projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
perl paranoia about @INC
[exim.git] / src / src / spool_in.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
10
11
12 #include "exim.h"
13
14
15
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
20
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
26 with append.
27
28 As called by deliver_message() (at least) we are operating as root.
29
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
32
33 Side effect: message_subdir is set for the (possibly split) spool directory
34 */
35
36 int
37 spool_open_datafile(uschar *id)
38 {
39 int i;
40 struct stat statbuf;
41 flock_t lock_data;
42 int fd;
43
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
49 splitting state. */
50
51 for (i = 0; i < 2; i++)
52 {
53 uschar * fname;
54 int save_errno;
55
56 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
59
60 if ((fd = Uopen(fname,
61 #ifdef O_CLOEXEC
62 O_CLOEXEC |
63 #endif
64 O_RDWR | O_APPEND, 0)) >= 0)
65 break;
66 save_errno = errno;
67 if (errno == ENOENT)
68 {
69 if (i == 0) continue;
70 if (!queue_running)
71 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
72 *queue_name ? US" Q=" : US"",
73 *queue_name ? queue_name : US"",
74 id);
75 }
76 else
77 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
78 errno = save_errno;
79 return -1;
80 }
81
82 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
83 the file. We lock only the first line of the file (containing the message ID)
84 because this apparently is needed for running Exim under Cygwin. If the entire
85 file is locked in one process, a sub-process cannot access it, even when passed
86 an open file descriptor (at least, I think that's the Cygwin story). On real
87 Unix systems it doesn't make any difference as long as Exim is consistent in
88 what it locks. */
89
90 #ifndef O_CLOEXEC
91 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
92 #endif
93
94 lock_data.l_type = F_WRLCK;
95 lock_data.l_whence = SEEK_SET;
96 lock_data.l_start = 0;
97 lock_data.l_len = SPOOL_DATA_START_OFFSET;
98
99 if (fcntl(fd, F_SETLK, &lock_data) < 0)
100 {
101 log_write(L_skip_delivery,
102 LOG_MAIN,
103 "Spool file is locked (another process is handling this message)");
104 (void)close(fd);
105 errno = 0;
106 return -1;
107 }
108
109 /* Get the size of the data; don't include the leading filename line
110 in the count, but add one for the newline before the data. */
111
112 if (fstat(fd, &statbuf) == 0)
113 {
114 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
115 message_size = message_body_size + 1;
116 }
117
118 return fd;
119 }
120 #endif /* COMPILE_UTILITY */
121
122
123
124 /*************************************************
125 * Read non-recipients tree from spool file *
126 *************************************************/
127
128 /* The tree of non-recipients is written to the spool file in a form that
129 makes it easy to read back into a tree. The format is as follows:
130
131 . Each node is preceded by two letter(Y/N) indicating whether it has left
132 or right children. There's one space after the two flags, before the name.
133
134 . The left subtree (if any) then follows, then the right subtree (if any).
135
136 This function is entered with the next input line in the buffer. Note we must
137 save the right flag before recursing with the same buffer.
138
139 Once the tree is read, we re-construct the balance fields by scanning the tree.
140 I forgot to write them out originally, and the compatible fix is to do it this
141 way. This initial local recursing function does the necessary.
142
143 Arguments:
144 node tree node
145
146 Returns: maximum depth below the node, including the node itself
147 */
148
149 static int
150 count_below(tree_node *node)
151 {
152 int nleft, nright;
153 if (node == NULL) return 0;
154 nleft = count_below(node->left);
155 nright = count_below(node->right);
156 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
157 return 1 + ((nleft > nright)? nleft : nright);
158 }
159
160 /* This is the real function...
161
162 Arguments:
163 connect pointer to the root of the tree
164 f FILE to read data from
165 buffer contains next input line; further lines read into it
166 buffer_size size of the buffer
167
168 Returns: FALSE on format error
169 */
170
171 static BOOL
172 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
173 int buffer_size)
174 {
175 tree_node *node;
176 int n = Ustrlen(buffer);
177 BOOL right = buffer[1] == 'Y';
178
179 if (n < 5) return FALSE; /* malformed line */
180 buffer[n-1] = 0; /* Remove \n */
181 node = store_get(sizeof(tree_node) + n - 3);
182 *connect = node;
183 Ustrcpy(node->name, buffer + 3);
184 node->data.ptr = NULL;
185
186 if (buffer[0] == 'Y')
187 {
188 if (Ufgets(buffer, buffer_size, f) == NULL ||
189 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
190 return FALSE;
191 }
192 else node->left = NULL;
193
194 if (right)
195 {
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
198 return FALSE;
199 }
200 else node->right = NULL;
201
202 (void) count_below(*connect);
203 return TRUE;
204 }
205
206
207
208
209 /*************************************************
210 * Read spool header file *
211 *************************************************/
212
213 /* This function reads a spool header file and places the data into the
214 appropriate global variables. The header portion is always read, but header
215 structures are built only if read_headers is set true. It isn't, for example,
216 while generating -bp output.
217
218 It may be possible for blocks of nulls (binary zeroes) to get written on the
219 end of a file if there is a system crash during writing. It was observed on an
220 earlier version of Exim that omitted to fsync() the files - this is thought to
221 have been the cause of that incident, but in any case, this code must be robust
222 against such an event, and if such a file is encountered, it must be treated as
223 malformed.
224
225 As called from deliver_message() (at least) we are running as root.
226
227 Arguments:
228 name name of the header file, including the -H
229 read_headers TRUE if in-store header structures are to be built
230 subdir_set TRUE is message_subdir is already set
231
232 Returns: spool_read_OK success
233 spool_read_notopen open failed
234 spool_read_enverror error in the envelope portion
235 spool_read_hdrerror error in the header portion
236 */
237
238 int
239 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
240 {
241 FILE *f = NULL;
242 int n;
243 int rcount = 0;
244 long int uid, gid;
245 BOOL inheader = FALSE;
246 uschar *p;
247
248 /* Reset all the global variables to their default values. However, there is
249 one exception. DO NOT change the default value of dont_deliver, because it may
250 be forced by an external setting. */
251
252 acl_var_c = acl_var_m = NULL;
253 authenticated_id = NULL;
254 authenticated_sender = NULL;
255 allow_unqualified_recipient = FALSE;
256 allow_unqualified_sender = FALSE;
257 body_linecount = 0;
258 body_zerocount = 0;
259 deliver_firsttime = FALSE;
260 deliver_freeze = FALSE;
261 deliver_frozen_at = 0;
262 deliver_manual_thaw = FALSE;
263 /* dont_deliver must NOT be reset */
264 header_list = header_last = NULL;
265 host_lookup_deferred = FALSE;
266 host_lookup_failed = FALSE;
267 interface_address = NULL;
268 interface_port = 0;
269 local_error_message = FALSE;
270 local_scan_data = NULL;
271 max_received_linelength = 0;
272 message_linecount = 0;
273 received_protocol = NULL;
274 received_count = 0;
275 recipients_list = NULL;
276 sender_address = NULL;
277 sender_fullhost = NULL;
278 sender_helo_name = NULL;
279 sender_host_address = NULL;
280 sender_host_name = NULL;
281 sender_host_port = 0;
282 sender_host_authenticated = NULL;
283 sender_ident = NULL;
284 sender_local = FALSE;
285 sender_set_untrusted = FALSE;
286 smtp_active_hostname = primary_hostname;
287 tree_nonrecipients = NULL;
288
289 #ifdef EXPERIMENTAL_BRIGHTMAIL
290 bmi_run = 0;
291 bmi_verdicts = NULL;
292 #endif
293
294 #ifndef DISABLE_DKIM
295 dkim_signers = NULL;
296 dkim_disable_verify = FALSE;
297 dkim_collect_input = FALSE;
298 #endif
299
300 #ifdef SUPPORT_TLS
301 tls_in.certificate_verified = FALSE;
302 # ifdef EXPERIMENTAL_DANE
303 tls_in.dane_verified = FALSE;
304 # endif
305 tls_in.cipher = NULL;
306 # ifndef COMPILE_UTILITY /* tls support fns not built in */
307 tls_free_cert(&tls_in.ourcert);
308 tls_free_cert(&tls_in.peercert);
309 # endif
310 tls_in.peerdn = NULL;
311 tls_in.sni = NULL;
312 tls_in.ocsp = OCSP_NOT_REQ;
313 #endif
314
315 #ifdef WITH_CONTENT_SCAN
316 spam_bar = NULL;
317 spam_score = NULL;
318 spam_score_int = NULL;
319 #endif
320
321 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
322 message_smtputf8 = FALSE;
323 message_utf8_downconvert = 0;
324 #endif
325
326 dsn_ret = 0;
327 dsn_envid = NULL;
328
329 /* Generate the full name and open the file. If message_subdir is already
330 set, just look in the given directory. Otherwise, look in both the split
331 and unsplit directories, as for the data file above. */
332
333 for (n = 0; n < 2; n++)
334 {
335 if (!subdir_set)
336 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
337
338 if ((f = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
339 break;
340 if (n != 0 || subdir_set || errno != ENOENT)
341 return spool_read_notopen;
342 }
343
344 errno = 0;
345
346 #ifndef COMPILE_UTILITY
347 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
348 #endif /* COMPILE_UTILITY */
349
350 /* The first line of a spool file contains the message id followed by -H (i.e.
351 the file name), in order to make the file self-identifying. */
352
353 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
354 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
355 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
356 goto SPOOL_FORMAT_ERROR;
357
358 /* The next three lines in the header file are in a fixed format. The first
359 contains the login, uid, and gid of the user who caused the file to be written.
360 There are known cases where a negative gid is used, so we allow for both
361 negative uids and gids. The second contains the mail address of the message's
362 sender, enclosed in <>. The third contains the time the message was received,
363 and the number of warning messages for delivery delays that have been sent. */
364
365 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
366
367 p = big_buffer + Ustrlen(big_buffer);
368 while (p > big_buffer && isspace(p[-1])) p--;
369 *p = 0;
370 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
371 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
372 gid = Uatoi(p);
373 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
374 *p = 0;
375 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
376 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
377 uid = Uatoi(p);
378 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
379 *p = 0;
380
381 originator_login = string_copy(big_buffer);
382 originator_uid = (uid_t)uid;
383 originator_gid = (gid_t)gid;
384
385 /* envelope from */
386 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
387 n = Ustrlen(big_buffer);
388 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
389 goto SPOOL_FORMAT_ERROR;
390
391 sender_address = store_get(n-2);
392 Ustrncpy(sender_address, big_buffer+1, n-3);
393 sender_address[n-3] = 0;
394
395 /* time */
396 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
397 if (sscanf(CS big_buffer, "%d %d", &received_time, &warning_count) != 2)
398 goto SPOOL_FORMAT_ERROR;
399
400 message_age = time(NULL) - received_time;
401
402 #ifndef COMPILE_UTILITY
403 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
404 originator_login, (long int)originator_uid, (long int)originator_gid,
405 sender_address);
406 #endif /* COMPILE_UTILITY */
407
408 /* Now there may be a number of optional lines, each starting with "-". If you
409 add a new setting here, make sure you set the default above.
410
411 Because there are now quite a number of different possibilities, we use a
412 switch on the first character to avoid too many failing tests. Thanks to Nico
413 Erfurth for the patch that implemented this. I have made it even more efficient
414 by not re-scanning the first two characters.
415
416 To allow new versions of Exim that add additional flags to interwork with older
417 versions that do not understand them, just ignore any lines starting with "-"
418 that we don't recognize. Otherwise it wouldn't be possible to back off a new
419 version that left new-style flags written on the spool. */
420
421 p = big_buffer + 2;
422 for (;;)
423 {
424 int len;
425 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
426 if (big_buffer[0] != '-') break;
427 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
428 && big_buffer[len-1] != '\n'
429 )
430 { /* buffer not big enough for line; certs make this possible */
431 uschar * buf;
432 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
433 buf = store_get_perm(big_buffer_size *= 2);
434 memcpy(buf, big_buffer, --len);
435 big_buffer = buf;
436 if (Ufgets(big_buffer+len, big_buffer_size-len, f) == NULL)
437 goto SPOOL_READ_ERROR;
438 }
439 big_buffer[len-1] = 0;
440
441 switch(big_buffer[1])
442 {
443 case 'a':
444
445 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
446 variable, because Exim allows any number of them, with arbitrary names.
447 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
448 the c or m. */
449
450 if (Ustrncmp(p, "clc ", 4) == 0 ||
451 Ustrncmp(p, "clm ", 4) == 0)
452 {
453 uschar *name, *endptr;
454 int count;
455 tree_node *node;
456 endptr = Ustrchr(big_buffer + 6, ' ');
457 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
458 name = string_sprintf("%c%.*s", big_buffer[4], endptr - big_buffer - 6,
459 big_buffer + 6);
460 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
461 node = acl_var_create(name);
462 node->data.ptr = store_get(count + 1);
463 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
464 ((uschar*)node->data.ptr)[count] = 0;
465 }
466
467 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
468 allow_unqualified_recipient = TRUE;
469 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
470 allow_unqualified_sender = TRUE;
471
472 else if (Ustrncmp(p, "uth_id", 6) == 0)
473 authenticated_id = string_copy(big_buffer + 9);
474 else if (Ustrncmp(p, "uth_sender", 10) == 0)
475 authenticated_sender = string_copy(big_buffer + 13);
476 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
477 smtp_active_hostname = string_copy(big_buffer + 17);
478
479 /* For long-term backward compatibility, we recognize "-acl", which was
480 used before the number of ACL variables changed from 10 to 20. This was
481 before the subsequent change to an arbitrary number of named variables.
482 This code is retained so that upgrades from very old versions can still
483 handle old-format spool files. The value given after "-acl" is a number
484 that is 0-9 for connection variables, and 10-19 for message variables. */
485
486 else if (Ustrncmp(p, "cl ", 3) == 0)
487 {
488 unsigned index, count;
489 uschar name[20]; /* Need plenty of space for %u format */
490 tree_node * node;
491 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
492 || index >= 20
493 || count > 16384 /* arbitrary limit on variable size */
494 )
495 goto SPOOL_FORMAT_ERROR;
496 if (index < 10)
497 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
498 else
499 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
500 node = acl_var_create(name);
501 node->data.ptr = store_get(count + 1);
502 /* We sanity-checked the count, so disable the Coverity error */
503 /* coverity[tainted_data] */
504 if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
505 (US node->data.ptr)[count] = '\0';
506 }
507 break;
508
509 case 'b':
510 if (Ustrncmp(p, "ody_linecount", 13) == 0)
511 body_linecount = Uatoi(big_buffer + 15);
512 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
513 body_zerocount = Uatoi(big_buffer + 15);
514 #ifdef EXPERIMENTAL_BRIGHTMAIL
515 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
516 bmi_verdicts = string_copy(big_buffer + 14);
517 #endif
518 break;
519
520 case 'd':
521 if (Ustrcmp(p, "eliver_firsttime") == 0)
522 deliver_firsttime = TRUE;
523 /* Check if the dsn flags have been set in the header file */
524 else if (Ustrncmp(p, "sn_ret", 6) == 0)
525 dsn_ret= atoi(CS big_buffer + 8);
526 else if (Ustrncmp(p, "sn_envid", 8) == 0)
527 dsn_envid = string_copy(big_buffer + 11);
528 break;
529
530 case 'f':
531 if (Ustrncmp(p, "rozen", 5) == 0)
532 {
533 deliver_freeze = TRUE;
534 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
535 goto SPOOL_READ_ERROR;
536 }
537 break;
538
539 case 'h':
540 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
541 host_lookup_deferred = TRUE;
542 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
543 host_lookup_failed = TRUE;
544 else if (Ustrncmp(p, "ost_auth", 8) == 0)
545 sender_host_authenticated = string_copy(big_buffer + 11);
546 else if (Ustrncmp(p, "ost_name", 8) == 0)
547 sender_host_name = string_copy(big_buffer + 11);
548 else if (Ustrncmp(p, "elo_name", 8) == 0)
549 sender_helo_name = string_copy(big_buffer + 11);
550
551 /* We now record the port number after the address, separated by a
552 dot. For compatibility during upgrading, do nothing if there
553 isn't a value (it gets left at zero). */
554
555 else if (Ustrncmp(p, "ost_address", 11) == 0)
556 {
557 sender_host_port = host_address_extract_port(big_buffer + 14);
558 sender_host_address = string_copy(big_buffer + 14);
559 }
560 break;
561
562 case 'i':
563 if (Ustrncmp(p, "nterface_address", 16) == 0)
564 {
565 interface_port = host_address_extract_port(big_buffer + 19);
566 interface_address = string_copy(big_buffer + 19);
567 }
568 else if (Ustrncmp(p, "dent", 4) == 0)
569 sender_ident = string_copy(big_buffer + 7);
570 break;
571
572 case 'l':
573 if (Ustrcmp(p, "ocal") == 0) sender_local = TRUE;
574 else if (Ustrcmp(big_buffer, "-localerror") == 0)
575 local_error_message = TRUE;
576 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
577 local_scan_data = string_copy(big_buffer + 12);
578 break;
579
580 case 'm':
581 if (Ustrcmp(p, "anual_thaw") == 0) deliver_manual_thaw = TRUE;
582 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
583 max_received_linelength = Uatoi(big_buffer + 24);
584 break;
585
586 case 'N':
587 if (*p == 0) dont_deliver = TRUE; /* -N */
588 break;
589
590 case 'r':
591 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
592 received_protocol = string_copy(big_buffer + 19);
593 break;
594
595 case 's':
596 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
597 sender_set_untrusted = TRUE;
598 #ifdef WITH_CONTENT_SCAN
599 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
600 spam_bar = string_copy(big_buffer + 10);
601 else if (Ustrncmp(p, "pam_score ", 10) == 0)
602 spam_score = string_copy(big_buffer + 12);
603 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
604 spam_score_int = string_copy(big_buffer + 16);
605 #endif
606 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
607 else if (Ustrncmp(p, "mtputf8", 7) == 0)
608 message_smtputf8 = TRUE;
609 #endif
610 break;
611
612 #ifdef SUPPORT_TLS
613 case 't':
614 if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
615 tls_in.certificate_verified = TRUE;
616 else if (Ustrncmp(p, "ls_cipher", 9) == 0)
617 tls_in.cipher = string_copy(big_buffer + 12);
618 # ifndef COMPILE_UTILITY /* tls support fns not built in */
619 else if (Ustrncmp(p, "ls_ourcert", 10) == 0)
620 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
621 else if (Ustrncmp(p, "ls_peercert", 11) == 0)
622 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
623 # endif
624 else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
625 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
626 else if (Ustrncmp(p, "ls_sni", 6) == 0)
627 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
628 else if (Ustrncmp(p, "ls_ocsp", 7) == 0)
629 tls_in.ocsp = big_buffer[10] - '0';
630 break;
631 #endif
632
633 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
634 case 'u':
635 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
636 message_utf8_downconvert = 1;
637 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
638 message_utf8_downconvert = -1;
639 break;
640 #endif
641
642 default: /* Present because some compilers complain if all */
643 break; /* possibilities are not covered. */
644 }
645 }
646
647 /* Build sender_fullhost if required */
648
649 #ifndef COMPILE_UTILITY
650 host_build_sender_fullhost();
651 #endif /* COMPILE_UTILITY */
652
653 #ifndef COMPILE_UTILITY
654 DEBUG(D_deliver)
655 debug_printf("sender_local=%d ident=%s\n", sender_local,
656 (sender_ident == NULL)? US"unset" : sender_ident);
657 #endif /* COMPILE_UTILITY */
658
659 /* We now have the tree of addresses NOT to deliver to, or a line
660 containing "XX", indicating no tree. */
661
662 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
663 !read_nonrecipients_tree(&tree_nonrecipients, f, big_buffer, big_buffer_size))
664 goto SPOOL_FORMAT_ERROR;
665
666 #ifndef COMPILE_UTILITY
667 DEBUG(D_deliver)
668 {
669 debug_printf("Non-recipients:\n");
670 debug_print_tree(tree_nonrecipients);
671 }
672 #endif /* COMPILE_UTILITY */
673
674 /* After reading the tree, the next line has not yet been read into the
675 buffer. It contains the count of recipients which follow on separate lines.
676 Apply an arbitrary sanity check.*/
677
678 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
679 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
680 goto SPOOL_FORMAT_ERROR;
681
682 #ifndef COMPILE_UTILITY
683 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
684 #endif /* COMPILE_UTILITY */
685
686 recipients_list_max = rcount;
687 recipients_list = store_get(rcount * sizeof(recipient_item));
688
689 /* We sanitised the count and know we have enough memory, so disable
690 the Coverity error on recipients_count */
691 /* coverity[tainted_data] */
692
693 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
694 {
695 int nn;
696 int pno = -1;
697 int dsn_flags = 0;
698 uschar *orcpt = NULL;
699 uschar *errors_to = NULL;
700 uschar *p;
701
702 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
703 nn = Ustrlen(big_buffer);
704 if (nn < 2) goto SPOOL_FORMAT_ERROR;
705
706 /* Remove the newline; this terminates the address if there is no additional
707 data on the line. */
708
709 p = big_buffer + nn - 1;
710 *p-- = 0;
711
712 /* Look back from the end of the line for digits and special terminators.
713 Since an address must end with a domain, we can tell that extra data is
714 present by the presence of the terminator, which is always some character
715 that cannot exist in a domain. (If I'd thought of the need for additional
716 data early on, I'd have put it at the start, with the address at the end. As
717 it is, we have to operate backwards. Addresses are permitted to contain
718 spaces, you see.)
719
720 This code has to cope with various versions of this data that have evolved
721 over time. In all cases, the line might just contain an address, with no
722 additional data. Otherwise, the possibilities are as follows:
723
724 Exim 3 type: <address><space><digits>,<digits>,<digits>
725
726 The second set of digits is the parent number for one_time addresses. The
727 other values were remnants of earlier experiments that were abandoned.
728
729 Exim 4 first type: <address><space><digits>
730
731 The digits are the parent number for one_time addresses.
732
733 Exim 4 new type: <address><space><data>#<type bits>
734
735 The type bits indicate what the contents of the data are.
736
737 Bit 01 indicates that, reading from right to left, the data
738 ends with <errors_to address><space><len>,<pno> where pno is
739 the parent number for one_time addresses, and len is the length
740 of the errors_to address (zero meaning none).
741
742 Bit 02 indicates that, again reading from right to left, the data continues
743 with orcpt len(orcpt),dsn_flags
744 */
745
746 while (isdigit(*p)) p--;
747
748 /* Handle Exim 3 spool files */
749
750 if (*p == ',')
751 {
752 int dummy;
753 while (isdigit(*(--p)) || *p == ',');
754 if (*p == ' ')
755 {
756 *p++ = 0;
757 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
758 }
759 }
760
761 /* Handle early Exim 4 spool files */
762
763 else if (*p == ' ')
764 {
765 *p++ = 0;
766 (void)sscanf(CS p, "%d", &pno);
767 }
768
769 /* Handle current format Exim 4 spool files */
770
771 else if (*p == '#')
772 {
773 int flags;
774
775 #if !defined (COMPILE_UTILITY)
776 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
777 #endif
778
779 (void)sscanf(CS p+1, "%d", &flags);
780
781 if ((flags & 0x01) != 0) /* one_time data exists */
782 {
783 int len;
784 while (isdigit(*(--p)) || *p == ',' || *p == '-');
785 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
786 *p = 0;
787 if (len > 0)
788 {
789 p -= len;
790 errors_to = string_copy(p);
791 }
792 }
793
794 *(--p) = 0; /* Terminate address */
795 if ((flags & 0x02) != 0) /* one_time data exists */
796 {
797 int len;
798 while (isdigit(*(--p)) || *p == ',' || *p == '-');
799 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
800 *p = 0;
801 if (len > 0)
802 {
803 p -= len;
804 orcpt = string_copy(p);
805 }
806 }
807
808 *(--p) = 0; /* Terminate address */
809 }
810 #if !defined(COMPILE_UTILITY)
811 else
812 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
813
814 if ((orcpt != NULL) || (dsn_flags != 0))
815 {
816 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
817 big_buffer, orcpt, dsn_flags);
818 }
819 if (errors_to != NULL)
820 {
821 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
822 big_buffer, errors_to);
823 }
824 #endif
825
826 recipients_list[recipients_count].address = string_copy(big_buffer);
827 recipients_list[recipients_count].pno = pno;
828 recipients_list[recipients_count].errors_to = errors_to;
829 recipients_list[recipients_count].orcpt = orcpt;
830 recipients_list[recipients_count].dsn_flags = dsn_flags;
831 }
832
833 /* The remainder of the spool header file contains the headers for the message,
834 separated off from the previous data by a blank line. Each header is preceded
835 by a count of its length and either a certain letter (for various identified
836 headers), space (for a miscellaneous live header) or an asterisk (for a header
837 that has been rewritten). Count the Received: headers. We read the headers
838 always, in order to check on the format of the file, but only create a header
839 list if requested to do so. */
840
841 inheader = TRUE;
842 if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
843 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
844
845 while ((n = fgetc(f)) != EOF)
846 {
847 header_line *h;
848 uschar flag[4];
849 int i;
850
851 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
852 if(ungetc(n, f) == EOF || fscanf(f, "%d%c ", &n, flag) == EOF)
853 goto SPOOL_READ_ERROR;
854 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
855
856 if (read_headers)
857 {
858 h = store_get(sizeof(header_line));
859 h->next = NULL;
860 h->type = flag[0];
861 h->slen = n;
862 h->text = store_get(n+1);
863
864 if (h->type == htype_received) received_count++;
865
866 if (header_list == NULL) header_list = h;
867 else header_last->next = h;
868 header_last = h;
869
870 for (i = 0; i < n; i++)
871 {
872 int c = fgetc(f);
873 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
874 if (c == '\n' && h->type != htype_old) message_linecount++;
875 h->text[i] = c;
876 }
877 h->text[i] = 0;
878 }
879
880 /* Not requiring header data, just skip through the bytes */
881
882 else for (i = 0; i < n; i++)
883 {
884 int c = fgetc(f);
885 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
886 }
887 }
888
889 /* We have successfully read the data in the header file. Update the message
890 line count by adding the body linecount to the header linecount. Close the file
891 and give a positive response. */
892
893 #ifndef COMPILE_UTILITY
894 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
895 body_linecount, message_linecount);
896 #endif /* COMPILE_UTILITY */
897
898 message_linecount += body_linecount;
899
900 fclose(f);
901 return spool_read_OK;
902
903
904 /* There was an error reading the spool or there was missing data,
905 or there was a format error. A "read error" with no errno means an
906 unexpected EOF, which we treat as a format error. */
907
908 SPOOL_READ_ERROR:
909 if (errno != 0)
910 {
911 n = errno;
912
913 #ifndef COMPILE_UTILITY
914 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
915 #endif /* COMPILE_UTILITY */
916
917 fclose(f);
918 errno = n;
919 return inheader? spool_read_hdrerror : spool_read_enverror;
920 }
921
922 SPOOL_FORMAT_ERROR:
923
924 #ifndef COMPILE_UTILITY
925 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
926 #endif /* COMPILE_UTILITY */
927
928 fclose(f);
929 errno = ERRNO_SPOOLFORMAT;
930 return inheader? spool_read_hdrerror : spool_read_enverror;
931 }
932
933 /* vi: aw ai sw=2
934 */
935 /* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.