projects / exim.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Fix SPA authenticator, checking client-supplied data before using it. Bug 2571
[exim.git] / src / src / spool_in.c
... / ...
CommitLineData
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
5/* Copyright (c) University of Cambridge 1995 - 2018 */
6/* Copyright (c) The Exim Maintainers 2020 */
7/* See the file NOTICE for conditions of use and distribution. */
8
9/* Functions for reading spool files. When compiling for a utility (eximon),
10not all are needed, and some functionality can be cut out. */
11
12
13#include "exim.h"
14
15
16
17#ifndef COMPILE_UTILITY
18/*************************************************
19* Open and lock data file *
20*************************************************/
21
22/* The data file is the one that is used for locking, because the header file
23can get replaced during delivery because of header rewriting. The file has
24to opened with write access so that we can get an exclusive lock, but in
25fact it won't be written to. Just in case there's a major disaster (e.g.
26overwriting some other file descriptor with the value of this one), open it
27with append.
28
29As called by deliver_message() (at least) we are operating as root.
30
31Argument: the id of the message
32Returns: fd if file successfully opened and locked, else -1
33
34Side effect: message_subdir is set for the (possibly split) spool directory
35*/
36
37int
38spool_open_datafile(uschar *id)
39{
40struct stat statbuf;
41flock_t lock_data;
42int fd;
43
44/* If split_spool_directory is set, first look for the file in the appropriate
45sub-directory of the input directory. If it is not found there, try the input
46directory itself, to pick up leftovers from before the splitting. If split_
47spool_directory is not set, first look in the main input directory. If it is
48not found there, try the split sub-directory, in case it is left over from a
49splitting state. */
50
51for (int i = 0; i < 2; i++)
52 {
53 uschar * fname;
54 int save_errno;
55
56 set_subdir_str(message_subdir, id, i);
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
59
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
64 */
65 if ((fd = Uopen(fname,
66#ifdef O_CLOEXEC
67 O_CLOEXEC |
68#endif
69#ifdef O_NOFOLLOW
70 O_NOFOLLOW |
71#endif
72 O_RDWR | O_APPEND, 0)) >= 0)
73 break;
74 save_errno = errno;
75 if (errno == ENOENT)
76 {
77 if (i == 0) continue;
78 if (!f.queue_running)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
82 id);
83 }
84 else
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
86 errno = save_errno;
87 return -1;
88 }
89
90/* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91the file. We lock only the first line of the file (containing the message ID)
92because this apparently is needed for running Exim under Cygwin. If the entire
93file is locked in one process, a sub-process cannot access it, even when passed
94an open file descriptor (at least, I think that's the Cygwin story). On real
95Unix systems it doesn't make any difference as long as Exim is consistent in
96what it locks. */
97
98#ifndef O_CLOEXEC
99(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
100#endif
101
102lock_data.l_type = F_WRLCK;
103lock_data.l_whence = SEEK_SET;
104lock_data.l_start = 0;
105lock_data.l_len = SPOOL_DATA_START_OFFSET;
106
107if (fcntl(fd, F_SETLK, &lock_data) < 0)
108 {
109 log_write(L_skip_delivery, LOG_MAIN,
110 "Spool file for %s is locked (another process is handling this message)",
111 id);
112 (void)close(fd);
113 errno = 0;
114 return -1;
115 }
116
117/* Get the size of the data; don't include the leading filename line
118in the count, but add one for the newline before the data. */
119
120if (fstat(fd, &statbuf) == 0)
121 {
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
124 }
125
126return fd;
127}
128#endif /* COMPILE_UTILITY */
129
130
131
132/*************************************************
133* Read non-recipients tree from spool file *
134*************************************************/
135
136/* The tree of non-recipients is written to the spool file in a form that
137makes it easy to read back into a tree. The format is as follows:
138
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
141
142 . The left subtree (if any) then follows, then the right subtree (if any).
143
144This function is entered with the next input line in the buffer. Note we must
145save the right flag before recursing with the same buffer.
146
147Once the tree is read, we re-construct the balance fields by scanning the tree.
148I forgot to write them out originally, and the compatible fix is to do it this
149way. This initial local recursing function does the necessary.
150
151Arguments:
152 node tree node
153
154Returns: maximum depth below the node, including the node itself
155*/
156
157static int
158count_below(tree_node *node)
159{
160int nleft, nright;
161if (node == NULL) return 0;
162nleft = count_below(node->left);
163nright = count_below(node->right);
164node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165return 1 + ((nleft > nright)? nleft : nright);
166}
167
168/* This is the real function...
169
170Arguments:
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
175
176Returns: FALSE on format error
177*/
178
179static BOOL
180read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
181 int buffer_size)
182{
183tree_node *node;
184int n = Ustrlen(buffer);
185BOOL right = buffer[1] == 'Y';
186
187if (n < 5) return FALSE; /* malformed line */
188buffer[n-1] = 0; /* Remove \n */
189node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
190*connect = node;
191Ustrcpy(node->name, buffer + 3);
192node->data.ptr = NULL;
193
194if (buffer[0] == 'Y')
195 {
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
198 return FALSE;
199 }
200else node->left = NULL;
201
202if (right)
203 {
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
206 return FALSE;
207 }
208else node->right = NULL;
209
210(void) count_below(*connect);
211return TRUE;
212}
213
214
215
216
217/* Reset all the global variables to their default values. However, there is
218one exception. DO NOT change the default value of dont_deliver, because it may
219be forced by an external setting. */
220
221void
222spool_clear_header_globals(void)
223{
224acl_var_c = acl_var_m = NULL;
225authenticated_id = NULL;
226authenticated_sender = NULL;
227f.allow_unqualified_recipient = FALSE;
228f.allow_unqualified_sender = FALSE;
229body_linecount = 0;
230body_zerocount = 0;
231f.deliver_firsttime = FALSE;
232f.deliver_freeze = FALSE;
233deliver_frozen_at = 0;
234f.deliver_manual_thaw = FALSE;
235/* f.dont_deliver must NOT be reset */
236header_list = header_last = NULL;
237host_lookup_deferred = FALSE;
238host_lookup_failed = FALSE;
239interface_address = NULL;
240interface_port = 0;
241f.local_error_message = FALSE;
242#ifdef HAVE_LOCAL_SCAN
243local_scan_data = NULL;
244#endif
245max_received_linelength = 0;
246message_linecount = 0;
247received_protocol = NULL;
248received_count = 0;
249recipients_list = NULL;
250sender_address = NULL;
251sender_fullhost = NULL;
252sender_helo_name = NULL;
253sender_host_address = NULL;
254sender_host_name = NULL;
255sender_host_port = 0;
256sender_host_authenticated = NULL;
257sender_ident = NULL;
258f.sender_local = FALSE;
259f.sender_set_untrusted = FALSE;
260smtp_active_hostname = primary_hostname;
261#ifndef COMPILE_UTILITY
262f.spool_file_wireformat = FALSE;
263#endif
264tree_nonrecipients = NULL;
265
266#ifdef EXPERIMENTAL_BRIGHTMAIL
267bmi_run = 0;
268bmi_verdicts = NULL;
269#endif
270
271#ifndef DISABLE_DKIM
272dkim_signers = NULL;
273f.dkim_disable_verify = FALSE;
274dkim_collect_input = 0;
275#endif
276
277#ifndef DISABLE_TLS
278tls_in.certificate_verified = FALSE;
279# ifdef SUPPORT_DANE
280tls_in.dane_verified = FALSE;
281# endif
282tls_in.ver = tls_in.cipher = NULL;
283# ifndef COMPILE_UTILITY /* tls support fns not built in */
284tls_free_cert(&tls_in.ourcert);
285tls_free_cert(&tls_in.peercert);
286# endif
287tls_in.peerdn = NULL;
288tls_in.sni = NULL;
289tls_in.ocsp = OCSP_NOT_REQ;
290#endif
291
292#ifdef WITH_CONTENT_SCAN
293spam_bar = NULL;
294spam_score = NULL;
295spam_score_int = NULL;
296#endif
297
298#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299message_smtputf8 = FALSE;
300message_utf8_downconvert = 0;
301#endif
302
303dsn_ret = 0;
304dsn_envid = NULL;
305}
306
307
308/*************************************************
309* Read spool header file *
310*************************************************/
311
312/* This function reads a spool header file and places the data into the
313appropriate global variables. The header portion is always read, but header
314structures are built only if read_headers is set true. It isn't, for example,
315while generating -bp output.
316
317It may be possible for blocks of nulls (binary zeroes) to get written on the
318end of a file if there is a system crash during writing. It was observed on an
319earlier version of Exim that omitted to fsync() the files - this is thought to
320have been the cause of that incident, but in any case, this code must be robust
321against such an event, and if such a file is encountered, it must be treated as
322malformed.
323
324As called from deliver_message() (at least) we are running as root.
325
326Arguments:
327 name name of the header file, including the -H
328 read_headers TRUE if in-store header structures are to be built
329 subdir_set TRUE is message_subdir is already set
330
331Returns: spool_read_OK success
332 spool_read_notopen open failed
333 spool_read_enverror error in the envelope portion
334 spool_read_hdrerror error in the header portion
335*/
336
337int
338spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
339{
340FILE * fp = NULL;
341int n;
342int rcount = 0;
343long int uid, gid;
344BOOL inheader = FALSE;
345
346/* Reset all the global variables to their default values. However, there is
347one exception. DO NOT change the default value of dont_deliver, because it may
348be forced by an external setting. */
349
350spool_clear_header_globals();
351
352/* Generate the full name and open the file. If message_subdir is already
353set, just look in the given directory. Otherwise, look in both the split
354and unsplit directories, as for the data file above. */
355
356for (int n = 0; n < 2; n++)
357 {
358 if (!subdir_set)
359 set_subdir_str(message_subdir, name, n);
360
361 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
362 break;
363 if (n != 0 || subdir_set || errno != ENOENT)
364 return spool_read_notopen;
365 }
366
367errno = 0;
368
369#ifndef COMPILE_UTILITY
370DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
371#endif /* COMPILE_UTILITY */
372
373/* The first line of a spool file contains the message id followed by -H (i.e.
374the file name), in order to make the file self-identifying. */
375
376if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
377if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
378 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
379 goto SPOOL_FORMAT_ERROR;
380
381/* The next three lines in the header file are in a fixed format. The first
382contains the login, uid, and gid of the user who caused the file to be written.
383There are known cases where a negative gid is used, so we allow for both
384negative uids and gids. The second contains the mail address of the message's
385sender, enclosed in <>. The third contains the time the message was received,
386and the number of warning messages for delivery delays that have been sent. */
387
388if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
389
390 {
391 uschar *p = big_buffer + Ustrlen(big_buffer);
392 while (p > big_buffer && isspace(p[-1])) p--;
393 *p = 0;
394 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
395 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
396 gid = Uatoi(p);
397 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
398 *p = 0;
399 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
400 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
401 uid = Uatoi(p);
402 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
403 *p = 0;
404 }
405
406originator_login = string_copy(big_buffer);
407originator_uid = (uid_t)uid;
408originator_gid = (gid_t)gid;
409
410/* envelope from */
411if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
412n = Ustrlen(big_buffer);
413if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
414 goto SPOOL_FORMAT_ERROR;
415
416sender_address = store_get(n-2, TRUE); /* tainted */
417Ustrncpy(sender_address, big_buffer+1, n-3);
418sender_address[n-3] = 0;
419
420/* time */
421if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
422if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
423 goto SPOOL_FORMAT_ERROR;
424received_time.tv_usec = 0;
425
426message_age = time(NULL) - received_time.tv_sec;
427#ifndef COMPILE_UTILITY
428if (f.running_in_test_harness)
429 message_age = test_harness_fudged_queue_time(message_age);
430#endif
431
432#ifndef COMPILE_UTILITY
433DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
434 originator_login, (long int)originator_uid, (long int)originator_gid,
435 sender_address);
436#endif
437
438/* Now there may be a number of optional lines, each starting with "-". If you
439add a new setting here, make sure you set the default above.
440
441Because there are now quite a number of different possibilities, we use a
442switch on the first character to avoid too many failing tests. Thanks to Nico
443Erfurth for the patch that implemented this. I have made it even more efficient
444by not re-scanning the first two characters.
445
446To allow new versions of Exim that add additional flags to interwork with older
447versions that do not understand them, just ignore any lines starting with "-"
448that we don't recognize. Otherwise it wouldn't be possible to back off a new
449version that left new-style flags written on the spool.
450
451If the line starts with "--" the content of the variable is tainted. */
452
453for (;;)
454 {
455 int len;
456 BOOL tainted;
457 uschar * var;
458 const uschar * p;
459
460 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
461 if (big_buffer[0] != '-') break;
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
470 big_buffer = buf;
471 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
472 goto SPOOL_READ_ERROR;
473 }
474 big_buffer[len-1] = 0;
475
476 tainted = big_buffer[1] == '-';
477 var = big_buffer + (tainted ? 2 : 1);
478 p = var + 1;
479
480 switch(*var)
481 {
482 case 'a':
483
484 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
485 variable, because Exim allows any number of them, with arbitrary names.
486 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
487 the c or m. */
488
489 if (Ustrncmp(p, "clc ", 4) == 0 ||
490 Ustrncmp(p, "clm ", 4) == 0)
491 {
492 uschar *name, *endptr;
493 int count;
494 tree_node *node;
495 endptr = Ustrchr(var + 5, ' ');
496 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
497 name = string_sprintf("%c%.*s", var[3],
498 (int)(endptr - var - 5), var + 5);
499 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
500 node = acl_var_create(name);
501 node->data.ptr = store_get(count + 1, tainted);
502 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
503 ((uschar*)node->data.ptr)[count] = 0;
504 }
505
506 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
507 f.allow_unqualified_recipient = TRUE;
508 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
509 f.allow_unqualified_sender = TRUE;
510
511 else if (Ustrncmp(p, "uth_id", 6) == 0)
512 authenticated_id = string_copy_taint(var + 8, tainted);
513 else if (Ustrncmp(p, "uth_sender", 10) == 0)
514 authenticated_sender = string_copy_taint(var + 12, tainted);
515 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
516 smtp_active_hostname = string_copy_taint(var + 16, tainted);
517
518 /* For long-term backward compatibility, we recognize "-acl", which was
519 used before the number of ACL variables changed from 10 to 20. This was
520 before the subsequent change to an arbitrary number of named variables.
521 This code is retained so that upgrades from very old versions can still
522 handle old-format spool files. The value given after "-acl" is a number
523 that is 0-9 for connection variables, and 10-19 for message variables. */
524
525 else if (Ustrncmp(p, "cl ", 3) == 0)
526 {
527 unsigned index, count;
528 uschar name[20]; /* Need plenty of space for %u format */
529 tree_node * node;
530 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
531 || index >= 20
532 || count > 16384 /* arbitrary limit on variable size */
533 )
534 goto SPOOL_FORMAT_ERROR;
535 if (index < 10)
536 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
537 else
538 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
539 node = acl_var_create(name);
540 node->data.ptr = store_get(count + 1, tainted);
541 /* We sanity-checked the count, so disable the Coverity error */
542 /* coverity[tainted_data] */
543 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
544 (US node->data.ptr)[count] = '\0';
545 }
546 break;
547
548 case 'b':
549 if (Ustrncmp(p, "ody_linecount", 13) == 0)
550 body_linecount = Uatoi(var + 14);
551 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
552 body_zerocount = Uatoi(var + 14);
553#ifdef EXPERIMENTAL_BRIGHTMAIL
554 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
555 bmi_verdicts = string_copy_taint(var + 13, tainted);
556#endif
557 break;
558
559 case 'd':
560 if (Ustrcmp(p, "eliver_firsttime") == 0)
561 f.deliver_firsttime = TRUE;
562 /* Check if the dsn flags have been set in the header file */
563 else if (Ustrncmp(p, "sn_ret", 6) == 0)
564 dsn_ret= atoi(CS var + 7);
565 else if (Ustrncmp(p, "sn_envid", 8) == 0)
566 dsn_envid = string_copy_taint(var + 10, tainted);
567 break;
568
569 case 'f':
570 if (Ustrncmp(p, "rozen", 5) == 0)
571 {
572 f.deliver_freeze = TRUE;
573 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
574 goto SPOOL_READ_ERROR;
575 }
576 break;
577
578 case 'h':
579 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
580 host_lookup_deferred = TRUE;
581 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
582 host_lookup_failed = TRUE;
583 else if (Ustrncmp(p, "ost_auth", 8) == 0)
584 sender_host_authenticated = string_copy_taint(var + 10, tainted);
585 else if (Ustrncmp(p, "ost_name", 8) == 0)
586 sender_host_name = string_copy_taint(var + 10, tainted);
587 else if (Ustrncmp(p, "elo_name", 8) == 0)
588 sender_helo_name = string_copy_taint(var + 10, tainted);
589
590 /* We now record the port number after the address, separated by a
591 dot. For compatibility during upgrading, do nothing if there
592 isn't a value (it gets left at zero). */
593
594 else if (Ustrncmp(p, "ost_address", 11) == 0)
595 {
596 sender_host_port = host_address_extract_port(var + 13);
597 sender_host_address = string_copy_taint(var + 13, tainted);
598 }
599 break;
600
601 case 'i':
602 if (Ustrncmp(p, "nterface_address", 16) == 0)
603 {
604 interface_port = host_address_extract_port(var + 18);
605 interface_address = string_copy_taint(var + 18, tainted);
606 }
607 else if (Ustrncmp(p, "dent", 4) == 0)
608 sender_ident = string_copy_taint(var + 6, tainted);
609 break;
610
611 case 'l':
612 if (Ustrcmp(p, "ocal") == 0)
613 f.sender_local = TRUE;
614 else if (Ustrcmp(var, "localerror") == 0)
615 f.local_error_message = TRUE;
616#ifdef HAVE_LOCAL_SCAN
617 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
618 local_scan_data = string_copy_taint(var + 11, tainted);
619#endif
620 break;
621
622 case 'm':
623 if (Ustrcmp(p, "anual_thaw") == 0)
624 f.deliver_manual_thaw = TRUE;
625 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
626 max_received_linelength = Uatoi(var + 23);
627 break;
628
629 case 'N':
630 if (*p == 0) f.dont_deliver = TRUE; /* -N */
631 break;
632
633 case 'r':
634 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
635 received_protocol = string_copy_taint(var + 18, tainted);
636 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
637 {
638 unsigned usec;
639 if (sscanf(CS var + 20, "%u", &usec) == 1)
640 received_time.tv_usec = usec;
641 }
642 break;
643
644 case 's':
645 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
646 f.sender_set_untrusted = TRUE;
647#ifdef WITH_CONTENT_SCAN
648 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
649 spam_bar = string_copy_taint(var + 9, tainted);
650 else if (Ustrncmp(p, "pam_score ", 10) == 0)
651 spam_score = string_copy_taint(var + 11, tainted);
652 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
653 spam_score_int = string_copy_taint(var + 15, tainted);
654#endif
655#ifndef COMPILE_UTILITY
656 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
657 f.spool_file_wireformat = TRUE;
658#endif
659#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
660 else if (Ustrncmp(p, "mtputf8", 7) == 0)
661 message_smtputf8 = TRUE;
662#endif
663 break;
664
665#ifndef DISABLE_TLS
666 case 't':
667 if (Ustrncmp(p, "ls_", 3) == 0)
668 {
669 const uschar * q = p + 3;
670 if (Ustrncmp(q, "certificate_verified", 20) == 0)
671 tls_in.certificate_verified = TRUE;
672 else if (Ustrncmp(q, "cipher", 6) == 0)
673 tls_in.cipher = string_copy_taint(q+7, tainted);
674# ifndef COMPILE_UTILITY /* tls support fns not built in */
675 else if (Ustrncmp(q, "ourcert", 7) == 0)
676 (void) tls_import_cert(q+8, &tls_in.ourcert);
677 else if (Ustrncmp(q, "peercert", 8) == 0)
678 (void) tls_import_cert(q+9, &tls_in.peercert);
679# endif
680 else if (Ustrncmp(q, "peerdn", 6) == 0)
681 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
682 else if (Ustrncmp(q, "sni", 3) == 0)
683 tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
684 else if (Ustrncmp(q, "ocsp", 4) == 0)
685 tls_in.ocsp = q[5] - '0';
686# ifdef EXPERIMENTAL_TLS_RESUME
687 else if (Ustrncmp(q, "resumption", 10) == 0)
688 tls_in.resumption = q[11] - 'A';
689# endif
690 else if (Ustrncmp(q, "ver", 3) == 0)
691 tls_in.ver = string_copy_taint(q+4, tainted);
692 }
693 break;
694#endif
695
696#if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
697 case 'u':
698 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
699 message_utf8_downconvert = 1;
700 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
701 message_utf8_downconvert = -1;
702 break;
703#endif
704
705 default: /* Present because some compilers complain if all */
706 break; /* possibilities are not covered. */
707 }
708 }
709
710/* Build sender_fullhost if required */
711
712#ifndef COMPILE_UTILITY
713host_build_sender_fullhost();
714#endif /* COMPILE_UTILITY */
715
716#ifndef COMPILE_UTILITY
717DEBUG(D_deliver)
718 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
719 sender_ident ? sender_ident : US"unset");
720#endif /* COMPILE_UTILITY */
721
722/* We now have the tree of addresses NOT to deliver to, or a line
723containing "XX", indicating no tree. */
724
725if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
726 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
727 goto SPOOL_FORMAT_ERROR;
728
729#ifndef COMPILE_UTILITY
730DEBUG(D_deliver)
731 {
732 debug_printf("Non-recipients:\n");
733 debug_print_tree(tree_nonrecipients);
734 }
735#endif /* COMPILE_UTILITY */
736
737/* After reading the tree, the next line has not yet been read into the
738buffer. It contains the count of recipients which follow on separate lines.
739Apply an arbitrary sanity check.*/
740
741if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
742if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
743 goto SPOOL_FORMAT_ERROR;
744
745#ifndef COMPILE_UTILITY
746DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
747#endif /* COMPILE_UTILITY */
748
749recipients_list_max = rcount;
750recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
751
752/* We sanitised the count and know we have enough memory, so disable
753the Coverity error on recipients_count */
754/* coverity[tainted_data] */
755
756for (recipients_count = 0; recipients_count < rcount; recipients_count++)
757 {
758 int nn;
759 int pno = -1;
760 int dsn_flags = 0;
761 uschar *orcpt = NULL;
762 uschar *errors_to = NULL;
763 uschar *p;
764
765 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
766 nn = Ustrlen(big_buffer);
767 if (nn < 2) goto SPOOL_FORMAT_ERROR;
768
769 /* Remove the newline; this terminates the address if there is no additional
770 data on the line. */
771
772 p = big_buffer + nn - 1;
773 *p-- = 0;
774
775 /* Look back from the end of the line for digits and special terminators.
776 Since an address must end with a domain, we can tell that extra data is
777 present by the presence of the terminator, which is always some character
778 that cannot exist in a domain. (If I'd thought of the need for additional
779 data early on, I'd have put it at the start, with the address at the end. As
780 it is, we have to operate backwards. Addresses are permitted to contain
781 spaces, you see.)
782
783 This code has to cope with various versions of this data that have evolved
784 over time. In all cases, the line might just contain an address, with no
785 additional data. Otherwise, the possibilities are as follows:
786
787 Exim 3 type: <address><space><digits>,<digits>,<digits>
788
789 The second set of digits is the parent number for one_time addresses. The
790 other values were remnants of earlier experiments that were abandoned.
791
792 Exim 4 first type: <address><space><digits>
793
794 The digits are the parent number for one_time addresses.
795
796 Exim 4 new type: <address><space><data>#<type bits>
797
798 The type bits indicate what the contents of the data are.
799
800 Bit 01 indicates that, reading from right to left, the data
801 ends with <errors_to address><space><len>,<pno> where pno is
802 the parent number for one_time addresses, and len is the length
803 of the errors_to address (zero meaning none).
804
805 Bit 02 indicates that, again reading from right to left, the data continues
806 with orcpt len(orcpt),dsn_flags
807 */
808
809 while (isdigit(*p)) p--;
810
811 /* Handle Exim 3 spool files */
812
813 if (*p == ',')
814 {
815 int dummy;
816#if !defined (COMPILE_UTILITY)
817 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n");
818#endif
819 while (isdigit(*(--p)) || *p == ',');
820 if (*p == ' ')
821 {
822 *p++ = 0;
823 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
824 }
825 }
826
827 /* Handle early Exim 4 spool files */
828
829 else if (*p == ' ')
830 {
831#if !defined (COMPILE_UTILITY)
832 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n");
833#endif
834 *p++ = 0;
835 (void)sscanf(CS p, "%d", &pno);
836 }
837
838 /* Handle current format Exim 4 spool files */
839
840 else if (*p == '#')
841 {
842 int flags;
843
844#if !defined (COMPILE_UTILITY)
845 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n");
846#endif
847
848 (void)sscanf(CS p+1, "%d", &flags);
849
850 if ((flags & 0x01) != 0) /* one_time data exists */
851 {
852 int len;
853 while (isdigit(*(--p)) || *p == ',' || *p == '-');
854 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
855 *p = 0;
856 if (len > 0)
857 {
858 p -= len;
859 errors_to = string_copy_taint(p, TRUE);
860 }
861 }
862
863 *(--p) = 0; /* Terminate address */
864 if ((flags & 0x02) != 0) /* one_time data exists */
865 {
866 int len;
867 while (isdigit(*(--p)) || *p == ',' || *p == '-');
868 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
869 *p = 0;
870 if (len > 0)
871 {
872 p -= len;
873 orcpt = string_copy_taint(p, TRUE);
874 }
875 }
876
877 *(--p) = 0; /* Terminate address */
878 }
879#if !defined(COMPILE_UTILITY)
880 else
881 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
882
883 if (orcpt || dsn_flags)
884 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
885 big_buffer, orcpt, dsn_flags);
886 if (errors_to)
887 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
888 big_buffer, errors_to);
889#endif
890
891 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
892 recipients_list[recipients_count].pno = pno;
893 recipients_list[recipients_count].errors_to = errors_to;
894 recipients_list[recipients_count].orcpt = orcpt;
895 recipients_list[recipients_count].dsn_flags = dsn_flags;
896 }
897
898/* The remainder of the spool header file contains the headers for the message,
899separated off from the previous data by a blank line. Each header is preceded
900by a count of its length and either a certain letter (for various identified
901headers), space (for a miscellaneous live header) or an asterisk (for a header
902that has been rewritten). Count the Received: headers. We read the headers
903always, in order to check on the format of the file, but only create a header
904list if requested to do so. */
905
906inheader = TRUE;
907if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
908if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
909
910while ((n = fgetc(fp)) != EOF)
911 {
912 header_line *h;
913 uschar flag[4];
914 int i;
915
916 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
917 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
918 goto SPOOL_READ_ERROR;
919 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
920
921 if (read_headers)
922 {
923 h = store_get(sizeof(header_line), FALSE);
924 h->next = NULL;
925 h->type = flag[0];
926 h->slen = n;
927 h->text = store_get(n+1, TRUE); /* tainted */
928
929 if (h->type == htype_received) received_count++;
930
931 if (header_list) header_last->next = h;
932 else header_list = h;
933 header_last = h;
934
935 for (i = 0; i < n; i++)
936 {
937 int c = fgetc(fp);
938 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
939 if (c == '\n' && h->type != htype_old) message_linecount++;
940 h->text[i] = c;
941 }
942 h->text[i] = 0;
943 }
944
945 /* Not requiring header data, just skip through the bytes */
946
947 else for (i = 0; i < n; i++)
948 {
949 int c = fgetc(fp);
950 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
951 }
952 }
953
954/* We have successfully read the data in the header file. Update the message
955line count by adding the body linecount to the header linecount. Close the file
956and give a positive response. */
957
958#ifndef COMPILE_UTILITY
959DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
960 body_linecount, message_linecount);
961#endif /* COMPILE_UTILITY */
962
963message_linecount += body_linecount;
964
965fclose(fp);
966return spool_read_OK;
967
968
969/* There was an error reading the spool or there was missing data,
970or there was a format error. A "read error" with no errno means an
971unexpected EOF, which we treat as a format error. */
972
973SPOOL_READ_ERROR:
974if (errno != 0)
975 {
976 n = errno;
977
978#ifndef COMPILE_UTILITY
979 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
980#endif /* COMPILE_UTILITY */
981
982 fclose(fp);
983 errno = n;
984 return inheader ? spool_read_hdrerror : spool_read_enverror;
985 }
986
987SPOOL_FORMAT_ERROR:
988
989#ifndef COMPILE_UTILITY
990DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
991#endif /* COMPILE_UTILITY */
992
993fclose(fp);
994errno = ERRNO_SPOOLFORMAT;
995return inheader? spool_read_hdrerror : spool_read_enverror;
996}
997
998/* vi: aw ai sw=2
999*/
1000/* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.