1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for reading spool files. When compiling for a utility (eximon),
10 not all are needed, and some functionality can be cut out. */
17 #ifndef COMPILE_UTILITY
18 /*************************************************
19 * Open and lock data file *
20 *************************************************/
22 /* The data file is the one that is used for locking, because the header file
23 can get replaced during delivery because of header rewriting. The file has
24 to opened with write access so that we can get an exclusive lock, but in
25 fact it won't be written to. Just in case there's a major disaster (e.g.
26 overwriting some other file descriptor with the value of this one), open it
29 As called by deliver_message() (at least) we are operating as root.
31 Argument: the id of the message
32 Returns: fd if file successfully opened and locked, else -1
34 Side effect: message_subdir is set for the (possibly split) spool directory
38 spool_open_datafile(uschar *id)
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
51 for (int i = 0; i < 2; i++)
56 set_subdir_str(message_subdir, id, i);
57 fname = spool_fname(US"input", message_subdir, id, US"-D");
58 DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname);
60 /* We protect against symlink attacks both in not propagating the
61 * file-descriptor to other processes as we exec, and also ensuring that we
62 * don't even open symlinks.
63 * No -D file inside the spool area should be a symlink.
65 if ((fd = Uopen(fname,
72 O_RDWR | O_APPEND, 0)) >= 0)
79 log_write(0, LOG_MAIN, "Spool%s%s file %s-D not found",
80 *queue_name ? US" Q=" : US"",
81 *queue_name ? queue_name : US"",
85 log_write(0, LOG_MAIN, "Spool error for %s: %s", fname, strerror(errno));
90 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
91 the file. We lock only the first line of the file (containing the message ID)
92 because this apparently is needed for running Exim under Cygwin. If the entire
93 file is locked in one process, a sub-process cannot access it, even when passed
94 an open file descriptor (at least, I think that's the Cygwin story). On real
95 Unix systems it doesn't make any difference as long as Exim is consistent in
99 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
102 lock_data.l_type = F_WRLCK;
103 lock_data.l_whence = SEEK_SET;
104 lock_data.l_start = 0;
105 lock_data.l_len = SPOOL_DATA_START_OFFSET;
107 if (fcntl(fd, F_SETLK, &lock_data) < 0)
109 log_write(L_skip_delivery, LOG_MAIN,
110 "Spool file for %s is locked (another process is handling this message)",
117 /* Get the size of the data; don't include the leading filename line
118 in the count, but add one for the newline before the data. */
120 if (fstat(fd, &statbuf) == 0)
122 message_body_size = statbuf.st_size - SPOOL_DATA_START_OFFSET;
123 message_size = message_body_size + 1;
128 #endif /* COMPILE_UTILITY */
132 /*************************************************
133 * Read non-recipients tree from spool file *
134 *************************************************/
136 /* The tree of non-recipients is written to the spool file in a form that
137 makes it easy to read back into a tree. The format is as follows:
139 . Each node is preceded by two letter(Y/N) indicating whether it has left
140 or right children. There's one space after the two flags, before the name.
142 . The left subtree (if any) then follows, then the right subtree (if any).
144 This function is entered with the next input line in the buffer. Note we must
145 save the right flag before recursing with the same buffer.
147 Once the tree is read, we re-construct the balance fields by scanning the tree.
148 I forgot to write them out originally, and the compatible fix is to do it this
149 way. This initial local recursing function does the necessary.
154 Returns: maximum depth below the node, including the node itself
158 count_below(tree_node *node)
161 if (node == NULL) return 0;
162 nleft = count_below(node->left);
163 nright = count_below(node->right);
164 node->balance = (nleft > nright)? 1 : ((nright > nleft)? 2 : 0);
165 return 1 + ((nleft > nright)? nleft : nright);
168 /* This is the real function...
171 connect pointer to the root of the tree
172 f FILE to read data from
173 buffer contains next input line; further lines read into it
174 buffer_size size of the buffer
176 Returns: FALSE on format error
180 read_nonrecipients_tree(tree_node **connect, FILE *f, uschar *buffer,
184 int n = Ustrlen(buffer);
185 BOOL right = buffer[1] == 'Y';
187 if (n < 5) return FALSE; /* malformed line */
188 buffer[n-1] = 0; /* Remove \n */
189 node = store_get(sizeof(tree_node) + n - 3, GET_TAINTED); /* rcpt names tainted */
191 Ustrcpy(node->name, buffer + 3);
192 node->data.ptr = NULL;
194 if (buffer[0] == 'Y')
196 if (Ufgets(buffer, buffer_size, f) == NULL ||
197 !read_nonrecipients_tree(&node->left, f, buffer, buffer_size))
200 else node->left = NULL;
204 if (Ufgets(buffer, buffer_size, f) == NULL ||
205 !read_nonrecipients_tree(&node->right, f, buffer, buffer_size))
208 else node->right = NULL;
210 (void) count_below(*connect);
217 /* Reset all the global variables to their default values. However, there is
218 one exception. DO NOT change the default value of dont_deliver, because it may
219 be forced by an external setting. */
222 spool_clear_header_globals(void)
224 acl_var_c = acl_var_m = NULL;
225 authenticated_id = NULL;
226 authenticated_sender = NULL;
227 f.allow_unqualified_recipient = FALSE;
228 f.allow_unqualified_sender = FALSE;
231 f.deliver_firsttime = FALSE;
232 f.deliver_freeze = FALSE;
233 deliver_frozen_at = 0;
234 f.deliver_manual_thaw = FALSE;
235 /* f.dont_deliver must NOT be reset */
236 header_list = header_last = NULL;
237 host_lookup_deferred = FALSE;
238 host_lookup_failed = FALSE;
239 interface_address = NULL;
241 f.local_error_message = FALSE;
242 #ifdef HAVE_LOCAL_SCAN
243 local_scan_data = NULL;
245 max_received_linelength = 0;
246 message_linecount = 0;
247 received_protocol = NULL;
249 recipients_list = NULL;
250 sender_address = NULL;
251 sender_fullhost = NULL;
252 sender_helo_name = NULL;
253 sender_host_address = NULL;
254 sender_host_name = NULL;
255 sender_host_port = 0;
256 sender_host_authenticated = sender_host_auth_pubname = NULL;
258 f.sender_local = FALSE;
259 f.sender_set_untrusted = FALSE;
260 smtp_active_hostname = primary_hostname;
261 #ifndef COMPILE_UTILITY
262 f.spool_file_wireformat = FALSE;
264 tree_nonrecipients = NULL;
266 #ifdef EXPERIMENTAL_BRIGHTMAIL
273 f.dkim_disable_verify = FALSE;
274 dkim_collect_input = 0;
278 tls_in.certificate_verified = FALSE;
280 tls_in.dane_verified = FALSE;
282 tls_in.ver = tls_in.cipher = NULL;
283 # ifndef COMPILE_UTILITY /* tls support fns not built in */
284 tls_free_cert(&tls_in.ourcert);
285 tls_free_cert(&tls_in.peercert);
287 tls_in.peerdn = NULL;
289 tls_in.ocsp = OCSP_NOT_REQ;
292 #ifdef WITH_CONTENT_SCAN
295 spam_score_int = NULL;
298 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
299 message_smtputf8 = FALSE;
300 message_utf8_downconvert = 0;
303 #ifndef COMPILE_UTILITY
304 debuglog_name[0] = '\0';
311 fgets_big_buffer(FILE *fp)
316 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) return NULL;
318 while ((len = Ustrlen(big_buffer)) == big_buffer_size-1
319 && big_buffer[len-1] != '\n')
324 if (big_buffer_size >= BIG_BUFFER_SIZE * 4) return NULL;
325 newsize = big_buffer_size * 2;
326 newbuffer = store_get_perm(newsize, FALSE);
327 memcpy(newbuffer, big_buffer, len);
329 big_buffer = newbuffer;
330 big_buffer_size = newsize;
331 if (Ufgets(big_buffer + len, big_buffer_size - len, fp) == NULL) return NULL;
334 if (len <= 0 || big_buffer[len-1] != '\n') return NULL;
340 /*************************************************
341 * Read spool header file *
342 *************************************************/
344 /* This function reads a spool header file and places the data into the
345 appropriate global variables. The header portion is always read, but header
346 structures are built only if read_headers is set true. It isn't, for example,
347 while generating -bp output.
349 It may be possible for blocks of nulls (binary zeroes) to get written on the
350 end of a file if there is a system crash during writing. It was observed on an
351 earlier version of Exim that omitted to fsync() the files - this is thought to
352 have been the cause of that incident, but in any case, this code must be robust
353 against such an event, and if such a file is encountered, it must be treated as
356 As called from deliver_message() (at least) we are running as root.
359 name name of the header file, including the -H
360 read_headers TRUE if in-store header structures are to be built
361 subdir_set TRUE is message_subdir is already set
363 Returns: spool_read_OK success
364 spool_read_notopen open failed
365 spool_read_enverror error in the envelope portion
366 spool_read_hdrerror error in the header portion
370 spool_read_header(uschar *name, BOOL read_headers, BOOL subdir_set)
376 BOOL inheader = FALSE;
378 /* Reset all the global variables to their default values. However, there is
379 one exception. DO NOT change the default value of dont_deliver, because it may
380 be forced by an external setting. */
382 spool_clear_header_globals();
384 /* Generate the full name and open the file. If message_subdir is already
385 set, just look in the given directory. Otherwise, look in both the split
386 and unsplit directories, as for the data file above. */
388 for (int n = 0; n < 2; n++)
391 set_subdir_str(message_subdir, name, n);
393 if ((fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
395 if (n != 0 || subdir_set || errno != ENOENT)
396 return spool_read_notopen;
401 #ifndef COMPILE_UTILITY
402 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
403 #endif /* COMPILE_UTILITY */
405 /* The first line of a spool file contains the message id followed by -H (i.e.
406 the file name), in order to make the file self-identifying. */
408 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
409 if (Ustrlen(big_buffer) != MESSAGE_ID_LENGTH + 3 ||
410 Ustrncmp(big_buffer, name, MESSAGE_ID_LENGTH + 2) != 0)
411 goto SPOOL_FORMAT_ERROR;
413 /* The next three lines in the header file are in a fixed format. The first
414 contains the login, uid, and gid of the user who caused the file to be written.
415 There are known cases where a negative gid is used, so we allow for both
416 negative uids and gids. The second contains the mail address of the message's
417 sender, enclosed in <>. The third contains the time the message was received,
418 and the number of warning messages for delivery delays that have been sent. */
420 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
423 uschar *p = big_buffer + Ustrlen(big_buffer);
424 while (p > big_buffer && isspace(p[-1])) p--;
426 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
427 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
429 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
431 if (!isdigit(p[-1])) goto SPOOL_FORMAT_ERROR;
432 while (p > big_buffer && (isdigit(p[-1]) || '-' == p[-1])) p--;
434 if (p <= big_buffer || *(--p) != ' ') goto SPOOL_FORMAT_ERROR;
438 originator_login = string_copy(big_buffer);
439 originator_uid = (uid_t)uid;
440 originator_gid = (gid_t)gid;
443 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
444 n = Ustrlen(big_buffer);
445 if (n < 3 || big_buffer[0] != '<' || big_buffer[n-2] != '>')
446 goto SPOOL_FORMAT_ERROR;
448 sender_address = store_get(n-2, GET_TAINTED);
449 Ustrncpy(sender_address, big_buffer+1, n-3);
450 sender_address[n-3] = 0;
453 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
454 if (sscanf(CS big_buffer, TIME_T_FMT " %d", &received_time.tv_sec, &warning_count) != 2)
455 goto SPOOL_FORMAT_ERROR;
456 received_time.tv_usec = 0;
457 received_time_complete = received_time;
460 message_age = time(NULL) - received_time.tv_sec;
461 #ifndef COMPILE_UTILITY
462 if (f.running_in_test_harness)
463 message_age = test_harness_fudged_queue_time(message_age);
466 #ifndef COMPILE_UTILITY
467 DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n",
468 originator_login, (long int)originator_uid, (long int)originator_gid,
472 /* Now there may be a number of optional lines, each starting with "-". If you
473 add a new setting here, make sure you set the default above.
475 Because there are now quite a number of different possibilities, we use a
476 switch on the first character to avoid too many failing tests. Thanks to Nico
477 Erfurth for the patch that implemented this. I have made it even more efficient
478 by not re-scanning the first two characters.
480 To allow new versions of Exim that add additional flags to interwork with older
481 versions that do not understand them, just ignore any lines starting with "-"
482 that we don't recognize. Otherwise it wouldn't be possible to back off a new
483 version that left new-style flags written on the spool.
485 If the line starts with "--" the content of the variable is tainted.
486 If the line start "--(<lookuptype>)" it is also quoted for the given <lookuptype>.
491 const void * proto_mem;
495 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
496 if (big_buffer[0] != '-') break;
497 big_buffer[Ustrlen(big_buffer)-1] = 0;
499 proto_mem = big_buffer[1] == '-' ? GET_TAINTED : GET_UNTAINTED;
500 var = big_buffer + (proto_mem == GET_UNTAINTED ? 1 : 2);
501 if (*var == '(') /* marker for quoted value */
505 for (s = ++var; *s != ')'; ) s++;
506 #ifndef COMPILE_UTILITY
507 if ((idx = search_findtype(var, s - var)) < 0)
509 DEBUG(D_any) debug_printf("Unrecognised quoter %.*s\n", (int)(s - var), var+1);
510 goto SPOOL_FORMAT_ERROR;
512 proto_mem = store_get_quoted(1, GET_TAINTED, idx);
513 #endif /* COMPILE_UTILITY */
522 /* Nowadays we use "-aclc" and "-aclm" for the different types of ACL
523 variable, because Exim allows any number of them, with arbitrary names.
524 The line in the spool file is "-acl[cm] <name> <length>". The name excludes
527 if (Ustrncmp(p, "clc ", 4) == 0 ||
528 Ustrncmp(p, "clm ", 4) == 0)
530 uschar *name, *endptr;
533 endptr = Ustrchr(var + 5, ' ');
534 if (endptr == NULL) goto SPOOL_FORMAT_ERROR;
535 name = string_sprintf("%c%.*s", var[3],
536 (int)(endptr - var - 5), var + 5);
537 if (sscanf(CS endptr, " %d", &count) != 1) goto SPOOL_FORMAT_ERROR;
538 node = acl_var_create(name);
539 node->data.ptr = store_get(count + 1, proto_mem);
540 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
541 ((uschar*)node->data.ptr)[count] = 0;
544 else if (Ustrcmp(p, "llow_unqualified_recipient") == 0)
545 f.allow_unqualified_recipient = TRUE;
546 else if (Ustrcmp(p, "llow_unqualified_sender") == 0)
547 f.allow_unqualified_sender = TRUE;
549 else if (Ustrncmp(p, "uth_id", 6) == 0)
550 authenticated_id = string_copy_taint(var + 8, proto_mem);
551 else if (Ustrncmp(p, "uth_sender", 10) == 0)
552 authenticated_sender = string_copy_taint(var + 12, proto_mem);
553 else if (Ustrncmp(p, "ctive_hostname", 14) == 0)
554 smtp_active_hostname = string_copy_taint(var + 16, proto_mem);
556 /* For long-term backward compatibility, we recognize "-acl", which was
557 used before the number of ACL variables changed from 10 to 20. This was
558 before the subsequent change to an arbitrary number of named variables.
559 This code is retained so that upgrades from very old versions can still
560 handle old-format spool files. The value given after "-acl" is a number
561 that is 0-9 for connection variables, and 10-19 for message variables. */
563 else if (Ustrncmp(p, "cl ", 3) == 0)
565 unsigned index, count;
566 uschar name[20]; /* Need plenty of space for %u format */
568 if ( sscanf(CS var + 4, "%u %u", &index, &count) != 2
570 || count > 16384 /* arbitrary limit on variable size */
572 goto SPOOL_FORMAT_ERROR;
574 (void) string_format(name, sizeof(name), "%c%u", 'c', index);
576 (void) string_format(name, sizeof(name), "%c%u", 'm', index - 10);
577 node = acl_var_create(name);
578 node->data.ptr = store_get(count + 1, proto_mem);
579 /* We sanity-checked the count, so disable the Coverity error */
580 /* coverity[tainted_data] */
581 if (fread(node->data.ptr, 1, count+1, fp) < count) goto SPOOL_READ_ERROR;
582 (US node->data.ptr)[count] = '\0';
587 if (Ustrncmp(p, "ody_linecount", 13) == 0)
588 body_linecount = Uatoi(var + 14);
589 else if (Ustrncmp(p, "ody_zerocount", 13) == 0)
590 body_zerocount = Uatoi(var + 14);
591 #ifdef EXPERIMENTAL_BRIGHTMAIL
592 else if (Ustrncmp(p, "mi_verdicts ", 12) == 0)
593 bmi_verdicts = string_copy_taint(var + 13, proto_mem);
598 if (Ustrcmp(p, "eliver_firsttime") == 0)
599 f.deliver_firsttime = TRUE;
600 else if (Ustrncmp(p, "sn_ret", 6) == 0)
601 dsn_ret= atoi(CS var + 7);
602 else if (Ustrncmp(p, "sn_envid", 8) == 0)
603 dsn_envid = string_copy_taint(var + 10, proto_mem);
604 #ifndef COMPILE_UTILITY
605 else if (Ustrncmp(p, "ebug_selector ", 14) == 0)
606 debug_selector = strtol(CS var + 15, NULL, 0);
607 else if (Ustrncmp(p, "ebuglog_name ", 13) == 0)
608 debug_logging_from_spool(var + 14);
613 if (Ustrncmp(p, "rozen", 5) == 0)
615 f.deliver_freeze = TRUE;
616 if (sscanf(CS var+6, TIME_T_FMT, &deliver_frozen_at) != 1)
617 goto SPOOL_READ_ERROR;
622 if (Ustrcmp(p, "ost_lookup_deferred") == 0)
623 host_lookup_deferred = TRUE;
624 else if (Ustrcmp(p, "ost_lookup_failed") == 0)
625 host_lookup_failed = TRUE;
626 else if (Ustrncmp(p, "ost_auth_pubname", 16) == 0)
627 sender_host_auth_pubname = string_copy_taint(var + 18, proto_mem);
628 else if (Ustrncmp(p, "ost_auth", 8) == 0)
629 sender_host_authenticated = string_copy_taint(var + 10, proto_mem);
630 else if (Ustrncmp(p, "ost_name", 8) == 0)
631 sender_host_name = string_copy_taint(var + 10, proto_mem);
632 else if (Ustrncmp(p, "elo_name", 8) == 0)
633 sender_helo_name = string_copy_taint(var + 10, proto_mem);
635 /* We now record the port number after the address, separated by a
636 dot. For compatibility during upgrading, do nothing if there
637 isn't a value (it gets left at zero). */
639 else if (Ustrncmp(p, "ost_address", 11) == 0)
641 sender_host_port = host_address_extract_port(var + 13);
642 sender_host_address = string_copy_taint(var + 13, proto_mem);
647 if (Ustrncmp(p, "nterface_address", 16) == 0)
649 interface_port = host_address_extract_port(var + 18);
650 interface_address = string_copy_taint(var + 18, proto_mem);
652 else if (Ustrncmp(p, "dent", 4) == 0)
653 sender_ident = string_copy_taint(var + 6, proto_mem);
657 if (Ustrcmp(p, "ocal") == 0)
658 f.sender_local = TRUE;
659 else if (Ustrcmp(var, "localerror") == 0)
660 f.local_error_message = TRUE;
661 #ifdef HAVE_LOCAL_SCAN
662 else if (Ustrncmp(p, "ocal_scan ", 10) == 0)
663 local_scan_data = string_copy_taint(var + 11, proto_mem);
668 if (Ustrcmp(p, "anual_thaw") == 0)
669 f.deliver_manual_thaw = TRUE;
670 else if (Ustrncmp(p, "ax_received_linelength", 22) == 0)
671 max_received_linelength = Uatoi(var + 23);
675 if (*p == 0) f.dont_deliver = TRUE; /* -N */
679 if (Ustrncmp(p, "eceived_protocol", 16) == 0)
680 received_protocol = string_copy_taint(var + 18, proto_mem);
681 else if (Ustrncmp(p, "eceived_time_usec", 17) == 0)
684 if (sscanf(CS var + 20, "%u", &usec) == 1)
686 received_time.tv_usec = usec;
687 if (!received_time_complete.tv_sec) received_time_complete.tv_usec = usec;
690 else if (Ustrncmp(p, "eceived_time_complete", 21) == 0)
693 if (sscanf(CS var + 23, "%u.%u", &sec, &usec) == 2)
695 received_time_complete.tv_sec = sec;
696 received_time_complete.tv_usec = usec;
702 if (Ustrncmp(p, "ender_set_untrusted", 19) == 0)
703 f.sender_set_untrusted = TRUE;
704 #ifdef WITH_CONTENT_SCAN
705 else if (Ustrncmp(p, "pam_bar ", 8) == 0)
706 spam_bar = string_copy_taint(var + 9, proto_mem);
707 else if (Ustrncmp(p, "pam_score ", 10) == 0)
708 spam_score = string_copy_taint(var + 11, proto_mem);
709 else if (Ustrncmp(p, "pam_score_int ", 14) == 0)
710 spam_score_int = string_copy_taint(var + 15, proto_mem);
712 #ifndef COMPILE_UTILITY
713 else if (Ustrncmp(p, "pool_file_wireformat", 20) == 0)
714 f.spool_file_wireformat = TRUE;
716 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
717 else if (Ustrncmp(p, "mtputf8", 7) == 0)
718 message_smtputf8 = TRUE;
724 if (Ustrncmp(p, "ls_", 3) == 0)
726 const uschar * q = p + 3;
727 if (Ustrncmp(q, "certificate_verified", 20) == 0)
728 tls_in.certificate_verified = TRUE;
729 else if (Ustrncmp(q, "cipher", 6) == 0)
730 tls_in.cipher = string_copy_taint(q+7, proto_mem);
731 # ifndef COMPILE_UTILITY /* tls support fns not built in */
732 else if (Ustrncmp(q, "ourcert", 7) == 0)
733 (void) tls_import_cert(q+8, &tls_in.ourcert);
734 else if (Ustrncmp(q, "peercert", 8) == 0)
735 (void) tls_import_cert(q+9, &tls_in.peercert);
737 else if (Ustrncmp(q, "peerdn", 6) == 0)
738 tls_in.peerdn = string_unprinting(string_copy_taint(q+7, proto_mem));
739 else if (Ustrncmp(q, "sni", 3) == 0)
740 tls_in.sni = string_unprinting(string_copy_taint(q+4, proto_mem));
741 else if (Ustrncmp(q, "ocsp", 4) == 0)
742 tls_in.ocsp = q[5] - '0';
743 # ifndef DISABLE_TLS_RESUME
744 else if (Ustrncmp(q, "resumption", 10) == 0)
745 tls_in.resumption = q[11] - 'A';
747 else if (Ustrncmp(q, "ver", 3) == 0)
748 tls_in.ver = string_copy_taint(q+4, proto_mem);
753 #if defined(SUPPORT_I18N) && !defined(COMPILE_UTILITY)
755 if (Ustrncmp(p, "tf8_downcvt", 11) == 0)
756 message_utf8_downconvert = 1;
757 else if (Ustrncmp(p, "tf8_optdowncvt", 15) == 0)
758 message_utf8_downconvert = -1;
762 default: /* Present because some compilers complain if all */
763 break; /* possibilities are not covered. */
767 /* Build sender_fullhost if required */
769 #ifndef COMPILE_UTILITY
770 host_build_sender_fullhost();
771 #endif /* COMPILE_UTILITY */
773 #ifndef COMPILE_UTILITY
775 debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local,
776 sender_ident ? sender_ident : US"unset");
777 #endif /* COMPILE_UTILITY */
779 /* We now have the tree of addresses NOT to deliver to, or a line
780 containing "XX", indicating no tree. */
782 if (Ustrncmp(big_buffer, "XX\n", 3) != 0 &&
783 !read_nonrecipients_tree(&tree_nonrecipients, fp, big_buffer, big_buffer_size))
784 goto SPOOL_FORMAT_ERROR;
786 #ifndef COMPILE_UTILITY
787 DEBUG(D_deliver) debug_print_tree("Non-recipients", tree_nonrecipients);
788 #endif /* COMPILE_UTILITY */
790 /* After reading the tree, the next line has not yet been read into the
791 buffer. It contains the count of recipients which follow on separate lines.
792 Apply an arbitrary sanity check.*/
794 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
795 if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
796 goto SPOOL_FORMAT_ERROR;
798 #ifndef COMPILE_UTILITY
799 DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount);
800 #endif /* COMPILE_UTILITY */
802 recipients_list_max = rcount;
803 recipients_list = store_get(rcount * sizeof(recipient_item), GET_UNTAINTED);
805 /* We sanitised the count and know we have enough memory, so disable
806 the Coverity error on recipients_count */
807 /* coverity[tainted_data] */
809 for (recipients_count = 0; recipients_count < rcount; recipients_count++)
814 uschar *orcpt = NULL;
815 uschar *errors_to = NULL;
818 if (fgets_big_buffer(fp) == NULL) goto SPOOL_READ_ERROR;
819 nn = Ustrlen(big_buffer);
820 if (nn < 2) goto SPOOL_FORMAT_ERROR;
822 /* Remove the newline; this terminates the address if there is no additional
825 p = big_buffer + nn - 1;
828 /* Look back from the end of the line for digits and special terminators.
829 Since an address must end with a domain, we can tell that extra data is
830 present by the presence of the terminator, which is always some character
831 that cannot exist in a domain. (If I'd thought of the need for additional
832 data early on, I'd have put it at the start, with the address at the end. As
833 it is, we have to operate backwards. Addresses are permitted to contain
836 This code has to cope with various versions of this data that have evolved
837 over time. In all cases, the line might just contain an address, with no
838 additional data. Otherwise, the possibilities are as follows:
840 Exim 3 type: <address><space><digits>,<digits>,<digits>
842 The second set of digits is the parent number for one_time addresses. The
843 other values were remnants of earlier experiments that were abandoned.
845 Exim 4 first type: <address><space><digits>
847 The digits are the parent number for one_time addresses.
849 Exim 4 new type: <address><space><data>#<type bits>
851 The type bits indicate what the contents of the data are.
853 Bit 01 indicates that, reading from right to left, the data
854 ends with <errors_to address><space><len>,<pno> where pno is
855 the parent number for one_time addresses, and len is the length
856 of the errors_to address (zero meaning none).
858 Bit 02 indicates that, again reading from right to left, the data continues
859 with orcpt len(orcpt),dsn_flags
862 while (isdigit(*p)) p--;
864 /* Handle Exim 3 spool files */
869 #if !defined (COMPILE_UTILITY)
870 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n");
872 while (isdigit(*(--p)) || *p == ',');
876 (void)sscanf(CS p, "%d,%d", &dummy, &pno);
880 /* Handle early Exim 4 spool files */
884 #if !defined (COMPILE_UTILITY)
885 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n");
888 (void)sscanf(CS p, "%d", &pno);
891 /* Handle current format Exim 4 spool files */
897 #if !defined (COMPILE_UTILITY)
898 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n");
901 (void)sscanf(CS p+1, "%d", &flags);
903 if (flags & 0x01) /* one_time data exists */
906 while (isdigit(*(--p)) || *p == ',' || *p == '-');
907 (void)sscanf(CS p+1, "%d,%d", &len, &pno);
912 errors_to = string_copy_taint(p, GET_TAINTED);
916 *--p = 0; /* Terminate address */
917 if (flags & 0x02) /* one_time data exists */
920 while (isdigit(*(--p)) || *p == ',' || *p == '-');
921 (void)sscanf(CS p+1, "%d,%d", &len, &dsn_flags);
926 orcpt = string_copy_taint(p, GET_TAINTED);
930 *--p = 0; /* Terminate address */
932 #if !defined(COMPILE_UTILITY)
934 { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); }
936 if (orcpt || dsn_flags)
937 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n",
938 big_buffer, orcpt, dsn_flags);
940 DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n",
941 big_buffer, errors_to);
944 recipients_list[recipients_count].address = string_copy_taint(big_buffer, GET_TAINTED);
945 recipients_list[recipients_count].pno = pno;
946 recipients_list[recipients_count].errors_to = errors_to;
947 recipients_list[recipients_count].orcpt = orcpt;
948 recipients_list[recipients_count].dsn_flags = dsn_flags;
951 /* The remainder of the spool header file contains the headers for the message,
952 separated off from the previous data by a blank line. Each header is preceded
953 by a count of its length and either a certain letter (for various identified
954 headers), space (for a miscellaneous live header) or an asterisk (for a header
955 that has been rewritten). Count the Received: headers. We read the headers
956 always, in order to check on the format of the file, but only create a header
957 list if requested to do so. */
960 if (Ufgets(big_buffer, big_buffer_size, fp) == NULL) goto SPOOL_READ_ERROR;
961 if (big_buffer[0] != '\n') goto SPOOL_FORMAT_ERROR;
963 while ((n = fgetc(fp)) != EOF)
969 if (!isdigit(n)) goto SPOOL_FORMAT_ERROR;
970 if(ungetc(n, fp) == EOF || fscanf(fp, "%d%c ", &n, flag) == EOF)
971 goto SPOOL_READ_ERROR;
972 if (flag[0] != '*') message_size += n; /* Omit non-transmitted headers */
976 h = store_get(sizeof(header_line), GET_UNTAINTED);
980 h->text = store_get(n+1, GET_TAINTED);
982 if (h->type == htype_received) received_count++;
984 if (header_list) header_last->next = h;
985 else header_list = h;
988 for (i = 0; i < n; i++)
991 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
992 if (c == '\n' && h->type != htype_old) message_linecount++;
998 /* Not requiring header data, just skip through the bytes */
1000 else for (i = 0; i < n; i++)
1003 if (c == 0 || c == EOF) goto SPOOL_FORMAT_ERROR;
1007 /* We have successfully read the data in the header file. Update the message
1008 line count by adding the body linecount to the header linecount. Close the file
1009 and give a positive response. */
1011 #ifndef COMPILE_UTILITY
1012 DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n",
1013 body_linecount, message_linecount);
1014 #endif /* COMPILE_UTILITY */
1016 message_linecount += body_linecount;
1019 return spool_read_OK;
1022 /* There was an error reading the spool or there was missing data,
1023 or there was a format error. A "read error" with no errno means an
1024 unexpected EOF, which we treat as a format error. */
1031 #ifndef COMPILE_UTILITY
1032 DEBUG(D_any) debug_printf("Error while reading spool file %s\n", name);
1033 #endif /* COMPILE_UTILITY */
1037 return inheader ? spool_read_hdrerror : spool_read_enverror;
1042 #ifndef COMPILE_UTILITY
1043 DEBUG(D_any) debug_printf("Format error in spool file %s\n", name);
1044 #endif /* COMPILE_UTILITY */
1047 errno = ERRNO_SPOOLFORMAT;
1048 return inheader? spool_read_hdrerror : spool_read_enverror;
1052 #ifndef COMPILE_UTILITY
1053 /* Read out just the (envelope) sender string from the spool -H file.
1054 Remove the <> wrap and return it in allocated store. Return NULL on error.
1056 We assume that message_subdir is already set.
1060 spool_sender_from_msgid(const uschar * id)
1062 uschar * name = string_sprintf("%s-H", id);
1065 uschar * yield = NULL;
1067 if (!(fp = Ufopen(spool_fname(US"input", message_subdir, name, US""), "rb")))
1070 DEBUG(D_deliver) debug_printf_indent("reading spool file %s\n", name);
1072 /* Skip the line with the copy of the filename, then the line with login/uid/gid.
1073 Read the next line, which should be the envelope sender.
1074 Do basic validation on that. */
1076 if ( Ufgets(big_buffer, big_buffer_size, fp) != NULL
1077 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1078 && Ufgets(big_buffer, big_buffer_size, fp) != NULL
1079 && (n = Ustrlen(big_buffer)) >= 3
1080 && big_buffer[0] == '<' && big_buffer[n-2] == '>'
1083 yield = store_get(n-2, GET_TAINTED);
1084 Ustrncpy(yield, big_buffer+1, n-3);
1090 #endif /* COMPILE_UTILITY */
1094 /* End of spool_in.c */