projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
TLS: add variables for the IETF standard name for the connection ciphersuite
[exim.git] / src / src / spool_in.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for reading spool files. When compiling for a utility (eximon),
9 not all are needed, and some functionality can be cut out. */
10
11
12 #include "exim.h"
13
14
15
16 #ifndef COMPILE_UTILITY
17 /*************************************************
18 * Open and lock data file *
19 *************************************************/
20
21 /* The data file is the one that is used for locking, because the header file
22 can get replaced during delivery because of header rewriting. The file has
23 to opened with write access so that we can get an exclusive lock, but in
24 fact it won't be written to. Just in case there's a major disaster (e.g.
25 overwriting some other file descriptor with the value of this one), open it
26 with append.
27
28 As called by deliver_message() (at least) we are operating as root.
29
30 Argument: the id of the message
31 Returns: fd if file successfully opened and locked, else -1
32
33 Side effect: message_subdir is set for the (possibly split) spool directory
34 */
35
36 int
37 spool_open_datafile(uschar *id)
38 {
39 struct stat statbuf;
40 flock_t lock_data;
41 int fd;
42
43 /* If split_spool_directory is set, first look for the file in the appropriate
44 sub-directory of the input directory. If it is not found there, try the input
45 directory itself, to pick up leftovers from before the splitting. If split_
46 spool_directory is not set, first look in the main input directory. If it is
47 not found there, try the split sub-directory, in case it is left over from a
48 splitting state. */
49
50 for (int i = 0; i < 2; i++)
51 {
52 uschar * fname;
53 int save_errno;
54
55 message_subdir[0] = split_spool_directory == i ? '\0' : id[5];
56 fname = spool_fname(US"input", message_subdir, id, US"-D");
57 DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
58
59 /* We protect against symlink attacks both in not propagating the
60 * file-descriptor to other processes as we exec, and also ensuring that we
61 * don't even open symlinks.
62 * No -D file inside the spool area should be a symlink.
63 */
64 if ((fd = Uopen(fname,
65 #ifdef O_CLOEXEC
66 O_CLOEXEC |
67 #endif
68 #ifdef O_NOFOLLOW
69 O_NOFOLLOW |
70 #endif
71 O_RDWR | O_APPEND, 0)) >= 0)
72 break;
73 save_errno = errno;
74 if (errno == ENOENT)
75 {
76 if (i == 0) continue;
77 if (!f.queue_running)
78 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
79 *queue_name ? US" Q=" : US"",
80 *queue_name ? queue_name : US"",
81 id);
82 }
83 else
84 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
85 errno = save_errno;
86 return -1;
87 }
88
89 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
90 the file. We lock only the first line of the file (containing the message ID)
91 because this apparently is needed for running Exim under Cygwin. If the entire
92 file is locked in one process, a sub-process cannot access it, even when passed
93 an open file descriptor (at least, I think that's the Cygwin story). On real
94 Unix systems it doesn't make any difference as long as Exim is consistent in
95 what it locks. */
96
97 #ifndef O_CLOEXEC
98 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
99 #endif
100
101 lock_data.l_type = F_WRLCK;
102 lock_data.l_whence = SEEK_SET;
103 lock_data.l_start = 0;
104 lock_data.l_len = SPOOL_DATA_START_OFFSET;
105
106 if (fcntl(fd, F_SETLK, &lock_data) < 0)
107 {
108 log_write(L_skip_delivery,
109 LOG_MAIN,
110 "Spool file is locked (another process is handling this message)");
111 (void)close(fd);
112 errno = 0;
113 return -1;
114 }
115
116 /* Get the size of the data; don't include the leading filename line
117 in the count, but add one for the newline before the data. */
118
119 if (fstat(fd, &statbuf) == 0)
120 {
121 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
122 message_size = message_body_size + 1;
123 }
124
125 return fd;
126 }
127 #endif /* COMPILE_UTILITY */
128
129
130
131 /*************************************************
132 * Read non-recipients tree from spool file *
133 *************************************************/
134
135 /* The tree of non-recipients is written to the spool file in a form that
136 makes it easy to read back into a tree. The format is as follows:
137
138 . Each node is preceded by two letter(Y/N) indicating whether it has left
139 or right children. There's one space after the two flags, before the name.
140
141 . The left subtree (if any) then follows, then the right subtree (if any).
142
143 This function is entered with the next input line in the buffer. Note we must
144 save the right flag before recursing with the same buffer.
145
146 Once the tree is read, we re-construct the balance fields by scanning the tree.
147 I forgot to write them out originally, and the compatible fix is to do it this
148 way. This initial local recursing function does the necessary.
149
150 Arguments:
151 node tree node
152
153 Returns: maximum depth below the node, including the node itself
154 */
155
156 static int
157 count_below(tree_node *node)
158 {
159 int nleft, nright;
160 if (node == NULL) return 0;
161 nleft = count_below(node->left);
162 nright = count_below(node->right);
163 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
164 return 1 + ((nleft > nright)? nleft : nright);
165 }
166
167 /* This is the real function...
168
169 Arguments:
170 connect pointer to the root of the tree
171 f FILE to read data from
172 buffer contains next input line; further lines read into it
173 buffer_size size of the buffer
174
175 Returns: FALSE on format error
176 */
177
178 static BOOL
179 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
180 int buffer_size)
181 {
182 tree_node *node;
183 int n = Ustrlen(buffer);
184 BOOL right = buffer[1] == 'Y';
185
186 if (n < 5) return FALSE; /* malformed line */
187 buffer[n-1] = 0; /* Remove \n */
188 node = store_get(sizeof(tree_node) + n - 3);
189 *connect = node;
190 Ustrcpy(node->name, buffer + 3);
191 node->data.ptr = NULL;
192
193 if (buffer[0] == 'Y')
194 {
195 if (Ufgets(buffer, buffer_size, f) == NULL ||
196 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
197 return FALSE;
198 }
199 else node->left = NULL;
200
201 if (right)
202 {
203 if (Ufgets(buffer, buffer_size, f) == NULL ||
204 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
205 return FALSE;
206 }
207 else node->right = NULL;
208
209 (void) count_below(*connect);
210 return TRUE;
211 }
212
213
214
215
216 /* Reset all the global variables to their default values. However, there is
217 one exception. DO NOT change the default value of dont_deliver, because it may
218 be forced by an external setting. */
219
220 void
221 spool_clear_header_globals(void)
222 {
223 acl_var_c = acl_var_m = NULL;
224 authenticated_id = NULL;
225 authenticated_sender = NULL;
226 f.allow_unqualified_recipient = FALSE;
227 f.allow_unqualified_sender = FALSE;
228 body_linecount = 0;
229 body_zerocount = 0;
230 f.deliver_firsttime = FALSE;
231 f.deliver_freeze = FALSE;
232 deliver_frozen_at = 0;
233 f.deliver_manual_thaw = FALSE;
234 /* f.dont_deliver must NOT be reset */
235 header_list = header_last = NULL;
236 host_lookup_deferred = FALSE;
237 host_lookup_failed = FALSE;
238 interface_address = NULL;
239 interface_port = 0;
240 f.local_error_message = FALSE;
241 #ifdef HAVE_LOCAL_SCAN
242 local_scan_data = NULL;
243 #endif
244 max_received_linelength = 0;
245 message_linecount = 0;
246 received_protocol = NULL;
247 received_count = 0;
248 recipients_list = NULL;
249 sender_address = NULL;
250 sender_fullhost = NULL;
251 sender_helo_name = NULL;
252 sender_host_address = NULL;
253 sender_host_name = NULL;
254 sender_host_port = 0;
255 sender_host_authenticated = NULL;
256 sender_ident = NULL;
257 f.sender_local = FALSE;
258 f.sender_set_untrusted = FALSE;
259 smtp_active_hostname = primary_hostname;
260 #ifndef COMPILE_UTILITY
261 f.spool_file_wireformat = FALSE;
262 #endif
263 tree_nonrecipients = NULL;
264
265 #ifdef EXPERIMENTAL_BRIGHTMAIL
266 bmi_run = 0;
267 bmi_verdicts = NULL;
268 #endif
269
270 #ifndef DISABLE_DKIM
271 dkim_signers = NULL;
272 f.dkim_disable_verify = FALSE;
273 dkim_collect_input = 0;
274 #endif
275
276 #ifdef SUPPORT_TLS
277 tls_in.certificate_verified = FALSE;
278 # ifdef SUPPORT_DANE
279 tls_in.dane_verified = FALSE;
280 # endif
281 tls_in.cipher = NULL;
282 # ifndef COMPILE_UTILITY /* tls support fns not built in */
283 tls_free_cert(&tls_in.ourcert);
284 tls_free_cert(&tls_in.peercert);
285 # endif
286 tls_in.peerdn = NULL;
287 tls_in.sni = NULL;
288 tls_in.ocsp = OCSP_NOT_REQ;
289 # if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
290 tls_requiretls = 0;
291 # endif
292 #endif
293
294 #ifdef WITH_CONTENT_SCAN
295 spam_bar = NULL;
296 spam_score = NULL;
297 spam_score_int = NULL;
298 #endif
299
300 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
301 message_smtputf8 = FALSE;
302 message_utf8_downconvert = 0;
303 #endif
304
305 dsn_ret = 0;
306 dsn_envid = NULL;
307 }
308
309
310 /*************************************************
311 * Read spool header file *
312 *************************************************/
313
314 /* This function reads a spool header file and places the data into the
315 appropriate global variables. The header portion is always read, but header
316 structures are built only if read_headers is set true. It isn't, for example,
317 while generating -bp output.
318
319 It may be possible for blocks of nulls (binary zeroes) to get written on the
320 end of a file if there is a system crash during writing. It was observed on an
321 earlier version of Exim that omitted to fsync() the files - this is thought to
322 have been the cause of that incident, but in any case, this code must be robust
323 against such an event, and if such a file is encountered, it must be treated as
324 malformed.
325
326 As called from deliver_message() (at least) we are running as root.
327
328 Arguments:
329 name name of the header file, including the -H
330 read_headers TRUE if in-store header structures are to be built
331 subdir_set TRUE is message_subdir is already set
332
333 Returns: spool_read_OK success
334 spool_read_notopen open failed
335 spool_read_enverror error in the envelope portion
336 spool_read_hdrerror error in the header portion
337 */
338
339 int
340 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
341 {
342 FILE * fp = NULL;
343 int n;
344 int rcount = 0;
345 long int uid, gid;
346 BOOL inheader = FALSE;
347 uschar *p;
348
349 /* Reset all the global variables to their default values. However, there is
350 one exception. DO NOT change the default value of dont_deliver, because it may
351 be forced by an external setting. */
352
353 spool_clear_header_globals();
354
355 /* Generate the full name and open the file. If message_subdir is already
356 set, just look in the given directory. Otherwise, look in both the split
357 and unsplit directories, as for the data file above. */
358
359 for (int n = 0; n < 2; n++)
360 {
361 if (!subdir_set)
362 message_subdir[0] = split_spool_directory == (n == 0) ? name[5] : 0;
363
364 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
365 break;
366 if (n != 0 || subdir_set || errno != ENOENT)
367 return spool_read_notopen;
368 }
369
370 errno = 0;
371
372 #ifndef COMPILE_UTILITY
373 DEBUG(D_deliver) debug_printf("reading spool file %s\n", name);
374 #endif /* COMPILE_UTILITY */
375
376 /* The first line of a spool file contains the message id followed by -H (i.e.
377 the file name), in order to make the file self-identifying. */
378
379 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
380 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
381 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
382 goto SPOOL_FORMAT_ERROR;
383
384 /* The next three lines in the header file are in a fixed format. The first
385 contains the login, uid, and gid of the user who caused the file to be written.
386 There are known cases where a negative gid is used, so we allow for both
387 negative uids and gids. The second contains the mail address of the message's
388 sender, enclosed in <>. The third contains the time the message was received,
389 and the number of warning messages for delivery delays that have been sent. */
390
391 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
392
393 p = big_buffer + Ustrlen(big_buffer);
394 while (p > big_buffer && isspace(p[-1])) p--;
395 *p = 0;
396 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
397 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
398 gid = Uatoi(p);
399 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
400 *p = 0;
401 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
402 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
403 uid = Uatoi(p);
404 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
405 *p = 0;
406
407 originator_login = string_copy(big_buffer);
408 originator_uid = (uid_t)uid;
409 originator_gid = (gid_t)gid;
410
411 /* envelope from */
412 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
413 n = Ustrlen(big_buffer);
414 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
415 goto SPOOL_FORMAT_ERROR;
416
417 sender_address = store_get(n-2);
418 Ustrncpy(sender_address, big_buffer+1, n-3);
419 sender_address[n-3] = 0;
420
421 /* time */
422 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
423 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
424 goto SPOOL_FORMAT_ERROR;
425 received_time.tv_usec = 0;
426
427 message_age = time(NULL) - received_time.tv_sec;
428
429 #ifndef COMPILE_UTILITY
430 DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
431 originator_login, (long int)originator_uid, (long int)originator_gid,
432 sender_address);
433 #endif /* COMPILE_UTILITY */
434
435 /* Now there may be a number of optional lines, each starting with "-". If you
436 add a new setting here, make sure you set the default above.
437
438 Because there are now quite a number of different possibilities, we use a
439 switch on the first character to avoid too many failing tests. Thanks to Nico
440 Erfurth for the patch that implemented this. I have made it even more efficient
441 by not re-scanning the first two characters.
442
443 To allow new versions of Exim that add additional flags to interwork with older
444 versions that do not understand them, just ignore any lines starting with "-"
445 that we don't recognize. Otherwise it wouldn't be possible to back off a new
446 version that left new-style flags written on the spool. */
447
448 p = big_buffer + 2;
449 for (;;)
450 {
451 int len;
452 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
453 if (big_buffer[0] != '-') break;
454 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
455 && big_buffer[len-1] != '\n'
456 )
457 { /* buffer not big enough for line; certs make this possible */
458 uschar * buf;
459 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
460 buf = store_get_perm(big_buffer_size *= 2);
461 memcpy(buf, big_buffer, --len);
462 big_buffer = buf;
463 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
464 goto SPOOL_READ_ERROR;
465 }
466 big_buffer[len-1] = 0;
467
468 switch(big_buffer[1])
469 {
470 case 'a':
471
472 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
473 variable, because Exim allows any number of them, with arbitrary names.
474 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
475 the c or m. */
476
477 if (Ustrncmp(p, "clc ", 4) == 0 ||
478 Ustrncmp(p, "clm ", 4) == 0)
479 {
480 uschar *name, *endptr;
481 int count;
482 tree_node *node;
483 endptr = Ustrchr(big_buffer + 6, ' ');
484 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
485 name = string_sprintf("%c%.*s", big_buffer[4],
486 (int)(endptr - big_buffer - 6), big_buffer + 6);
487 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
488 node = acl_var_create(name);
489 node->data.ptr = store_get(count + 1);
490 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
491 ((uschar*)node->data.ptr)[count] = 0;
492 }
493
494 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
495 f.allow_unqualified_recipient = TRUE;
496 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
497 f.allow_unqualified_sender = TRUE;
498
499 else if (Ustrncmp(p, "uth_id", 6) == 0)
500 authenticated_id = string_copy(big_buffer + 9);
501 else if (Ustrncmp(p, "uth_sender", 10) == 0)
502 authenticated_sender = string_copy(big_buffer + 13);
503 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
504 smtp_active_hostname = string_copy(big_buffer + 17);
505
506 /* For long-term backward compatibility, we recognize "-acl", which was
507 used before the number of ACL variables changed from 10 to 20. This was
508 before the subsequent change to an arbitrary number of named variables.
509 This code is retained so that upgrades from very old versions can still
510 handle old-format spool files. The value given after "-acl" is a number
511 that is 0-9 for connection variables, and 10-19 for message variables. */
512
513 else if (Ustrncmp(p, "cl ", 3) == 0)
514 {
515 unsigned index, count;
516 uschar name[20]; /* Need plenty of space for %u format */
517 tree_node * node;
518 if ( sscanf(CS big_buffer + 5, "%u %u", &index, &count) != 2
519 || index >= 20
520 || count > 16384 /* arbitrary limit on variable size */
521 )
522 goto SPOOL_FORMAT_ERROR;
523 if (index < 10)
524 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
525 else
526 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
527 node = acl_var_create(name);
528 node->data.ptr = store_get(count + 1);
529 /* We sanity-checked the count, so disable the Coverity error */
530 /* coverity[tainted_data] */
531 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
532 (US node->data.ptr)[count] = '\0';
533 }
534 break;
535
536 case 'b':
537 if (Ustrncmp(p, "ody_linecount", 13) == 0)
538 body_linecount = Uatoi(big_buffer + 15);
539 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
540 body_zerocount = Uatoi(big_buffer + 15);
541 #ifdef EXPERIMENTAL_BRIGHTMAIL
542 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
543 bmi_verdicts = string_copy(big_buffer + 14);
544 #endif
545 break;
546
547 case 'd':
548 if (Ustrcmp(p, "eliver_firsttime") == 0)
549 f.deliver_firsttime = TRUE;
550 /* Check if the dsn flags have been set in the header file */
551 else if (Ustrncmp(p, "sn_ret", 6) == 0)
552 dsn_ret= atoi(CS big_buffer + 8);
553 else if (Ustrncmp(p, "sn_envid", 8) == 0)
554 dsn_envid = string_copy(big_buffer + 11);
555 break;
556
557 case 'f':
558 if (Ustrncmp(p, "rozen", 5) == 0)
559 {
560 f.deliver_freeze = TRUE;
561 if (sscanf(CS big_buffer+7, TIME_T_FMT, &deliver_frozen_at) != 1)
562 goto SPOOL_READ_ERROR;
563 }
564 break;
565
566 case 'h':
567 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
568 host_lookup_deferred = TRUE;
569 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
570 host_lookup_failed = TRUE;
571 else if (Ustrncmp(p, "ost_auth", 8) == 0)
572 sender_host_authenticated = string_copy(big_buffer + 11);
573 else if (Ustrncmp(p, "ost_name", 8) == 0)
574 sender_host_name = string_copy(big_buffer + 11);
575 else if (Ustrncmp(p, "elo_name", 8) == 0)
576 sender_helo_name = string_copy(big_buffer + 11);
577
578 /* We now record the port number after the address, separated by a
579 dot. For compatibility during upgrading, do nothing if there
580 isn't a value (it gets left at zero). */
581
582 else if (Ustrncmp(p, "ost_address", 11) == 0)
583 {
584 sender_host_port = host_address_extract_port(big_buffer + 14);
585 sender_host_address = string_copy(big_buffer + 14);
586 }
587 break;
588
589 case 'i':
590 if (Ustrncmp(p, "nterface_address", 16) == 0)
591 {
592 interface_port = host_address_extract_port(big_buffer + 19);
593 interface_address = string_copy(big_buffer + 19);
594 }
595 else if (Ustrncmp(p, "dent", 4) == 0)
596 sender_ident = string_copy(big_buffer + 7);
597 break;
598
599 case 'l':
600 if (Ustrcmp(p, "ocal") == 0)
601 f.sender_local = TRUE;
602 else if (Ustrcmp(big_buffer, "-localerror") == 0)
603 f.local_error_message = TRUE;
604 #ifdef HAVE_LOCAL_SCAN
605 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
606 local_scan_data = string_copy(big_buffer + 12);
607 #endif
608 break;
609
610 case 'm':
611 if (Ustrcmp(p, "anual_thaw") == 0) f.deliver_manual_thaw = TRUE;
612 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
613 max_received_linelength = Uatoi(big_buffer + 24);
614 break;
615
616 case 'N':
617 if (*p == 0) f.dont_deliver = TRUE; /* -N */
618 break;
619
620 case 'r':
621 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
622 received_protocol = string_copy(big_buffer + 19);
623 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
624 {
625 unsigned usec;
626 if (sscanf(CS big_buffer + 21, "%u", &usec) == 1)
627 received_time.tv_usec = usec;
628 }
629 break;
630
631 case 's':
632 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
633 f.sender_set_untrusted = TRUE;
634 #ifdef WITH_CONTENT_SCAN
635 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
636 spam_bar = string_copy(big_buffer + 10);
637 else if (Ustrncmp(p, "pam_score ", 10) == 0)
638 spam_score = string_copy(big_buffer + 12);
639 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
640 spam_score_int = string_copy(big_buffer + 16);
641 #endif
642 #ifndef COMPILE_UTILITY
643 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
644 f.spool_file_wireformat = TRUE;
645 #endif
646 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
647 else if (Ustrncmp(p, "mtputf8", 7) == 0)
648 message_smtputf8 = TRUE;
649 #endif
650 break;
651
652 #ifdef SUPPORT_TLS
653 case 't':
654 if (Ustrncmp(p, "ls_", 3) == 0)
655 {
656 uschar * q = p + 3;
657 if (Ustrncmp(q, "certificate_verified", 20) == 0)
658 tls_in.certificate_verified = TRUE;
659 else if (Ustrncmp(q, "cipher", 6) == 0)
660 tls_in.cipher = string_copy(big_buffer + 12);
661 # ifndef COMPILE_UTILITY /* tls support fns not built in */
662 else if (Ustrncmp(q, "ourcert", 7) == 0)
663 (void) tls_import_cert(big_buffer + 13, &tls_in.ourcert);
664 else if (Ustrncmp(q, "peercert", 8) == 0)
665 (void) tls_import_cert(big_buffer + 14, &tls_in.peercert);
666 # endif
667 else if (Ustrncmp(q, "peerdn", 6) == 0)
668 tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
669 else if (Ustrncmp(q, "sni", 3) == 0)
670 tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
671 else if (Ustrncmp(q, "ocsp", 4) == 0)
672 tls_in.ocsp = big_buffer[10] - '0';
673 # if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
674 else if (Ustrncmp(q, "requiretls", 10) == 0)
675 tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
676 # endif
677 }
678 break;
679 #endif
680
681 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
682 case 'u':
683 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
684 message_utf8_downconvert = 1;
685 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
686 message_utf8_downconvert = -1;
687 break;
688 #endif
689
690 default: /* Present because some compilers complain if all */
691 break; /* possibilities are not covered. */
692 }
693 }
694
695 /* Build sender_fullhost if required */
696
697 #ifndef COMPILE_UTILITY
698 host_build_sender_fullhost();
699 #endif /* COMPILE_UTILITY */
700
701 #ifndef COMPILE_UTILITY
702 DEBUG(D_deliver)
703 debug_printf("sender_local=%d ident=%s\n", f.sender_local,
704 (sender_ident == NULL)? US"unset" : sender_ident);
705 #endif /* COMPILE_UTILITY */
706
707 /* We now have the tree of addresses NOT to deliver to, or a line
708 containing "XX", indicating no tree. */
709
710 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
711 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
712 goto SPOOL_FORMAT_ERROR;
713
714 #ifndef COMPILE_UTILITY
715 DEBUG(D_deliver)
716 {
717 debug_printf("Non-recipients:\n");
718 debug_print_tree(tree_nonrecipients);
719 }
720 #endif /* COMPILE_UTILITY */
721
722 /* After reading the tree, the next line has not yet been read into the
723 buffer. It contains the count of recipients which follow on separate lines.
724 Apply an arbitrary sanity check.*/
725
726 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
727 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
728 goto SPOOL_FORMAT_ERROR;
729
730 #ifndef COMPILE_UTILITY
731 DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
732 #endif /* COMPILE_UTILITY */
733
734 recipients_list_max = rcount;
735 recipients_list = store_get(rcount * sizeof(recipient_item));
736
737 /* We sanitised the count and know we have enough memory, so disable
738 the Coverity error on recipients_count */
739 /* coverity[tainted_data] */
740
741 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
742 {
743 int nn;
744 int pno = -1;
745 int dsn_flags = 0;
746 uschar *orcpt = NULL;
747 uschar *errors_to = NULL;
748 uschar *p;
749
750 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
751 nn = Ustrlen(big_buffer);
752 if (nn < 2) goto SPOOL_FORMAT_ERROR;
753
754 /* Remove the newline; this terminates the address if there is no additional
755 data on the line. */
756
757 p = big_buffer + nn - 1;
758 *p-- = 0;
759
760 /* Look back from the end of the line for digits and special terminators.
761 Since an address must end with a domain, we can tell that extra data is
762 present by the presence of the terminator, which is always some character
763 that cannot exist in a domain. (If I'd thought of the need for additional
764 data early on, I'd have put it at the start, with the address at the end. As
765 it is, we have to operate backwards. Addresses are permitted to contain
766 spaces, you see.)
767
768 This code has to cope with various versions of this data that have evolved
769 over time. In all cases, the line might just contain an address, with no
770 additional data. Otherwise, the possibilities are as follows:
771
772 Exim 3 type: <address><space><digits>,<digits>,<digits>
773
774 The second set of digits is the parent number for one_time addresses. The
775 other values were remnants of earlier experiments that were abandoned.
776
777 Exim 4 first type: <address><space><digits>
778
779 The digits are the parent number for one_time addresses.
780
781 Exim 4 new type: <address><space><data>#<type bits>
782
783 The type bits indicate what the contents of the data are.
784
785 Bit 01 indicates that, reading from right to left, the data
786 ends with <errors_to address><space><len>,<pno> where pno is
787 the parent number for one_time addresses, and len is the length
788 of the errors_to address (zero meaning none).
789
790 Bit 02 indicates that, again reading from right to left, the data continues
791 with orcpt len(orcpt),dsn_flags
792 */
793
794 while (isdigit(*p)) p--;
795
796 /* Handle Exim 3 spool files */
797
798 if (*p == ',')
799 {
800 int dummy;
801 while (isdigit(*(--p)) || *p == ',');
802 if (*p == ' ')
803 {
804 *p++ = 0;
805 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
806 }
807 }
808
809 /* Handle early Exim 4 spool files */
810
811 else if (*p == ' ')
812 {
813 *p++ = 0;
814 (void)sscanf(CS p, "%d", &pno);
815 }
816
817 /* Handle current format Exim 4 spool files */
818
819 else if (*p == '#')
820 {
821 int flags;
822
823 #if !defined (COMPILE_UTILITY)
824 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 4 standard format spoolfile\n");
825 #endif
826
827 (void)sscanf(CS p+1, "%d", &flags);
828
829 if ((flags & 0x01) != 0) /* one_time data exists */
830 {
831 int len;
832 while (isdigit(*(--p)) || *p == ',' || *p == '-');
833 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
834 *p = 0;
835 if (len > 0)
836 {
837 p -= len;
838 errors_to = string_copy(p);
839 }
840 }
841
842 *(--p) = 0; /* Terminate address */
843 if ((flags & 0x02) != 0) /* one_time data exists */
844 {
845 int len;
846 while (isdigit(*(--p)) || *p == ',' || *p == '-');
847 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
848 *p = 0;
849 if (len > 0)
850 {
851 p -= len;
852 orcpt = string_copy(p);
853 }
854 }
855
856 *(--p) = 0; /* Terminate address */
857 }
858 #if !defined(COMPILE_UTILITY)
859 else
860 { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); }
861
862 if ((orcpt != NULL) || (dsn_flags != 0))
863 {
864 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| orcpt: |%s| dsn_flags: %d\n",
865 big_buffer, orcpt, dsn_flags);
866 }
867 if (errors_to != NULL)
868 {
869 DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: |%s| errorsto: |%s|\n",
870 big_buffer, errors_to);
871 }
872 #endif
873
874 recipients_list[recipients_count].address = string_copy(big_buffer);
875 recipients_list[recipients_count].pno = pno;
876 recipients_list[recipients_count].errors_to = errors_to;
877 recipients_list[recipients_count].orcpt = orcpt;
878 recipients_list[recipients_count].dsn_flags = dsn_flags;
879 }
880
881 /* The remainder of the spool header file contains the headers for the message,
882 separated off from the previous data by a blank line. Each header is preceded
883 by a count of its length and either a certain letter (for various identified
884 headers), space (for a miscellaneous live header) or an asterisk (for a header
885 that has been rewritten). Count the Received: headers. We read the headers
886 always, in order to check on the format of the file, but only create a header
887 list if requested to do so. */
888
889 inheader = TRUE;
890 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
891 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
892
893 while ((n = fgetc(fp)) != EOF)
894 {
895 header_line *h;
896 uschar flag[4];
897 int i;
898
899 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
900 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
901 goto SPOOL_READ_ERROR;
902 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
903
904 if (read_headers)
905 {
906 h = store_get(sizeof(header_line));
907 h->next = NULL;
908 h->type = flag[0];
909 h->slen = n;
910 h->text = store_get(n+1);
911
912 if (h->type == htype_received) received_count++;
913
914 if (header_list == NULL) header_list = h;
915 else header_last->next = h;
916 header_last = h;
917
918 for (i = 0; i < n; i++)
919 {
920 int c = fgetc(fp);
921 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
922 if (c == '\n' && h->type != htype_old) message_linecount++;
923 h->text[i] = c;
924 }
925 h->text[i] = 0;
926 }
927
928 /* Not requiring header data, just skip through the bytes */
929
930 else for (i = 0; i < n; i++)
931 {
932 int c = fgetc(fp);
933 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
934 }
935 }
936
937 /* We have successfully read the data in the header file. Update the message
938 line count by adding the body linecount to the header linecount. Close the file
939 and give a positive response. */
940
941 #ifndef COMPILE_UTILITY
942 DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n",
943 body_linecount, message_linecount);
944 #endif /* COMPILE_UTILITY */
945
946 message_linecount += body_linecount;
947
948 fclose(fp);
949 return spool_read_OK;
950
951
952 /* There was an error reading the spool or there was missing data,
953 or there was a format error. A "read error" with no errno means an
954 unexpected EOF, which we treat as a format error. */
955
956 SPOOL_READ_ERROR:
957 if (errno != 0)
958 {
959 n = errno;
960
961 #ifndef COMPILE_UTILITY
962 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
963 #endif /* COMPILE_UTILITY */
964
965 fclose(fp);
966 errno = n;
967 return inheader? spool_read_hdrerror : spool_read_enverror;
968 }
969
970 SPOOL_FORMAT_ERROR:
971
972 #ifndef COMPILE_UTILITY
973 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
974 #endif /* COMPILE_UTILITY */
975
976 fclose(fp);
977 errno = ERRNO_SPOOLFORMAT;
978 return inheader? spool_read_hdrerror : spool_read_enverror;
979 }
980
981 /* vi: aw ai sw=2
982 */
983 /* End of spool_in.c */
Unnamed repository; edit this file 'description' to name the repository.