directory if it does not exist. From release 4.21, normal message logs should
be created when the message is received.
+Called from deliver_message(), can be operating as root.
+
Argument:
filename the file name
mode the mode required
static int
open_msglog_file(uschar *filename, int mode, uschar **error)
{
-int fd = Uopen(filename, O_WRONLY|O_APPEND|O_CREAT, mode);
+int fd, i;
-if (fd < 0 && errno == ENOENT)
+for (i = 2; i > 0; i--)
{
+ fd = Uopen(filename,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+#ifdef O_NOFOLLOW
+ O_NOFOLLOW |
+#endif
+ O_WRONLY|O_APPEND|O_CREAT, mode);
+ if (fd >= 0)
+ {
+ /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
+ function is called as root). Double check the mode, because the group setting
+ doesn't always get set automatically. */
+
+#ifndef O_CLOEXEC
+ (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
+ if (fchown(fd, exim_uid, exim_gid) < 0)
+ {
+ *error = US"chown";
+ return -1;
+ }
+ if (fchmod(fd, mode) < 0)
+ {
+ *error = US"chmod";
+ return -1;
+ }
+ return fd;
+ }
+ if (errno != ENOENT)
+ break;
+
(void)directory_make(spool_directory,
spool_sname(US"msglog", message_subdir),
MSGLOG_DIRECTORY_MODE, TRUE);
- fd = Uopen(filename, O_WRONLY|O_APPEND|O_CREAT, mode);
- }
-
-/* Set the close-on-exec flag and change the owner to the exim uid/gid (this
-function is called as root). Double check the mode, because the group setting
-doesn't always get set automatically. */
-
-if (fd >= 0)
- {
- (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
- if (fchown(fd, exim_uid, exim_gid) < 0)
- {
- *error = US"chown";
- return -1;
- }
- if (fchmod(fd, mode) < 0)
- {
- *error = US"chmod";
- return -1;
- }
}
-else *error = US"create";
-return fd;
+*error = US"create";
+return -1;
}
while (addr->parent)
{
addr = addr->parent;
- if ((addr->child_count -= 1) > 0) return; /* Incomplete parent */
+ if (--addr->child_count > 0) return; /* Incomplete parent */
address_done(addr, now);
/* Log the completion of all descendents only when there is no ancestor with
/* We start with just the local part for pipe, file, and reply deliveries, and
for successful local deliveries from routers that have the log_as_local flag
set. File deliveries from filters can be specified as non-absolute paths in
-cases where the transport is goin to complete the path. If there is an error
+cases where the transport is going to complete the path. If there is an error
before this happens (expansion failure) the local part will not be updated, and
so won't necessarily look like a path. Add extra text for this case. */
)
)
)
- log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s\n",
+ log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
ret == -1 ? strerror(errno) : "short write");
/* Now any messages */
if( (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
|| message_length > 0 && (ret = write(pfd[pipe_write], s, message_length)) != message_length
)
- log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s\n",
+ log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
ret == -1 ? strerror(errno) : "short write");
}
}
for (addr2 = addr; addr2; addr2 = addr2->next)
{
- len = read(pfd[pipe_read], &status, sizeof(int));
- if (len > 0)
+ if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
{
int i;
uschar **sptr;
if (testflag(addr2, af_file))
{
- int local_part_length;
- len = read(pfd[pipe_read], &local_part_length, sizeof(int));
- len = read(pfd[pipe_read], big_buffer, local_part_length);
- big_buffer[local_part_length] = 0;
+ int llen;
+ if ( read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
+ || llen > 64*4 /* limit from rfc 5821, times I18N factor */
+ )
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
+ " from delivery subprocess");
+ break;
+ }
+ /* sanity-checked llen so disable the Coverity error */
+ /* coverity[tainted_data] */
+ if (read(pfd[pipe_read], big_buffer, llen) != llen)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
+ " from delivery subprocess");
+ break;
+ }
+ big_buffer[llen] = 0;
addr2->local_part = string_copy(big_buffer);
}
addr3 = store_get(sizeof(address_item));
*addr3 = *addr2;
addr3->next = NULL;
- addr3->shadow_message = (uschar *) &(addr2->shadow_message);
+ addr3->shadow_message = US &addr2->shadow_message;
addr3->transport = stp;
addr3->transport_return = DEFER;
addr3->return_filename = NULL;
addr3->return_file = -1;
*last = addr3;
- last = &(addr3->next);
+ last = &addr3->next;
}
/* If we found any addresses to shadow, run the delivery, and stick any
uschar *ptr = endptr;
uschar *msg = p->msg;
BOOL done = p->done;
-BOOL unfinished = TRUE;
+BOOL finished = FALSE;
/* minimum size to read is header size including id, subid and length */
int required = PIPE_HEADER_SIZE;
There will be only one read if we get all the available data (i.e. don't
fill the buffer completely). */
- if (remaining < required && unfinished)
+ if (remaining < required && !finished)
{
int len;
int available = big_buffer_size - remaining;
/* If the length is zero (eof or no-more-data), just process what we
already have. Note that if the process is still running and we have
read all the data in the pipe (but less that "available") then we
- won't read any more, as "unfinished" will get set FALSE. */
+ won't read any more, as "finished" will get set. */
endptr += len;
remaining += len;
- unfinished = len == available;
+ finished = len != available;
}
/* If we are at the end of the available data, exit the loop. */
}
DEBUG(D_deliver)
- debug_printf("header read id:%c,subid:%c,size:%s,required:%d,remaining:%d,unfinished:%d\n",
- id, subid, header+2, required, remaining, unfinished);
+ debug_printf("header read id:%c,subid:%c,size:%s,required:%d,remaining:%d,finished:%d\n",
+ id, subid, header+2, required, remaining, finished);
/* is there room for the dataset we want to read ? */
if (required > big_buffer_size - PIPE_HEADER_SIZE)
break;
}
- /* we wrote all datasets with atomic write() calls
- remaining < required only happens if big_buffer was too small
- to get all available data from pipe. unfinished has to be true
- as well. */
+ /* We wrote all datasets with atomic write() calls. Remaining < required only
+ happens if big_buffer was too small to get all available data from pipe;
+ finished has to be false as well. */
+
if (remaining < required)
{
- if (unfinished)
+ if (!finished)
continue;
msg = string_sprintf("failed to read pipe from transport process "
- "%d for transport %s: required size=%d > remaining size=%d and unfinished=false",
+ "%d for transport %s: required size=%d > remaining size=%d and finished=true",
pid, addr->transport->driver_name, required, remaining);
done = TRUE;
break;
}
- /* step behind the header */
+ /* Step past the header */
ptr += PIPE_HEADER_SIZE;
/* Handle each possible type of item, assuming the complete item is
/* Cut out any "delete" items on the list. */
- for (rp = &(addr->retries); (r = *rp); rp = &r->next)
+ for (rp = &addr->retries; (r = *rp); rp = &r->next)
if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
{
if ((r->flags & rf_delete) == 0) break; /* It was not "delete" */
/* We want to add a delete item only if there is no non-delete item;
however we still have to step ptr through the data. */
- if (!r || (*ptr & rf_delete) == 0)
+ if (!r || !(*ptr & rf_delete))
{
r = store_get(sizeof(retry_item));
r->next = addr->retries;
switch (subid)
{
case '1':
- addr->cipher = NULL;
- addr->peerdn = NULL;
-
- if (*ptr)
- addr->cipher = string_copy(ptr);
- while (*ptr++);
- if (*ptr)
- addr->peerdn = string_copy(ptr);
- break;
+ addr->cipher = NULL;
+ addr->peerdn = NULL;
+
+ if (*ptr)
+ addr->cipher = string_copy(ptr);
+ while (*ptr++);
+ if (*ptr)
+ addr->peerdn = string_copy(ptr);
+ break;
case '2':
- if (*ptr)
- (void) tls_import_cert(ptr, &addr->peercert);
- else
- addr->peercert = NULL;
- break;
+ if (*ptr)
+ (void) tls_import_cert(ptr, &addr->peercert);
+ else
+ addr->peercert = NULL;
+ break;
case '3':
- if (*ptr)
- (void) tls_import_cert(ptr, &addr->ourcert);
- else
- addr->ourcert = NULL;
- break;
+ if (*ptr)
+ (void) tls_import_cert(ptr, &addr->ourcert);
+ else
+ addr->ourcert = NULL;
+ break;
# ifndef DISABLE_OCSP
case '4':
- addr->ocsp = OCSP_NOT_REQ;
- if (*ptr)
- addr->ocsp = *ptr - '0';
- break;
+ addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ;
+ break;
# endif
}
while (*ptr++);
{
#ifdef SUPPORT_SOCKS
case '2': /* proxy information; must arrive before A0 and applies to that addr XXX oops*/
- proxy_session = TRUE; /*XXX shouod this be cleared somewhere? */
+ proxy_session = TRUE; /*XXX should this be cleared somewhere? */
if (*ptr == 0)
ptr++;
else
) )
&& ( !multi_domain
|| ( (
- !tp->expand_multi_domain || (deliver_set_expansions(next), 1),
+ (void)(!tp->expand_multi_domain || ((void)deliver_set_expansions(next), 1)),
exp_bool(addr,
US"transport", next->transport->name, D_transport,
US"multi_domain", next->transport->multi_domain,
}
/* Now fork a subprocess to do the remote delivery, but before doing so,
- ensure that any cached resourses are released so as not to interfere with
+ ensure that any cached resources are released so as not to interfere with
what happens in the subprocess. */
search_tidyup();
{
uschar * fname = spool_fname(US"input", message_subdir, message_id, US"-D");
- if ((deliver_datafile = Uopen(fname, O_RDWR | O_APPEND, 0)) < 0)
+ if ((deliver_datafile = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_RDWR | O_APPEND, 0)) < 0)
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote "
"parallel delivery: %s", fname, strerror(errno));
}
/* Set the close-on-exec flag */
-
+#ifndef O_CLOEXEC
(void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
FD_CLOEXEC);
+#endif
/* Set the uid/gid of this process; bombs out on failure. */
if (!addr->peerdn)
*ptr++ = 0;
else
- {
- ptr += sprintf(CS ptr, "%.512s", addr->peerdn);
- ptr++;
- }
+ ptr += sprintf(CS ptr, "%.512s", addr->peerdn) + 1;
rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
}
+ else if (continue_proxy) /* known TLS, but no cipher info */
+ rmt_dlv_checked_write(fd, 'X', '1', US"*\0", 3);
+
if (addr->peercert)
{
ptr = big_buffer;
address_item *new_parent = store_get(sizeof(address_item));
*new_parent = *addr;
addr->parent = new_parent;
+ new_parent->child_count = 1;
addr->address = new_address;
addr->unique = string_copy(new_address);
addr->domain = deliver_domain;
one message in the same process. Therefore we needn't worry too much about
store leakage.
+Liable to be called as root.
+
Arguments:
id the id of the message to be delivered
forced TRUE if delivery was forced by an administrator; this overrides
time_t now = time(NULL);
address_item *addr_last = NULL;
uschar *filter_message = NULL;
-FILE *jread;
int process_recipients = RECIP_ACCEPT;
open_db dbblock;
open_db *dbm_file;
{
uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+ FILE * jread;
- if ((jread = Ufopen(fname, "rb")))
+ if ( (journal_fd = Uopen(fname, O_RDWR|O_APPEND
+#ifdef O_CLOEXEC
+ | O_CLOEXEC
+#endif
+#ifdef O_NOFOLLOW
+ | O_NOFOLLOW
+#endif
+ , SPOOL_MODE)) >= 0
+ && lseek(journal_fd, 0, SEEK_SET) == 0
+ && (jread = fdopen(journal_fd, "rb"))
+ )
{
while (Ufgets(big_buffer, big_buffer_size, jread))
{
DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
"journal file\n", big_buffer);
}
- (void)fclose(jread);
+ rewind(jread);
+ if ((journal_fd = dup(fileno(jread))) < 0)
+ journal_fd = fileno(jread);
+ else
+ (void) fclose(jread); /* Try to not leak the FILE resource */
+
/* Panic-dies on error */
(void)spool_write_header(message_id, SW_DELIVERING, NULL);
}
while (p)
{
- if (parent->child_count == SHRT_MAX)
+ if (parent->child_count == USHRT_MAX)
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more "
- "than %d delivery addresses", SHRT_MAX);
+ "than %d delivery addresses", USHRT_MAX);
parent->child_count++;
p->parent = parent;
tpname = tmp;
}
else
- {
p->message = string_sprintf("system_filter_%s_transport is unset",
type);
- }
if (tpname)
{
transport_instance *tp;
for (tp = transports; tp; tp = tp->next)
- {
if (Ustrcmp(tp->name, tpname) == 0)
{
p->transport = tp;
break;
}
- }
if (!tp)
p->message = string_sprintf("failed to find \"%s\" transport "
"for system filter delivery", tpname);
happen. */
if ( header_rewritten
- && ( ( addr_local
- && (addr_local->next || addr_remote)
- )
- || (addr_remote && addr_remote->next)
+ && ( addr_local && (addr_local->next || addr_remote)
+ || addr_remote && addr_remote->next
) )
{
/* Panic-dies on error */
}
-/* If there are any deliveries to be done, open the journal file. This is used
-to record successful deliveries as soon as possible after each delivery is
-known to be complete. A file opened with O_APPEND is used so that several
-processes can run simultaneously.
+/* If there are any deliveries to be and we do not already have the journal
+file, create it. This is used to record successful deliveries as soon as
+possible after each delivery is known to be complete. A file opened with
+O_APPEND is used so that several processes can run simultaneously.
The journal is just insurance against crashes. When the spool file is
ultimately updated at the end of processing, the journal is deleted. If a
if (addr_local || addr_remote)
{
- uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
-
- if ((journal_fd = Uopen(fname, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) <0)
+ if (journal_fd < 0)
{
- log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
- fname, strerror(errno));
- return DELIVER_NOT_ATTEMPTED;
- }
+ uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
+
+ if ((journal_fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_WRONLY|O_APPEND|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
+ fname, strerror(errno));
+ return DELIVER_NOT_ATTEMPTED;
+ }
- /* Set the close-on-exec flag, make the file owned by Exim, and ensure
- that the mode is correct - the group setting doesn't always seem to get
- set automatically. */
+ /* Set the close-on-exec flag, make the file owned by Exim, and ensure
+ that the mode is correct - the group setting doesn't always seem to get
+ set automatically. */
- if( fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
- || fchown(journal_fd, exim_uid, exim_gid)
- || fchmod(journal_fd, SPOOL_MODE)
- )
- {
- int ret = Uunlink(fname);
- log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
- fname, strerror(errno));
- if(ret && errno != ENOENT)
- log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
- fname, strerror(errno));
- return DELIVER_NOT_ATTEMPTED;
+ if( fchown(journal_fd, exim_uid, exim_gid)
+ || fchmod(journal_fd, SPOOL_MODE)
+#ifndef O_CLOEXEC
+ || fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
+#endif
+ )
+ {
+ int ret = Uunlink(fname);
+ log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
+ fname, strerror(errno));
+ if(ret && errno != ENOENT)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
+ fname, strerror(errno));
+ return DELIVER_NOT_ATTEMPTED;
+ }
}
}
+else if (journal_fd >= 0)
+ {
+ close(journal_fd);
+ journal_fd = -1;
+ }
)
{
/* copy and relink address_item and send report with all of them at once later */
- address_item *addr_next;
- addr_next = addr_senddsn;
+ address_item * addr_next = addr_senddsn;
addr_senddsn = store_get(sizeof(address_item));
- memcpy(addr_senddsn, addr_dsntmp, sizeof(address_item));
+ *addr_senddsn = *addr_dsntmp;
addr_senddsn->next = addr_next;
}
else
/* Otherwise, handle the sending of a message. Find the error address for
the first address, then send a message that includes all failed addresses
that have the same error address. Note the bounce_recipient is a global so
- that it can be accesssed by $bounce_recipient while creating a customized
+ that it can be accessed by $bounce_recipient while creating a customized
error message. */
else
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", fname,
strerror(errno));
- /* Move the message off the spool if reqested */
+ /* Move the message off the spool if requested */
#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
if (deliver_freeze && move_frozen_messages)
projects / exim.git / blobdiff