projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Revert "GnuTLS: remove GNUTLS_E_AGAIN handling"
[exim.git] / src / src / spool_in.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
10
11
12 #include "exim.h"
13
14
15
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
20
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
26 with append.
27
28 As called by deliver_message() (at least) we are operating as root.
29
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
32
33 Side effect: message_subdir is set for the (possibly split) spool directory
34 */
35
36 int
37 spool_open_datafile(uschar *id)
38 {
39 struct stat statbuf;
40 flock_t lock_data;
41 int fd;
42
43 /* If split_spool_directory is set, first look for the file in the appropriate
44 sub-directory of the input directory. If it is not found there, try the input
45 directory itself, to pick up leftovers from before the splitting. If split_
46 spool_directory is not set, first look in the main input directory. If it is
47 not found there, try the split sub-directory, in case it is left over from a
48 splitting state. */
49
50 for (int i = 0; i < 2; i++)
51 {
52 uschar * fname;
53 int save_errno;
54
55 set_subdir_str(message_subdir, id, i);
56 fname = spool_fname(US"input", message_subdir, id, US"-D");
57 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
58
59 /* We protect against symlink attacks both in not propagating the
60 * file-descriptor to other processes as we exec, and also ensuring that we
61 * don't even open symlinks.
62 * No -D file inside the spool area should be a symlink.
63 */
64 if ((fd = Uopen(fname,
65 #ifdef O_CLOEXEC
66 O_CLOEXEC |
67 #endif
68 #ifdef O_NOFOLLOW
69 O_NOFOLLOW |
70 #endif
71 O_RDWR | O_APPEND, 0)) >= 0)
72 break;
73 save_errno = errno;
74 if (errno == ENOENT)
75 {
76 if (i == 0) continue;
77 if (!f.queue_running)
78 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
79 *queue_name ? US" Q=" : US"",
80 *queue_name ? queue_name : US"",
81 id);
82 }
83 else
84 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
85 errno = save_errno;
86 return -1;
87 }
88
89 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
90 the file. We lock only the first line of the file (containing the message ID)
91 because this apparently is needed for running Exim under Cygwin. If the entire
92 file is locked in one process, a sub-process cannot access it, even when passed
93 an open file descriptor (at least, I think that's the Cygwin story). On real
94 Unix systems it doesn't make any difference as long as Exim is consistent in
95 what it locks. */
96
97 #ifndef O_CLOEXEC
98 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
99 #endif
100
101 lock_data.l_type = F_WRLCK;
102 lock_data.l_whence = SEEK_SET;
103 lock_data.l_start = 0;
104 lock_data.l_len = SPOOL_DATA_START_OFFSET;
105
106 if (fcntl(fd, F_SETLK, &lock_data) < 0)
107 {
108 log_write(L_skip_delivery, LOG_MAIN,
109 "Spool file for %s is locked (another process is handling this message)",
110 id);
111 (void)close(fd);
112 errno = 0;
113 return -1;
114 }
115
116 /* Get the size of the data; don't include the leading filename line
117 in the count, but add one for the newline before the data. */
118
119 if (fstat(fd, &statbuf) == 0)
120 {
121 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
122 message_size = message_body_size + 1;
123 }
124
125 return fd;
126 }
127 #endif /* COMPILE_UTILITY */
128
129
130
131 /*************************************************
132 * Read non-recipients tree from spool file *
133 *************************************************/
134
135 /* The tree of non-recipients is written to the spool file in a form that
136 makes it easy to read back into a tree. The format is as follows:
137
138 . Each node is preceded by two letter(Y/N) indicating whether it has left
139 or right children. There's one space after the two flags, before the name.
140
141 . The left subtree (if any) then follows, then the right subtree (if any).
142
143 This function is entered with the next input line in the buffer. Note we must
144 save the right flag before recursing with the same buffer.
145
146 Once the tree is read, we re-construct the balance fields by scanning the tree.
147 I forgot to write them out originally, and the compatible fix is to do it this
148 way. This initial local recursing function does the necessary.
149
150 Arguments:
151 node tree node
152
153 Returns: maximum depth below the node, including the node itself
154 */
155
156 static int
157 count_below(tree_node *node)
158 {
159 int nleft, nright;
160 if (node == NULL) return 0;
161 nleft = count_below(node->left);
162 nright = count_below(node->right);
163 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
164 return 1 + ((nleft > nright)? nleft : nright);
165 }
166
167 /* This is the real function...
168
169 Arguments:
170 connect pointer to the root of the tree
171 f FILE to read data from
172 buffer contains next input line; further lines read into it
173 buffer_size size of the buffer
174
175 Returns: FALSE on format error
176 */
177
178 static BOOL
179 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
180 int buffer_size)
181 {
182 tree_node *node;
183 int n = Ustrlen(buffer);
184 BOOL right = buffer[1] == 'Y';
185
186 if (n < 5) return FALSE; /* malformed line */
187 buffer[n-1] = 0; /* Remove \n */
188 node = store_get(sizeof(tree_node) + n - 3, TRUE); /* rcpt names tainted */
189 *connect = node;
190 Ustrcpy(node->name, buffer + 3);
191 node->data.ptr = NULL;
192
193 if (buffer[0] == 'Y')
194 {
195 if (Ufgets(buffer, buffer_size, f) == NULL ||
196 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
197 return FALSE;
198 }
199 else node->left = NULL;
200
201 if (right)
202 {
203 if (Ufgets(buffer, buffer_size, f) == NULL ||
204 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
205 return FALSE;
206 }
207 else node->right = NULL;
208
209 (void) count_below(*connect);
210 return TRUE;
211 }
212
213
214
215
216 /* Reset all the global variables to their default values. However, there is
217 one exception. DO NOT change the default value of dont_deliver, because it may
218 be forced by an external setting. */
219
220 void
221 spool_clear_header_globals(void)
222 {
223 acl_var_c = acl_var_m = NULL;
224 authenticated_id = NULL;
225 authenticated_sender = NULL;
226 f.allow_unqualified_recipient = FALSE;
227 f.allow_unqualified_sender = FALSE;
228 body_linecount = 0;
229 body_zerocount = 0;
230 f.deliver_firsttime = FALSE;
231 f.deliver_freeze = FALSE;
232 deliver_frozen_at = 0;
233 f.deliver_manual_thaw = FALSE;
234 /* f.dont_deliver must NOT be reset */
235 header_list = header_last = NULL;
236 host_lookup_deferred = FALSE;
237 host_lookup_failed = FALSE;
238 interface_address = NULL;
239 interface_port = 0;
240 f.local_error_message = FALSE;
241 #ifdef HAVE_LOCAL_SCAN
242 local_scan_data = NULL;
243 #endif
244 max_received_linelength = 0;
245 message_linecount = 0;
246 received_protocol = NULL;
247 received_count = 0;
248 recipients_list = NULL;
249 sender_address = NULL;
250 sender_fullhost = NULL;
251 sender_helo_name = NULL;
252 sender_host_address = NULL;
253 sender_host_name = NULL;
254 sender_host_port = 0;
255 sender_host_authenticated = NULL;
256 sender_ident = NULL;
257 f.sender_local = FALSE;
258 f.sender_set_untrusted = FALSE;
259 smtp_active_hostname = primary_hostname;
260 #ifndef COMPILE_UTILITY
261 f.spool_file_wireformat = FALSE;
262 #endif
263 tree_nonrecipients = NULL;
264
265 #ifdef EXPERIMENTAL_BRIGHTMAIL
266 bmi_run = 0;
267 bmi_verdicts = NULL;
268 #endif
269
270 #ifndef DISABLE_DKIM
271 dkim_signers = NULL;
272 f.dkim_disable_verify = FALSE;
273 dkim_collect_input = 0;
274 #endif
275
276 #ifndef DISABLE_TLS
277 tls_in.certificate_verified = FALSE;
278 # ifdef SUPPORT_DANE
279 tls_in.dane_verified = FALSE;
280 # endif
281 tls_in.ver = tls_in.cipher = NULL;
282 # ifndef COMPILE_UTILITY /* tls support fns not built in */
283 tls_free_cert(&tls_in.ourcert);
284 tls_free_cert(&tls_in.peercert);
285 # endif
286 tls_in.peerdn = NULL;
287 tls_in.sni = NULL;
288 tls_in.ocsp = OCSP_NOT_REQ;
289 #endif
290
291 #ifdef WITH_CONTENT_SCAN
292 spam_bar = NULL;
293 spam_score = NULL;
294 spam_score_int = NULL;
295 #endif
296
297 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
298 message_smtputf8 = FALSE;
299 message_utf8_downconvert = 0;
300 #endif
301
302 dsn_ret = 0;
303 dsn_envid = NULL;
304 }
305
306
307 /*************************************************
308 * Read spool header file *
309 *************************************************/
310
311 /* This function reads a spool header file and places the data into the
312 appropriate global variables. The header portion is always read, but header
313 structures are built only if read_headers is set true. It isn't, for example,
314 while generating -bp output.
315
316 It may be possible for blocks of nulls (binary zeroes) to get written on the
317 end of a file if there is a system crash during writing. It was observed on an
318 earlier version of Exim that omitted to fsync() the files - this is thought to
319 have been the cause of that incident, but in any case, this code must be robust
320 against such an event, and if such a file is encountered, it must be treated as
321 malformed.
322
323 As called from deliver_message() (at least) we are running as root.
324
325 Arguments:
326 name name of the header file, including the -H
327 read_headers TRUE if in-store header structures are to be built
328 subdir_set TRUE is message_subdir is already set
329
330 Returns: spool_read_OK success
331 spool_read_notopen open failed
332 spool_read_enverror error in the envelope portion
333 spool_read_hdrerror error in the header portion
334 */
335
336 int
337 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
338 {
339 FILE * fp = NULL;
340 int n;
341 int rcount = 0;
342 long int uid, gid;
343 BOOL inheader = FALSE;
344
345 /* Reset all the global variables to their default values. However, there is
346 one exception. DO NOT change the default value of dont_deliver, because it may
347 be forced by an external setting. */
348
349 spool_clear_header_globals();
350
351 /* Generate the full name and open the file. If message_subdir is already
352 set, just look in the given directory. Otherwise, look in both the split
353 and unsplit directories, as for the data file above. */
354
355 for (int n = 0; n < 2; n++)
356 {
357 if (!subdir_set)
358 set_subdir_str(message_subdir, name, n);
359
360 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
361 break;
362 if (n != 0 || subdir_set || errno != ENOENT)
363 return spool_read_notopen;
364 }
365
366 errno = 0;
367
368 #ifndef COMPILE_UTILITY
369 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
370 #endif /* COMPILE_UTILITY */
371
372 /* The first line of a spool file contains the message id followed by -H (i.e.
373 the file name), in order to make the file self-identifying. */
374
375 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
376 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
377 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
378 goto SPOOL_FORMAT_ERROR;
379
380 /* The next three lines in the header file are in a fixed format. The first
381 contains the login, uid, and gid of the user who caused the file to be written.
382 There are known cases where a negative gid is used, so we allow for both
383 negative uids and gids. The second contains the mail address of the message's
384 sender, enclosed in <>. The third contains the time the message was received,
385 and the number of warning messages for delivery delays that have been sent. */
386
387 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
388
389 {
390 uschar *p = big_buffer + Ustrlen(big_buffer);
391 while (p > big_buffer && isspace(p[-1])) p--;
392 *p = 0;
393 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
394 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
395 gid = Uatoi(p);
396 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
397 *p = 0;
398 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
399 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
400 uid = Uatoi(p);
401 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
402 *p = 0;
403 }
404
405 originator_login = string_copy(big_buffer);
406 originator_uid = (uid_t)uid;
407 originator_gid = (gid_t)gid;
408
409 /* envelope from */
410 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
411 n = Ustrlen(big_buffer);
412 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
413 goto SPOOL_FORMAT_ERROR;
414
415 sender_address = store_get(n-2, TRUE); /* tainted */
416 Ustrncpy(sender_address, big_buffer+1, n-3);
417 sender_address[n-3] = 0;
418
419 /* time */
420 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
421 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
422 goto SPOOL_FORMAT_ERROR;
423 received_time.tv_usec = 0;
424
425 message_age = time(NULL) - received_time.tv_sec;
426 #ifndef COMPILE_UTILITY
427 if (f.running_in_test_harness)
428 message_age = test_harness_fudged_queue_time(message_age);
429 #endif
430
431 #ifndef COMPILE_UTILITY
432 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
433 originator_login, (long int)originator_uid, (long int)originator_gid,
434 sender_address);
435 #endif
436
437 /* Now there may be a number of optional lines, each starting with "-". If you
438 add a new setting here, make sure you set the default above.
439
440 Because there are now quite a number of different possibilities, we use a
441 switch on the first character to avoid too many failing tests. Thanks to Nico
442 Erfurth for the patch that implemented this. I have made it even more efficient
443 by not re-scanning the first two characters.
444
445 To allow new versions of Exim that add additional flags to interwork with older
446 versions that do not understand them, just ignore any lines starting with "-"
447 that we don't recognize. Otherwise it wouldn't be possible to back off a new
448 version that left new-style flags written on the spool.
449
450 If the line starts with "--" the content of the variable is tainted. */
451
452 for (;;)
453 {
454 int len;
455 BOOL tainted;
456 uschar * var;
457 const uschar * p;
458
459 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
460 if (big_buffer[0] != '-') break;
461 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
462 && big_buffer[len-1] != '\n'
463 )
464 { /* buffer not big enough for line; certs make this possible */
465 uschar * buf;
466 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
467 buf = store_get_perm(big_buffer_size *= 2, FALSE);
468 memcpy(buf, big_buffer, --len);
469 big_buffer = buf;
470 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
471 goto SPOOL_READ_ERROR;
472 }
473 big_buffer[len-1] = 0;
474
475 tainted = big_buffer[1] == '-';
476 var = big_buffer + (tainted ? 2 : 1);
477 p = var + 1;
478
479 switch(*var)
480 {
481 case 'a':
482
483 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
484 variable, because Exim allows any number of them, with arbitrary names.
485 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
486 the c or m. */
487
488 if (Ustrncmp(p, "clc ", 4) == 0 ||
489 Ustrncmp(p, "clm ", 4) == 0)
490 {
491 uschar *name, *endptr;
492 int count;
493 tree_node *node;
494 endptr = Ustrchr(var + 5, ' ');
495 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
496 name = string_sprintf("%c%.*s", var[3],
497 (int)(endptr - var - 5), var + 5);
498 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
499 node = acl_var_create(name);
500 node->data.ptr = store_get(count + 1, tainted);
501 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
502 ((uschar*)node->data.ptr)[count] = 0;
503 }
504
505 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
506 f.allow_unqualified_recipient = TRUE;
507 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
508 f.allow_unqualified_sender = TRUE;
509
510 else if (Ustrncmp(p, "uth_id", 6) == 0)
511 authenticated_id = string_copy_taint(var + 8, tainted);
512 else if (Ustrncmp(p, "uth_sender", 10) == 0)
513 authenticated_sender = string_copy_taint(var + 12, tainted);
514 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
515 smtp_active_hostname = string_copy_taint(var + 16, tainted);
516
517 /* For long-term backward compatibility, we recognize "-acl", which was
518 used before the number of ACL variables changed from 10 to 20. This was
519 before the subsequent change to an arbitrary number of named variables.
520 This code is retained so that upgrades from very old versions can still
521 handle old-format spool files. The value given after "-acl" is a number
522 that is 0-9 for connection variables, and 10-19 for message variables. */
523
524 else if (Ustrncmp(p, "cl ", 3) == 0)
525 {
526 unsigned index, count;
527 uschar name[20]; /* Need plenty of space for %u format */
528 tree_node * node;
529 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
530 || index >= 20
531 || count > 16384 /* arbitrary limit on variable size */
532 )
533 goto SPOOL_FORMAT_ERROR;
534 if (index < 10)
535 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
536 else
537 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
538 node = acl_var_create(name);
539 node->data.ptr = store_get(count + 1, tainted);
540 /* We sanity-checked the count, so disable the Coverity error */
541 /* coverity[tainted_data] */
542 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
543 (US node->data.ptr)[count] = '\0';
544 }
545 break;
546
547 case 'b':
548 if (Ustrncmp(p, "ody_linecount", 13) == 0)
549 body_linecount = Uatoi(var + 14);
550 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
551 body_zerocount = Uatoi(var + 14);
552 #ifdef EXPERIMENTAL_BRIGHTMAIL
553 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
554 bmi_verdicts = string_copy_taint(var + 13, tainted);
555 #endif
556 break;
557
558 case 'd':
559 if (Ustrcmp(p, "eliver_firsttime") == 0)
560 f.deliver_firsttime = TRUE;
561 /* Check if the dsn flags have been set in the header file */
562 else if (Ustrncmp(p, "sn_ret", 6) == 0)
563 dsn_ret= atoi(CS var + 7);
564 else if (Ustrncmp(p, "sn_envid", 8) == 0)
565 dsn_envid = string_copy_taint(var + 10, tainted);
566 break;
567
568 case 'f':
569 if (Ustrncmp(p, "rozen", 5) == 0)
570 {
571 f.deliver_freeze = TRUE;
572 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
573 goto SPOOL_READ_ERROR;
574 }
575 break;
576
577 case 'h':
578 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
579 host_lookup_deferred = TRUE;
580 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
581 host_lookup_failed = TRUE;
582 else if (Ustrncmp(p, "ost_auth", 8) == 0)
583 sender_host_authenticated = string_copy_taint(var + 10, tainted);
584 else if (Ustrncmp(p, "ost_name", 8) == 0)
585 sender_host_name = string_copy_taint(var + 10, tainted);
586 else if (Ustrncmp(p, "elo_name", 8) == 0)
587 sender_helo_name = string_copy_taint(var + 10, tainted);
588
589 /* We now record the port number after the address, separated by a
590 dot. For compatibility during upgrading, do nothing if there
591 isn't a value (it gets left at zero). */
592
593 else if (Ustrncmp(p, "ost_address", 11) == 0)
594 {
595 sender_host_port = host_address_extract_port(var + 13);
596 sender_host_address = string_copy_taint(var + 13, tainted);
597 }
598 break;
599
600 case 'i':
601 if (Ustrncmp(p, "nterface_address", 16) == 0)
602 {
603 interface_port = host_address_extract_port(var + 18);
604 interface_address = string_copy_taint(var + 18, tainted);
605 }
606 else if (Ustrncmp(p, "dent", 4) == 0)
607 sender_ident = string_copy_taint(var + 6, tainted);
608 break;
609
610 case 'l':
611 if (Ustrcmp(p, "ocal") == 0)
612 f.sender_local = TRUE;
613 else if (Ustrcmp(var, "localerror") == 0)
614 f.local_error_message = TRUE;
615 #ifdef HAVE_LOCAL_SCAN
616 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
617 local_scan_data = string_copy_taint(var + 11, tainted);
618 #endif
619 break;
620
621 case 'm':
622 if (Ustrcmp(p, "anual_thaw") == 0)
623 f.deliver_manual_thaw = TRUE;
624 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
625 max_received_linelength = Uatoi(var + 23);
626 break;
627
628 case 'N':
629 if (*p == 0) f.dont_deliver = TRUE; /* -N */
630 break;
631
632 case 'r':
633 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
634 received_protocol = string_copy_taint(var + 18, tainted);
635 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
636 {
637 unsigned usec;
638 if (sscanf(CS var + 20, "%u", &usec) == 1)
639 received_time.tv_usec = usec;
640 }
641 break;
642
643 case 's':
644 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
645 f.sender_set_untrusted = TRUE;
646 #ifdef WITH_CONTENT_SCAN
647 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
648 spam_bar = string_copy_taint(var + 9, tainted);
649 else if (Ustrncmp(p, "pam_score ", 10) == 0)
650 spam_score = string_copy_taint(var + 11, tainted);
651 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
652 spam_score_int = string_copy_taint(var + 15, tainted);
653 #endif
654 #ifndef COMPILE_UTILITY
655 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
656 f.spool_file_wireformat = TRUE;
657 #endif
658 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
659 else if (Ustrncmp(p, "mtputf8", 7) == 0)
660 message_smtputf8 = TRUE;
661 #endif
662 break;
663
664 #ifndef DISABLE_TLS
665 case 't':
666 if (Ustrncmp(p, "ls_", 3) == 0)
667 {
668 const uschar * q = p + 3;
669 if (Ustrncmp(q, "certificate_verified", 20) == 0)
670 tls_in.certificate_verified = TRUE;
671 else if (Ustrncmp(q, "cipher", 6) == 0)
672 tls_in.cipher = string_copy_taint(q+7, tainted);
673 # ifndef COMPILE_UTILITY /* tls support fns not built in */
674 else if (Ustrncmp(q, "ourcert", 7) == 0)
675 (void) tls_import_cert(q+8, &tls_in.ourcert);
676 else if (Ustrncmp(q, "peercert", 8) == 0)
677 (void) tls_import_cert(q+9, &tls_in.peercert);
678 # endif
679 else if (Ustrncmp(q, "peerdn", 6) == 0)
680 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, tainted));
681 else if (Ustrncmp(q, "sni", 3) == 0)
682 tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
683 else if (Ustrncmp(q, "ocsp", 4) == 0)
684 tls_in.ocsp = q[5] - '0';
685 # ifdef EXPERIMENTAL_TLS_RESUME
686 else if (Ustrncmp(q, "resumption", 10) == 0)
687 tls_in.resumption = q[11] - 'A';
688 # endif
689 else if (Ustrncmp(q, "ver", 3) == 0)
690 tls_in.ver = string_copy_taint(q+4, tainted);
691 }
692 break;
693 #endif
694
695 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
696 case 'u':
697 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
698 message_utf8_downconvert = 1;
699 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
700 message_utf8_downconvert = -1;
701 break;
702 #endif
703
704 default: /* Present because some compilers complain if all */
705 break; /* possibilities are not covered. */
706 }
707 }
708
709 /* Build sender_fullhost if required */
710
711 #ifndef COMPILE_UTILITY
712 host_build_sender_fullhost();
713 #endif /* COMPILE_UTILITY */
714
715 #ifndef COMPILE_UTILITY
716 DEBUG(D_deliver)
717 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
718 sender_ident ? sender_ident : US"unset");
719 #endif /* COMPILE_UTILITY */
720
721 /* We now have the tree of addresses NOT to deliver to, or a line
722 containing "XX", indicating no tree. */
723
724 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
725 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
726 goto SPOOL_FORMAT_ERROR;
727
728 #ifndef COMPILE_UTILITY
729 DEBUG(D_deliver)
730 {
731 debug_printf("Non-recipients:\n");
732 debug_print_tree(tree_nonrecipients);
733 }
734 #endif /* COMPILE_UTILITY */
735
736 /* After reading the tree, the next line has not yet been read into the
737 buffer. It contains the count of recipients which follow on separate lines.
738 Apply an arbitrary sanity check.*/
739
740 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
741 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
742 goto SPOOL_FORMAT_ERROR;
743
744 #ifndef COMPILE_UTILITY
745 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
746 #endif /* COMPILE_UTILITY */
747
748 recipients_list_max = rcount;
749 recipients_list = store_get(rcount * sizeof(recipient_item), FALSE);
750
751 /* We sanitised the count and know we have enough memory, so disable
752 the Coverity error on recipients_count */
753 /* coverity[tainted_data] */
754
755 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
756 {
757 int nn;
758 int pno = -1;
759 int dsn_flags = 0;
760 uschar *orcpt = NULL;
761 uschar *errors_to = NULL;
762 uschar *p;
763
764 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
765 nn = Ustrlen(big_buffer);
766 if (nn < 2) goto SPOOL_FORMAT_ERROR;
767
768 /* Remove the newline; this terminates the address if there is no additional
769 data on the line. */
770
771 p = big_buffer + nn - 1;
772 *p-- = 0;
773
774 /* Look back from the end of the line for digits and special terminators.
775 Since an address must end with a domain, we can tell that extra data is
776 present by the presence of the terminator, which is always some character
777 that cannot exist in a domain. (If I'd thought of the need for additional
778 data early on, I'd have put it at the start, with the address at the end. As
779 it is, we have to operate backwards. Addresses are permitted to contain
780 spaces, you see.)
781
782 This code has to cope with various versions of this data that have evolved
783 over time. In all cases, the line might just contain an address, with no
784 additional data. Otherwise, the possibilities are as follows:
785
786 Exim 3 type: <address><space><digits>,<digits>,<digits>
787
788 The second set of digits is the parent number for one_time addresses. The
789 other values were remnants of earlier experiments that were abandoned.
790
791 Exim 4 first type: <address><space><digits>
792
793 The digits are the parent number for one_time addresses.
794
795 Exim 4 new type: <address><space><data>#<type bits>
796
797 The type bits indicate what the contents of the data are.
798
799 Bit 01 indicates that, reading from right to left, the data
800 ends with <errors_to address><space><len>,<pno> where pno is
801 the parent number for one_time addresses, and len is the length
802 of the errors_to address (zero meaning none).
803
804 Bit 02 indicates that, again reading from right to left, the data continues
805 with orcpt len(orcpt),dsn_flags
806 */
807
808 while (isdigit(*p)) p--;
809
810 /* Handle Exim 3 spool files */
811
812 if (*p == ',')
813 {
814 int dummy;
815 #if !defined (COMPILE_UTILITY)
816 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n");
817 #endif
818 while (isdigit(*(--p)) || *p == ',');
819 if (*p == ' ')
820 {
821 *p++ = 0;
822 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
823 }
824 }
825
826 /* Handle early Exim 4 spool files */
827
828 else if (*p == ' ')
829 {
830 #if !defined (COMPILE_UTILITY)
831 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n");
832 #endif
833 *p++ = 0;
834 (void)sscanf(CS p, "%d", &pno);
835 }
836
837 /* Handle current format Exim 4 spool files */
838
839 else if (*p == '#')
840 {
841 int flags;
842
843 #if !defined (COMPILE_UTILITY)
844 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n");
845 #endif
846
847 (void)sscanf(CS p+1, "%d", &flags);
848
849 if ((flags & 0x01) != 0) /* one_time data exists */
850 {
851 int len;
852 while (isdigit(*(--p)) || *p == ',' || *p == '-');
853 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
854 *p = 0;
855 if (len > 0)
856 {
857 p -= len;
858 errors_to = string_copy_taint(p, TRUE);
859 }
860 }
861
862 *(--p) = 0; /* Terminate address */
863 if ((flags & 0x02) != 0) /* one_time data exists */
864 {
865 int len;
866 while (isdigit(*(--p)) || *p == ',' || *p == '-');
867 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
868 *p = 0;
869 if (len > 0)
870 {
871 p -= len;
872 orcpt = string_copy_taint(p, TRUE);
873 }
874 }
875
876 *(--p) = 0; /* Terminate address */
877 }
878 #if !defined(COMPILE_UTILITY)
879 else
880 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
881
882 if (orcpt || dsn_flags)
883 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
884 big_buffer, orcpt, dsn_flags);
885 if (errors_to)
886 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
887 big_buffer, errors_to);
888 #endif
889
890 recipients_list[recipients_count].address = string_copy_taint(big_buffer, TRUE);
891 recipients_list[recipients_count].pno = pno;
892 recipients_list[recipients_count].errors_to = errors_to;
893 recipients_list[recipients_count].orcpt = orcpt;
894 recipients_list[recipients_count].dsn_flags = dsn_flags;
895 }
896
897 /* The remainder of the spool header file contains the headers for the message,
898 separated off from the previous data by a blank line. Each header is preceded
899 by a count of its length and either a certain letter (for various identified
900 headers), space (for a miscellaneous live header) or an asterisk (for a header
901 that has been rewritten). Count the Received: headers. We read the headers
902 always, in order to check on the format of the file, but only create a header
903 list if requested to do so. */
904
905 inheader = TRUE;
906 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
907 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
908
909 while ((n = fgetc(fp)) != EOF)
910 {
911 header_line *h;
912 uschar flag[4];
913 int i;
914
915 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
916 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
917 goto SPOOL_READ_ERROR;
918 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
919
920 if (read_headers)
921 {
922 h = store_get(sizeof(header_line), FALSE);
923 h->next = NULL;
924 h->type = flag[0];
925 h->slen = n;
926 h->text = store_get(n+1, TRUE); /* tainted */
927
928 if (h->type == htype_received) received_count++;
929
930 if (header_list) header_last->next = h;
931 else header_list = h;
932 header_last = h;
933
934 for (i = 0; i < n; i++)
935 {
936 int c = fgetc(fp);
937 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
938 if (c == '\n' && h->type != htype_old) message_linecount++;
939 h->text[i] = c;
940 }
941 h->text[i] = 0;
942 }
943
944 /* Not requiring header data, just skip through the bytes */
945
946 else for (i = 0; i < n; i++)
947 {
948 int c = fgetc(fp);
949 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
950 }
951 }
952
953 /* We have successfully read the data in the header file. Update the message
954 line count by adding the body linecount to the header linecount. Close the file
955 and give a positive response. */
956
957 #ifndef COMPILE_UTILITY
958 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
959 body_linecount, message_linecount);
960 #endif /* COMPILE_UTILITY */
961
962 message_linecount += body_linecount;
963
964 fclose(fp);
965 return spool_read_OK;
966
967
968 /* There was an error reading the spool or there was missing data,
969 or there was a format error. A "read error" with no errno means an
970 unexpected EOF, which we treat as a format error. */
971
972 SPOOL_READ_ERROR:
973 if (errno != 0)
974 {
975 n = errno;
976
977 #ifndef COMPILE_UTILITY
978 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
979 #endif /* COMPILE_UTILITY */
980
981 fclose(fp);
982 errno = n;
983 return inheader ? spool_read_hdrerror : spool_read_enverror;
984 }
985
986 SPOOL_FORMAT_ERROR:
987
988 #ifndef COMPILE_UTILITY
989 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
990 #endif /* COMPILE_UTILITY */
991
992 fclose(fp);
993 errno = ERRNO_SPOOLFORMAT;
994 return inheader? spool_read_hdrerror : spool_read_enverror;
995 }
996
997 /* vi: aw ai sw=2
998 */
999 /* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.