Added patches for remote clamd operation and improved drwebd error handling. Contribu...
[exim.git] / src / src / malware.c
1 /* $Cambridge: exim/src/src/malware.c,v 1.4 2005/01/05 13:33:58 tom Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-???? */
8 /* License: GPL */
9
10 /* Code for calling virus (malware) scanners. Called from acl.c. */
11
12 #include "exim.h"
13 #ifdef WITH_CONTENT_SCAN
14
15 /* declaration of private routines */
16 int mksd_scan_packed(int sock);
17
18 /* SHUT_WR seems to be undefined on Unixware? */
19 #ifndef SHUT_WR
20 #define SHUT_WR 1
21 #endif
22
23 #define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
24 #define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
25 #define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
26
27 #define DERR_READ_ERR (1<<0) /* read error */
28 #define DERR_NOMEMORY (1<<2) /* no memory */
29 #define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
30 #define DERR_BAD_CALL (1<<15) /* wrong command */
31
32 /* Routine to check whether a system is big- or litte-endian.
33 Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
34 Needed for proper kavdaemon implementation. Sigh. */
35 #define BIG_MY_ENDIAN 0
36 #define LITTLE_MY_ENDIAN 1
37 int test_byte_order(void);
38 int test_byte_order() {
39 short int word = 0x0001;
40 char *byte = (char *) &word;
41 return(byte[0] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
42 }
43
44 uschar malware_name_buffer[256];
45 int malware_ok = 0;
46
47 int malware(uschar **listptr) {
48 int sep = 0;
49 uschar *list = *listptr;
50 uschar *av_scanner_work = av_scanner;
51 uschar *scanner_name;
52 uschar scanner_name_buffer[16];
53 uschar *malware_regex;
54 uschar malware_regex_buffer[64];
55 uschar malware_regex_default[] = ".+";
56 unsigned long mbox_size;
57 FILE *mbox_file;
58 int roffset;
59 const pcre *re;
60 const uschar *rerror;
61
62 /* make sure the eml mbox file is spooled up */
63 mbox_file = spool_mbox(&mbox_size);
64 if (mbox_file == NULL) {
65 /* error while spooling */
66 log_write(0, LOG_MAIN|LOG_PANIC,
67 "malware acl condition: error while creating mbox spool file");
68 return DEFER;
69 };
70 /* none of our current scanners need the mbox
71 file as a stream, so we can close it right away */
72 fclose(mbox_file);
73
74 /* extract the malware regex to match against from the option list */
75 if ((malware_regex = string_nextinlist(&list, &sep,
76 malware_regex_buffer,
77 sizeof(malware_regex_buffer))) != NULL) {
78
79 /* parse 1st option */
80 if ( (strcmpic(malware_regex,US"false") == 0) ||
81 (Ustrcmp(malware_regex,"0") == 0) ) {
82 /* explicitly no matching */
83 return FAIL;
84 };
85
86 /* special cases (match anything except empty) */
87 if ( (strcmpic(malware_regex,US"true") == 0) ||
88 (Ustrcmp(malware_regex,"*") == 0) ||
89 (Ustrcmp(malware_regex,"1") == 0) ) {
90 malware_regex = malware_regex_default;
91 };
92 }
93 else {
94 /* empty means "don't match anything" */
95 return FAIL;
96 };
97
98 /* compile the regex, see if it works */
99 re = pcre_compile(CS malware_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
100 if (re == NULL) {
101 log_write(0, LOG_MAIN|LOG_PANIC,
102 "malware acl condition: regular expression error in '%s': %s at offset %d", malware_regex, rerror, roffset);
103 return DEFER;
104 };
105
106 /* if av_scanner starts with a dollar, expand it first */
107 if (*av_scanner == '$') {
108 av_scanner_work = expand_string(av_scanner);
109 if (av_scanner_work == NULL) {
110 log_write(0, LOG_MAIN|LOG_PANIC,
111 "malware acl condition: av_scanner starts with $, but expansion failed: %s", expand_string_message);
112 return DEFER;
113 }
114 else {
115 debug_printf("Expanded av_scanner global: %s\n", av_scanner_work);
116 /* disable result caching in this case */
117 malware_name = NULL;
118 malware_ok = 0;
119 };
120 }
121
122 /* Do not scan twice. */
123 if (malware_ok == 0) {
124
125 /* find the scanner type from the av_scanner option */
126 if ((scanner_name = string_nextinlist(&av_scanner_work, &sep,
127 scanner_name_buffer,
128 sizeof(scanner_name_buffer))) == NULL) {
129 /* no scanner given */
130 log_write(0, LOG_MAIN|LOG_PANIC,
131 "malware acl condition: av_scanner configuration variable is empty");
132 return DEFER;
133 };
134
135 /* "drweb" scanner type ----------------------------------------------- */
136 /* v0.1 - added support for tcp sockets */
137 /* v0.0 - initial release -- support for unix sockets */
138 if (strcmpic(scanner_name,US"drweb") == 0) {
139 uschar *drweb_options;
140 uschar drweb_options_buffer[1024];
141 uschar drweb_options_default[] = "/usr/local/drweb/run/drwebd.sock";
142 struct sockaddr_un server;
143 int sock, result, ovector[30];
144 unsigned int port, fsize;
145 uschar tmpbuf[1024], *drweb_fbuf;
146 uschar scanrequest[1024];
147 uschar drweb_match_string[128];
148 int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd,
149 drweb_vnum, drweb_slen, drweb_fin = 0x0000;
150 unsigned long bread;
151 uschar hostname[256];
152 struct hostent *he;
153 struct in_addr in;
154 pcre *drweb_re;
155
156 if ((drweb_options = string_nextinlist(&av_scanner_work, &sep,
157 drweb_options_buffer, sizeof(drweb_options_buffer))) == NULL) {
158 /* no options supplied, use default options */
159 drweb_options = drweb_options_default;
160 };
161
162 if (*drweb_options != '/') {
163
164 /* extract host and port part */
165 if( sscanf(CS drweb_options, "%s %u", hostname, &port) != 2 ) {
166 log_write(0, LOG_MAIN|LOG_PANIC,
167 "malware acl condition: drweb: invalid socket '%s'", drweb_options);
168 return DEFER;
169 }
170
171 /* Lookup the host */
172 if((he = gethostbyname(CS hostname)) == 0) {
173 log_write(0, LOG_MAIN|LOG_PANIC,
174 "malware acl condition: drweb: failed to lookup host '%s'", hostname);
175 return DEFER;
176 }
177
178 in = *(struct in_addr *) he->h_addr_list[0];
179
180 /* Open the drwebd TCP socket */
181 if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
182 log_write(0, LOG_MAIN|LOG_PANIC,
183 "malware acl condition: drweb: unable to acquire socket (%s)",
184 strerror(errno));
185 return DEFER;
186 }
187
188 if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
189 close(sock);
190 log_write(0, LOG_MAIN|LOG_PANIC,
191 "malware acl condition: drweb: connection to %s, port %u failed (%s)",
192 inet_ntoa(in), port, strerror(errno));
193 return DEFER;
194 }
195
196 /* prepare variables */
197 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
198 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
199 snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml",
200 spool_directory, message_id, message_id);
201
202 /* calc file size */
203 drweb_fd = open(CS scanrequest, O_RDONLY);
204 if (drweb_fd == -1) {
205 close(sock);
206 log_write(0, LOG_MAIN|LOG_PANIC,
207 "malware acl condition: drweb: can't open spool file %s: %s",
208 scanrequest, strerror(errno));
209 return DEFER;
210 }
211 fsize = lseek(drweb_fd, 0, SEEK_END);
212 if (fsize == -1) {
213 close(sock);
214 close(drweb_fd);
215 log_write(0, LOG_MAIN|LOG_PANIC,
216 "malware acl condition: drweb: can't seek spool file %s: %s",
217 scanrequest, strerror(errno));
218 return DEFER;
219 }
220 drweb_slen = htonl(fsize);
221 lseek(drweb_fd, 0, SEEK_SET);
222
223 /* send scan request */
224 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
225 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
226 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0) ||
227 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0)) {
228 close(sock);
229 close(drweb_fd);
230 log_write(0, LOG_MAIN|LOG_PANIC,
231 "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
232 return DEFER;
233 }
234
235 drweb_fbuf = (uschar *) malloc (fsize);
236 if (!drweb_fbuf) {
237 close(sock);
238 close(drweb_fd);
239 log_write(0, LOG_MAIN|LOG_PANIC,
240 "malware acl condition: drweb: unable to allocate memory %u for file (%s)",
241 fsize, scanrequest);
242 return DEFER;
243 }
244
245 result = read (drweb_fd, drweb_fbuf, fsize);
246 if (result == -1) {
247 close(sock);
248 close(drweb_fd);
249 free(drweb_fbuf);
250 log_write(0, LOG_MAIN|LOG_PANIC,
251 "malware acl condition: drweb: can't read spool file %s: %s",
252 scanrequest, strerror(errno));
253 return DEFER;
254 }
255 close(drweb_fd);
256
257 /* send file body to socket */
258 if (send(sock, drweb_fbuf, fsize, 0) < 0) {
259 close(sock);
260 free(drweb_fbuf);
261 log_write(0, LOG_MAIN|LOG_PANIC,
262 "malware acl condition: drweb: unable to send file body to socket (%s)", drweb_options);
263 return DEFER;
264 }
265 close(drweb_fd);
266 }
267 else {
268 /* open the drwebd UNIX socket */
269 sock = socket(AF_UNIX, SOCK_STREAM, 0);
270 if (sock < 0) {
271 log_write(0, LOG_MAIN|LOG_PANIC,
272 "malware acl condition: drweb: can't open UNIX socket");
273 return DEFER;
274 }
275 server.sun_family = AF_UNIX;
276 Ustrcpy(server.sun_path, drweb_options);
277 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
278 close(sock);
279 log_write(0, LOG_MAIN|LOG_PANIC,
280 "malware acl condition: drweb: unable to connect to socket (%s). errno=%d", drweb_options, errno);
281 return DEFER;
282 }
283
284 /* prepare variables */
285 drweb_cmd = htonl(DRWEBD_SCAN_CMD);
286 drweb_flags = htonl(DRWEBD_RETURN_VIRUSES | DRWEBD_IS_MAIL);
287 snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml", spool_directory, message_id, message_id);
288 drweb_slen = htonl(Ustrlen(scanrequest));
289
290 /* send scan request */
291 if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), 0) < 0) ||
292 (send(sock, &drweb_flags, sizeof(drweb_flags), 0) < 0) ||
293 (send(sock, &drweb_slen, sizeof(drweb_slen), 0) < 0) ||
294 (send(sock, scanrequest, Ustrlen(scanrequest), 0) < 0) ||
295 (send(sock, &drweb_fin, sizeof(drweb_fin), 0) < 0)) {
296 close(sock);
297 log_write(0, LOG_MAIN|LOG_PANIC,
298 "malware acl condition: drweb: unable to send commands to socket (%s)", drweb_options);
299 return DEFER;
300 }
301 }
302
303 /* wait for result */
304 if ((bread = recv(sock, &drweb_rc, sizeof(drweb_rc), 0) != sizeof(drweb_rc))) {
305 close(sock);
306 log_write(0, LOG_MAIN|LOG_PANIC,
307 "malware acl condition: drweb: unable to read return code");
308 return DEFER;
309 }
310 drweb_rc = ntohl(drweb_rc);
311
312 if ((bread = recv(sock, &drweb_vnum, sizeof(drweb_vnum), 0) != sizeof(drweb_vnum))) {
313 close(sock);
314 log_write(0, LOG_MAIN|LOG_PANIC,
315 "malware acl condition: drweb: unable to read the number of viruses");
316 return DEFER;
317 }
318 drweb_vnum = ntohl(drweb_vnum);
319
320 /* "virus(es) found" if virus number is > 0 */
321 if (drweb_vnum)
322 {
323 int i;
324 uschar pre_malware_nb[256];
325
326 malware_name = malware_name_buffer;
327
328 /* setup default virus name */
329 Ustrcpy(malware_name_buffer,"unknown");
330
331 /* read and concatenate virus names into one string */
332 for (i=0;i<drweb_vnum;i++)
333 {
334 /* read the size of report */
335 if ((bread = recv(sock, &drweb_slen, sizeof(drweb_slen), 0) != sizeof(drweb_slen))) {
336 close(sock);
337 log_write(0, LOG_MAIN|LOG_PANIC,
338 "malware acl condition: drweb: cannot read report size");
339 return DEFER;
340 };
341 drweb_slen = ntohl(drweb_slen);
342
343 /* read report body */
344 if ((bread = recv(sock, tmpbuf, drweb_slen, 0)) != drweb_slen) {
345 close(sock);
346 log_write(0, LOG_MAIN|LOG_PANIC,
347 "malware acl condition: drweb: cannot read report string");
348 return DEFER;
349 };
350 tmpbuf[drweb_slen] = '\0';
351
352 /* set up match regex, depends on retcode */
353 Ustrcpy(drweb_match_string, "infected\\swith\\s*(.+?)$");
354
355 drweb_re = pcre_compile( CS drweb_match_string,
356 PCRE_COPT,
357 (const char **)&rerror,
358 &roffset,
359 NULL );
360
361 /* try matcher on the line, grab substring */
362 result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30);
363 if (result >= 2) {
364 pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS pre_malware_nb, 255);
365 }
366 /* the first name we just copy to malware_name */
367 if (i==0)
368 Ustrcpy(CS malware_name_buffer, CS pre_malware_nb);
369 else {
370 /* concatenate each new virus name to previous */
371 int slen = Ustrlen(malware_name_buffer);
372 if (slen < (slen+Ustrlen(pre_malware_nb))) {
373 Ustrcat(malware_name_buffer, "/");
374 Ustrcat(malware_name_buffer, pre_malware_nb);
375 }
376 }
377 }
378 }
379 else {
380 char *drweb_s = NULL;
381
382 if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
383 if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
384 if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
385 if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
386 /* retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.
387 * DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
388 * DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
389 * and others are ignored */
390 if (drweb_s) {
391 log_write(0, LOG_MAIN|LOG_PANIC,
392 "malware acl condition: drweb: drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s);
393 close(sock);
394 return DEFER;
395 }
396 /* no virus found */
397 malware_name = NULL;
398 };
399 close(sock);
400 }
401 /* ----------------------------------------------------------------------- */
402 else if (strcmpic(scanner_name,US"aveserver") == 0) {
403 uschar *kav_options;
404 uschar kav_options_buffer[1024];
405 uschar kav_options_default[] = "/var/run/aveserver";
406 uschar buf[32768];
407 struct sockaddr_un server;
408 int sock;
409
410 if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
411 kav_options_buffer,
412 sizeof(kav_options_buffer))) == NULL) {
413 /* no options supplied, use default options */
414 kav_options = kav_options_default;
415 };
416
417 /* open the aveserver socket */
418 sock = socket(AF_UNIX, SOCK_STREAM, 0);
419 if (sock < 0) {
420 log_write(0, LOG_MAIN|LOG_PANIC,
421 "malware acl condition: can't open UNIX socket.");
422 return DEFER;
423 }
424 server.sun_family = AF_UNIX;
425 Ustrcpy(server.sun_path, kav_options);
426 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
427 close(sock);
428 log_write(0, LOG_MAIN|LOG_PANIC,
429 "malware acl condition: unable to connect to aveserver UNIX socket (%s). errno=%d", kav_options, errno);
430 return DEFER;
431 }
432
433 /* read aveserver's greeting and see if it is ready (2xx greeting) */
434 recv_line(sock, buf, 32768);
435
436 if (buf[0] != '2') {
437 /* aveserver is having problems */
438 close(sock);
439 log_write(0, LOG_MAIN|LOG_PANIC,
440 "malware acl condition: aveserver is unavailable (Responded: %s).", ((buf[0] != 0) ? buf : (uschar *)"nothing") );
441 return DEFER;
442 };
443
444 /* prepare our command */
445 snprintf(CS buf, 32768, "SCAN bPQRSTUW %s/scan/%s/%s.eml\r\n", spool_directory, message_id, message_id);
446
447 /* and send it */
448 if (send(sock, buf, Ustrlen(buf), 0) < 0) {
449 close(sock);
450 log_write(0, LOG_MAIN|LOG_PANIC,
451 "malware acl condition: unable to write to aveserver UNIX socket (%s)", kav_options);
452 return DEFER;
453 }
454
455 malware_name = NULL;
456 /* read response lines, find malware name and final response */
457 while (recv_line(sock, buf, 32768) > 0) {
458 debug_printf("aveserver: %s\n", buf);
459 if (buf[0] == '2') break;
460 if (Ustrncmp(buf,"322",3) == 0) {
461 uschar *p = Ustrchr(&buf[4],' ');
462 *p = '\0';
463 Ustrcpy(malware_name_buffer,&buf[4]);
464 malware_name = malware_name_buffer;
465 };
466 }
467
468 close(sock);
469 }
470 /* "fsecure" scanner type ------------------------------------------------- */
471 else if (strcmpic(scanner_name,US"fsecure") == 0) {
472 uschar *fsecure_options;
473 uschar fsecure_options_buffer[1024];
474 uschar fsecure_options_default[] = "/var/run/.fsav";
475 struct sockaddr_un server;
476 int sock, i, j, bread = 0;
477 uschar file_name[1024];
478 uschar av_buffer[1024];
479 pcre *fs_inf;
480 static uschar *cmdoptions[] = { US"CONFIGURE\tARCHIVE\t1\n",
481 US"CONFIGURE\tTIMEOUT\t0\n",
482 US"CONFIGURE\tMAXARCH\t5\n",
483 US"CONFIGURE\tMIME\t1\n" };
484
485 malware_name = NULL;
486 if ((fsecure_options = string_nextinlist(&av_scanner_work, &sep,
487 fsecure_options_buffer,
488 sizeof(fsecure_options_buffer))) == NULL) {
489 /* no options supplied, use default options */
490 fsecure_options = fsecure_options_default;
491 };
492
493 /* open the fsecure socket */
494 sock = socket(AF_UNIX, SOCK_STREAM, 0);
495 if (sock < 0) {
496 log_write(0, LOG_MAIN|LOG_PANIC,
497 "malware acl condition: unable to open fsecure socket %s (%s)",
498 fsecure_options, strerror(errno));
499 return DEFER;
500 }
501 server.sun_family = AF_UNIX;
502 Ustrcpy(server.sun_path, fsecure_options);
503 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
504 close(sock);
505 log_write(0, LOG_MAIN|LOG_PANIC,
506 "malware acl condition: unable to connect to fsecure socket %s (%s)",
507 fsecure_options, strerror(errno));
508 return DEFER;
509 }
510
511 /* pass options */
512 memset(av_buffer, 0, sizeof(av_buffer));
513 for (i=0; i != 4; i++) {
514 /* debug_printf("send option \"%s\"",cmdoptions[i]); */
515 if (write(sock, cmdoptions[i], Ustrlen(cmdoptions[i])) < 0) {
516 close(sock);
517 log_write(0, LOG_MAIN|LOG_PANIC,
518 "malware acl condition: unable to write fsecure option %d to %s (%s)",
519 i, fsecure_options, strerror(errno));
520 return DEFER;
521 };
522
523 bread = read(sock, av_buffer, sizeof(av_buffer));
524 if (bread >0) av_buffer[bread]='\0';
525 if (bread < 0) {
526 close(sock);
527 log_write(0, LOG_MAIN|LOG_PANIC,
528 "malware acl condition: unable to read fsecure answer %d (%s)", i, strerror(errno));
529 return DEFER;
530 };
531 for (j=0;j<bread;j++) if((av_buffer[j]=='\r')||(av_buffer[j]=='\n')) av_buffer[j] ='@';
532 /* debug_printf("read answer %d read=%d \"%s\"\n", i, bread, av_buffer ); */
533 /* while (Ustrstr(av_buffer, "OK\tServer configured.@") == NULL); */
534 };
535
536 /* pass the mailfile to fsecure */
537 snprintf(CS file_name,1024,"SCAN\t%s/scan/%s/%s.eml\n", spool_directory, message_id, message_id);
538 /* debug_printf("send scan %s",file_name); */
539 if (write(sock, file_name, Ustrlen(file_name)) < 0) {
540 close(sock);
541 log_write(0, LOG_MAIN|LOG_PANIC,
542 "malware acl condition: unable to write fsecure scan to %s (%s)",
543 fsecure_options, strerror(errno));
544 return DEFER;
545 };
546
547 /* set up match */
548 /* todo also SUSPICION\t */
549 fs_inf = pcre_compile("\\S{0,5}INFECTED\\t[^\\t]*\\t([^\\t]+)\\t\\S*$", PCRE_COPT, (const char **)&rerror, &roffset, NULL);
550
551 /* read report, linewise */
552 do {
553 int ovector[30];
554 i = 0;
555 memset(av_buffer, 0, sizeof(av_buffer));
556 do {
557 bread=read(sock, &av_buffer[i], 1);
558 if (bread < 0) {
559 close(sock);
560 log_write(0, LOG_MAIN|LOG_PANIC,
561 "malware acl condition: unable to read fsecure result (%s)", strerror(errno));
562 return DEFER;
563 };
564 i++;
565 }
566 while ((i < sizeof(av_buffer)-1 ) && (av_buffer[i-1] != '\n'));
567 av_buffer[i-1] = '\0';
568 /* debug_printf("got line \"%s\"\n",av_buffer); */
569
570 /* Really search for virus again? */
571 if (malware_name == NULL) {
572 /* try matcher on the line, grab substring */
573 i = pcre_exec(fs_inf, NULL, CS av_buffer, Ustrlen(av_buffer), 0, 0, ovector, 30);
574 if (i >= 2) {
575 /* Got it */
576 pcre_copy_substring(CS av_buffer, ovector, i, 1, CS malware_name_buffer, 255);
577 malware_name = malware_name_buffer;
578 };
579 };
580 }
581 while (Ustrstr(av_buffer, "OK\tScan ok.") == NULL);
582 close(sock);
583 }
584 /* ----------------------------------------------------------------------- */
585
586 /* "kavdaemon" scanner type ------------------------------------------------ */
587 else if (strcmpic(scanner_name,US"kavdaemon") == 0) {
588 uschar *kav_options;
589 uschar kav_options_buffer[1024];
590 uschar kav_options_default[] = "/var/run/AvpCtl";
591 struct sockaddr_un server;
592 int sock;
593 time_t t;
594 uschar tmpbuf[1024];
595 uschar scanrequest[1024];
596 uschar kav_match_string[128];
597 int kav_rc;
598 unsigned long kav_reportlen, bread;
599 pcre *kav_re;
600
601 if ((kav_options = string_nextinlist(&av_scanner_work, &sep,
602 kav_options_buffer,
603 sizeof(kav_options_buffer))) == NULL) {
604 /* no options supplied, use default options */
605 kav_options = kav_options_default;
606 };
607
608 /* open the kavdaemon socket */
609 sock = socket(AF_UNIX, SOCK_STREAM, 0);
610 if (sock < 0) {
611 log_write(0, LOG_MAIN|LOG_PANIC,
612 "malware acl condition: can't open UNIX socket.");
613 return DEFER;
614 }
615 server.sun_family = AF_UNIX;
616 Ustrcpy(server.sun_path, kav_options);
617 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
618 close(sock);
619 log_write(0, LOG_MAIN|LOG_PANIC,
620 "malware acl condition: unable to connect to kavdaemon UNIX socket (%s). errno=%d", kav_options, errno);
621 return DEFER;
622 }
623
624 /* get current date and time, build scan request */
625 time(&t);
626 strftime(CS tmpbuf, sizeof(tmpbuf), "<0>%d %b %H:%M:%S:%%s/scan/%%s", localtime(&t));
627 snprintf(CS scanrequest, 1024,CS tmpbuf, spool_directory, message_id);
628
629 /* send scan request */
630 if (send(sock, scanrequest, Ustrlen(scanrequest)+1, 0) < 0) {
631 close(sock);
632 log_write(0, LOG_MAIN|LOG_PANIC,
633 "malware acl condition: unable to write to kavdaemon UNIX socket (%s)", kav_options);
634 return DEFER;
635 }
636
637 /* wait for result */
638 if ((bread = recv(sock, tmpbuf, 2, 0) != 2)) {
639 close(sock);
640 log_write(0, LOG_MAIN|LOG_PANIC,
641 "malware acl condition: unable to read 2 bytes from kavdaemon socket.");
642 return DEFER;
643 }
644
645 /* get errorcode from one nibble */
646 if (test_byte_order() == LITTLE_MY_ENDIAN) {
647 kav_rc = tmpbuf[0] & 0x0F;
648 }
649 else {
650 kav_rc = tmpbuf[1] & 0x0F;
651 };
652
653 /* improper kavdaemon configuration */
654 if ( (kav_rc == 5) || (kav_rc == 6) ) {
655 close(sock);
656 log_write(0, LOG_MAIN|LOG_PANIC,
657 "malware acl condition: please reconfigure kavdaemon to NOT disinfect or remove infected files.");
658 return DEFER;
659 };
660
661 if (kav_rc == 1) {
662 close(sock);
663 log_write(0, LOG_MAIN|LOG_PANIC,
664 "malware acl condition: kavdaemon reported 'scanning not completed' (code 1).");
665 return DEFER;
666 };
667
668 if (kav_rc == 7) {
669 close(sock);
670 log_write(0, LOG_MAIN|LOG_PANIC,
671 "malware acl condition: kavdaemon reported 'kavdaemon damaged' (code 7).");
672 return DEFER;
673 };
674
675 /* code 8 is not handled, since it is ambigous. It appears mostly on
676 bounces where part of a file has been cut off */
677
678 /* "virus found" return codes (2-4) */
679 if ((kav_rc > 1) && (kav_rc < 5)) {
680 int report_flag = 0;
681
682 /* setup default virus name */
683 Ustrcpy(malware_name_buffer,"unknown");
684 malware_name = malware_name_buffer;
685
686 if (test_byte_order() == LITTLE_MY_ENDIAN) {
687 report_flag = tmpbuf[1];
688 }
689 else {
690 report_flag = tmpbuf[0];
691 };
692
693 /* read the report, if available */
694 if( report_flag == 1 ) {
695 /* read report size */
696 if ((bread = recv(sock, &kav_reportlen, 4, 0)) != 4) {
697 close(sock);
698 log_write(0, LOG_MAIN|LOG_PANIC,
699 "malware acl condition: cannot read report size from kavdaemon");
700 return DEFER;
701 };
702
703 /* it's possible that avp returns av_buffer[1] == 1 but the
704 reportsize is 0 (!?) */
705 if (kav_reportlen > 0) {
706 /* set up match regex, depends on retcode */
707 if( kav_rc == 3 )
708 Ustrcpy(kav_match_string, "suspicion:\\s*(.+?)\\s*$");
709 else
710 Ustrcpy(kav_match_string, "infected:\\s*(.+?)\\s*$");
711
712 kav_re = pcre_compile( CS kav_match_string,
713 PCRE_COPT,
714 (const char **)&rerror,
715 &roffset,
716 NULL );
717
718 /* read report, linewise */
719 while (kav_reportlen > 0) {
720 int result = 0;
721 int ovector[30];
722
723 bread = 0;
724 while ( recv(sock, &tmpbuf[bread], 1, 0) == 1 ) {
725 kav_reportlen--;
726 if ( (tmpbuf[bread] == '\n') || (bread > 1021) ) break;
727 bread++;
728 };
729 bread++;
730 tmpbuf[bread] = '\0';
731
732 /* try matcher on the line, grab substring */
733 result = pcre_exec(kav_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), 0, 0, ovector, 30);
734 if (result >= 2) {
735 pcre_copy_substring(CS tmpbuf, ovector, result, 1, CS malware_name_buffer, 255);
736 break;
737 };
738 };
739 };
740 };
741 }
742 else {
743 /* no virus found */
744 malware_name = NULL;
745 };
746
747 close(sock);
748 }
749 /* ----------------------------------------------------------------------- */
750
751
752 /* "cmdline" scanner type ------------------------------------------------ */
753 else if (strcmpic(scanner_name,US"cmdline") == 0) {
754 uschar *cmdline_scanner;
755 uschar cmdline_scanner_buffer[1024];
756 uschar *cmdline_trigger;
757 uschar cmdline_trigger_buffer[1024];
758 const pcre *cmdline_trigger_re;
759 uschar *cmdline_regex;
760 uschar cmdline_regex_buffer[1024];
761 const pcre *cmdline_regex_re;
762 uschar file_name[1024];
763 uschar commandline[1024];
764 void (*eximsigchld)(int);
765 void (*eximsigpipe)(int);
766 FILE *scanner_out = NULL;
767 FILE *scanner_record = NULL;
768 uschar linebuffer[32767];
769 int trigger = 0;
770 int result;
771 int ovector[30];
772
773 /* find scanner command line */
774 if ((cmdline_scanner = string_nextinlist(&av_scanner_work, &sep,
775 cmdline_scanner_buffer,
776 sizeof(cmdline_scanner_buffer))) == NULL) {
777 /* no command line supplied */
778 log_write(0, LOG_MAIN|LOG_PANIC,
779 "malware acl condition: missing commandline specification for cmdline scanner type.");
780 return DEFER;
781 };
782
783 /* find scanner output trigger */
784 if ((cmdline_trigger = string_nextinlist(&av_scanner_work, &sep,
785 cmdline_trigger_buffer,
786 sizeof(cmdline_trigger_buffer))) == NULL) {
787 /* no trigger regex supplied */
788 log_write(0, LOG_MAIN|LOG_PANIC,
789 "malware acl condition: missing trigger specification for cmdline scanner type.");
790 return DEFER;
791 };
792
793 /* precompile trigger regex */
794 cmdline_trigger_re = pcre_compile(CS cmdline_trigger, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
795 if (cmdline_trigger_re == NULL) {
796 log_write(0, LOG_MAIN|LOG_PANIC,
797 "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_trigger_re, rerror, roffset);
798 return DEFER;
799 };
800
801 /* find scanner name regex */
802 if ((cmdline_regex = string_nextinlist(&av_scanner_work, &sep,
803 cmdline_regex_buffer,
804 sizeof(cmdline_regex_buffer))) == NULL) {
805 /* no name regex supplied */
806 log_write(0, LOG_MAIN|LOG_PANIC,
807 "malware acl condition: missing virus name regex specification for cmdline scanner type.");
808 return DEFER;
809 };
810
811 /* precompile name regex */
812 cmdline_regex_re = pcre_compile(CS cmdline_regex, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
813 if (cmdline_regex_re == NULL) {
814 log_write(0, LOG_MAIN|LOG_PANIC,
815 "malware acl condition: regular expression error in '%s': %s at offset %d", cmdline_regex_re, rerror, roffset);
816 return DEFER;
817 };
818
819 /* prepare scanner call */
820 snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id);
821 snprintf(CS commandline,1024, CS cmdline_scanner,file_name);
822 /* redirect STDERR too */
823 Ustrcat(commandline," 2>&1");
824
825 /* store exims signal handlers */
826 eximsigchld = signal(SIGCHLD,SIG_DFL);
827 eximsigpipe = signal(SIGPIPE,SIG_DFL);
828
829 scanner_out = popen(CS commandline,"r");
830 if (scanner_out == NULL) {
831 log_write(0, LOG_MAIN|LOG_PANIC,
832 "malware acl condition: calling cmdline scanner (%s) failed: %s.", commandline, strerror(errno));
833 signal(SIGCHLD,eximsigchld);
834 signal(SIGPIPE,eximsigpipe);
835 return DEFER;
836 };
837
838 snprintf(CS file_name,1024,"%s/scan/%s/%s_scanner_output", spool_directory, message_id, message_id);
839 scanner_record = fopen(CS file_name,"w");
840
841 if (scanner_record == NULL) {
842 log_write(0, LOG_MAIN|LOG_PANIC,
843 "malware acl condition: opening scanner output file (%s) failed: %s.", file_name, strerror(errno));
844 pclose(scanner_out);
845 signal(SIGCHLD,eximsigchld);
846 signal(SIGPIPE,eximsigpipe);
847 return DEFER;
848 };
849
850 /* look for trigger while recording output */
851 while(fgets(CS linebuffer,32767,scanner_out) != NULL) {
852 if ( Ustrlen(linebuffer) > fwrite(linebuffer, 1, Ustrlen(linebuffer), scanner_record) ) {
853 /* short write */
854 log_write(0, LOG_MAIN|LOG_PANIC,
855 "malware acl condition: short write on scanner output file (%s).", file_name);
856 pclose(scanner_out);
857 signal(SIGCHLD,eximsigchld);
858 signal(SIGPIPE,eximsigpipe);
859 return DEFER;
860 };
861 /* try trigger match */
862 if (!trigger && regex_match_and_setup(cmdline_trigger_re, linebuffer, 0, -1))
863 trigger = 1;
864 };
865
866 fclose(scanner_record);
867 pclose(scanner_out);
868 signal(SIGCHLD,eximsigchld);
869 signal(SIGPIPE,eximsigpipe);
870
871 if (trigger) {
872 /* setup default virus name */
873 Ustrcpy(malware_name_buffer,"unknown");
874 malware_name = malware_name_buffer;
875
876 /* re-open the scanner output file, look for name match */
877 scanner_record = fopen(CS file_name,"r");
878 while(fgets(CS linebuffer,32767,scanner_record) != NULL) {
879 /* try match */
880 result = pcre_exec(cmdline_regex_re, NULL, CS linebuffer, Ustrlen(linebuffer), 0, 0, ovector, 30);
881 if (result >= 2) {
882 pcre_copy_substring(CS linebuffer, ovector, result, 1, CS malware_name_buffer, 255);
883 };
884 };
885 fclose(scanner_record);
886 }
887 else {
888 /* no virus found */
889 malware_name = NULL;
890 };
891 }
892 /* ----------------------------------------------------------------------- */
893
894
895 /* "sophie" scanner type ------------------------------------------------- */
896 else if (strcmpic(scanner_name,US"sophie") == 0) {
897 uschar *sophie_options;
898 uschar sophie_options_buffer[1024];
899 uschar sophie_options_default[] = "/var/run/sophie";
900 int bread = 0;
901 struct sockaddr_un server;
902 int sock;
903 uschar file_name[1024];
904 uschar av_buffer[1024];
905
906 if ((sophie_options = string_nextinlist(&av_scanner_work, &sep,
907 sophie_options_buffer,
908 sizeof(sophie_options_buffer))) == NULL) {
909 /* no options supplied, use default options */
910 sophie_options = sophie_options_default;
911 };
912
913 /* open the sophie socket */
914 sock = socket(AF_UNIX, SOCK_STREAM, 0);
915 if (sock < 0) {
916 log_write(0, LOG_MAIN|LOG_PANIC,
917 "malware acl condition: can't open UNIX socket.");
918 return DEFER;
919 }
920 server.sun_family = AF_UNIX;
921 Ustrcpy(server.sun_path, sophie_options);
922 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
923 close(sock);
924 log_write(0, LOG_MAIN|LOG_PANIC,
925 "malware acl condition: unable to connect to sophie UNIX socket (%s). errno=%d", sophie_options, errno);
926 return DEFER;
927 }
928
929 /* pass the scan directory to sophie */
930 snprintf(CS file_name,1024,"%s/scan/%s", spool_directory, message_id);
931 if (write(sock, file_name, Ustrlen(file_name)) < 0) {
932 close(sock);
933 log_write(0, LOG_MAIN|LOG_PANIC,
934 "malware acl condition: unable to write to sophie UNIX socket (%s)", sophie_options);
935 return DEFER;
936 };
937
938 write(sock, "\n", 1);
939
940 /* wait for result */
941 memset(av_buffer, 0, sizeof(av_buffer));
942 if ((!(bread = read(sock, av_buffer, sizeof(av_buffer))) > 0)) {
943 close(sock);
944 log_write(0, LOG_MAIN|LOG_PANIC,
945 "malware acl condition: unable to read from sophie UNIX socket (%s)", sophie_options);
946 return DEFER;
947 };
948
949 close(sock);
950
951 /* infected ? */
952 if (av_buffer[0] == '1') {
953 if (Ustrchr(av_buffer, '\n')) *Ustrchr(av_buffer, '\n') = '\0';
954 Ustrcpy(malware_name_buffer,&av_buffer[2]);
955 malware_name = malware_name_buffer;
956 }
957 else if (!strncmp(CS av_buffer, "-1", 2)) {
958 log_write(0, LOG_MAIN|LOG_PANIC,
959 "malware acl condition: malware acl condition: sophie reported error");
960 return DEFER;
961 }
962 else {
963 /* all ok, no virus */
964 malware_name = NULL;
965 };
966 }
967 /* ----------------------------------------------------------------------- */
968
969
970 /* "clamd" scanner type ------------------------------------------------- */
971 /* This code was contributed by David Saez <david@ols.es> */
972 else if (strcmpic(scanner_name,US"clamd") == 0) {
973 uschar *clamd_options;
974 uschar clamd_options_buffer[1024];
975 uschar clamd_options_default[] = "/tmp/clamd";
976 uschar *p,*vname;
977 struct sockaddr_un server;
978 int sock,bread=0;
979 unsigned int port;
980 uschar file_name[1024];
981 uschar av_buffer[1024];
982 uschar hostname[256];
983 struct hostent *he;
984 struct in_addr in;
985 uschar *clamd_options2;
986 uschar clamd_options2_buffer[1024];
987 uschar clamd_options2_default[] = "";
988 uschar av_buffer2[1024];
989 uschar *clamav_fbuf;
990 uschar scanrequest[1024];
991 int sockData, clam_fd, result;
992 unsigned int fsize;
993
994 if ((clamd_options = string_nextinlist(&av_scanner_work, &sep,
995 clamd_options_buffer,
996 sizeof(clamd_options_buffer))) == NULL) {
997 /* no options supplied, use default options */
998 clamd_options = clamd_options_default;
999 }
1000 if ((clamd_options2 = string_nextinlist(&av_scanner_work, &sep,
1001 clamd_options2_buffer,
1002 sizeof(clamd_options2_buffer))) == NULL) {
1003 clamd_options2 = clamd_options2_default;
1004 }
1005
1006 /* socket does not start with '/' -> network socket */
1007 if (*clamd_options != '/') {
1008
1009 /* extract host and port part */
1010 if( sscanf(CS clamd_options, "%s %u", hostname, &port) != 2 ) {
1011 log_write(0, LOG_MAIN|LOG_PANIC,
1012 "malware acl condition: clamd: invalid socket '%s'", clamd_options);
1013 return DEFER;
1014 };
1015
1016 /* Lookup the host */
1017 if((he = gethostbyname(CS hostname)) == 0) {
1018 log_write(0, LOG_MAIN|LOG_PANIC,
1019 "malware acl condition: clamd: failed to lookup host '%s'", hostname);
1020 return DEFER;
1021 }
1022
1023 in = *(struct in_addr *) he->h_addr_list[0];
1024
1025 /* Open the ClamAV Socket */
1026 if ( (sock = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
1027 log_write(0, LOG_MAIN|LOG_PANIC,
1028 "malware acl condition: clamd: unable to acquire socket (%s)",
1029 strerror(errno));
1030 return DEFER;
1031 }
1032
1033 if (ip_connect(sock, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
1034 close(sock);
1035 log_write(0, LOG_MAIN|LOG_PANIC,
1036 "malware acl condition: clamd: connection to %s, port %u failed (%s)",
1037 inet_ntoa(in), port, strerror(errno));
1038 return DEFER;
1039 }
1040
1041 if (strcmpic(clamd_options2,US"local") == 0) {
1042
1043 /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
1044
1045 snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
1046
1047 if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
1048 close(sock);
1049 log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
1050 strerror(errno));
1051 return DEFER;
1052 }
1053 } else {
1054
1055 /* Pass the string to ClamAV (7 = "STREAM\n") */
1056
1057 if (send(sock, "STREAM\n", 7, 0) < 0) {
1058 close(sock);
1059 log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
1060 strerror(errno));
1061 return DEFER;
1062 }
1063 memset(av_buffer2, 0, sizeof(av_buffer2));
1064 bread = read(sock, av_buffer2, sizeof(av_buffer2));
1065
1066 if (bread < 0) {
1067 log_write(0, LOG_MAIN|LOG_PANIC,
1068 "malware acl condition: clamd: unable to read PORT from socket (%s)",
1069 strerror(errno));
1070 return DEFER;
1071 }
1072
1073 if (bread == sizeof(av_buffer)) {
1074 log_write(0, LOG_MAIN|LOG_PANIC,
1075 "malware acl condition: clamd: buffer too small");
1076 return DEFER;
1077 }
1078
1079 if (!(*av_buffer2)) {
1080 log_write(0, LOG_MAIN|LOG_PANIC,
1081 "malware acl condition: clamd: ClamAV returned null");
1082 return DEFER;
1083 }
1084
1085 av_buffer2[bread] = '\0';
1086 if( sscanf(CS av_buffer2, "PORT %hu\n", &port) != 1 ) {
1087 log_write(0, LOG_MAIN|LOG_PANIC,
1088 "malware acl condition: clamd: Expected port information from clamd, got '%s'", av_buffer2);
1089 return DEFER;
1090 };
1091
1092 if ( (sockData = ip_socket(SOCK_STREAM, AF_INET)) < 0) {
1093 log_write(0, LOG_MAIN|LOG_PANIC,
1094 "malware acl condition: clamd: unable to acquire socket (%s)",
1095 strerror(errno));
1096 return DEFER;
1097 }
1098
1099 if (ip_connect(sockData, AF_INET, (uschar*)inet_ntoa(in), port, 5) < 0) {
1100 close(sockData);
1101 log_write(0, LOG_MAIN|LOG_PANIC,
1102 "malware acl condition: clamd: connection to %s, port %u failed (%s)",
1103 inet_ntoa(in), port, strerror(errno));
1104 return DEFER;
1105 }
1106
1107 snprintf(CS scanrequest, 1024,CS"%s/scan/%s/%s.eml",
1108 spool_directory, message_id, message_id);
1109
1110 /* calc file size */
1111 clam_fd = open(CS scanrequest, O_RDONLY);
1112 if (clam_fd == -1) {
1113 log_write(0, LOG_MAIN|LOG_PANIC,
1114 "malware acl condition: clamd: can't open spool file %s: %s",
1115 scanrequest, strerror(errno));
1116 return DEFER;
1117 }
1118 fsize = lseek(clam_fd, 0, SEEK_END);
1119 if (fsize == -1) {
1120 log_write(0, LOG_MAIN|LOG_PANIC,
1121 "malware acl condition: clamd: can't seek spool file %s: %s",
1122 scanrequest, strerror(errno));
1123 return DEFER;
1124 }
1125 lseek(clam_fd, 0, SEEK_SET);
1126
1127 clamav_fbuf = (uschar *) malloc (fsize);
1128 if (!clamav_fbuf) {
1129 close(sockData);
1130 close(clam_fd);
1131 log_write(0, LOG_MAIN|LOG_PANIC,
1132 "malware acl condition: clamd: unable to allocate memory %u for file (%s)",
1133 fsize, scanrequest);
1134 return DEFER;
1135 }
1136
1137 result = read (clam_fd, clamav_fbuf, fsize);
1138 if (result == -1) {
1139 close(sockData);
1140 close(clam_fd);
1141 free(clamav_fbuf);
1142 log_write(0, LOG_MAIN|LOG_PANIC,
1143 "malware acl condition: clamd: can't read spool file %s: %s",
1144 scanrequest, strerror(errno));
1145 return DEFER;
1146 }
1147 close(clam_fd);
1148
1149 /* send file body to socket */
1150 if (send(sockData, clamav_fbuf, fsize, 0) < 0) {
1151 close(sockData);
1152 free(clamav_fbuf);
1153 log_write(0, LOG_MAIN|LOG_PANIC,
1154 "malware acl condition: clamd: unable to send file body to socket (%s:%u)", hostname, port);
1155 return DEFER;
1156 }
1157 free(clamav_fbuf);
1158 close(sockData);
1159 }
1160 }
1161 else {
1162 /* open the local socket */
1163 if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
1164 log_write(0, LOG_MAIN|LOG_PANIC,
1165 "malware acl condition: clamd: unable to acquire socket (%s)",
1166 strerror(errno));
1167 return DEFER;
1168 }
1169
1170 server.sun_family = AF_UNIX;
1171 Ustrcpy(server.sun_path, clamd_options);
1172
1173 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
1174 close(sock);
1175 log_write(0, LOG_MAIN|LOG_PANIC,
1176 "malware acl condition: clamd: unable to connect to UNIX socket %s (%s)",
1177 clamd_options, strerror(errno) );
1178 return DEFER;
1179 }
1180 }
1181
1182 /* Pass the string to ClamAV (7 = "SCAN \n" + \0) */
1183
1184 snprintf(CS file_name,1024,"SCAN %s/scan/%s\n", spool_directory, message_id);
1185
1186 if (send(sock, file_name, Ustrlen(file_name), 0) < 0) {
1187 close(sock);
1188 log_write(0, LOG_MAIN|LOG_PANIC,"malware acl condition: clamd: unable to write to socket (%s)",
1189 strerror(errno));
1190 return DEFER;
1191 }
1192
1193 /*
1194 We're done sending, close socket for writing.
1195
1196 One user reported that clamd 0.70 does not like this any more ...
1197
1198 */
1199
1200 /* shutdown(sock, SHUT_WR); */
1201
1202 /* Read the result */
1203 memset(av_buffer, 0, sizeof(av_buffer));
1204 bread = read(sock, av_buffer, sizeof(av_buffer));
1205 close(sock);
1206
1207 if (!(bread > 0)) {
1208 log_write(0, LOG_MAIN|LOG_PANIC,
1209 "malware acl condition: clamd: unable to read from socket (%s)",
1210 strerror(errno));
1211 return DEFER;
1212 }
1213
1214 if (bread == sizeof(av_buffer)) {
1215 log_write(0, LOG_MAIN|LOG_PANIC,
1216 "malware acl condition: clamd: buffer too small");
1217 return DEFER;
1218 }
1219
1220 /* Check the result. ClamAV Returns
1221 infected: -> "<filename>: <virusname> FOUND"
1222 not-infected: -> "<filename>: OK"
1223 error: -> "<filename>: <errcode> ERROR */
1224
1225 if (!(*av_buffer)) {
1226 log_write(0, LOG_MAIN|LOG_PANIC,
1227 "malware acl condition: clamd: ClamAV returned null");
1228 return DEFER;
1229 }
1230
1231 /* colon in returned output? */
1232 if((p = Ustrrchr(av_buffer,':')) == NULL) {
1233 log_write(0, LOG_MAIN|LOG_PANIC,
1234 "malware acl condition: clamd: ClamAV returned malformed result: %s",
1235 av_buffer);
1236 return DEFER;
1237 }
1238
1239 /* strip filename strip CR at the end */
1240 ++p;
1241 while (*p == ' ') ++p;
1242 vname = p;
1243 p = vname + Ustrlen(vname) - 1;
1244 if( *p == '\n' ) *p = '\0';
1245
1246 if ((p = Ustrstr(vname, "FOUND"))!=NULL) {
1247 *p=0;
1248 for (--p;p>vname && *p<=32;p--) *p=0;
1249 for (;*vname==32;vname++);
1250 Ustrcpy(malware_name_buffer,vname);
1251 malware_name = malware_name_buffer;
1252 }
1253 else {
1254 if (Ustrstr(vname, "ERROR")!=NULL) {
1255 /* ClamAV reports ERROR
1256 Find line start */
1257 for (;*vname!='\n' && vname>av_buffer; vname--);
1258 if (*vname=='\n') vname++;
1259
1260 log_write(0, LOG_MAIN|LOG_PANIC,
1261 "malware acl condition: clamd: ClamAV returned %s",vname);
1262 return DEFER;
1263 }
1264 else {
1265 /* Everything should be OK */
1266 malware_name = NULL;
1267 }
1268 }
1269 }
1270 /* ----------------------------------------------------------------------- */
1271
1272
1273 /* "mksd" scanner type --------------------------------------------------- */
1274 else if (strcmpic(scanner_name,US"mksd") == 0) {
1275 uschar *mksd_options;
1276 char *mksd_options_end;
1277 uschar mksd_options_buffer[32];
1278 int mksd_maxproc = 1; /* default, if no option supplied */
1279 struct sockaddr_un server;
1280 int sock;
1281 int retval;
1282
1283 if ((mksd_options = string_nextinlist(&av_scanner_work, &sep,
1284 mksd_options_buffer,
1285 sizeof(mksd_options_buffer))) != NULL) {
1286 mksd_maxproc = (int) strtol(CS mksd_options, &mksd_options_end, 10);
1287 if ((*mksd_options == '\0') || (*mksd_options_end != '\0') ||
1288 (mksd_maxproc < 1) || (mksd_maxproc > 32)) {
1289 log_write(0, LOG_MAIN|LOG_PANIC,
1290 "malware acl condition: mksd: invalid option '%s'", mksd_options);
1291 return DEFER;
1292 }
1293 }
1294
1295 /* open the mksd socket */
1296 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1297 if (sock < 0) {
1298 log_write(0, LOG_MAIN|LOG_PANIC,
1299 "malware acl condition: can't open UNIX socket.");
1300 return DEFER;
1301 }
1302 server.sun_family = AF_UNIX;
1303 Ustrcpy(server.sun_path, "/var/run/mksd/socket");
1304 if (connect(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_un)) < 0) {
1305 close(sock);
1306 log_write(0, LOG_MAIN|LOG_PANIC,
1307 "malware acl condition: unable to connect to mksd UNIX socket (/var/run/mksd/socket). errno=%d", errno);
1308 return DEFER;
1309 }
1310
1311 malware_name = NULL;
1312
1313 retval = mksd_scan_packed(sock);
1314
1315 if (retval != OK)
1316 return retval;
1317 }
1318 /* ----------------------------------------------------------------------- */
1319
1320 /* "unknown" scanner type ------------------------------------------------- */
1321 else {
1322 log_write(0, LOG_MAIN|LOG_PANIC,
1323 "malware condition: unknown scanner type '%s'", scanner_name);
1324 return DEFER;
1325 };
1326 /* ----------------------------------------------------------------------- */
1327
1328 /* set "been here, done that" marker */
1329 malware_ok = 1;
1330 };
1331
1332 /* match virus name against pattern (caseless ------->----------v) */
1333 if ( (malware_name != NULL) &&
1334 (regex_match_and_setup(re, malware_name, 0, -1)) ) {
1335 return OK;
1336 }
1337 else {
1338 return FAIL;
1339 };
1340 }
1341
1342
1343 /* simple wrapper for reading lines from sockets */
1344 int recv_line(int sock, uschar *buffer, int size) {
1345 uschar *p = buffer;
1346
1347 memset(buffer,0,size);
1348 /* read until \n */
1349 while(recv(sock,p,1,0) > -1) {
1350 if ((p-buffer) > (size-2)) break;
1351 if (*p == '\n') break;
1352 if (*p != '\r') p++;
1353 };
1354 *p = '\0';
1355
1356 return (p-buffer);
1357 }
1358
1359
1360 /* ============= private routines for the "mksd" scanner type ============== */
1361
1362 #include <sys/uio.h>
1363
1364 int mksd_writev (int sock, struct iovec *iov, int iovcnt)
1365 {
1366 int i;
1367
1368 for (;;) {
1369 do
1370 i = writev (sock, iov, iovcnt);
1371 while ((i < 0) && (errno == EINTR));
1372 if (i <= 0) {
1373 close (sock);
1374 log_write(0, LOG_MAIN|LOG_PANIC,
1375 "malware acl condition: unable to write to mksd UNIX socket (/var/run/mksd/socket)");
1376 return -1;
1377 }
1378
1379 for (;;)
1380 if (i >= iov->iov_len) {
1381 if (--iovcnt == 0)
1382 return 0;
1383 i -= iov->iov_len;
1384 iov++;
1385 } else {
1386 iov->iov_len -= i;
1387 iov->iov_base = CS iov->iov_base + i;
1388 break;
1389 }
1390 }
1391 }
1392
1393 int mksd_read_lines (int sock, uschar *av_buffer, int av_buffer_size)
1394 {
1395 int offset = 0;
1396 int i;
1397
1398 do {
1399 if ((i = recv (sock, av_buffer+offset, av_buffer_size-offset, 0)) <= 0) {
1400 close (sock);
1401 log_write(0, LOG_MAIN|LOG_PANIC,
1402 "malware acl condition: unable to read from mksd UNIX socket (/var/run/mksd/socket)");
1403 return -1;
1404 }
1405
1406 offset += i;
1407 /* offset == av_buffer_size -> buffer full */
1408 if (offset == av_buffer_size) {
1409 close (sock);
1410 log_write(0, LOG_MAIN|LOG_PANIC,
1411 "malware acl condition: malformed reply received from mksd");
1412 return -1;
1413 }
1414 } while (av_buffer[offset-1] != '\n');
1415
1416 av_buffer[offset] = '\0';
1417 return offset;
1418 }
1419
1420 int mksd_parse_line (char *line)
1421 {
1422 char *p;
1423
1424 switch (*line) {
1425 case 'O':
1426 /* OK */
1427 return OK;
1428 case 'E':
1429 case 'A':
1430 /* ERR */
1431 if ((p = strchr (line, '\n')) != NULL)
1432 (*p) = '\0';
1433 log_write(0, LOG_MAIN|LOG_PANIC,
1434 "malware acl condition: mksd scanner failed: %s", line);
1435 return DEFER;
1436 default:
1437 /* VIR */
1438 if ((p = strchr (line, '\n')) != NULL) {
1439 (*p) = '\0';
1440 if (((p-line) > 5) && ((p-line) < sizeof (malware_name_buffer)) && (line[3] == ' '))
1441 if (((p = strchr (line+4, ' ')) != NULL) && ((p-line) > 4)) {
1442 (*p) = '\0';
1443 Ustrcpy (malware_name_buffer, line+4);
1444 malware_name = malware_name_buffer;
1445 return OK;
1446 }
1447 }
1448 log_write(0, LOG_MAIN|LOG_PANIC,
1449 "malware acl condition: malformed reply received from mksd: %s", line);
1450 return DEFER;
1451 }
1452 }
1453
1454 int mksd_scan_packed (int sock)
1455 {
1456 struct iovec iov[7];
1457 char *cmd = "MSQ/scan/.eml\n";
1458 uschar av_buffer[1024];
1459
1460 iov[0].iov_base = cmd;
1461 iov[0].iov_len = 3;
1462 iov[1].iov_base = CS spool_directory;
1463 iov[1].iov_len = Ustrlen (spool_directory);
1464 iov[2].iov_base = cmd + 3;
1465 iov[2].iov_len = 6;
1466 iov[3].iov_base = iov[5].iov_base = CS message_id;
1467 iov[3].iov_len = iov[5].iov_len = Ustrlen (message_id);
1468 iov[4].iov_base = cmd + 3;
1469 iov[4].iov_len = 1;
1470 iov[6].iov_base = cmd + 9;
1471 iov[6].iov_len = 5;
1472
1473 if (mksd_writev (sock, iov, 7) < 0)
1474 return DEFER;
1475
1476 if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer)) < 0)
1477 return DEFER;
1478
1479 close (sock);
1480
1481 return mksd_parse_line (CS av_buffer);
1482 }
1483
1484 #endif