const char **) &substr);
184return substr;
b1f8e4f8
JH		 185}
186
187static const pcre *
55414b25
JH		 188m_pcre_nextinlist(const uschar ** list, int * sep,
189 char * listerr, uschar ** errstr)
b1f8e4f8 190{
8a512ed5
JH		 191const uschar * list_ele;
192const pcre * cre = NULL;
193
194if (!(list_ele = string_nextinlist(list, sep, NULL, 0)))
195 *errstr = US listerr;
196else
197 cre = m_pcre_compile(CUS list_ele, errstr);
198return cre;
b1f8e4f8
JH		 199}
200
4e71661f
JH		 201/*
202 Simple though inefficient wrapper for reading a line. Drop CRs and the
203 trailing newline. Can return early on buffer full. Null-terminate.
204 Apply initial timeout if no data ready.
205
0f0c8159
JH		 206 Return: number of chars - zero for an empty line
207 -1 on EOF
208 -2 on timeout or error
4e71661f
JH		 209*/
210static int
211recv_line(int fd, uschar * buffer, int bsize, int tmo)
212{
213uschar * p = buffer;
214ssize_t rcv;
0f0c8159 215BOOL ok = FALSE;
4e71661f
JH		 216
217if (!fd_ready(fd, tmo-time(NULL)))
0f0c8159 218 return -2;
4e71661f 219
0f0c8159 220/*XXX tmo handling assumes we always get a whole line */
4e71661f 221/* read until \n */
0f0c8159 222errno = 0;
4e71661f
JH		 223while ((rcv = read(fd, p, 1)) > 0)
224 {
0f0c8159 225 ok = TRUE;
4e71661f
JH		 226 if (p-buffer > bsize-2) break;
227 if (*p == '\n') break;
228 if (*p != '\r') p++;
229 }
0f0c8159
JH		 230if (!ok)
231 {
232 DEBUG(D_acl) debug_printf("Malware scan: read %s (%s)\n",
233 rcv==0 ? "EOF" : "error", strerror(errno));
234 return rcv==0 ? -1 : -2;
235 }
4e71661f
JH		 236*p = '\0';
237
238DEBUG(D_acl) debug_printf("Malware scan: read '%s'\n", buffer);
239return p - buffer;
240}
241
242/* return TRUE iff size as requested */
243static BOOL
244recv_len(int sock, void * buf, int size, int tmo)
245{
246return fd_ready(sock, tmo-time(NULL))
247 ? recv(sock, buf, size, 0) == size
248 : FALSE;
249}
250
251
0f0c8159
JH		 252
253/* ============= private routines for the "mksd" scanner type ============== */
254
255#include <sys/uio.h>
256
257static inline int
258mksd_writev (int sock, struct iovec * iov, int iovcnt)
259{
260int i;
261
262for (;;)
263 {
264 do
265 i = writev (sock, iov, iovcnt);
266 while (i < 0 && errno == EINTR);
267 if (i <= 0)
268 {
269 (void) malware_errlog_defer(
270 US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
271 return -1;
272 }
273 for (;;) /* check for short write */
274 if (i >= iov->iov_len)
275 {
276 if (--iovcnt == 0)
277 return 0;
278 i -= iov->iov_len;
279 iov++;
280 }
281 else
282 {
283 iov->iov_len -= i;
284 iov->iov_base = CS iov->iov_base + i;
285 break;
286 }
287 }
288}
289
290static inline int
291mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size, int tmo)
292{
293int offset = 0;
294int i;
295
296do
297 {
298 i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
299 if (i <= 0)
300 {
301 (void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
302 return -1;
303 }
304
305 offset += i;
306 /* offset == av_buffer_size -> buffer full */
307 if (offset == av_buffer_size)
308 {
309 (void) malware_errlog_defer(US"malformed reply received from mksd");
310 return -1;
311 }
312 } while (av_buffer[offset-1] != '\n');
313
314av_buffer[offset] = '\0';
315return offset;
316}
317
318static inline int
319mksd_parse_line(struct scan * scanent, char * line)
320{
321char *p;
322
323switch (*line)
324 {
325 case 'O': /* OK */
326 return OK;
327
328 case 'E':
329 case 'A': /* ERR */
330 if ((p = strchr (line, '\n')) != NULL)
331 *p = '\0';
0ea02355 332 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 333 string_sprintf("scanner failed: %s", line));
334
335 default: /* VIR */
336 if ((p = strchr (line, '\n')) != NULL)
337 {
338 *p = '\0';
339 if ( p-line > 5
340 && line[3] == ' '
341 && (p = strchr(line+4, ' ')) != NULL
342 && p-line > 4
343 )
344 {
345 *p = '\0';
346 malware_name = string_copy(US line+4);
347 return OK;
348 }
349 }
0ea02355 350 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 351 string_sprintf("malformed reply received: %s", line));
352 }
353}
354
355static int
356mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
357 int tmo)
358{
359struct iovec iov[3];
360const char *cmd = "MSQ\n";
361uschar av_buffer[1024];
362
363iov[0].iov_base = (void *) cmd;
364iov[0].iov_len = 3;
365iov[1].iov_base = (void *) scan_filename;
366iov[1].iov_len = Ustrlen(scan_filename);
367iov[2].iov_base = (void *) (cmd + 3);
368iov[2].iov_len = 1;
369
370if (mksd_writev (sock, iov, 3) < 0)
371 return DEFER;
372
373if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < 0)
374 return DEFER;
375
376return mksd_parse_line (scanent, CS av_buffer);
377}
378
8a512ed5
JH		 379
380static int
381clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
382{
383uschar * s;
384
385cd->retry = 0;
386while ((s = string_nextinlist(&optstr, subsep, NULL, 0)))
8a512ed5
JH		 387 if (Ustrncmp(s, "retry=", 6) == 0)
388 {
389 int sec = readconf_readtime((s += 6), '\0', FALSE);
390 if (sec < 0)
391 return FAIL;
392 cd->retry = sec;
393 }
394 else
395 return FAIL;
93a6fce2 396return OK;
8a512ed5
JH		 397}
398
8544e77a
PP		 399/*************************************************
400* Scan content for malware *
401*************************************************/
402
403/* This is an internal interface for scanning an email; the normal interface
404is via malware(), or there's malware_in_file() used for testing/debugging.
405
406Arguments:
0f0c8159 407 malware_re match condition for "malware="
8544e77a 408 eml_filename the file holding the email to be scanned
0f0c8159 409 timeout if nonzero, non-default timeoutl
8544e77a
PP		 410 faking whether or not we're faking this up for the -bmalware test
411
412Returns: Exim message processing code (OK, FAIL, DEFER, ...)
413 where true means malware was found (condition applies)
414*/
b1f8e4f8 415static int
0f0c8159
JH		 416malware_internal(const uschar * malware_re, const uschar * eml_filename,
417 int timeout, BOOL faking)
b1f8e4f8 418{
0f0c8159 419int sep = 0;
55414b25 420const uschar *av_scanner_work = av_scanner;
0f0c8159 421uschar *scanner_name;
0f0c8159
JH		 422unsigned long mbox_size;
423FILE *mbox_file;
424const pcre *re;
425uschar * errstr;
426struct scan * scanent;
427const uschar * scanner_options;
428int sock = -1;
429time_t tmo;
430
431/* make sure the eml mbox file is spooled up */
432if (!(mbox_file = spool_mbox(&mbox_size, faking ? eml_filename : NULL)))
433 return malware_errlog_defer(US"error while creating mbox spool file");
434
435/* none of our current scanners need the mbox
436 file as a stream, so we can close it right away */
437(void)fclose(mbox_file);
438
439if (!malware_re)
440 return FAIL; /* empty means "don't match anything" */
441
442/* parse 1st option */
443 if ( (strcmpic(malware_re, US"false") == 0) ||
444 (Ustrcmp(malware_re,"0") == 0) )
445 return FAIL; /* explicitly no matching */
446
447/* special cases (match anything except empty) */
476be7e2
JH		 448if ( strcmpic(malware_re,US"true") == 0
449 || Ustrcmp(malware_re,"*") == 0
450 || Ustrcmp(malware_re,"1") == 0
451 )
452 {
453 if ( !malware_default_re
454 && !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
455 return malware_errlog_defer(errstr);
0f0c8159 456 malware_re = malware_regex_default;
476be7e2
JH		 457 re = malware_default_re;
458 }
0f0c8159
JH		 459
460/* compile the regex, see if it works */
476be7e2 461else if (!(re = m_pcre_compile(malware_re, &errstr)))
0f0c8159
JH		 462 return malware_errlog_defer(errstr);
463
476be7e2
JH		 464/* Reset sep that is set by previous string_nextinlist() call */
465sep = 0;
466
0f0c8159
JH		 467/* if av_scanner starts with a dollar, expand it first */
468if (*av_scanner == '$')
469 {
470 if (!(av_scanner_work = expand_string(av_scanner)))
471 return malware_errlog_defer(
472 string_sprintf("av_scanner starts with $, but expansion failed: %s",
473 expand_string_message));
b1f8e4f8 474
0f0c8159 475 DEBUG(D_acl)
b1f8e4f8 476 debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
0f0c8159
JH		 477 /* disable result caching in this case */
478 malware_name = NULL;
479 malware_ok = FALSE;
8523533c
TK		 480 }
481
0f0c8159
JH		 482/* Do not scan twice (unless av_scanner is dynamic). */
483if (!malware_ok)
484 {
485 /* find the scanner type from the av_scanner option */
486 if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
487 return malware_errlog_defer(US"av_scanner configuration variable is empty");
488 if (!timeout) timeout = MALWARE_TIMEOUT;
489 tmo = time(NULL) + timeout;
490
3e60dd41
JH		 491 for (scanent = m_scans; ; scanent++)
492 {
0f0c8159
JH		 493 if (!scanent->name)
494 return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
495 scanner_name));
496 if (strcmpic(scanner_name, US scanent->name) != 0)
497 continue;
498 if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, 0)))
499 scanner_options = scanent->options_default;
500 if (scanent->conn == MC_NONE)
b1f8e4f8 501 break;
0f0c8159
JH		 502 switch(scanent->conn)
503 {
3e60dd41
JH		 504 case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, 5); break;
505 case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
506 case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, 5); break;
0f0c8159 507 default: /* compiler quietening */ break;
384152a6 508 }
0f0c8159 509 if (sock < 0)
0ea02355 510 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 511 break;
512 }
513 DEBUG(D_acl) debug_printf("Malware scan: %s tmo %s\n", scanner_name, readconf_printtime(timeout));
8e669ac1 514
0f0c8159
JH		 515 switch (scanent->scancode)
516 {
517 case M_FPROTD: /* "f-protd" scanner type -------------------------------- */
b1f8e4f8 518 {
0f0c8159
JH		 519 uschar *fp_scan_option;
520 unsigned int detected=0, par_count=0;
521 uschar * scanrequest;
522 uschar buf[32768], *strhelper, *strhelper2;
523 uschar * malware_name_internal = NULL;
524 int len;
b1f8e4f8 525
0f0c8159 526 scanrequest = string_sprintf("GET %s", eml_filename);
b1f8e4f8 527
0f0c8159
JH		 528 while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
529 NULL, 0)))
530 {
531 scanrequest = string_sprintf("%s%s%s", scanrequest,
532 par_count ? "%20" : "?", fp_scan_option);
533 par_count++;
534 }
535 scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
536 DEBUG(D_acl) debug_printf("Malware scan: issuing %s: %s\n",
537 scanner_name, scanrequest);
b1f8e4f8 538
0f0c8159
JH		 539 /* send scan request */
540 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
0ea02355 541 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 542
0f0c8159
JH		 543 while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= 0)
544 if (len > 0)
545 {
546 if (Ustrstr(buf, US"<detected type=\"") != NULL)
547 detected = 1;
548 else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
4e71661f 549 {
0f0c8159 550 if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
4e71661f 551 {
0f0c8159
JH		 552 *strhelper2 = '\0';
553 malware_name_internal = string_copy(strhelper+6);
4e71661f
JH		 554 }
555 }
0f0c8159 556 else if (Ustrstr(buf, US"<summary code=\""))
4e71661f 557 {
0f0c8159
JH		 558 malware_name = Ustrstr(buf, US"<summary code=\"11\">")
559 ? malware_name_internal : NULL;
560 break;
4e71661f 561 }
0f0c8159
JH		 562 }
563 if (len < -1)
564 {
565 (void)close(sock);
566 return DEFER;
567 }
568 break;
569 } /* f-protd */
b1f8e4f8 570
0f0c8159
JH		 571 case M_DRWEB: /* "drweb" scanner type ----------------------------------- */
572 /* v0.1 - added support for tcp sockets */
573 /* v0.0 - initial release -- support for unix sockets */
574 {
575 int result;
576 off_t fsize;
577 unsigned int fsize_uint;
578 uschar * tmpbuf, *drweb_fbuf;
579 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
580 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
0f0c8159
JH		 581
582 /* prepare variables */
583 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
584 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
585
586 if (*scanner_options != '/')
587 {
588 /* calc file size */
589 if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -1)
0ea02355 590 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 591 string_sprintf("can't open spool file %s: %s",
592 eml_filename, strerror(errno)),
593 sock);
b1f8e4f8 594
0f0c8159
JH		 595 if ((fsize = lseek(drweb_fd, 0, SEEK_END)) == -1)
596 {
597 int err = errno;
b1f8e4f8 598 (void)close(drweb_fd);
0ea02355 599 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 600 string_sprintf("can't seek spool file %s: %s",
601 eml_filename, strerror(err)),
602 sock);
603 }
604 fsize_uint = (unsigned int) fsize;
605 if ((off_t)fsize_uint != fsize)
606 {
b1f8e4f8 607 (void)close(drweb_fd);
0ea02355 608 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 609 string_sprintf("seeking spool file %s, size overflow",
610 eml_filename),
611 sock);
4e71661f 612 }
0f0c8159
JH		 613 drweb_slen = htonl(fsize);
614 lseek(drweb_fd, 0, SEEK_SET);
615
616 DEBUG(D_acl) debug_printf("Malware scan: issuing %s remote scan [%s]\n",
617 scanner_name, scanner_options);
618
619 /* send scan request */
620 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
621 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
622 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
623 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0))
4e71661f 624 {
0f0c8159 625 (void)close(drweb_fd);
0ea02355 626 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 627 "unable to send commands to socket (%s)", scanner_options),
628 sock);
4e71661f 629 }
8e669ac1 630
0f0c8159
JH		 631 if (!(drweb_fbuf = (uschar *) malloc (fsize_uint)))
632 {
633 (void)close(drweb_fd);
0ea02355 634 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 635 string_sprintf("unable to allocate memory %u for file (%s)",
636 fsize_uint, eml_filename),
637 sock);
638 }
b1f8e4f8 639
0f0c8159
JH		 640 if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -1)
641 {
642 int err = errno;
643 (void)close(drweb_fd);
644 free(drweb_fbuf);
0ea02355 645 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 646 string_sprintf("can't read spool file %s: %s",
647 eml_filename, strerror(err)),
648 sock);
649 }
650 (void)close(drweb_fd);
b1f8e4f8 651
0f0c8159
JH		 652 /* send file body to socket */
653 if (send(sock, drweb_fbuf, fsize, 0) < 0)
4e71661f 654 {
0f0c8159 655 free(drweb_fbuf);
0ea02355 656 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 657 "unable to send file body to socket (%s)", scanner_options),
658 sock);
659 }
660 (void)close(drweb_fd);
661 }
662 else
663 {
664 drweb_slen = htonl(Ustrlen(eml_filename));
b1f8e4f8 665
0f0c8159
JH		 666 DEBUG(D_acl) debug_printf("Malware scan: issuing %s local scan [%s]\n",
667 scanner_name, scanner_options);
b1f8e4f8 668
0f0c8159
JH		 669 /* send scan request */
670 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
671 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
672 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
673 (send(sock, eml_filename, Ustrlen(eml_filename), 0) < 0) ||
674 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0))
0ea02355 675 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 676 "unable to send commands to socket (%s)", scanner_options),
677 sock);
678 }
b1f8e4f8 679
0f0c8159
JH		 680 /* wait for result */
681 if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
0ea02355 682 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 683 US"unable to read return code", sock);
684 drweb_rc = ntohl(drweb_rc);
685
686 if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
0ea02355 687 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 688 US"unable to read the number of viruses", sock);
689 drweb_vnum = ntohl(drweb_vnum);
690
691 /* "virus(es) found" if virus number is > 0 */
692 if (drweb_vnum)
693 {
694 int i;
b1f8e4f8 695
0f0c8159
JH		 696 /* setup default virus name */
697 malware_name = US"unknown";
b1f8e4f8 698
0f0c8159 699 /* set up match regex */
476be7e2
JH		 700 if (!drweb_re)
701 drweb_re = m_pcre_compile(drweb_re_str, &errstr);
b1f8e4f8 702
0f0c8159
JH		 703 /* read and concatenate virus names into one string */
704 for (i = 0; i < drweb_vnum; i++)
4e71661f 705 {
0f0c8159
JH		 706 int size = 0, off = 0, ovector[10*3];
707 /* read the size of report */
708 if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
0ea02355 709 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 710 US"cannot read report size", sock);
711 drweb_slen = ntohl(drweb_slen);
712 tmpbuf = store_get(drweb_slen);
b1f8e4f8 713
0f0c8159
JH		 714 /* read report body */
715 if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
0ea02355 716 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 717 US"cannot read report string", sock);
718 tmpbuf[drweb_slen] = '\0';
8544e77a 719
0f0c8159
JH		 720 /* try matcher on the line, grab substring */
721 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0,
722 ovector, nelements(ovector));
723 if (result >= 2)
724 {
725 const char * pre_malware_nb;
8e669ac1 726
0f0c8159 727 pcre_get_substring(CS tmpbuf, ovector, result, 1, &pre_malware_nb);
8e669ac1 728
0f0c8159
JH		 729 if (i==0) /* the first name we just copy to malware_name */
730 malware_name = string_append(NULL, &size, &off,
731 1, pre_malware_nb);
8e669ac1 732
0f0c8159
JH		 733 else /* concatenate each new virus name to previous */
734 malware_name = string_append(malware_name, &size, &off,
735 2, "/", pre_malware_nb);
8e669ac1 736
0f0c8159
JH		 737 pcre_free_substring(pre_malware_nb);
738 }
739 }
740 }
741 else
742 {
743 const char *drweb_s = NULL;
744
745 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
746 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
747 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
748 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
749 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
750 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
751 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
752 * and others are ignored */
753 if (drweb_s)
0ea02355 754 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 755 string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
756 sock);
8e669ac1 757
0f0c8159 758 /* no virus found */
b1f8e4f8 759 malware_name = NULL;
0f0c8159
JH		 760 }
761 break;
762 } /* drweb */
8e669ac1 763
0f0c8159
JH		 764 case M_AVES: /* "aveserver" scanner type -------------------------------- */
765 {
766 uschar buf[32768];
767 int result;
8544e77a 768
0f0c8159
JH		 769 /* read aveserver's greeting and see if it is ready (2xx greeting) */
770 buf[0] = 0;
771 recv_line(sock, buf, sizeof(buf), tmo);
8544e77a 772
0f0c8159 773 if (buf[0] != '2') /* aveserver is having problems */
0ea02355 774 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 775 string_sprintf("unavailable (Responded: %s).",
b1f8e4f8 776 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
0f0c8159 777 sock);
8e669ac1 778
0f0c8159
JH		 779 /* prepare our command */
780 (void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
781 eml_filename);
782
783 /* and send it */
784 DEBUG(D_acl) debug_printf("Malware scan: issuing %s %s\n",
785 scanner_name, buf);
786 if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < 0)
0ea02355 787 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 788
789 malware_name = NULL;
790 result = 0;
791 /* read response lines, find malware name and final response */
792 while (recv_line(sock, buf, sizeof(buf), tmo) > 0)
793 {
794 if (buf[0] == '2')
795 break;
796 if (buf[0] == '5') /* aveserver is having problems */
4e71661f 797 {
0ea02355 798 result = m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 799 string_sprintf("unable to scan file %s (Responded: %s).",
800 eml_filename, buf));
801 break;
4e71661f 802 }
0f0c8159
JH		 803 if (Ustrncmp(buf,"322",3) == 0)
804 {
805 uschar *p = Ustrchr(&buf[4], ' ');
806 *p = '\0';
807 malware_name = string_copy(&buf[4]);
808 }
809 }
810
811 if (m_sock_send(sock, US"quit\r\n", 6, &errstr) < 0)
0ea02355 812 return m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 813
814 /* read aveserver's greeting and see if it is ready (2xx greeting) */
815 buf[0] = 0;
816 recv_line(sock, buf, sizeof(buf), tmo);
817
818 if (buf[0] != '2') /* aveserver is having problems */
0ea02355 819 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 820 string_sprintf("unable to quit dialogue (Responded: %s).",
821 ((buf[0] != 0) ? buf : (uschar *)"nothing") ),
822 sock);
823
824 if (result == DEFER)
825 {
826 (void)close(sock);
827 return DEFER;
828 }
829 break;
b1f8e4f8 830 } /* aveserver */
8e669ac1 831
b1f8e4f8
JH		 832 case M_FSEC: /* "fsecure" scanner type ---------------------------------- */
833 {
0f0c8159
JH		 834 int i, j, bread = 0;
835 uschar * file_name;
836 uschar av_buffer[1024];
0f0c8159
JH		 837 static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
838 US"CONFIGURE\tTIMEOUT\t0\n",
839 US"CONFIGURE\tMAXARCH\t5\n",
840 US"CONFIGURE\tMIME\t1\n" };
841
842 malware_name = NULL;
843
844 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
845 scanner_name, scanner_options);
846 /* pass options */
847 memset(av_buffer, 0, sizeof(av_buffer));
848 for (i = 0; i != nelements(cmdopt); i++)
849 {
b1f8e4f8 850
0f0c8159 851 if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < 0)
0ea02355 852 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 853
0f0c8159
JH		 854 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
855 if (bread > 0) av_buffer[bread]='\0';
856 if (bread < 0)
0ea02355 857 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 858 string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
859 sock);
860 for (j = 0; j < bread; j++)
861 if (av_buffer[j] == '\r' || av_buffer[j] == '\n')
862 av_buffer[j] ='@';
863 }
8e669ac1 864
0f0c8159
JH		 865 /* pass the mailfile to fsecure */
866 file_name = string_sprintf("SCAN\t%s\n", eml_filename);
b1f8e4f8 867
0f0c8159 868 if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < 0)
0ea02355 869 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 870
0f0c8159
JH		 871 /* set up match */
872 /* todo also SUSPICION\t */
476be7e2
JH		 873 if (!fsec_re)
874 fsec_re = m_pcre_compile(fsec_re_str, &errstr);
b1f8e4f8 875
0f0c8159
JH		 876 /* read report, linewise. Apply a timeout as the Fsecure daemon
877 sometimes wants an answer to "PING" but they won't tell us what */
fd02dc0e 878 {
0f0c8159
JH		 879 uschar * p = av_buffer;
880 uschar * q;
fd02dc0e 881
0f0c8159
JH		 882 for (;;)
883 {
80591636 884 errno = ETIMEDOUT;
0f0c8159
JH		 885 i = av_buffer+sizeof(av_buffer)-p;
886 if ((bread= ip_recv(sock, p, i-1, tmo-time(NULL))) < 0)
0ea02355 887 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 888 string_sprintf("unable to read result (%s)", strerror(errno)),
889 sock);
b1f8e4f8 890
755762fd 891 for (p[bread] = '\0'; (q = Ustrchr(p, '\n')); p = q+1)
0f0c8159
JH		 892 {
893 *q = '\0';
fd02dc0e 894
0f0c8159
JH		 895 /* Really search for virus again? */
896 if (!malware_name)
897 /* try matcher on the line, grab substring */
476be7e2 898 malware_name = m_pcre_exec(fsec_re, p);
fd02dc0e 899
0f0c8159
JH		 900 if (Ustrstr(p, "OK\tScan ok."))
901 goto fsec_found;
902 }
fd02dc0e 903
0f0c8159
JH		 904 /* copy down the trailing partial line then read another chunk */
905 i = av_buffer+sizeof(av_buffer)-p;
906 memmove(av_buffer, p, i);
907 p = av_buffer+i;
fd02dc0e 908 }
b1f8e4f8 909 }
fd02dc0e
JH		 910
911 fsec_found:
b1f8e4f8
JH		 912 break;
913 } /* fsecure */
599dcb77 914
b1f8e4f8
JH		 915 case M_KAVD: /* "kavdaemon" scanner type -------------------------------- */
916 {
0f0c8159
JH		 917 time_t t;
918 uschar tmpbuf[1024];
919 uschar * scanrequest;
920 int kav_rc;
921 unsigned long kav_reportlen, bread;
922 const pcre *kav_re;
923 uschar *p;
924
925 /* get current date and time, build scan request */
926 time(&t);
927 /* pdp note: before the eml_filename parameter, this scanned the
928 directory; not finding documentation, so we'll strip off the directory.
929 The side-effect is that the test framework scanning may end up in
930 scanning more than was requested, but for the normal interface, this is
931 fine. */
932
933 strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
934 scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
935 p = Ustrrchr(scanrequest, '/');
936 if (p)
937 *p = '\0';
938
939 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
940 scanner_name, scanner_options);
941
942 /* send scan request */
943 if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+1, &errstr) < 0)
0ea02355 944 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 945
0f0c8159
JH		 946 /* wait for result */
947 if (!recv_len(sock, tmpbuf, 2, tmo))
0ea02355 948 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 949 US"unable to read 2 bytes from socket.", sock);
b1f8e4f8 950
0f0c8159
JH		 951 /* get errorcode from one nibble */
952 kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? 0 : 1 ] & 0x0F;
953 switch(kav_rc)
954 {
955 case 5: case 6: /* improper kavdaemon configuration */
0ea02355 956 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 957 US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
958 sock);
959 case 1:
0ea02355 960 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 961 US"reported 'scanning not completed' (code 1).", sock);
962 case 7:
0ea02355 963 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 964 US"reported 'kavdaemon damaged' (code 7).", sock);
965 }
b1f8e4f8 966
0f0c8159
JH		 967 /* code 8 is not handled, since it is ambigous. It appears mostly on
968 bounces where part of a file has been cut off */
b1f8e4f8 969
0f0c8159
JH		 970 /* "virus found" return codes (2-4) */
971 if (kav_rc > 1 && kav_rc < 5)
b1f8e4f8 972 {
0f0c8159 973 int report_flag = 0;
599dcb77 974
0f0c8159
JH		 975 /* setup default virus name */
976 malware_name = US"unknown";
b1f8e4f8 977
0f0c8159 978 report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? 1 : 0 ];
b1f8e4f8 979
0f0c8159
JH		 980 /* read the report, if available */
981 if (report_flag == 1)
982 {
983 /* read report size */
984 if (!recv_len(sock, &kav_reportlen, 4, tmo))
0ea02355 985 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159 986 US"cannot read report size", sock);
b1f8e4f8 987
0f0c8159
JH		 988 /* it's possible that avp returns av_buffer[1] == 1 but the
989 reportsize is 0 (!?) */
990 if (kav_reportlen > 0)
4e71661f 991 {
0f0c8159 992 /* set up match regex, depends on retcode */
476be7e2
JH		 993 if (kav_rc == 3)
994 {
995 if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
996 kav_re = kav_re_sus;
997 }
998 else
999 {
1000 if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1001 kav_re = kav_re_inf;
1002 }
0f0c8159
JH		 1003
1004 /* read report, linewise */
1005 while (kav_reportlen > 0)
4e71661f 1006 {
0f0c8159
JH		 1007 if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < 0)
1008 break;
1009 kav_reportlen -= bread+1;
1010
1011 /* try matcher on the line, grab substring */
1012 if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1013 break;
b1f8e4f8
JH		 1014 }
1015 }
1016 }
0f0c8159
JH		 1017 }
1018 else /* no virus found */
1019 malware_name = NULL;
599dcb77 1020
0f0c8159 1021 break;
599dcb77 1022 }
8544e77a 1023
b1f8e4f8
JH		 1024 case M_CMDL: /* "cmdline" scanner type ---------------------------------- */
1025 {
0f0c8159
JH		 1026 const uschar *cmdline_scanner = scanner_options;
1027 const pcre *cmdline_trigger_re;
1028 const pcre *cmdline_regex_re;
1029 uschar * file_name;
1030 uschar * commandline;
1031 void (*eximsigchld)(int);
1032 void (*eximsigpipe)(int);
1033 FILE *scanner_out = NULL;
1034 int scanner_fd;
1035 FILE *scanner_record = NULL;
1036 uschar linebuffer[32767];
1037 int rcnt;
1038 int trigger = 0;
1039 uschar *p;
1040
1041 if (!cmdline_scanner)
0ea02355 1042 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1043
0f0c8159
JH		 1044 /* find scanner output trigger */
1045 cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1046 "missing trigger specification", &errstr);
1047 if (!cmdline_trigger_re)
0ea02355 1048 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1049
0f0c8159
JH		 1050 /* find scanner name regex */
1051 cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1052 "missing virus name regex specification", &errstr);
1053 if (!cmdline_regex_re)
0ea02355 1054 return m_errlog_defer(scanent, NULL, errstr);
b1f8e4f8 1055
0f0c8159
JH		 1056 /* prepare scanner call; despite the naming, file_name holds a directory
1057 name which is documented as the value given to %s. */
b1f8e4f8 1058
0f0c8159
JH		 1059 file_name = string_copy(eml_filename);
1060 p = Ustrrchr(file_name, '/');
1061 if (p)
1062 *p = '\0';
1063 commandline = string_sprintf(CS cmdline_scanner, file_name);
b1f8e4f8 1064
0f0c8159
JH		 1065 /* redirect STDERR too */
1066 commandline = string_sprintf("%s 2>&1", commandline);
b1f8e4f8 1067
0f0c8159
JH		 1068 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1069 scanner_name, commandline);
b1f8e4f8 1070
0f0c8159
JH		 1071 /* store exims signal handlers */
1072 eximsigchld = signal(SIGCHLD,SIG_DFL);
1073 eximsigpipe = signal(SIGPIPE,SIG_DFL);
b1f8e4f8 1074
0f0c8159
JH		 1075 if (!(scanner_out = popen(CS commandline,"r")))
1076 {
1077 int err = errno;
1078 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1079 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1080 string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1081 }
1082 scanner_fd = fileno(scanner_out);
94a18f28 1083
0f0c8159
JH		 1084 file_name = string_sprintf("%s/scan/%s/%s_scanner_output",
1085 spool_directory, message_id, message_id);
b1f8e4f8 1086
0f0c8159
JH		 1087 if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1088 {
1089 int err = errno;
1090 (void) pclose(scanner_out);
1091 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1092 return m_errlog_defer(scanent, NULL, string_sprintf(
0f0c8159
JH		 1093 "opening scanner output file (%s) failed: %s.",
1094 file_name, strerror(err)));
1095 }
8e669ac1 1096
0f0c8159
JH		 1097 /* look for trigger while recording output */
1098 while ((rcnt = recv_line(scanner_fd, linebuffer,
1099 sizeof(linebuffer), tmo)))
1100 {
1101 if (rcnt < 0)
93a6fce2
JH		 1102 {
1103 int err = errno;
0f0c8159
JH		 1104 if (rcnt == -1)
1105 break;
93a6fce2
JH		 1106 (void) pclose(scanner_out);
1107 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1108 return m_errlog_defer(scanent, NULL, string_sprintf(
93a6fce2
JH		 1109 "unable to read from scanner (%s): %s",
1110 commandline, strerror(err)));
1111 }
4e71661f 1112
0f0c8159
JH		 1113 if (Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record))
1114 {
1115 /* short write */
1116 (void) pclose(scanner_out);
1117 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
0ea02355 1118 return m_errlog_defer(scanent, NULL, string_sprintf(
0f0c8159 1119 "short write on scanner output file (%s).", file_name));
4e71661f 1120 }
0f0c8159
JH		 1121 putc('\n', scanner_record);
1122 /* try trigger match */
1123 if ( !trigger
1124 && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1)
1125 )
1126 trigger = 1;
1127 }
8e669ac1 1128
0f0c8159
JH		 1129 (void)fclose(scanner_record);
1130 sep = pclose(scanner_out);
1131 signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1132 if (sep != 0)
0ea02355 1133 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1134 sep == -1
1135 ? string_sprintf("running scanner failed: %s", strerror(sep))
1136 : string_sprintf("scanner returned error code: %d", sep));
b1f8e4f8 1137
0f0c8159
JH		 1138 if (trigger)
1139 {
1140 uschar * s;
1141 /* setup default virus name */
1142 malware_name = US"unknown";
b1f8e4f8 1143
0f0c8159
JH		 1144 /* re-open the scanner output file, look for name match */
1145 scanner_record = fopen(CS file_name, "rb");
1146 while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1147 {
1148 /* try match */
1149 if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1150 malware_name = s;
4e71661f 1151 }
0f0c8159
JH		 1152 (void)fclose(scanner_record);
1153 }
1154 else /* no virus found */
1155 malware_name = NULL;
1156 break;
b1f8e4f8 1157 } /* cmdline */
599dcb77 1158
b1f8e4f8
JH		 1159 case M_SOPHIE: /* "sophie" scanner type --------------------------------- */
1160 {
0f0c8159
JH		 1161 int bread = 0;
1162 uschar *p;
1163 uschar * file_name;
1164 uschar av_buffer[1024];
b1f8e4f8 1165
0f0c8159
JH		 1166 /* pass the scan directory to sophie */
1167 file_name = string_copy(eml_filename);
1168 if ((p = Ustrrchr(file_name, '/')))
1169 *p = '\0';
b1f8e4f8 1170
0f0c8159
JH		 1171 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan [%s]\n",
1172 scanner_name, scanner_options);
b1f8e4f8 1173
0f0c8159
JH		 1174 if ( write(sock, file_name, Ustrlen(file_name)) < 0
1175 || write(sock, "\n", 1) != 1
1176 )
0ea02355 1177 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1178 string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1179 sock);
b1f8e4f8 1180
0f0c8159
JH		 1181 /* wait for result */
1182 memset(av_buffer, 0, sizeof(av_buffer));
1183 if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= 0)
0ea02355 1184 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1185 string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1186 sock);
1187
1188 /* infected ? */
1189 if (av_buffer[0] == '1') {
1190 uschar * s = Ustrchr(av_buffer, '\n');
1191 if (s)
1192 *s = '\0';
1193 malware_name = string_copy(&av_buffer[2]);
1194 }
1195 else if (!strncmp(CS av_buffer, "-1", 2))
0ea02355
JH		 1196 return m_errlog_defer_3(scanent, CUS callout_address,
1197 US"scanner reported error", sock);
0f0c8159
JH		 1198 else /* all ok, no virus */
1199 malware_name = NULL;
599dcb77 1200
0f0c8159 1201 break;
8544e77a 1202 }
8e669ac1 1203
b1f8e4f8
JH		 1204 case M_CLAMD: /* "clamd" scanner type ----------------------------------- */
1205 {
0f0c8159
JH		 1206/* This code was originally contributed by David Saez */
1207/* There are three scanning methods available to us:
1208* (1) Use the SCAN command, pointing to a file in the filesystem
1209* (2) Use the STREAM command, send the data on a separate port
1210* (3) Use the zINSTREAM command, send the data inline
1211* The zINSTREAM command was introduced with ClamAV 0.95, which marked
1212* STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1213* In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1214* the TCP-connected daemon is actually local; otherwise we use zINSTREAM unless
1215* WITH_OLD_CLAMAV_STREAM is defined.
1216* See Exim bug 926 for details. */
1217
80591636 1218 uschar *p, *vname, *result_tag;
0f0c8159
JH		 1219 int bread=0;
1220 uschar * file_name;
1221 uschar av_buffer[1024];
1222 uschar *hostname = US"";
1223 host_item connhost;
1224 uschar *clamav_fbuf;
1225 int clam_fd, result;
1226 off_t fsize;
1227 unsigned int fsize_uint;
1228 BOOL use_scan_command = FALSE;
8a512ed5 1229 clamd_address * cv[MAX_CLAMD_SERVERS];
0f0c8159
JH		 1230 int num_servers = 0;
1231#ifdef WITH_OLD_CLAMAV_STREAM
1232 unsigned int port;
1233 uschar av_buffer2[1024];
1234 int sockData;
1235#else
1236 uint32_t send_size, send_final_zeroblock;
1237#endif
1238
8a512ed5
JH		 1239 /*XXX if unixdomain socket, only one server supported. Needs fixing;
1240 there's no reason we should not mix local and remote servers */
1241
0f0c8159 1242 if (*scanner_options == '/')
8a512ed5
JH		 1243 {
1244 clamd_address * cd;
1245 const uschar * sublist;
1246 int subsep = ' ';
1247
0f0c8159
JH		 1248 /* Local file; so we def want to use_scan_command and don't want to try
1249 * passing IP/port combinations */
1250 use_scan_command = TRUE;
8a512ed5
JH		 1251 cd = (clamd_address *) store_get(sizeof(clamd_address));
1252
1253 /* extract socket-path part */
1254 sublist = scanner_options;
1255 cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0);
1256
1257 /* parse options */
1258 if (clamd_option(cd, sublist, &subsep) != OK)
0ea02355 1259 return m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1260 string_sprintf("bad option '%s'", scanner_options));
1261 cv[0] = cd;
1262 }
0f0c8159
JH		 1263 else
1264 {
0f0c8159
JH		 1265 /* Go through the rest of the list of host/port and construct an array
1266 * of servers to try. The first one is the bit we just passed from
1267 * scanner_options so process that first and then scan the remainder of
1268 * the address buffer */
1269 do
4e71661f 1270 {
8a512ed5
JH		 1271 clamd_address * cd;
1272 const uschar * sublist;
1273 int subsep = ' ';
1274 uschar * s;
b1f8e4f8 1275
0f0c8159
JH		 1276 /* The 'local' option means use the SCAN command over the network
1277 * socket (ie common file storage in use) */
8a512ed5
JH		 1278 /*XXX we could accept this also as a local option? */
1279 if (strcmpic(scanner_options, US"local") == 0)
0f0c8159
JH		 1280 {
1281 use_scan_command = TRUE;
1282 continue;
1283 }
b1f8e4f8 1284
8a512ed5 1285 cd = (clamd_address *) store_get(sizeof(clamd_address));
b1f8e4f8 1286
0f0c8159 1287 /* extract host and port part */
8a512ed5
JH		 1288 sublist = scanner_options;
1289 if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, 0)))
1290 {
0ea02355 1291 (void) m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1292 string_sprintf("missing address: '%s'", scanner_options));
1293 continue;
1294 }
1295 if (!(s = string_nextinlist(&sublist, &subsep, NULL, 0)))
0f0c8159 1296 {
0ea02355 1297 (void) m_errlog_defer(scanent, NULL,
8a512ed5
JH		 1298 string_sprintf("missing port: '%s'", scanner_options));
1299 continue;
1300 }
93a6fce2 1301 cd->tcp_port = atoi(CS s);
8a512ed5
JH		 1302
1303 /* parse options */
1304 /*XXX should these options be common over scanner types? */
1305 if (clamd_option(cd, sublist, &subsep) != OK)
1306 {
0ea02355 1307 return m_errlog_defer(scanent, NULL,
8a512ed5 1308 string_sprintf("bad option '%s'", scanner_options));
0f0c8159
JH		 1309 continue;
1310 }
b1f8e4f8 1311
8a512ed5 1312 cv[num_servers++] = cd;
0f0c8159
JH		 1313 if (num_servers >= MAX_CLAMD_SERVERS)
1314 {
0ea02355 1315 (void) m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1316 US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1317 "specified; only using the first " MAX_CLAMD_SERVERS_S );
1318 break;
1319 }
8a512ed5
JH		 1320 } while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1321 NULL, 0)));
8e669ac1 1322
0f0c8159
JH		 1323 /* check if we have at least one server */
1324 if (!num_servers)
0ea02355 1325 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1326 US"no useable server addresses in malware configuration option.");
1327 }
b1f8e4f8 1328
0f0c8159
JH		 1329 /* See the discussion of response formats below to see why we really
1330 don't like colons in filenames when passing filenames to ClamAV. */
1331 if (use_scan_command && Ustrchr(eml_filename, ':'))
0ea02355 1332 return m_errlog_defer(scanent, NULL,
0f0c8159
JH		 1333 string_sprintf("local/SCAN mode incompatible with" \
1334 " : in path to email filename [%s]", eml_filename));
b1f8e4f8 1335
0f0c8159
JH		 1336 /* We have some network servers specified */
1337 if (num_servers)
1338 {
1339 /* Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd
1340 * only supports AF_INET, but we should probably be looking to the
1341 * future and rewriting this to be protocol-independent anyway. */
b1f8e4f8 1342
0f0c8159
JH		 1343 while (num_servers > 0)
1344 {
8a512ed5
JH		 1345 int i = random_number( num_servers );
1346 clamd_address * cd = cv[i];
b1f8e4f8 1347
8a512ed5
JH		 1348 DEBUG(D_acl) debug_printf("trying server name %s, port %u\n",
1349 cd->hostspec, cd->tcp_port);
0f0c8159
JH		 1350
1351 /* Lookup the host. This is to ensure that we connect to the same IP
1352 * on both connections (as one host could resolve to multiple ips) */
8a512ed5 1353 for (;;)
0f0c8159 1354 {
8a512ed5
JH		 1355 sock= m_tcpsocket(cd->hostspec, cd->tcp_port, &connhost, &errstr);
1356 if (sock >= 0)
1357 {
1358 /* Connection successfully established with a server */
1359 hostname = cd->hostspec;
1360 break;
1361 }
1362 if (cd->retry <= 0) break;
1363 while (cd->retry > 0) cd->retry = sleep(cd->retry);
4e71661f 1364 }
8a512ed5
JH		 1365 if (sock >= 0)
1366 break;
b1f8e4f8 1367
0ea02355 1368 (void) m_errlog_defer(scanent, CUS callout_address, errstr);
0f0c8159
JH		 1369
1370 /* Remove the server from the list. XXX We should free the memory */
1371 num_servers--;
8a512ed5
JH		 1372 for (; i < num_servers; i++)
1373 cv[i] = cv[i+1];
4e71661f 1374 }
8e669ac1 1375
0f0c8159 1376 if (num_servers == 0)
0ea02355 1377 return m_errlog_defer(scanent, NULL, US"all servers failed");
0f0c8159
JH		 1378 }
1379 else
8a512ed5
JH		 1380 for (;;)
1381 {
1382 if ((sock = ip_unixsocket(cv[0]->hostspec, &errstr)) >= 0)
1383 {
1384 hostname = cv[0]->hostspec;
1385 break;
1386 }
1387 if (cv[0]->retry <= 0)
0ea02355 1388 return m_errlog_defer(scanent, CUS callout_address, errstr);
8a512ed5
JH		 1389 while (cv[0]->retry > 0) cv[0]->retry = sleep(cv[0]->retry);
1390 }
b1f8e4f8 1391
0f0c8159
JH		 1392 /* have socket in variable "sock"; command to use is semi-independent of
1393 * the socket protocol. We use SCAN if is local (either Unix/local
1394 * domain socket, or explicitly told local) else we stream the data.
1395 * How we stream the data depends upon how we were built. */
1396
1397 if (!use_scan_command)
1398 {
4e71661f 1399#ifdef WITH_OLD_CLAMAV_STREAM
0f0c8159
JH		 1400 /* "STREAM\n" command, get back a "PORT <N>\n" response, send data to
1401 * that port on a second connection; then in the scan-method-neutral
1402 * part, read the response back on the original connection. */
b1f8e4f8 1403
0f0c8159
JH		 1404 DEBUG(D_acl) debug_printf(
1405 "Malware scan: issuing %s old-style remote scan (PORT)\n",
1406 scanner_name);
b1f8e4f8 1407
0f0c8159
JH		 1408 /* Pass the string to ClamAV (7 = "STREAM\n") */
1409 if (m_sock_send(sock, US"STREAM\n", 7, &errstr) < 0)
0ea02355 1410 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1411
0f0c8159
JH		 1412 memset(av_buffer2, 0, sizeof(av_buffer2));
1413 bread = ip_recv(sock, av_buffer2, sizeof(av_buffer2), tmo-time(NULL));
b1f8e4f8 1414
0f0c8159 1415 if (bread < 0)
0ea02355 1416 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1417 string_sprintf("unable to read PORT from socket (%s)",
1418 strerror(errno)),
1419 sock);
b1f8e4f8 1420
0f0c8159 1421 if (bread == sizeof(av_buffer2))
0ea02355
JH		 1422 return m_errlog_defer_3(scanent, CUS callout_address,
1423 "buffer too small", sock);
b1f8e4f8 1424
0f0c8159 1425 if (!(*av_buffer2))
0ea02355
JH		 1426 return m_errlog_defer_3(scanent, CUS callout_address,
1427 "ClamAV returned null", sock);
b1f8e4f8 1428
0f0c8159
JH		 1429 av_buffer2[bread] = '\0';
1430 if( sscanf(CS av_buffer2, "PORT %u\n", &port) != 1 )
0ea02355 1431 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1432 string_sprintf("Expected port information from clamd, got '%s'",
1433 av_buffer2),
1434 sock);
b1f8e4f8 1435
0f0c8159
JH		 1436 sockData = m_tcpsocket(connhost.address, port, NULL, &errstr);
1437 if (sockData < 0)
0ea02355 1438 return m_errlog_defer_3(scanent, CUS callout_address, errstr, sock);
b1f8e4f8 1439
4e71661f
JH		 1440# define CLOSE_SOCKDATA (void)close(sockData)
1441#else /* WITH_OLD_CLAMAV_STREAM not defined */
0f0c8159
JH		 1442 /* New protocol: "zINSTREAM\n" followed by a sequence of <length><data>
1443 chunks, <n> a 4-byte number (network order), terminated by a zero-length
1444 chunk. */
b1f8e4f8 1445
0f0c8159
JH		 1446 DEBUG(D_acl) debug_printf(
1447 "Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1448 scanner_name);
b1f8e4f8 1449
0f0c8159
JH		 1450 /* Pass the string to ClamAV (10 = "zINSTREAM\0") */
1451 if (send(sock, "zINSTREAM", 10, 0) < 0)
0ea02355 1452 return m_errlog_defer_3(scanent, CUS hostname,
0f0c8159
JH		 1453 string_sprintf("unable to send zINSTREAM to socket (%s)",
1454 strerror(errno)),
1455 sock);
b1f8e4f8 1456
4e71661f
JH		 1457# define CLOSE_SOCKDATA /**/
1458#endif
b1f8e4f8 1459
0f0c8159
JH		 1460 /* calc file size */
1461 if ((clam_fd = open(CS eml_filename, O_RDONLY)) < 0)
1462 {
1463 int err = errno;
1464 CLOSE_SOCKDATA;
0ea02355 1465 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1466 string_sprintf("can't open spool file %s: %s",
1467 eml_filename, strerror(err)),
1468 sock);
1469 }
1470 if ((fsize = lseek(clam_fd, 0, SEEK_END)) < 0)
1471 {
1472 int err = errno;
1473 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1474 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1475 string_sprintf("can't seek spool file %s: %s",
1476 eml_filename, strerror(err)),
1477 sock);
1478 }
1479 fsize_uint = (unsigned int) fsize;
1480 if ((off_t)fsize_uint != fsize)
1481 {
1482 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1483 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1484 string_sprintf("seeking spool file %s, size overflow",
1485 eml_filename),
1486 sock);
1487 }
1488 lseek(clam_fd, 0, SEEK_SET);
b1f8e4f8 1489
0f0c8159
JH		 1490 if (!(clamav_fbuf = (uschar *) malloc (fsize_uint)))
1491 {
1492 CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1493 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1494 string_sprintf("unable to allocate memory %u for file (%s)",
1495 fsize_uint, eml_filename),
1496 sock);
1497 }
b1f8e4f8 1498
0f0c8159
JH		 1499 if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0)
1500 {
1501 int err = errno;
1502 free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd);
0ea02355 1503 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1504 string_sprintf("can't read spool file %s: %s",
1505 eml_filename, strerror(err)),
1506 sock);
1507 }
1508 (void)close(clam_fd);
b1f8e4f8 1509
0f0c8159 1510 /* send file body to socket */
4e71661f 1511#ifdef WITH_OLD_CLAMAV_STREAM
0f0c8159
JH		 1512 if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0)
1513 {
1514 free(clamav_fbuf); CLOSE_SOCKDATA;
0ea02355 1515 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1516 string_sprintf("unable to send file body to socket (%s:%u)",
1517 hostname, port),
1518 sock);
1519 }
4e71661f 1520#else
0f0c8159
JH		 1521 send_size = htonl(fsize_uint);
1522 send_final_zeroblock = 0;
1523 if ((send(sock, &send_size, sizeof(send_size), 0) < 0) ||
1524 (send(sock, clamav_fbuf, fsize_uint, 0) < 0) ||
1525 (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0))
1526 {
b1f8e4f8 1527 free(clamav_fbuf);
0ea02355 1528 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1529 string_sprintf("unable to send file body to socket (%s)", hostname),
1530 sock);
4e71661f 1531 }
0f0c8159 1532#endif
b1f8e4f8 1533
0f0c8159 1534 free(clamav_fbuf);
b1f8e4f8 1535
0f0c8159
JH		 1536 CLOSE_SOCKDATA;
1537#undef CLOSE_SOCKDATA
1538 }
1539 else
1540 { /* use scan command */
1541 /* Send a SCAN command pointing to a filename; then in the then in the
1542 * scan-method-neutral part, read the response back */
1543
1544/* ================================================================= */
1545
1546 /* Prior to the reworking post-Exim-4.72, this scanned a directory,
1547 which dates to when ClamAV needed us to break apart the email into the
1548 MIME parts (eg, with the now deprecated demime condition coming first).
1549 Some time back, ClamAV gained the ability to deconstruct the emails, so
1550 doing this would actually have resulted in the mail attachments being
1551 scanned twice, in the broken out files and from the original .eml.
1552 Since ClamAV now handles emails (and has for quite some time) we can
1553 just use the email file itself. */
1554 /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
1555 file_name = string_sprintf("SCAN %s\n", eml_filename);
1556
1557 DEBUG(D_acl) debug_printf(
1558 "Malware scan: issuing %s local-path scan [%s]\n",
1559 scanner_name, scanner_options);
b1f8e4f8 1560
0f0c8159 1561 if (send(sock, file_name, Ustrlen(file_name), 0) < 0)
0ea02355 1562 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1563 string_sprintf("unable to write to socket (%s)", strerror(errno)),
1564 sock);
b1f8e4f8 1565
0f0c8159
JH		 1566 /* Do not shut down the socket for writing; a user report noted that
1567 * clamd 0.70 does not react well to this. */
1568 }
1569 /* Commands have been sent, no matter which scan method or connection
1570 * type we're using; now just read the result, independent of method. */
1571
1572 /* Read the result */
1573 memset(av_buffer, 0, sizeof(av_buffer));
1574 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1575 (void)close(sock);
1576 sock = -1;
1577
1578 if (bread <= 0)
0ea02355 1579 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1580 string_sprintf("unable to read from socket (%s)",
1581 errno == 0 ? "EOF" : strerror(errno)));
1582
1583 if (bread == sizeof(av_buffer))
0ea02355
JH		 1584 return m_errlog_defer(scanent, CUS callout_address,
1585 US"buffer too small");
0f0c8159
JH		 1586 /* We're now assured of a NULL at the end of av_buffer */
1587
1588 /* Check the result. ClamAV returns one of two result formats.
1589 In the basic mode, the response is of the form:
1590 infected: -> "<filename>: <virusname> FOUND"
1591 not-infected: -> "<filename>: OK"
1592 error: -> "<filename>: <errcode> ERROR
1593 If the ExtendedDetectionInfo option has been turned on, then we get:
1594 "<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1595 for the infected case. Compare:
1596/tmp/eicar.com: Eicar-Test-Signature FOUND
1597/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1598
1599 In the streaming case, clamd uses the filename "stream" which you should
1600 be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1601 client app will replace "stream" with the original filename before returning
1602 results to stdout, but the trace shows the data).
1603
1604 We will assume that the pathname passed to clamd from Exim does not contain
1605 a colon. We will have whined loudly above if the eml_filename does (and we're
1606 passing a filename to clamd). */
1607
1608 if (!(*av_buffer))
0ea02355
JH		 1609 return m_errlog_defer(scanent, CUS callout_address,
1610 US"ClamAV returned null");
0f0c8159
JH		 1611
1612 /* strip newline at the end (won't be present for zINSTREAM)
1613 (also any trailing whitespace, which shouldn't exist, but we depend upon
1614 this below, so double-check) */
1615 p = av_buffer + Ustrlen(av_buffer) - 1;
1616 if (*p == '\n') *p = '\0';
1617
1618 DEBUG(D_acl) debug_printf("Malware response: %s\n", av_buffer);
1619
1620 while (isspace(*--p) && (p > av_buffer))
1621 *p = '\0';
1622 if (*p) ++p;
0f0c8159
JH		 1623
1624 /* colon in returned output? */
80591636 1625 if(!(p = Ustrchr(av_buffer,':')))
0ea02355 1626 return m_errlog_defer(scanent, CUS callout_address, string_sprintf(
0f0c8159
JH		 1627 "ClamAV returned malformed result (missing colon): %s",
1628 av_buffer));
1629
1630 /* strip filename */
1631 while (*p && isspace(*++p)) /**/;
1632 vname = p;
1633
1634 /* It would be bad to encounter a virus with "FOUND" in part of the name,
1635 but we should at least be resistant to it. */
1636 p = Ustrrchr(vname, ' ');
1637 result_tag = p ? p+1 : vname;
1638
1639 if (Ustrcmp(result_tag, "FOUND") == 0)
1640 {
1641 /* p should still be the whitespace before the result_tag */
1642 while (isspace(*p)) --p;
1643 *++p = '\0';
1644 /* Strip off the extended information too, which will be in parens
1645 after the virus name, with no intervening whitespace. */
1646 if (*--p == ')')
4e71661f 1647 {
0f0c8159
JH		 1648 /* "(hash:size)", so previous '(' will do; if not found, we have
1649 a curious virus name, but not an error. */
1650 p = Ustrrchr(vname, '(');
1651 if (p)
1652 *p = '\0';
4e71661f 1653 }
0f0c8159
JH		 1654 malware_name = string_copy(vname);
1655 DEBUG(D_acl) debug_printf("Malware found, name \"%s\"\n", malware_name);
b1f8e4f8 1656
0f0c8159
JH		 1657 }
1658 else if (Ustrcmp(result_tag, "ERROR") == 0)
0ea02355 1659 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159 1660 string_sprintf("ClamAV returned: %s", av_buffer));
b1f8e4f8 1661
0f0c8159
JH		 1662 else if (Ustrcmp(result_tag, "OK") == 0)
1663 {
1664 /* Everything should be OK */
1665 malware_name = NULL;
1666 DEBUG(D_acl) debug_printf("Malware not found\n");
b1f8e4f8 1667
0f0c8159
JH		 1668 }
1669 else
0ea02355 1670 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1671 string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1672
1673 break;
b1f8e4f8
JH		 1674 } /* clamd */
1675
1676 case M_SOCK: /* "sock" scanner type ------------------------------------- */
0f0c8159
JH		 1677 /* This code was derived by Martin Poole from the clamd code contributed
1678 by David Saez and the cmdline code
1679 */
b1f8e4f8 1680 {
0f0c8159
JH		 1681 int bread;
1682 uschar * commandline;
1683 uschar av_buffer[1024];
1684 uschar * linebuffer;
1685 uschar * sockline_scanner;
1686 uschar sockline_scanner_default[] = "%s\n";
1687 const pcre *sockline_trig_re;
1688 const pcre *sockline_name_re;
1689
1690 /* find scanner command line */
1691 if ((sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1692 NULL, 0)))
1693 { /* check for no expansions apart from one %s */
1694 uschar * s = Ustrchr(sockline_scanner, '%');
1695 if (s++)
1696 if ((*s != 's' && *s != '%') || Ustrchr(s+1, '%'))
0ea02355 1697 return m_errlog_defer_3(scanent, NULL,
0f0c8159
JH		 1698 US"unsafe sock scanner call spec", sock);
1699 }
1700 else
1701 sockline_scanner = sockline_scanner_default;
b1f8e4f8 1702
0f0c8159
JH		 1703 /* find scanner output trigger */
1704 sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1705 "missing trigger specification", &errstr);
1706 if (!sockline_trig_re)
0ea02355 1707 return m_errlog_defer_3(scanent, NULL, errstr, sock);
b1f8e4f8 1708
0f0c8159
JH		 1709 /* find virus name regex */
1710 sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1711 "missing virus name regex specification", &errstr);
1712 if (!sockline_name_re)
0ea02355 1713 return m_errlog_defer_3(scanent, NULL, errstr, sock);
b1f8e4f8 1714
0f0c8159
JH		 1715 /* prepare scanner call - security depends on expansions check above */
1716 commandline = string_sprintf("%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
1717 commandline = string_sprintf( CS sockline_scanner, CS commandline);
b1f8e4f8
JH		 1718
1719
0f0c8159
JH		 1720 /* Pass the command string to the socket */
1721 if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < 0)
0ea02355 1722 return m_errlog_defer(scanent, CUS callout_address, errstr);
b1f8e4f8 1723
0f0c8159
JH		 1724 /* Read the result */
1725 bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
b1f8e4f8 1726
0f0c8159 1727 if (bread <= 0)
0ea02355 1728 return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1729 string_sprintf("unable to read from socket (%s)", strerror(errno)),
1730 sock);
b1f8e4f8 1731
0f0c8159 1732 if (bread == sizeof(av_buffer))
0ea02355
JH		 1733 return m_errlog_defer_3(scanent, CUS callout_address,
1734 US"buffer too small", sock);
0f0c8159
JH		 1735 av_buffer[bread] = '\0';
1736 linebuffer = string_copy(av_buffer);
b1f8e4f8 1737
0f0c8159
JH		 1738 /* try trigger match */
1739 if (regex_match_and_setup(sockline_trig_re, linebuffer, 0, -1))
1740 {
1741 if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1742 malware_name = US "unknown";
b1f8e4f8 1743 }
0f0c8159
JH		 1744 else /* no virus found */
1745 malware_name = NULL;
1746 break;
8523533c 1747 }
8e669ac1 1748
b1f8e4f8
JH		 1749 case M_MKSD: /* "mksd" scanner type ------------------------------------- */
1750 {
0f0c8159
JH		 1751 char *mksd_options_end;
1752 int mksd_maxproc = 1; /* default, if no option supplied */
1753 int retval;
b1f8e4f8 1754
0f0c8159
JH		 1755 if (scanner_options)
1756 {
1757 mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, 10);
1758 if ( *scanner_options == '\0'
1759 || *mksd_options_end != '\0'
1760 || mksd_maxproc < 1
1761 || mksd_maxproc > 32
1762 )
0ea02355 1763 return m_errlog_defer(scanent, CUS callout_address,
0f0c8159
JH		 1764 string_sprintf("invalid option '%s'", scanner_options));
1765 }
8e669ac1 1766
3e60dd41 1767 if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < 0)
0ea02355 1768 return m_errlog_defer(scanent, CUS callout_address, errstr);
8e669ac1 1769
0f0c8159 1770 malware_name = NULL;
94a18f28 1771
0f0c8159 1772 DEBUG(D_acl) debug_printf("Malware scan: issuing %s scan\n", scanner_name);
94a18f28 1773
0f0c8159
JH		 1774 if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1775 {
1776 close (sock);
1777 return retval;
1778 }
1779 break;
8523533c 1780 }
0f0c8159 1781
b6fbf22d
JH		 1782 case M_AVAST: /* "avast" scanner type ----------------------------------- */
1783 {
1784 int ovector[1*3];
1785 uschar buf[1024];
1786 uschar * scanrequest;
b6fbf22d 1787 enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
0f0c8159 1788 int nread;
b6fbf22d
JH		 1789
1790 /* According to Martin Tuma @avast the protocol uses "escaped
1791 whitespace", that is, every embedded whitespace is backslash
1792 escaped, as well as backslash is protected by backslash.
1793 The returned lines contain the name of the scanned file, a tab
1794 and the [ ] marker.
1795 [+] - not infected
1796 [L] - infected
1797 [E] - some error occured
1798 Such marker follows the first non-escaped TAB. */
476be7e2
JH		 1799 if ( ( !ava_re_clean
1800 && !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1801 || ( !ava_re_virus
1802 && !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
b6fbf22d
JH		 1803 )
1804 return malware_errlog_defer(errstr);
1805
1806 /* wait for result */
0f0c8159
JH		 1807 for (avast_stage = AVA_HELO;
1808 (nread = recv_line(sock, buf, sizeof(buf), tmo)) > 0;
1809 )
b6fbf22d
JH		 1810 {
1811 int slen = Ustrlen(buf);
94431adb 1812 if (slen >= 1)
b6fbf22d
JH		 1813 {
1814 DEBUG(D_acl) debug_printf("got from avast: %s\n", buf);
1815 switch (avast_stage)
1816 {
1817 case AVA_HELO:
1818 if (Ustrncmp(buf, "220", 3) != 0)
1819 goto endloop; /* require a 220 */
1820 goto sendreq;
1821
1822 case AVA_OPT:
1823 if (Ustrncmp(buf, "210", 3) == 0)
1824 break; /* ignore 210 responses */
1825 if (Ustrncmp(buf, "200", 3) != 0)
1826 goto endloop; /* require a 200 */
1827
1828 sendreq:
1829 {
1830 int len;
1831 /* Check for another option to send. Newline-terminate it. */
1832 if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1833 NULL, 0)))
1834 {
1835 scanrequest = string_sprintf("%s\n", scanrequest);
1836 avast_stage = AVA_OPT; /* just sent option */
1837 }
1838 else
1839 {
1840 scanrequest = string_sprintf("SCAN %s/scan/%s\n",
1841 spool_directory, message_id);
1842 avast_stage = AVA_RSP; /* just sent command */
1843 }
1844
1845 /* send config-cmd or scan-request to socket */
1846 len = Ustrlen(scanrequest);
1847 if (send(sock, scanrequest, len, 0) < 0)
1848 {
1849 scanrequest[len-1] = '\0';
0ea02355 1850 return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
b6fbf22d
JH		 1851 "unable to send request '%s' to socket (%s): %s",
1852 scanrequest, scanner_options, strerror(errno)), sock);
1853 }
1854 break;
1855 }
1856
1857 case AVA_RSP:
1858 if (Ustrncmp(buf, "210", 3) == 0)
1859 break; /* ignore the "210 SCAN DATA" message */
1860
476be7e2 1861 if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
b6fbf22d
JH		 1862 0, 0, ovector, nelements(ovector)) > 0)
1863 break;
1864
476be7e2 1865 if ((malware_name = m_pcre_exec(ava_re_virus, buf)))
b6fbf22d
JH		 1866 { /* remove backslash in front of [whitespace|backslash] */
1867 uschar * p, * p0;
94431adb 1868 for (p = malware_name; *p; ++p)
b6fbf22d
JH		 1869 if (*p == '\\' && (isspace(p[1]) || p[1] == '\\'))
1870 for (p0 = p; *p0; ++p0) *p0 = p0[1];
94431adb 1871
b6fbf22d
JH		 1872 avast_stage = AVA_DONE;
1873 goto endloop;
1874 }
1875
94431adb 1876 if (Ustrncmp(buf, "200 SCAN OK", 11) == 0)
b6fbf22d
JH		 1877 { /* we're done finally */
1878 if (send(sock, "QUIT\n", 5, 0) < 0) /* courtesy */
0ea02355
JH		 1879 return m_errlog_defer_3(scanent, CUS callout_address,
1880 string_sprintf(
b6fbf22d
JH		 1881 "unable to send quit request to socket (%s): %s",
1882 scanner_options, strerror(errno)),
1883 sock);
1884 malware_name = NULL;
1885 avast_stage = AVA_DONE;
1886 goto endloop;
1887 }
1888
1889 /* here for any unexpected response from the scanner */
1890 goto endloop;
755762fd
HSHR		 1891
1892 case AVA_DONE: log_write(0, LOG_PANIC, "%s:%d:%s: should not happen",
1893 __FILE__, __LINE__, __FUNCTION__);
b6fbf22d 1894 }
0f0c8159 1895 }
b6fbf22d 1896 }
b6fbf22d
JH		 1897 endloop:
1898
1899 switch(avast_stage)
1900 {
94431adb 1901 case AVA_HELO:
b6fbf22d 1902 case AVA_OPT:
0ea02355 1903 case AVA_RSP: return m_errlog_defer_3(scanent, CUS callout_address,
0f0c8159
JH		 1904 nread >= 0
1905 ? string_sprintf(
1906 "invalid response from scanner: '%s'", buf)
1907 : nread == -1
1908 ? US"EOF from scanner"
1909 : US"timeout from scanner",
1910 sock);
b6fbf22d
JH		 1911 default: break;
1912 }
1913 }
0f0c8159
JH		 1914 break;
1915 } /* scanner type switch */
8523533c 1916
0f0c8159
JH		 1917 if (sock >= 0)
1918 (void) close (sock);
1919 malware_ok = TRUE; /* set "been here, done that" marker */
b1f8e4f8 1920 }
8523533c 1921
0f0c8159
JH		 1922/* match virus name against pattern (caseless ------->----------v) */
1923if (malware_name && regex_match_and_setup(re, malware_name, 0, -1))
1924 {
1925 DEBUG(D_acl) debug_printf(
1926 "Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
1927 return OK;
1928 }
1929else
1930 return FAIL;
8523533c
TK		 1931}
1932
1933
0f0c8159
JH		 1934/*************************************************
1935* Scan an email for malware *
1936*************************************************/
8523533c 1937
0f0c8159
JH		 1938/* This is the normal interface for scanning an email, which doesn't need a
1939filename; it's a wrapper around the malware_file function.
8523533c 1940
0f0c8159
JH		 1941Arguments:
1942 malware_re match condition for "malware="
1943 timeout if nonzero, timeout in seconds
1944
1945Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1946 where true means malware was found (condition applies)
1947*/
1948int
1949malware(const uschar * malware_re, int timeout)
8523533c 1950{
0f0c8159
JH		 1951 uschar * scan_filename;
1952 int ret;
8e669ac1 1953
0f0c8159
JH		 1954 scan_filename = string_sprintf("%s/scan/%s/%s.eml",
1955 spool_directory, message_id, message_id);
1956 ret = malware_internal(malware_re, scan_filename, timeout, FALSE);
1957 if (ret == DEFER) av_failed = TRUE;
1958
1959 return ret;
8523533c
TK		 1960}
1961
8e669ac1 1962
0f0c8159
JH		 1963/*************************************************
1964* Scan a file for malware *
1965*************************************************/
8e669ac1 1966
0f0c8159
JH		 1967/* This is a test wrapper for scanning an email, which is not used in
1968normal processing. Scan any file, using the Exim scanning interface.
1969This function tampers with various global variables so is unsafe to use
1970in any other context.
8e669ac1 1971
0f0c8159
JH		 1972Arguments:
1973 eml_filename a file holding the message to be scanned
8523533c 1974
0f0c8159
JH		 1975Returns: Exim message processing code (OK, FAIL, DEFER, ...)
1976 where true means malware was found (condition applies)
1977*/
1978int
1979malware_in_file(uschar *eml_filename)
8523533c 1980{
0f0c8159
JH		 1981 uschar message_id_buf[64];
1982 int ret;
8523533c 1983
0f0c8159
JH		 1984 /* spool_mbox() assumes various parameters exist, when creating
1985 the relevant directory and the email within */
1986 (void) string_format(message_id_buf, sizeof(message_id_buf),
1987 "dummy-%d", vaguely_random_number(INT_MAX));
1988 message_id = message_id_buf;
1989 sender_address = US"malware-sender@example.net";
1990 return_path = US"";
1991 recipients_list = NULL;
1992 receive_add_recipient(US"malware-victim@example.net", -1);
1993 enable_dollar_recipients = TRUE;
8e669ac1 1994
0f0c8159 1995 ret = malware_internal(US"*", eml_filename, 0, TRUE);
8544e77a 1996
0f0c8159
JH		 1997 Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
1998 spool_mbox_ok = 1;
1999 /* don't set no_mbox_unspool; at present, there's no way for it to become
2000 set, but if that changes, then it should apply to these tests too */
2001 unspool_mbox();
8e669ac1 2002
0f0c8159
JH		 2003 /* silence static analysis tools */
2004 message_id = NULL;
8e669ac1 2005
0f0c8159 2006 return ret;
8523533c
TK		 2007}
2008
476be7e2
JH		 2009
2010void
2011malware_init(void)
2012{
2013if (!malware_default_re)
2014 malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
2015if (!drweb_re)
2016 drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
2017if (!fsec_re)
2018 fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
2019if (!kav_re_sus)
2020 kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2021if (!kav_re_inf)
2022 kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
2023if (!ava_re_clean)
2024 ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2025if (!ava_re_virus)
2026 ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
2027}
2028
b1f8e4f8
JH		 2029#endif /*WITH_CONTENT_SCAN*/
2030/*
2031 * vi: aw ai sw=2
2032 */
Unnamed repository; edit this file 'description' to name the repository.