malware.c source code [exim/src/malware.c]

1	/*************************************************
2	* Exim - an Internet mail transport agent *
3	*************************************************/
4
5	/ Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015*
6	* License: GPL
7	* Copyright (c) The Exim Maintainers 2017 - 2018
8	*/
9
10	/ Code for calling virus (malware) scanners. Called from acl.c. /
11
12	#include "exim.h"
13	#ifdef WITH_CONTENT_SCAN /* entire file */
14
15	typedef enum {M_FPROTD, M_DRWEB, M_AVES, M_FSEC, M_KAVD, M_CMDL,
16	M_SOPHIE, M_CLAMD, M_SOCK, M_MKSD, M_AVAST, M_FPROT6D} scanner_t;
17	typedef enum {MC_NONE, MC_TCP, MC_UNIX, MC_STRM} contype_t;
18	static struct scan
19	{
20	scanner_t scancode;
21	const uschar * name;
22	const uschar * options_default;
23	contype_t conn;
24	} m_scans[] =
25	{
26	#ifndef DISABLE_MAL_FFROTD
27	{ M_FPROTD, US"f-protd", US"localhost 10200-10204", MC_TCP },
28	#endif
29	#ifndef DISABLE_MAL_FFROT6D
30	{ M_FPROT6D, US"f-prot6d", US"localhost 10200", MC_TCP },
31	#endif
32	#ifndef DISABLE_MAL_DRWEB
33	{ M_DRWEB, US"drweb", US"/usr/local/drweb/run/drwebd.sock", MC_STRM },
34	#endif
35	#ifndef DISABLE_MAL_AVE
36	{ M_AVES, US"aveserver", US"/var/run/aveserver", MC_UNIX },
37	#endif
38	#ifndef DISABLE_MAL_FSECURE
39	{ M_FSEC, US"fsecure", US"/var/run/.fsav", MC_UNIX },
40	#endif
41	#ifndef DISABLE_MAL_KAV
42	{ M_KAVD, US"kavdaemon", US"/var/run/AvpCtl", MC_UNIX },
43	#endif
44	#ifndef DISABLE_MAL_SOPHIE
45	{ M_SOPHIE, US"sophie", US"/var/run/sophie", MC_UNIX },
46	#endif
47	#ifndef DISABLE_MAL_CLAM
48	{ M_CLAMD, US"clamd", US"/tmp/clamd", MC_NONE },
49	#endif
50	#ifndef DISABLE_MAL_MKS
51	{ M_MKSD, US"mksd", NULL, MC_NONE },
52	#endif
53	#ifndef DISABLE_MAL_AVAST
54	{ M_AVAST, US"avast", US"/var/run/avast/scan.sock", MC_STRM },
55	#endif
56	#ifndef DISABLE_MAL_SOCK
57	{ M_SOCK, US"sock", US"/tmp/malware.sock", MC_STRM },
58	#endif
59	#ifndef DISABLE_MAL_CMDLINE
60	{ M_CMDL, US"cmdline", NULL, MC_NONE },
61	#endif
62	{ -`1`, NULL, NULL, MC_NONE } / end-marker /
63	};
64
65	/****************************************************************************/
66	# ifdef MACRO_PREDEF /* build solely to predefine macros */
67
68	# include "macro_predef.h"
69
70	void
71	features_malware(void)
72	{
73	const struct scan * sc;
74	const uschar * s;
75	uschar * t;
76	uschar buf[`64`];
77
78	spf(buf, sizeof(buf), US"_HAVE_MALWARE_");
79
80	for (sc = m_scans; sc->scancode != -`1`; sc++)
81	{
82	for(s = sc->name, t = buf+`14`; s; s++) if (s != `'-'`) t++ = toupper(s);
83	*t = `'\0'`;
84	builtin_macro_create(buf);
85	}
86	}
87
88	/****************************************************************************/
89	# else /!MACRO_PREDEF, main build/
90
91
92	#define MALWARE_TIMEOUT 120 /* default timeout, seconds */
93
94	static const uschar * malware_regex_default = US ".+";
95	static const pcre * malware_default_re = NULL;
96
97
98
99	#ifndef DISABLE_MAL_CLAM
100	/ The maximum number of clamd servers that are supported in the configuration /
101	# define MAX_CLAMD_SERVERS 32
102	# define MAX_CLAMD_SERVERS_S "32"
103
104	typedef struct clamd_address {
105	uschar * hostspec;
106	unsigned tcp_port;
107	unsigned retry;
108	} clamd_address;
109	#endif
110
111
112	#ifndef DISABLE_MAL_DRWEB
113	# define DRWEBD_SCAN_CMD (1) /* scan file, buffer or diskfile */
114	# define DRWEBD_RETURN_VIRUSES (1<<0) /* ask daemon return to us viruses names from report */
115	# define DRWEBD_IS_MAIL (1<<19) /* say to daemon that format is "archive MAIL" */
116
117	# define DERR_READ_ERR (1<<0) /* read error */
118	# define DERR_NOMEMORY (1<<2) /* no memory */
119	# define DERR_TIMEOUT (1<<9) /* scan timeout has run out */
120	# define DERR_BAD_CALL (1<<15) /* wrong command */
121
122	static const uschar * drweb_re_str = US "infected\\swith\\s*(.+?)$";
123	static const pcre * drweb_re = NULL;
124	#endif
125
126	#ifndef DISABLE_MAL_FSECURE
127	static const uschar * fsec_re_str = US "\\S{0,5}INFECTED\\t[^\\t]\\t([^\\t]+)\\t\\S$";
128	static const pcre * fsec_re = NULL;
129	#endif
130
131	#ifndef DISABLE_MAL_KAV
132	static const uschar * kav_re_sus_str = US "suspicion:\\s(.+?)\\s$";
133	static const uschar * kav_re_inf_str = US "infected:\\s(.+?)\\s$";
134	static const pcre * kav_re_sus = NULL;
135	static const pcre * kav_re_inf = NULL;
136	#endif
137
138	#ifndef DISABLE_MAL_AVAST
139	static const uschar * ava_re_clean_str = US "(?!\\\\)\\t\\[\\+\\]";
140	static const uschar * ava_re_virus_str = US "(?!\\\\)\\t\\[L\\]\\d\\.\\d\\t\\d\\s(.*)";
141	static const pcre * ava_re_clean = NULL;
142	static const pcre * ava_re_virus = NULL;
143	#endif
144
145	#ifndef DISABLE_MAL_FFROT6D
146	static const uschar * fprot6d_re_error_str = US "^\\d+\\s<(.+?)>$";
147	static const uschar * fprot6d_re_virus_str = US "^\\d+\\s<infected:\\s+(.+?)>\\s+.+$";
148	static const pcre * fprot6d_re_error = NULL;
149	static const pcre * fprot6d_re_virus = NULL;
150	#endif
151
152
153
154	/****************************************************************************/
155
156	/ Routine to check whether a system is big- or little-endian.*
157	Ripped from http://www.faqs.org/faqs/graphics/fileformats-faq/part4/section-7.html
158	Needed for proper kavdaemon implementation. Sigh. /*
159	#define BIG_MY_ENDIAN 0
160	#define LITTLE_MY_ENDIAN 1
161	static int test_byte_order(void);
162	static inline int
163	test_byte_order()
164	{
165	short int word = `0x0001`;
166	char *byte = CS &word;
167	return(byte[`0`] ? LITTLE_MY_ENDIAN : BIG_MY_ENDIAN);
168	}
169
170	BOOL malware_ok = FALSE;
171
172	/ Gross hacks for the -bmalware option; perhaps we should just create*
173	the scan directory normally for that case, but look into rigging up the
174	needed header variables if not already set on the command-line? /*
175	extern int spool_mbox_ok;
176	extern uschar spooled_message_id[MESSAGE_ID_LENGTH+`1`];
177
178
179
180	static inline int
181	malware_errlog_defer(const uschar * str)
182	{
183	log_write(`0`, LOG_MAIN\|LOG_PANIC, "malware acl condition: %s", str);
184	return DEFER;
185	}
186
187	static int
188	m_errlog_defer(struct scan * scanent, const uschar * hostport,
189	const uschar * str)
190	{
191	return malware_errlog_defer(string_sprintf("%s %s : %s",
192	scanent->name, hostport ? hostport : CUS"", str));
193	}
194	static int
195	m_errlog_defer_3(struct scan * scanent, const uschar * hostport,
196	const uschar * str, int fd_to_close)
197	{
198	(void) close(fd_to_close);
199	return m_errlog_defer(scanent, hostport, str);
200	}
201
202	/***********************************************/
203
204	#ifndef DISABLE_MAL_CLAM
205	/ Only used by the Clamav code, which is working from a list of servers and*
206	uses the returned in_addr to get a second connection to the same system.
207	*/
208	static inline int
209	m_tcpsocket(const uschar * hostname, unsigned int port,
210	host_item * host, uschar ** errstr, const blob * fastopen_blob)
211	{
212	return ip_connectedsocket(SOCK_STREAM, hostname, port, port, `5`,
213	host, errstr, fastopen_blob);
214	}
215	#endif
216
217	static int
218	m_sock_send(int sock, uschar * buf, int cnt, uschar ** errstr)
219	{
220	if (send(sock, buf, cnt, `0`) < `0`)
221	{
222	int err = errno;
223	(void)close(sock);
224	*errstr = string_sprintf("unable to send to socket (%s): %s",
225	buf, strerror(err));
226	return -`1`;
227	}
228	return sock;
229	}
230
231	static const pcre *
232	m_pcre_compile(const uschar * re, uschar ** errstr)
233	{
234	const uschar * rerror;
235	int roffset;
236	const pcre * cre;
237
238	cre = pcre_compile(CS re, PCRE_COPT, (const char **)&rerror, &roffset, NULL);
239	if (!cre)
240	*errstr= string_sprintf("regular expression error in '%s': %s at offset %d",
241	re, rerror, roffset);
242	return cre;
243	}
244
245	uschar *
246	m_pcre_exec(const pcre * cre, uschar * text)
247	{
248	int ovector[`10`*`3`];
249	int i = pcre_exec(cre, NULL, CS text, Ustrlen(text), `0`, `0`,
250	ovector, nelem(ovector));
251	uschar * substr = NULL;
252	if (i >= `2`) / Got it /
253	pcre_get_substring(CS text, ovector, i, `1`, (const char **) &substr);
254	return substr;
255	}
256
257	static const pcre *
258	m_pcre_nextinlist(const uschar ** list, int * sep,
259	char * listerr, uschar ** errstr)
260	{
261	const uschar * list_ele;
262	const pcre * cre = NULL;
263
264	if (!(list_ele = string_nextinlist(list, sep, NULL, `0`)))
265	*errstr = US listerr;
266	else
267	{
268	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "RE: ",
269	string_printing(list_ele));
270	cre = m_pcre_compile(CUS list_ele, errstr);
271	}
272	return cre;
273	}
274
275	/*
276	Simple though inefficient wrapper for reading a line. Drop CRs and the
277	trailing newline. Can return early on buffer full. Null-terminate.
278	Apply initial timeout if no data ready.
279
280	Return: number of chars - zero for an empty line
281	-1 on EOF
282	-2 on timeout or error
283	*/
284	static int
285	recv_line(int fd, uschar * buffer, int bsize, int tmo)
286	{
287	uschar * p = buffer;
288	ssize_t rcv;
289	BOOL ok = FALSE;
290
291	if (!fd_ready(fd, tmo-time(NULL)))
292	return -`2`;
293
294	/XXX tmo handling assumes we always get a whole line /
295	/ read until \n /
296	errno = `0`;
297	while ((rcv = read(fd, p, `1`)) > `0`)
298	{
299	ok = TRUE;
300	if (p-buffer > bsize-`2`) break;
301	if (p == `'\n'`) break*;
302	if (*p != `'\r'`) p++;
303	}
304	if (!ok)
305	{
306	DEBUG(D_acl) debug_printf_indent("Malware scan: read %s (%s)\n",
307	rcv==`0` ? "EOF" : "error", strerror(errno));
308	return rcv==`0` ? -`1` : -`2`;
309	}
310	*p = `'\0'`;
311
312	DEBUG(D_acl) debug_printf_indent("Malware scan: read '%s'\n", buffer);
313	return p - buffer;
314	}
315
316	/ return TRUE iff size as requested /
317	static BOOL
318	recv_len(int sock, void * buf, int size, int tmo)
319	{
320	return fd_ready(sock, tmo-time(NULL))
321	? recv(sock, buf, size, `0`) == size
322	: FALSE;
323	}
324
325
326
327	#ifndef DISABLE_MAL_MKS
328	/ ============= private routines for the "mksd" scanner type ============== /
329
330	# include <sys/uio.h>
331
332	static inline int
333	mksd_writev (int sock, struct iovec * iov, int iovcnt)
334	{
335	int i;
336
337	for (;;)
338	{
339	do
340	i = writev (sock, iov, iovcnt);
341	while (i < `0` && errno == EINTR);
342	if (i <= `0`)
343	{
344	(void) malware_errlog_defer(
345	US"unable to write to mksd UNIX socket (/var/run/mksd/socket)");
346	return -`1`;
347	}
348	for (;;) / check for short write /
349	if (i >= iov->iov_len)
350	{
351	if (--iovcnt == `0`)
352	return `0`;
353	i -= iov->iov_len;
354	iov++;
355	}
356	else
357	{
358	iov->iov_len -= i;
359	iov->iov_base = CS iov->iov_base + i;
360	break;
361	}
362	}
363	}
364
365	static inline int
366	mksd_read_lines (int sock, uschar av_buffer, int* av_buffer_size, int tmo)
367	{
368	int offset = `0`;
369	int i;
370
371	do
372	{
373	i = ip_recv(sock, av_buffer+offset, av_buffer_size-offset, tmo-time(NULL));
374	if (i <= `0`)
375	{
376	(void) malware_errlog_defer(US"unable to read from mksd UNIX socket (/var/run/mksd/socket)");
377	return -`1`;
378	}
379
380	offset += i;
381	/ offset == av_buffer_size -> buffer full /
382	if (offset == av_buffer_size)
383	{
384	(void) malware_errlog_defer(US"malformed reply received from mksd");
385	return -`1`;
386	}
387	} while (av_buffer[offset-`1`] != `'\n'`);
388
389	av_buffer[offset] = `'\0'`;
390	return offset;
391	}
392
393	static inline int
394	mksd_parse_line(struct scan * scanent, char * line)
395	{
396	char *p;
397
398	switch (*line)
399	{
400	case `'O'`: / OK /
401	return OK;
402
403	case `'E'`:
404	case `'A'`: / ERR /
405	if ((p = strchr (line, `'\n'`)) != NULL)
406	*p = `'\0'`;
407	return m_errlog_defer(scanent, NULL,
408	string_sprintf("scanner failed: %s", line));
409
410	default: / VIR /
411	if ((p = strchr (line, `'\n'`)) != NULL)
412	{
413	*p = `'\0'`;
414	if ( p-line > `5`
415	&& line[`3`] == `' '`
416	&& (p = strchr(line+`4`, `' '`)) != NULL
417	&& p-line > `4`
418	)
419	{
420	*p = `'\0'`;
421	malware_name = string_copy(US line+`4`);
422	return OK;
423	}
424	}
425	return m_errlog_defer(scanent, NULL,
426	string_sprintf("malformed reply received: %s", line));
427	}
428	}
429
430	static int
431	mksd_scan_packed(struct scan * scanent, int sock, const uschar * scan_filename,
432	int tmo)
433	{
434	struct iovec iov[`3`];
435	const char *cmd = "MSQ\n";
436	uschar av_buffer[`1024`];
437
438	iov[`0`].iov_base = (void *) cmd;
439	iov[`0`].iov_len = `3`;
440	iov[`1`].iov_base = (void *) scan_filename;
441	iov[`1`].iov_len = Ustrlen(scan_filename);
442	iov[`2`].iov_base = (void *) (cmd + `3`);
443	iov[`2`].iov_len = `1`;
444
445	if (mksd_writev (sock, iov, `3`) < `0`)
446	return DEFER;
447
448	if (mksd_read_lines (sock, av_buffer, sizeof (av_buffer), tmo) < `0`)
449	return DEFER;
450
451	return mksd_parse_line (scanent, CS av_buffer);
452	}
453	#endif /* MKSD */
454
455
456	#ifndef DISABLE_MAL_CLAM
457	static int
458	clamd_option(clamd_address * cd, const uschar * optstr, int * subsep)
459	{
460	uschar * s;
461
462	cd->retry = `0`;
463	while ((s = string_nextinlist(&optstr, subsep, NULL, `0`)))
464	if (Ustrncmp(s, "retry=", `6`) == `0`)
465	{
466	int sec = readconf_readtime((s += `6`), `'\0'`, FALSE);
467	if (sec < `0`)
468	return FAIL;
469	cd->retry = sec;
470	}
471	else
472	return FAIL;
473	return OK;
474	}
475	#endif
476
477
478
479	/*************************************************
480	* Scan content for malware *
481	*************************************************/
482
483	/ This is an internal interface for scanning an email; the normal interface*
484	is via malware(), or there's malware_in_file() used for testing/debugging.
485
486	Arguments:
487	malware_re match condition for "malware="
488	scan_filename the file holding the email to be scanned, if we're faking
489	this up for the -bmalware test, else NULL
490	timeout if nonzero, non-default timeoutl
491
492	Returns: Exim message processing code (OK, FAIL, DEFER, ...)
493	where true means malware was found (condition applies)
494	*/
495	static int
496	malware_internal(const uschar * malware_re, const uschar * scan_filename,
497	int timeout)
498	{
499	int sep = `0`;
500	const uschar *av_scanner_work = av_scanner;
501	uschar *scanner_name;
502	unsigned long mbox_size;
503	FILE *mbox_file;
504	const pcre *re;
505	uschar * errstr;
506	struct scan * scanent;
507	const uschar * scanner_options;
508	int sock = -`1`;
509	time_t tmo;
510	uschar * eml_filename, * eml_dir;
511
512	if (!malware_re)
513	return FAIL; / empty means "don't match anything" /
514
515	/ Ensure the eml mbox file is spooled up /
516
517	if (!(mbox_file = spool_mbox(&mbox_size, scan_filename, &eml_filename)))
518	return malware_errlog_defer(US"error while creating mbox spool file");
519
520	/ None of our current scanners need the mbox file as a stream (they use*
521	the name), so we can close it right away. Get the directory too. /*
522
523	(void) fclose(mbox_file);
524	eml_dir = string_copyn(eml_filename, Ustrrchr(eml_filename, `'/'`) - eml_filename);
525
526	/ parse 1st option /
527	if (strcmpic(malware_re, US"false") == `0` \|\| Ustrcmp(malware_re,"0") == `0`)
528	return FAIL; / explicitly no matching /
529
530	/ special cases (match anything except empty) /
531	if ( strcmpic(malware_re,US"true") == `0`
532	\|\| Ustrcmp(malware_re,"*") == `0`
533	\|\| Ustrcmp(malware_re,"1") == `0`
534	)
535	{
536	if ( !malware_default_re
537	&& !(malware_default_re = m_pcre_compile(malware_regex_default, &errstr)))
538	return malware_errlog_defer(errstr);
539	malware_re = malware_regex_default;
540	re = malware_default_re;
541	}
542
543	/ compile the regex, see if it works /
544	else if (!(re = m_pcre_compile(malware_re, &errstr)))
545	return malware_errlog_defer(errstr);
546
547	/ if av_scanner starts with a dollar, expand it first /
548	if (*av_scanner == `'$'`)
549	{
550	if (!(av_scanner_work = expand_string(av_scanner)))
551	return malware_errlog_defer(
552	string_sprintf("av_scanner starts with $, but expansion failed: %s",
553	expand_string_message));
554
555	DEBUG(D_acl)
556	debug_printf_indent("Expanded av_scanner global: %s\n", av_scanner_work);
557	/ disable result caching in this case /
558	malware_name = NULL;
559	malware_ok = FALSE;
560	}
561
562	/ Do not scan twice (unless av_scanner is dynamic). /
563	if (!malware_ok)
564	{
565	/ find the scanner type from the av_scanner option /
566	if (!(scanner_name = string_nextinlist(&av_scanner_work, &sep, NULL, `0`)))
567	return malware_errlog_defer(US"av_scanner configuration variable is empty");
568	if (!timeout) timeout = MALWARE_TIMEOUT;
569	tmo = time(NULL) + timeout;
570
571	for (scanent = m_scans; ; scanent++)
572	{
573	if (!scanent->name)
574	return malware_errlog_defer(string_sprintf("unknown scanner type '%s'",
575	scanner_name));
576	if (strcmpic(scanner_name, US scanent->name) != `0`)
577	continue;
578	DEBUG(D_acl) debug_printf_indent("Malware scan: %s tmo=%s\n",
579	scanner_name, readconf_printtime(timeout));
580
581	if (!(scanner_options = string_nextinlist(&av_scanner_work, &sep, NULL, `0`)))
582	scanner_options = scanent->options_default;
583	if (scanent->conn == MC_NONE)
584	break;
585
586	DEBUG(D_acl) debug_printf_indent("%15s%10s%s\n", "", "socket: ", scanner_options);
587	switch(scanent->conn)
588	{
589	case MC_TCP: sock = ip_tcpsocket(scanner_options, &errstr, `5`); break;
590	case MC_UNIX: sock = ip_unixsocket(scanner_options, &errstr); break;
591	case MC_STRM: sock = ip_streamsocket(scanner_options, &errstr, `5`); break;
592	default: / compiler quietening / break;
593	}
594	if (sock < `0`)
595	return m_errlog_defer(scanent, CUS callout_address, errstr);
596	break;
597	}
598
599	switch (scanent->scancode)
600	{
601	#ifndef DISABLE_MAL_FFROTD
602	case M_FPROTD: / "f-protd" scanner type -------------------------------- /
603	{
604	uschar *fp_scan_option;
605	unsigned int detected=`0`, par_count=`0`;
606	uschar * scanrequest;
607	uschar buf[`32768`], strhelper, strhelper2;
608	uschar * malware_name_internal = NULL;
609	int len;
610
611	scanrequest = string_sprintf("GET %s", eml_filename);
612
613	while ((fp_scan_option = string_nextinlist(&av_scanner_work, &sep,
614	NULL, `0`)))
615	{
616	scanrequest = string_sprintf("%s%s%s", scanrequest,
617	par_count ? "%20" : "?", fp_scan_option);
618	par_count++;
619	}
620	scanrequest = string_sprintf("%s HTTP/1.0\r\n\r\n", scanrequest);
621	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
622	scanner_name, scanrequest);
623
624	/ send scan request /
625	if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+`1`, &errstr) < `0`)
626	return m_errlog_defer(scanent, CUS callout_address, errstr);
627
628	while ((len = recv_line(sock, buf, sizeof(buf), tmo)) >= `0`)
629	if (len > `0`)
630	{
631	if (Ustrstr(buf, US"<detected type=\"") != NULL)
632	detected = `1`;
633	else if (detected && (strhelper = Ustrstr(buf, US"<name>")))
634	{
635	if ((strhelper2 = Ustrstr(buf, US"</name>")) != NULL)
636	{
637	*strhelper2 = `'\0'`;
638	malware_name_internal = string_copy(strhelper+`6`);
639	}
640	}
641	else if (Ustrstr(buf, US"<summary code=\""))
642	{
643	malware_name = Ustrstr(buf, US"<summary code=\"11\">")
644	? malware_name_internal : NULL;
645	break;
646	}
647	}
648	if (len < -`1`)
649	{
650	(void)close(sock);
651	return DEFER;
652	}
653	break;
654	} / f-protd /
655	#endif
656
657	#ifndef DISABLE_MAL_FFROT6D
658	case M_FPROT6D: / "f-prot6d" scanner type ----------------------------------- /
659	{
660	int bread;
661	uschar * e;
662	uschar * linebuffer;
663	uschar * scanrequest;
664	uschar av_buffer[`1024`];
665
666	if ((!fprot6d_re_virus && !(fprot6d_re_virus = m_pcre_compile(fprot6d_re_virus_str, &errstr)))
667	\|\| (!fprot6d_re_error && !(fprot6d_re_error = m_pcre_compile(fprot6d_re_error_str, &errstr))))
668	return malware_errlog_defer(errstr);
669
670	scanrequest = string_sprintf("SCAN FILE %s\n", eml_filename);
671	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s: %s\n",
672	scanner_name, scanrequest);
673
674	if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest), &errstr) < `0`)
675	return m_errlog_defer(scanent, CUS callout_address, errstr);
676
677	bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
678
679	if (bread <= `0`)
680	return m_errlog_defer_3(scanent, CUS callout_address,
681	string_sprintf("unable to read from socket (%s)", strerror(errno)),
682	sock);
683
684	if (bread == sizeof(av_buffer))
685	return m_errlog_defer_3(scanent, CUS callout_address,
686	US"buffer too small", sock);
687
688	av_buffer[bread] = `'\0'`;
689	linebuffer = string_copy(av_buffer);
690
691	m_sock_send(sock, US"QUIT\n", `5`, `0`);
692
693	if ((e = m_pcre_exec(fprot6d_re_error, linebuffer)))
694	return m_errlog_defer_3(scanent, CUS callout_address,
695	string_sprintf("scanner reported error (%s)", e), sock);
696
697	if (!(malware_name = m_pcre_exec(fprot6d_re_virus, linebuffer)))
698	malware_name = NULL;
699
700	break;
701	} / f-prot6d /
702	#endif
703
704	#ifndef DISABLE_MAL_DRWEB
705	case M_DRWEB: / "drweb" scanner type ----------------------------------- /
706	/ v0.1 - added support for tcp sockets /
707	/ v0.0 - initial release -- support for unix sockets /
708	{
709	int result;
710	off_t fsize;
711	unsigned int fsize_uint;
712	uschar * tmpbuf, *drweb_fbuf;
713	int drweb_rc, drweb_cmd, drweb_flags = `0x0000`, drweb_fd,
714	drweb_vnum, drweb_slen, drweb_fin = `0x0000`;
715
716	/ prepare variables /
717	drweb_cmd = htonl(DRWEBD_SCAN_CMD);
718	drweb_flags = htonl(DRWEBD_RETURN_VIRUSES \| DRWEBD_IS_MAIL);
719
720	if (*scanner_options != `'/'`)
721	{
722	/ calc file size /
723	if ((drweb_fd = open(CCS eml_filename, O_RDONLY)) == -`1`)
724	return m_errlog_defer_3(scanent, NULL,
725	string_sprintf("can't open spool file %s: %s",
726	eml_filename, strerror(errno)),
727	sock);
728
729	if ((fsize = lseek(drweb_fd, `0`, SEEK_END)) == -`1`)
730	{
731	int err;
732	badseek: err = errno;
733	(void)close(drweb_fd);
734	return m_errlog_defer_3(scanent, NULL,
735	string_sprintf("can't seek spool file %s: %s",
736	eml_filename, strerror(err)),
737	sock);
738	}
739	fsize_uint = (unsigned int) fsize;
740	if ((off_t)fsize_uint != fsize)
741	{
742	(void)close(drweb_fd);
743	return m_errlog_defer_3(scanent, NULL,
744	string_sprintf("seeking spool file %s, size overflow",
745	eml_filename),
746	sock);
747	}
748	drweb_slen = htonl(fsize);
749	if (lseek(drweb_fd, `0`, SEEK_SET) < `0`)
750	goto badseek;
751
752	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s remote scan [%s]\n",
753	scanner_name, scanner_options);
754
755	/ send scan request /
756	if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), `0`) < `0`) \|\|
757	(send(sock, &drweb_flags, sizeof(drweb_flags), `0`) < `0`) \|\|
758	(send(sock, &drweb_fin, sizeof(drweb_fin), `0`) < `0`) \|\|
759	(send(sock, &drweb_slen, sizeof(drweb_slen), `0`) < `0`))
760	{
761	(void)close(drweb_fd);
762	return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
763	"unable to send commands to socket (%s)", scanner_options),
764	sock);
765	}
766
767	if (!(drweb_fbuf = US malloc(fsize_uint)))
768	{
769	(void)close(drweb_fd);
770	return m_errlog_defer_3(scanent, NULL,
771	string_sprintf("unable to allocate memory %u for file (%s)",
772	fsize_uint, eml_filename),
773	sock);
774	}
775
776	if ((result = read (drweb_fd, drweb_fbuf, fsize)) == -`1`)
777	{
778	int err = errno;
779	(void)close(drweb_fd);
780	free(drweb_fbuf);
781	return m_errlog_defer_3(scanent, NULL,
782	string_sprintf("can't read spool file %s: %s",
783	eml_filename, strerror(err)),
784	sock);
785	}
786	(void)close(drweb_fd);
787
788	/ send file body to socket /
789	if (send(sock, drweb_fbuf, fsize, `0`) < `0`)
790	{
791	free(drweb_fbuf);
792	return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
793	"unable to send file body to socket (%s)", scanner_options),
794	sock);
795	}
796	}
797	else
798	{
799	drweb_slen = htonl(Ustrlen(eml_filename));
800
801	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s local scan [%s]\n",
802	scanner_name, scanner_options);
803
804	/ send scan request /
805	if ((send(sock, &drweb_cmd, sizeof(drweb_cmd), `0`) < `0`) \|\|
806	(send(sock, &drweb_flags, sizeof(drweb_flags), `0`) < `0`) \|\|
807	(send(sock, &drweb_slen, sizeof(drweb_slen), `0`) < `0`) \|\|
808	(send(sock, eml_filename, Ustrlen(eml_filename), `0`) < `0`) \|\|
809	(send(sock, &drweb_fin, sizeof(drweb_fin), `0`) < `0`))
810	return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
811	"unable to send commands to socket (%s)", scanner_options),
812	sock);
813	}
814
815	/ wait for result /
816	if (!recv_len(sock, &drweb_rc, sizeof(drweb_rc), tmo))
817	return m_errlog_defer_3(scanent, CUS callout_address,
818	US"unable to read return code", sock);
819	drweb_rc = ntohl(drweb_rc);
820
821	if (!recv_len(sock, &drweb_vnum, sizeof(drweb_vnum), tmo))
822	return m_errlog_defer_3(scanent, CUS callout_address,
823	US"unable to read the number of viruses", sock);
824	drweb_vnum = ntohl(drweb_vnum);
825
826	/ "virus(es) found" if virus number is > 0 /
827	if (drweb_vnum)
828	{
829	int i;
830	gstring * g = NULL;
831
832	/ setup default virus name /
833	malware_name = US"unknown";
834
835	/ set up match regex /
836	if (!drweb_re)
837	drweb_re = m_pcre_compile(drweb_re_str, &errstr);
838
839	/ read and concatenate virus names into one string /
840	for (i = `0`; i < drweb_vnum; i++)
841	{
842	int ovector[`10`*`3`];
843
844	/ read the size of report /
845	if (!recv_len(sock, &drweb_slen, sizeof(drweb_slen), tmo))
846	return m_errlog_defer_3(scanent, CUS callout_address,
847	US"cannot read report size", sock);
848	drweb_slen = ntohl(drweb_slen);
849	tmpbuf = store_get(drweb_slen);
850
851	/ read report body /
852	if (!recv_len(sock, tmpbuf, drweb_slen, tmo))
853	return m_errlog_defer_3(scanent, CUS callout_address,
854	US"cannot read report string", sock);
855	tmpbuf[drweb_slen] = `'\0'`;
856
857	/ try matcher on the line, grab substring /
858	result = pcre_exec(drweb_re, NULL, CS tmpbuf, Ustrlen(tmpbuf), `0`, `0`,
859	ovector, nelem(ovector));
860	if (result >= `2`)
861	{
862	const char * pre_malware_nb;
863
864	pcre_get_substring(CS tmpbuf, ovector, result, `1`, &pre_malware_nb);
865
866	if (i==`0`) / the first name we just copy to malware_name /
867	g = string_cat(NULL, US pre_malware_nb);
868
869	/XXX could be string_append_listele? /
870	else / concatenate each new virus name to previous /
871	g = string_append(g, `2`, "/", pre_malware_nb);
872
873	pcre_free_substring(pre_malware_nb);
874	}
875	}
876	malware_name = string_from_gstring(g);
877	}
878	else
879	{
880	const char *drweb_s = NULL;
881
882	if (drweb_rc & DERR_READ_ERR) drweb_s = "read error";
883	if (drweb_rc & DERR_NOMEMORY) drweb_s = "no memory";
884	if (drweb_rc & DERR_TIMEOUT) drweb_s = "timeout";
885	if (drweb_rc & DERR_BAD_CALL) drweb_s = "wrong command";
886	/ retcodes DERR_SYMLINK, DERR_NO_REGFILE, DERR_SKIPPED.*
887	* DERR_TOO_BIG, DERR_TOO_COMPRESSED, DERR_SPAM,
888	* DERR_CRC_ERROR, DERR_READSOCKET, DERR_WRITE_ERR
889	* and others are ignored */
890	if (drweb_s)
891	return m_errlog_defer_3(scanent, CUS callout_address,
892	string_sprintf("drweb daemon retcode 0x%x (%s)", drweb_rc, drweb_s),
893	sock);
894
895	/ no virus found /
896	malware_name = NULL;
897	}
898	break;
899	} / drweb /
900	#endif
901
902	#ifndef DISABLE_MAL_AVE
903	case M_AVES: / "aveserver" scanner type -------------------------------- /
904	{
905	uschar buf[`32768`];
906	int result;
907
908	/ read aveserver's greeting and see if it is ready (2xx greeting) /
909	buf[`0`] = `0`;
910	recv_line(sock, buf, sizeof(buf), tmo);
911
912	if (buf[`0`] != `'2'`) / aveserver is having problems /
913	return m_errlog_defer_3(scanent, CUS callout_address,
914	string_sprintf("unavailable (Responded: %s).",
915	((buf[`0`] != `0`) ? buf : US "nothing") ),
916	sock);
917
918	/ prepare our command /
919	(void)string_format(buf, sizeof(buf), "SCAN bPQRSTUW %s\r\n",
920	eml_filename);
921
922	/ and send it /
923	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s %s\n",
924	scanner_name, buf);
925	if (m_sock_send(sock, buf, Ustrlen(buf), &errstr) < `0`)
926	return m_errlog_defer(scanent, CUS callout_address, errstr);
927
928	malware_name = NULL;
929	result = `0`;
930	/ read response lines, find malware name and final response /
931	while (recv_line(sock, buf, sizeof(buf), tmo) > `0`)
932	{
933	if (buf[`0`] == `'2'`)
934	break;
935	if (buf[`0`] == `'5'`) / aveserver is having problems /
936	{
937	result = m_errlog_defer(scanent, CUS callout_address,
938	string_sprintf("unable to scan file %s (Responded: %s).",
939	eml_filename, buf));
940	break;
941	}
942	if (Ustrncmp(buf,"322",`3`) == `0`)
943	{
944	uschar *p = Ustrchr(&buf[`4`], `' '`);
945	*p = `'\0'`;
946	malware_name = string_copy(&buf[`4`]);
947	}
948	}
949
950	if (m_sock_send(sock, US"quit\r\n", `6`, &errstr) < `0`)
951	return m_errlog_defer(scanent, CUS callout_address, errstr);
952
953	/ read aveserver's greeting and see if it is ready (2xx greeting) /
954	buf[`0`] = `0`;
955	recv_line(sock, buf, sizeof(buf), tmo);
956
957	if (buf[`0`] != `'2'`) / aveserver is having problems /
958	return m_errlog_defer_3(scanent, CUS callout_address,
959	string_sprintf("unable to quit dialogue (Responded: %s).",
960	((buf[`0`] != `0`) ? buf : US "nothing") ),
961	sock);
962
963	if (result == DEFER)
964	{
965	(void)close(sock);
966	return DEFER;
967	}
968	break;
969	} / aveserver /
970	#endif
971
972	#ifndef DISABLE_MAL_FSECURE
973	case M_FSEC: / "fsecure" scanner type ---------------------------------- /
974	{
975	int i, j, bread = `0`;
976	uschar * file_name;
977	uschar av_buffer[`1024`];
978	static uschar *cmdopt[] = { US"CONFIGURE\tARCHIVE\t1\n",
979	US"CONFIGURE\tTIMEOUT\t0\n",
980	US"CONFIGURE\tMAXARCH\t5\n",
981	US"CONFIGURE\tMIME\t1\n" };
982
983	malware_name = NULL;
984
985	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
986	scanner_name, scanner_options);
987	/ pass options /
988	memset(av_buffer, `0`, sizeof(av_buffer));
989	for (i = `0`; i != nelem(cmdopt); i++)
990	{
991
992	if (m_sock_send(sock, cmdopt[i], Ustrlen(cmdopt[i]), &errstr) < `0`)
993	return m_errlog_defer(scanent, CUS callout_address, errstr);
994
995	bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
996	if (bread > `0`) av_buffer[bread]=`'\0'`;
997	if (bread < `0`)
998	return m_errlog_defer_3(scanent, CUS callout_address,
999	string_sprintf("unable to read answer %d (%s)", i, strerror(errno)),
1000	sock);
1001	for (j = `0`; j < bread; j++)
1002	if (av_buffer[j] == `'\r'` \|\| av_buffer[j] == `'\n'`)
1003	av_buffer[j] =`'@'`;
1004	}
1005
1006	/ pass the mailfile to fsecure /
1007	file_name = string_sprintf("SCAN\t%s\n", eml_filename);
1008
1009	if (m_sock_send(sock, file_name, Ustrlen(file_name), &errstr) < `0`)
1010	return m_errlog_defer(scanent, CUS callout_address, errstr);
1011
1012	/ set up match /
1013	/ todo also SUSPICION\t /
1014	if (!fsec_re)
1015	fsec_re = m_pcre_compile(fsec_re_str, &errstr);
1016
1017	/ read report, linewise. Apply a timeout as the Fsecure daemon*
1018	sometimes wants an answer to "PING" but they won't tell us what /*
1019	{
1020	uschar * p = av_buffer;
1021	uschar * q;
1022
1023	for (;;)
1024	{
1025	errno = ETIMEDOUT;
1026	i = av_buffer+sizeof(av_buffer)-p;
1027	if ((bread= ip_recv(sock, p, i-`1`, tmo-time(NULL))) < `0`)
1028	return m_errlog_defer_3(scanent, CUS callout_address,
1029	string_sprintf("unable to read result (%s)", strerror(errno)),
1030	sock);
1031
1032	for (p[bread] = `'\0'`; (q = Ustrchr(p, `'\n'`)); p = q+`1`)
1033	{
1034	*q = `'\0'`;
1035
1036	/ Really search for virus again? /
1037	if (!malware_name)
1038	/ try matcher on the line, grab substring /
1039	malware_name = m_pcre_exec(fsec_re, p);
1040
1041	if (Ustrstr(p, "OK\tScan ok."))
1042	goto fsec_found;
1043	}
1044
1045	/ copy down the trailing partial line then read another chunk /
1046	i = av_buffer+sizeof(av_buffer)-p;
1047	memmove(av_buffer, p, i);
1048	p = av_buffer+i;
1049	}
1050	}
1051
1052	fsec_found:
1053	break;
1054	} / fsecure /
1055	#endif
1056
1057	#ifndef DISABLE_MAL_KAV
1058	case M_KAVD: / "kavdaemon" scanner type -------------------------------- /
1059	{
1060	time_t t;
1061	uschar tmpbuf[`1024`];
1062	uschar * scanrequest;
1063	int kav_rc;
1064	unsigned long kav_reportlen;
1065	int bread;
1066	const pcre *kav_re;
1067	uschar *p;
1068
1069	/ get current date and time, build scan request /
1070	time(&t);
1071	/ pdp note: before the eml_filename parameter, this scanned the*
1072	directory; not finding documentation, so we'll strip off the directory.
1073	The side-effect is that the test framework scanning may end up in
1074	scanning more than was requested, but for the normal interface, this is
1075	fine. /*
1076
1077	strftime(CS tmpbuf, sizeof(tmpbuf), "%d %b %H:%M:%S", localtime(&t));
1078	scanrequest = string_sprintf("<0>%s:%s", CS tmpbuf, eml_filename);
1079	p = Ustrrchr(scanrequest, `'/'`);
1080	if (p)
1081	*p = `'\0'`;
1082
1083	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
1084	scanner_name, scanner_options);
1085
1086	/ send scan request /
1087	if (m_sock_send(sock, scanrequest, Ustrlen(scanrequest)+`1`, &errstr) < `0`)
1088	return m_errlog_defer(scanent, CUS callout_address, errstr);
1089
1090	/ wait for result /
1091	if (!recv_len(sock, tmpbuf, `2`, tmo))
1092	return m_errlog_defer_3(scanent, CUS callout_address,
1093	US"unable to read 2 bytes from socket.", sock);
1094
1095	/ get errorcode from one nibble /
1096	kav_rc = tmpbuf[ test_byte_order()==LITTLE_MY_ENDIAN ? `0` : `1` ] & `0x0F`;
1097	switch(kav_rc)
1098	{
1099	case `5`: case `6`: / improper kavdaemon configuration /
1100	return m_errlog_defer_3(scanent, CUS callout_address,
1101	US"please reconfigure kavdaemon to NOT disinfect or remove infected files.",
1102	sock);
1103	case `1`:
1104	return m_errlog_defer_3(scanent, CUS callout_address,
1105	US"reported 'scanning not completed' (code 1).", sock);
1106	case `7`:
1107	return m_errlog_defer_3(scanent, CUS callout_address,
1108	US"reported 'kavdaemon damaged' (code 7).", sock);
1109	}
1110
1111	/ code 8 is not handled, since it is ambiguous. It appears mostly on*
1112	bounces where part of a file has been cut off /*
1113
1114	/ "virus found" return codes (2-4) /
1115	if (kav_rc > `1` && kav_rc < `5`)
1116	{
1117	int report_flag = `0`;
1118
1119	/ setup default virus name /
1120	malware_name = US"unknown";
1121
1122	report_flag = tmpbuf[ test_byte_order() == LITTLE_MY_ENDIAN ? `1` : `0` ];
1123
1124	/ read the report, if available /
1125	if (report_flag == `1`)
1126	{
1127	/ read report size /
1128	if (!recv_len(sock, &kav_reportlen, `4`, tmo))
1129	return m_errlog_defer_3(scanent, CUS callout_address,
1130	US"cannot read report size", sock);
1131
1132	/ it's possible that avp returns av_buffer[1] == 1 but the*
1133	reportsize is 0 (!?) /*
1134	if (kav_reportlen > `0`)
1135	{
1136	/ set up match regex, depends on retcode /
1137	if (kav_rc == `3`)
1138	{
1139	if (!kav_re_sus) kav_re_sus = m_pcre_compile(kav_re_sus_str, &errstr);
1140	kav_re = kav_re_sus;
1141	}
1142	else
1143	{
1144	if (!kav_re_inf) kav_re_inf = m_pcre_compile(kav_re_inf_str, &errstr);
1145	kav_re = kav_re_inf;
1146	}
1147
1148	/ read report, linewise. Using size from stream to read amount of data*
1149	from same stream is safe enough. /*
1150	/ coverity[tainted_data] /
1151	while (kav_reportlen > `0`)
1152	{
1153	if ((bread = recv_line(sock, tmpbuf, sizeof(tmpbuf), tmo)) < `0`)
1154	break;
1155	kav_reportlen -= bread+`1`;
1156
1157	/ try matcher on the line, grab substring /
1158	if ((malware_name = m_pcre_exec(kav_re, tmpbuf)))
1159	break;
1160	}
1161	}
1162	}
1163	}
1164	else / no virus found /
1165	malware_name = NULL;
1166
1167	break;
1168	}
1169	#endif
1170
1171	#ifndef DISABLE_MAL_CMDLINE
1172	case M_CMDL: / "cmdline" scanner type ---------------------------------- /
1173	{
1174	const uschar *cmdline_scanner = scanner_options;
1175	const pcre *cmdline_trigger_re;
1176	const pcre *cmdline_regex_re;
1177	uschar * file_name;
1178	uschar * commandline;
1179	void (eximsigchld)(int*);
1180	void (eximsigpipe)(int*);
1181	FILE *scanner_out = NULL;
1182	int scanner_fd;
1183	FILE *scanner_record = NULL;
1184	uschar linebuffer[`32767`];
1185	int rcnt;
1186	int trigger = `0`;
1187	uschar *p;
1188
1189	if (!cmdline_scanner)
1190	return m_errlog_defer(scanent, NULL, errstr);
1191
1192	/ find scanner output trigger /
1193	cmdline_trigger_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1194	"missing trigger specification", &errstr);
1195	if (!cmdline_trigger_re)
1196	return m_errlog_defer(scanent, NULL, errstr);
1197
1198	/ find scanner name regex /
1199	cmdline_regex_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1200	"missing virus name regex specification", &errstr);
1201	if (!cmdline_regex_re)
1202	return m_errlog_defer(scanent, NULL, errstr);
1203
1204	/ prepare scanner call; despite the naming, file_name holds a directory*
1205	name which is documented as the value given to %s. /*
1206
1207	file_name = string_copy(eml_filename);
1208	p = Ustrrchr(file_name, `'/'`);
1209	if (p)
1210	*p = `'\0'`;
1211	commandline = string_sprintf(CS cmdline_scanner, file_name);
1212
1213	/ redirect STDERR too /
1214	commandline = string_sprintf("%s 2>&1", commandline);
1215
1216	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
1217	scanner_name, commandline);
1218
1219	/ store exims signal handlers /
1220	eximsigchld = signal(SIGCHLD,SIG_DFL);
1221	eximsigpipe = signal(SIGPIPE,SIG_DFL);
1222
1223	if (!(scanner_out = popen(CS commandline,"r")))
1224	{
1225	int err = errno;
1226	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1227	return m_errlog_defer(scanent, NULL,
1228	string_sprintf("call (%s) failed: %s.", commandline, strerror(err)));
1229	}
1230	scanner_fd = fileno(scanner_out);
1231
1232	file_name = string_sprintf("%s/%s_scanner_output", eml_dir, message_id);
1233
1234	if (!(scanner_record = modefopen(file_name, "wb", SPOOL_MODE)))
1235	{
1236	int err = errno;
1237	(void) pclose(scanner_out);
1238	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1239	return m_errlog_defer(scanent, NULL, string_sprintf(
1240	"opening scanner output file (%s) failed: %s.",
1241	file_name, strerror(err)));
1242	}
1243
1244	/ look for trigger while recording output /
1245	while ((rcnt = recv_line(scanner_fd, linebuffer,
1246	sizeof(linebuffer), tmo)))
1247	{
1248	if (rcnt < `0`)
1249	{
1250	int err = errno;
1251	if (rcnt == -`1`)
1252	break;
1253	(void) pclose(scanner_out);
1254	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1255	return m_errlog_defer(scanent, NULL, string_sprintf(
1256	"unable to read from scanner (%s): %s",
1257	commandline, strerror(err)));
1258	}
1259
1260	if (Ustrlen(linebuffer) > fwrite(linebuffer, `1`, Ustrlen(linebuffer), scanner_record))
1261	{
1262	/ short write /
1263	(void) pclose(scanner_out);
1264	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1265	return m_errlog_defer(scanent, NULL, string_sprintf(
1266	"short write on scanner output file (%s).", file_name));
1267	}
1268	putc(`'\n'`, scanner_record);
1269	/ try trigger match /
1270	if ( !trigger
1271	&& regex_match_and_setup(cmdline_trigger_re, linebuffer, `0`, -`1`)
1272	)
1273	trigger = `1`;
1274	}
1275
1276	(void)fclose(scanner_record);
1277	sep = pclose(scanner_out);
1278	signal(SIGCHLD,eximsigchld); signal(SIGPIPE,eximsigpipe);
1279	if (sep != `0`)
1280	return m_errlog_defer(scanent, NULL,
1281	sep == -`1`
1282	? string_sprintf("running scanner failed: %s", strerror(sep))
1283	: string_sprintf("scanner returned error code: %d", sep));
1284
1285	if (trigger)
1286	{
1287	uschar * s;
1288	/ setup default virus name /
1289	malware_name = US"unknown";
1290
1291	/ re-open the scanner output file, look for name match /
1292	scanner_record = fopen(CS file_name, "rb");
1293	while (fgets(CS linebuffer, sizeof(linebuffer), scanner_record))
1294	{
1295	/ try match /
1296	if ((s = m_pcre_exec(cmdline_regex_re, linebuffer)))
1297	malware_name = s;
1298	}
1299	(void)fclose(scanner_record);
1300	}
1301	else / no virus found /
1302	malware_name = NULL;
1303	break;
1304	} / cmdline /
1305	#endif
1306
1307	#ifndef DISABLE_MAL_SOPHIE
1308	case M_SOPHIE: / "sophie" scanner type --------------------------------- /
1309	{
1310	int bread = `0`;
1311	uschar *p;
1312	uschar * file_name;
1313	uschar av_buffer[`1024`];
1314
1315	/ pass the scan directory to sophie /
1316	file_name = string_copy(eml_filename);
1317	if ((p = Ustrrchr(file_name, `'/'`)))
1318	*p = `'\0'`;
1319
1320	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan [%s]\n",
1321	scanner_name, scanner_options);
1322
1323	if ( write(sock, file_name, Ustrlen(file_name)) < `0`
1324	\|\| write(sock, "\n", `1`) != `1`
1325	)
1326	return m_errlog_defer_3(scanent, CUS callout_address,
1327	string_sprintf("unable to write to UNIX socket (%s)", scanner_options),
1328	sock);
1329
1330	/ wait for result /
1331	memset(av_buffer, `0`, sizeof(av_buffer));
1332	if ((bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL))) <= `0`)
1333	return m_errlog_defer_3(scanent, CUS callout_address,
1334	string_sprintf("unable to read from UNIX socket (%s)", scanner_options),
1335	sock);
1336
1337	/ infected ? /
1338	if (av_buffer[`0`] == `'1'`) {
1339	uschar * s = Ustrchr(av_buffer, `'\n'`);
1340	if (s)
1341	*s = `'\0'`;
1342	malware_name = string_copy(&av_buffer[`2`]);
1343	}
1344	else if (!strncmp(CS av_buffer, "-1", `2`))
1345	return m_errlog_defer_3(scanent, CUS callout_address,
1346	US"scanner reported error", sock);
1347	else / all ok, no virus /
1348	malware_name = NULL;
1349
1350	break;
1351	}
1352	#endif
1353
1354	#ifndef DISABLE_MAL_CLAM
1355	case M_CLAMD: / "clamd" scanner type ----------------------------------- /
1356	{
1357	/ This code was originally contributed by David Saez /
1358	/ There are three scanning methods available to us:*
1359	* (1) Use the SCAN command, pointing to a file in the filesystem
1360	* (2) Use the STREAM command, send the data on a separate port
1361	* (3) Use the zINSTREAM command, send the data inline
1362	* The zINSTREAM command was introduced with ClamAV 0.95, which marked
1363	* STREAM deprecated; see: http://wiki.clamav.net/bin/view/Main/UpgradeNotes095
1364	* In Exim, we use SCAN if using a Unix-domain socket or explicitly told that
1365	* the TCP-connected daemon is actually local; otherwise we use zINSTREAM
1366	* See Exim bug 926 for details. */
1367
1368	uschar p, vname, *result_tag;
1369	int bread=`0`;
1370	uschar av_buffer[`1024`];
1371	uschar *hostname = US"";
1372	host_item connhost;
1373	uschar *clamav_fbuf;
1374	int clam_fd, result;
1375	off_t fsize;
1376	unsigned int fsize_uint;
1377	BOOL use_scan_command = FALSE;
1378	clamd_address * cv[MAX_CLAMD_SERVERS];
1379	int num_servers = `0`;
1380	uint32_t send_size, send_final_zeroblock;
1381	blob cmd_str;
1382
1383	/XXX if unixdomain socket, only one server supported. Needs fixing;*
1384	there's no reason we should not mix local and remote servers /*
1385
1386	if (*scanner_options == `'/'`)
1387	{
1388	clamd_address * cd;
1389	const uschar * sublist;
1390	int subsep = `' '`;
1391
1392	/ Local file; so we def want to use_scan_command and don't want to try*
1393	* passing IP/port combinations */
1394	use_scan_command = TRUE;
1395	cd = (clamd_address ) store_get(sizeof*(clamd_address));
1396
1397	/ extract socket-path part /
1398	sublist = scanner_options;
1399	cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, `0`);
1400
1401	/ parse options /
1402	if (clamd_option(cd, sublist, &subsep) != OK)
1403	return m_errlog_defer(scanent, NULL,
1404	string_sprintf("bad option '%s'", scanner_options));
1405	cv[`0`] = cd;
1406	}
1407	else
1408	{
1409	/ Go through the rest of the list of host/port and construct an array*
1410	* of servers to try. The first one is the bit we just passed from
1411	* scanner_options so process that first and then scan the remainder of
1412	* the address buffer */
1413	do
1414	{
1415	clamd_address * cd;
1416	const uschar * sublist;
1417	int subsep = `' '`;
1418	uschar * s;
1419
1420	/ The 'local' option means use the SCAN command over the network*
1421	* socket (ie common file storage in use) */
1422	/XXX we could accept this also as a local option? /
1423	if (strcmpic(scanner_options, US"local") == `0`)
1424	{
1425	use_scan_command = TRUE;
1426	continue;
1427	}
1428
1429	cd = (clamd_address ) store_get(sizeof*(clamd_address));
1430
1431	/ extract host and port part /
1432	sublist = scanner_options;
1433	if (!(cd->hostspec = string_nextinlist(&sublist, &subsep, NULL, `0`)))
1434	{
1435	(void) m_errlog_defer(scanent, NULL,
1436	string_sprintf("missing address: '%s'", scanner_options));
1437	continue;
1438	}
1439	if (!(s = string_nextinlist(&sublist, &subsep, NULL, `0`)))
1440	{
1441	(void) m_errlog_defer(scanent, NULL,
1442	string_sprintf("missing port: '%s'", scanner_options));
1443	continue;
1444	}
1445	cd->tcp_port = atoi(CS s);
1446
1447	/ parse options /
1448	/XXX should these options be common over scanner types? /
1449	if (clamd_option(cd, sublist, &subsep) != OK)
1450	return m_errlog_defer(scanent, NULL,
1451	string_sprintf("bad option '%s'", scanner_options));
1452
1453	cv[num_servers++] = cd;
1454	if (num_servers >= MAX_CLAMD_SERVERS)
1455	{
1456	(void) m_errlog_defer(scanent, NULL,
1457	US"More than " MAX_CLAMD_SERVERS_S " clamd servers "
1458	"specified; only using the first " MAX_CLAMD_SERVERS_S );
1459	break;
1460	}
1461	} while ((scanner_options = string_nextinlist(&av_scanner_work, &sep,
1462	NULL, `0`)));
1463
1464	/ check if we have at least one server /
1465	if (!num_servers)
1466	return m_errlog_defer(scanent, NULL,
1467	US"no useable server addresses in malware configuration option.");
1468	}
1469
1470	/ See the discussion of response formats below to see why we really*
1471	don't like colons in filenames when passing filenames to ClamAV. /*
1472	if (use_scan_command && Ustrchr(eml_filename, `':'`))
1473	return m_errlog_defer(scanent, NULL,
1474	string_sprintf("local/SCAN mode incompatible with" \
1475	" : in path to email filename [%s]", eml_filename));
1476
1477	/ Set up the very first data we will be sending /
1478	if (!use_scan_command)
1479	{ cmd_str.data = US"zINSTREAM"; cmd_str.len = `10`; }
1480	else
1481	{
1482	cmd_str.data = string_sprintf("SCAN %s\n", eml_filename);
1483	cmd_str.len = Ustrlen(cmd_str.data);
1484	}
1485
1486	/ We have some network servers specified /
1487	if (num_servers)
1488	{
1489	/ Confirmed in ClamAV source (0.95.3) that the TCPAddr option of clamd*
1490	* only supports AF_INET, but we should probably be looking to the
1491	* future and rewriting this to be protocol-independent anyway. */
1492
1493	while (num_servers > `0`)
1494	{
1495	int i = random_number(num_servers);
1496	clamd_address * cd = cv[i];
1497
1498	DEBUG(D_acl) debug_printf_indent("trying server name %s, port %u\n",
1499	cd->hostspec, cd->tcp_port);
1500
1501	/ Lookup the host. This is to ensure that we connect to the same IP*
1502	* on both connections (as one host could resolve to multiple ips) */
1503	for (;;)
1504	{
1505	if ((sock = m_tcpsocket(cd->hostspec, cd->tcp_port,
1506	&connhost, &errstr, &cmd_str)) >= `0`)
1507	{
1508	/ Connection successfully established with a server /
1509	hostname = cd->hostspec;
1510	cmd_str.len = `0`;
1511	break;
1512	}
1513	if (cd->retry <= `0`) break;
1514	while (cd->retry > `0`) cd->retry = sleep(cd->retry);
1515	}
1516	if (sock >= `0`)
1517	break;
1518
1519	(void) m_errlog_defer(scanent, CUS callout_address, errstr);
1520
1521	/ Remove the server from the list. XXX We should free the memory /
1522	num_servers--;
1523	for (; i < num_servers; i++)
1524	cv[i] = cv[i+`1`];
1525	}
1526
1527	if (num_servers == `0`)
1528	return m_errlog_defer(scanent, NULL, US"all servers failed");
1529	}
1530	else
1531	for (;;)
1532	{
1533	if ((sock = ip_unixsocket(cv[`0`]->hostspec, &errstr)) >= `0`)
1534	{
1535	hostname = cv[`0`]->hostspec;
1536	break;
1537	}
1538	if (cv[`0`]->retry <= `0`)
1539	return m_errlog_defer(scanent, CUS callout_address, errstr);
1540	while (cv[`0`]->retry > `0`) cv[`0`]->retry = sleep(cv[`0`]->retry);
1541	}
1542
1543	/ have socket in variable "sock"; command to use is semi-independent of*
1544	* the socket protocol. We use SCAN if is local (either Unix/local
1545	* domain socket, or explicitly told local) else we stream the data.
1546	* How we stream the data depends upon how we were built. */
1547
1548	if (!use_scan_command)
1549	{
1550	/ New protocol: "zINSTREAM\n" followed by a sequence of <length><data>*
1551	chunks, <n> a 4-byte number (network order), terminated by a zero-length
1552	chunk. /*
1553
1554	DEBUG(D_acl) debug_printf_indent(
1555	"Malware scan: issuing %s new-style remote scan (zINSTREAM)\n",
1556	scanner_name);
1557
1558	/ Pass the string to ClamAV (10 = "zINSTREAM\0"), if not already sent /
1559	if (cmd_str.len)
1560	if (send(sock, cmd_str.data, cmd_str.len, `0`) < `0`)
1561	return m_errlog_defer_3(scanent, CUS hostname,
1562	string_sprintf("unable to send zINSTREAM to socket (%s)",
1563	strerror(errno)),
1564	sock);
1565
1566	/ calc file size /
1567	if ((clam_fd = open(CS eml_filename, O_RDONLY)) < `0`)
1568	{
1569	int err = errno;
1570	return m_errlog_defer_3(scanent, NULL,
1571	string_sprintf("can't open spool file %s: %s",
1572	eml_filename, strerror(err)),
1573	sock);
1574	}
1575	if ((fsize = lseek(clam_fd, `0`, SEEK_END)) < `0`)
1576	{
1577	int err;
1578	b_seek: err = errno;
1579	(void)close(clam_fd);
1580	return m_errlog_defer_3(scanent, NULL,
1581	string_sprintf("can't seek spool file %s: %s",
1582	eml_filename, strerror(err)),
1583	sock);
1584	}
1585	fsize_uint = (unsigned int) fsize;
1586	if ((off_t)fsize_uint != fsize)
1587	{
1588	(void)close(clam_fd);
1589	return m_errlog_defer_3(scanent, NULL,
1590	string_sprintf("seeking spool file %s, size overflow",
1591	eml_filename),
1592	sock);
1593	}
1594	if (lseek(clam_fd, `0`, SEEK_SET) < `0`)
1595	goto b_seek;
1596
1597	if (!(clamav_fbuf = US malloc(fsize_uint)))
1598	{
1599	(void)close(clam_fd);
1600	return m_errlog_defer_3(scanent, NULL,
1601	string_sprintf("unable to allocate memory %u for file (%s)",
1602	fsize_uint, eml_filename),
1603	sock);
1604	}
1605
1606	if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < `0`)
1607	{
1608	int err = errno;
1609	free(clamav_fbuf); (void)close(clam_fd);
1610	return m_errlog_defer_3(scanent, NULL,
1611	string_sprintf("can't read spool file %s: %s",
1612	eml_filename, strerror(err)),
1613	sock);
1614	}
1615	(void)close(clam_fd);
1616
1617	/ send file body to socket /
1618	send_size = htonl(fsize_uint);
1619	send_final_zeroblock = `0`;
1620	if ((send(sock, &send_size, sizeof(send_size), `0`) < `0`) \|\|
1621	(send(sock, clamav_fbuf, fsize_uint, `0`) < `0`) \|\|
1622	(send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), `0`) < `0`))
1623	{
1624	free(clamav_fbuf);
1625	return m_errlog_defer_3(scanent, NULL,
1626	string_sprintf("unable to send file body to socket (%s)", hostname),
1627	sock);
1628	}
1629
1630	free(clamav_fbuf);
1631	}
1632	else
1633	{ / use scan command /
1634	/ Send a SCAN command pointing to a filename; then in the then in the*
1635	* scan-method-neutral part, read the response back */
1636
1637	/ ================================================================= /
1638
1639	/ Prior to the reworking post-Exim-4.72, this scanned a directory,*
1640	which dates to when ClamAV needed us to break apart the email into the
1641	MIME parts (eg, with the now deprecated demime condition coming first).
1642	Some time back, ClamAV gained the ability to deconstruct the emails, so
1643	doing this would actually have resulted in the mail attachments being
1644	scanned twice, in the broken out files and from the original .eml.
1645	Since ClamAV now handles emails (and has for quite some time) we can
1646	just use the email file itself. /*
1647	/ Pass the string to ClamAV (7 = "SCAN \n" + \0), if not already sent /
1648
1649	DEBUG(D_acl) debug_printf_indent(
1650	"Malware scan: issuing %s local-path scan [%s]\n",
1651	scanner_name, scanner_options);
1652
1653	if (cmd_str.len)
1654	if (send(sock, cmd_str.data, cmd_str.len, `0`) < `0`)
1655	return m_errlog_defer_3(scanent, CUS callout_address,
1656	string_sprintf("unable to write to socket (%s)", strerror(errno)),
1657	sock);
1658
1659	/ Do not shut down the socket for writing; a user report noted that*
1660	* clamd 0.70 does not react well to this. */
1661	}
1662	/ Commands have been sent, no matter which scan method or connection*
1663	* type we're using; now just read the result, independent of method. */
1664
1665	/ Read the result /
1666	memset(av_buffer, `0`, sizeof(av_buffer));
1667	bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1668	(void)close(sock);
1669	sock = -`1`;
1670
1671	if (bread <= `0`)
1672	return m_errlog_defer(scanent, CUS callout_address,
1673	string_sprintf("unable to read from socket (%s)",
1674	errno == `0` ? "EOF" : strerror(errno)));
1675
1676	if (bread == sizeof(av_buffer))
1677	return m_errlog_defer(scanent, CUS callout_address,
1678	US"buffer too small");
1679	/ We're now assured of a NULL at the end of av_buffer /
1680
1681	/ Check the result. ClamAV returns one of two result formats.*
1682	In the basic mode, the response is of the form:
1683	infected: -> "<filename>: <virusname> FOUND"
1684	not-infected: -> "<filename>: OK"
1685	error: -> "<filename>: <errcode> ERROR
1686	If the ExtendedDetectionInfo option has been turned on, then we get:
1687	"<filename>: <virusname>(<virushash>:<virussize>) FOUND"
1688	for the infected case. Compare:
1689	/tmp/eicar.com: Eicar-Test-Signature FOUND
1690	/tmp/eicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
1691
1692	In the streaming case, clamd uses the filename "stream" which you should
1693	be able to verify with { ktrace clamdscan --stream /tmp/eicar.com }. (The
1694	client app will replace "stream" with the original filename before returning
1695	results to stdout, but the trace shows the data).
1696
1697	We will assume that the pathname passed to clamd from Exim does not contain
1698	a colon. We will have whined loudly above if the eml_filename does (and we're
1699	passing a filename to clamd). /*
1700
1701	if (!(*av_buffer))
1702	return m_errlog_defer(scanent, CUS callout_address,
1703	US"ClamAV returned null");
1704
1705	/ strip newline at the end (won't be present for zINSTREAM)*
1706	(also any trailing whitespace, which shouldn't exist, but we depend upon
1707	this below, so double-check) /*
1708	p = av_buffer + Ustrlen(av_buffer) - `1`;
1709	if (p == `'\n'`) p = `'\0'`;
1710
1711	DEBUG(D_acl) debug_printf_indent("Malware response: %s\n", av_buffer);
1712
1713	while (isspace(*--p) && (p > av_buffer))
1714	*p = `'\0'`;
1715	if (*p) ++p;
1716
1717	/ colon in returned output? /
1718	if(!(p = Ustrchr(av_buffer,`':'`)))
1719	return m_errlog_defer(scanent, CUS callout_address, string_sprintf(
1720	"ClamAV returned malformed result (missing colon): %s",
1721	av_buffer));
1722
1723	/ strip filename /
1724	while (p && isspace(++p)) //;
1725	vname = p;
1726
1727	/ It would be bad to encounter a virus with "FOUND" in part of the name,*
1728	but we should at least be resistant to it. /*
1729	p = Ustrrchr(vname, `' '`);
1730	result_tag = p ? p+`1` : vname;
1731
1732	if (Ustrcmp(result_tag, "FOUND") == `0`)
1733	{
1734	/ p should still be the whitespace before the result_tag /
1735	while (isspace(*p)) --p;
1736	*++p = `'\0'`;
1737	/ Strip off the extended information too, which will be in parens*
1738	after the virus name, with no intervening whitespace. /*
1739	if (*--p == `')'`)
1740	{
1741	/ "(hash:size)", so previous '(' will do; if not found, we have*
1742	a curious virus name, but not an error. /*
1743	p = Ustrrchr(vname, `'('`);
1744	if (p)
1745	*p = `'\0'`;
1746	}
1747	malware_name = string_copy(vname);
1748	DEBUG(D_acl) debug_printf_indent("Malware found, name \"%s\"\n", malware_name);
1749
1750	}
1751	else if (Ustrcmp(result_tag, "ERROR") == `0`)
1752	return m_errlog_defer(scanent, CUS callout_address,
1753	string_sprintf("ClamAV returned: %s", av_buffer));
1754
1755	else if (Ustrcmp(result_tag, "OK") == `0`)
1756	{
1757	/ Everything should be OK /
1758	malware_name = NULL;
1759	DEBUG(D_acl) debug_printf_indent("Malware not found\n");
1760
1761	}
1762	else
1763	return m_errlog_defer(scanent, CUS callout_address,
1764	string_sprintf("unparseable response from ClamAV: {%s}", av_buffer));
1765
1766	break;
1767	} / clamd /
1768	#endif
1769
1770	#ifndef DISABLE_MAL_SOCK
1771	case M_SOCK: / "sock" scanner type ------------------------------------- /
1772	/ This code was derived by Martin Poole from the clamd code contributed*
1773	by David Saez and the cmdline code
1774	*/
1775	{
1776	int bread;
1777	uschar * commandline;
1778	uschar av_buffer[`1024`];
1779	uschar * linebuffer;
1780	uschar * sockline_scanner;
1781	uschar sockline_scanner_default[] = "%s\n";
1782	const pcre *sockline_trig_re;
1783	const pcre *sockline_name_re;
1784
1785	/ find scanner command line /
1786	if ( (sockline_scanner = string_nextinlist(&av_scanner_work, &sep,
1787	NULL, `0`))
1788	&& *sockline_scanner
1789	)
1790	{ / check for no expansions apart from one %s /
1791	uschar * s = Ustrchr(sockline_scanner, `'%'`);
1792	if (s++)
1793	if ((s != `'s'` && s != `'%'`) \|\| Ustrchr(s+`1`, `'%'`))
1794	return m_errlog_defer_3(scanent, NULL,
1795	US"unsafe sock scanner call spec", sock);
1796	}
1797	else
1798	sockline_scanner = sockline_scanner_default;
1799	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "cmdline: ",
1800	string_printing(sockline_scanner));
1801
1802	/ find scanner output trigger /
1803	sockline_trig_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1804	"missing trigger specification", &errstr);
1805	if (!sockline_trig_re)
1806	return m_errlog_defer_3(scanent, NULL, errstr, sock);
1807
1808	/ find virus name regex /
1809	sockline_name_re = m_pcre_nextinlist(&av_scanner_work, &sep,
1810	"missing virus name regex specification", &errstr);
1811	if (!sockline_name_re)
1812	return m_errlog_defer_3(scanent, NULL, errstr, sock);
1813
1814	/ prepare scanner call - security depends on expansions check above /
1815	commandline = string_sprintf( CS sockline_scanner, CS eml_filename);
1816	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "expanded: ",
1817	string_printing(commandline));
1818
1819	/ Pass the command string to the socket /
1820	if (m_sock_send(sock, commandline, Ustrlen(commandline), &errstr) < `0`)
1821	return m_errlog_defer(scanent, CUS callout_address, errstr);
1822
1823	/ Read the result /
1824	bread = ip_recv(sock, av_buffer, sizeof(av_buffer), tmo-time(NULL));
1825
1826	if (bread <= `0`)
1827	return m_errlog_defer_3(scanent, CUS callout_address,
1828	string_sprintf("unable to read from socket (%s)", strerror(errno)),
1829	sock);
1830
1831	if (bread == sizeof(av_buffer))
1832	return m_errlog_defer_3(scanent, CUS callout_address,
1833	US"buffer too small", sock);
1834	av_buffer[bread] = `'\0'`;
1835	linebuffer = string_copy(av_buffer);
1836	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "answer: ",
1837	string_printing(linebuffer));
1838
1839	/ try trigger match /
1840	if (regex_match_and_setup(sockline_trig_re, linebuffer, `0`, -`1`))
1841	{
1842	if (!(malware_name = m_pcre_exec(sockline_name_re, av_buffer)))
1843	malware_name = US "unknown";
1844	DEBUG(D_acl) debug_printf_indent("%15s%10s'%s'\n", "", "name: ",
1845	string_printing(malware_name));
1846	}
1847	else / no virus found /
1848	malware_name = NULL;
1849	break;
1850	}
1851	#endif
1852
1853	#ifndef DISABLE_MAL_MKS
1854	case M_MKSD: / "mksd" scanner type ------------------------------------- /
1855	{
1856	char *mksd_options_end;
1857	int mksd_maxproc = `1`; / default, if no option supplied /
1858	int retval;
1859
1860	if (scanner_options)
1861	{
1862	mksd_maxproc = (int)strtol(CS scanner_options, &mksd_options_end, `10`);
1863	if ( *scanner_options == `'\0'`
1864	\|\| *mksd_options_end != `'\0'`
1865	\|\| mksd_maxproc < `1`
1866	\|\| mksd_maxproc > `32`
1867	)
1868	return m_errlog_defer(scanent, CUS callout_address,
1869	string_sprintf("invalid option '%s'", scanner_options));
1870	}
1871
1872	if((sock = ip_unixsocket(US "/var/run/mksd/socket", &errstr)) < `0`)
1873	return m_errlog_defer(scanent, CUS callout_address, errstr);
1874
1875	malware_name = NULL;
1876
1877	DEBUG(D_acl) debug_printf_indent("Malware scan: issuing %s scan\n", scanner_name);
1878
1879	if ((retval = mksd_scan_packed(scanent, sock, eml_filename, tmo)) != OK)
1880	{
1881	close (sock);
1882	return retval;
1883	}
1884	break;
1885	}
1886	#endif
1887
1888	#ifndef DISABLE_MAL_AVAST
1889	case M_AVAST: / "avast" scanner type ----------------------------------- /
1890	{
1891	int ovector[`1`*`3`];
1892	uschar buf[`1024`];
1893	uschar * scanrequest;
1894	enum {AVA_HELO, AVA_OPT, AVA_RSP, AVA_DONE} avast_stage;
1895	int nread;
1896
1897	/ According to Martin Tuma @avast the protocol uses "escaped*
1898	whitespace", that is, every embedded whitespace is backslash
1899	escaped, as well as backslash is protected by backslash.
1900	The returned lines contain the name of the scanned file, a tab
1901	and the [ ] marker.
1902	[+] - not infected
1903	[L] - infected
1904	[E] - some error occured
1905	Such marker follows the first non-escaped TAB. /*
1906	if ( ( !ava_re_clean
1907	&& !(ava_re_clean = m_pcre_compile(ava_re_clean_str, &errstr)))
1908	\|\| ( !ava_re_virus
1909	&& !(ava_re_virus = m_pcre_compile(ava_re_virus_str, &errstr)))
1910	)
1911	return malware_errlog_defer(errstr);
1912
1913	/ wait for result /
1914	for (avast_stage = AVA_HELO;
1915	(nread = recv_line(sock, buf, sizeof(buf), tmo)) > `0`;
1916	)
1917	{
1918	int slen = Ustrlen(buf);
1919	if (slen >= `1`)
1920	{
1921	DEBUG(D_acl) debug_printf_indent("got from avast: %s\n", buf);
1922	switch (avast_stage)
1923	{
1924	case AVA_HELO:
1925	if (Ustrncmp(buf, "220", `3`) != `0`)
1926	goto endloop; / require a 220 /
1927	goto sendreq;
1928
1929	case AVA_OPT:
1930	if (Ustrncmp(buf, "210", `3`) == `0`)
1931	break; / ignore 210 responses /
1932	if (Ustrncmp(buf, "200", `3`) != `0`)
1933	goto endloop; / require a 200 /
1934
1935	sendreq:
1936	{
1937	int len;
1938	/ Check for another option to send. Newline-terminate it. /
1939	if ((scanrequest = string_nextinlist(&av_scanner_work, &sep,
1940	NULL, `0`)))
1941	{
1942	scanrequest = string_sprintf("%s\n", scanrequest);
1943	avast_stage = AVA_OPT; / just sent option /
1944	}
1945	else
1946	{
1947	scanrequest = string_sprintf("SCAN %s\n", eml_dir);
1948	avast_stage = AVA_RSP; / just sent command /
1949	}
1950
1951	/ send config-cmd or scan-request to socket /
1952	len = Ustrlen(scanrequest);
1953	if (send(sock, scanrequest, len, `0`) < `0`)
1954	{
1955	scanrequest[len-`1`] = `'\0'`;
1956	return m_errlog_defer_3(scanent, CUS callout_address, string_sprintf(
1957	"unable to send request '%s' to socket (%s): %s",
1958	scanrequest, scanner_options, strerror(errno)), sock);
1959	}
1960	break;
1961	}
1962
1963	case AVA_RSP:
1964	if (Ustrncmp(buf, "210", `3`) == `0`)
1965	break; / ignore the "210 SCAN DATA" message /
1966
1967	if (pcre_exec(ava_re_clean, NULL, CS buf, slen,
1968	`0`, `0`, ovector, nelem(ovector)) > `0`)
1969	break;
1970
1971	if ( !malware_name
1972	&& (malware_name = m_pcre_exec(ava_re_virus, buf)))
1973	{ / remove backslash in front of [whitespace\|backslash] /
1974	uschar * p, * p0;
1975	for (p = malware_name; *p; ++p)
1976	if (*p == `'\\'` && (isspace(p[`1`]) \|\| p[`1`] == `'\\'`))
1977	for (p0 = p; p0; ++p0) p0 = p0[`1`];
1978
1979	DEBUG(D_acl)
1980	debug_printf_indent("unescaped m-name: '%s'\n", malware_name);
1981	break;
1982	}
1983
1984	if (Ustrncmp(buf, "200 SCAN OK", `11`) == `0`)
1985	{ / we're done finally /
1986	if (send(sock, "QUIT\n", `5`, `0`) < `0`) / courtesy /
1987	return m_errlog_defer_3(scanent, CUS callout_address,
1988	string_sprintf(
1989	"unable to send quit request to socket (%s): %s",
1990	scanner_options, strerror(errno)),
1991	sock);
1992
1993	avast_stage = AVA_DONE;
1994	}
1995
1996	/ here also for any unexpected response from the scanner /
1997	goto endloop;
1998
1999	default: log_write(`0`, LOG_PANIC, "%s:%d:%s: should not happen",
2000	__FILE__, __LINE__, __FUNCTION__);
2001	}
2002	}
2003	}
2004	endloop:
2005
2006	switch(avast_stage)
2007	{
2008	case AVA_HELO:
2009	case AVA_OPT:
2010	case AVA_RSP: return m_errlog_defer_3(scanent, CUS callout_address,
2011	nread >= `0`
2012	? string_sprintf(
2013	"invalid response from scanner: '%s'", buf)
2014	: nread == -`1`
2015	? US"EOF from scanner"
2016	: US"timeout from scanner",
2017	sock);
2018	default: break;
2019	}
2020	break;
2021	}
2022	#endif
2023	} / scanner type switch /
2024
2025	if (sock >= `0`)
2026	(void) close (sock);
2027	malware_ok = TRUE; / set "been here, done that" marker /
2028	}
2029
2030	/ match virus name against pattern (caseless ------->----------v) /
2031	if (malware_name && regex_match_and_setup(re, malware_name, `0`, -`1`))
2032	{
2033	DEBUG(D_acl) debug_printf_indent(
2034	"Matched regex to malware [%s] [%s]\n", malware_re, malware_name);
2035	return OK;
2036	}
2037	else
2038	return FAIL;
2039	}
2040
2041
2042	/*************************************************
2043	* Scan an email for malware *
2044	*************************************************/
2045
2046	/ This is the normal interface for scanning an email, which doesn't need a*
2047	filename; it's a wrapper around the malware_file function.
2048
2049	Arguments:
2050	malware_re match condition for "malware="
2051	timeout if nonzero, timeout in seconds
2052
2053	Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2054	where true means malware was found (condition applies)
2055	*/
2056	int
2057	malware(const uschar * malware_re, int timeout)
2058	{
2059	int ret = malware_internal(malware_re, NULL, timeout);
2060
2061	if (ret == DEFER) av_failed = TRUE;
2062	return ret;
2063	}
2064
2065
2066	/*************************************************
2067	* Scan a file for malware *
2068	*************************************************/
2069
2070	/ This is a test wrapper for scanning an email, which is not used in*
2071	normal processing. Scan any file, using the Exim scanning interface.
2072	This function tampers with various global variables so is unsafe to use
2073	in any other context.
2074
2075	Arguments:
2076	eml_filename a file holding the message to be scanned
2077
2078	Returns: Exim message processing code (OK, FAIL, DEFER, ...)
2079	where true means malware was found (condition applies)
2080	*/
2081	int
2082	malware_in_file(uschar *eml_filename)
2083	{
2084	uschar message_id_buf[`64`];
2085	int ret;
2086
2087	/ spool_mbox() assumes various parameters exist, when creating*
2088	the relevant directory and the email within /*
2089
2090	(void) string_format(message_id_buf, sizeof(message_id_buf),
2091	"dummy-%d", vaguely_random_number(INT_MAX));
2092	message_id = message_id_buf;
2093	sender_address = US"malware-sender@example.net";
2094	return_path = US"";
2095	recipients_list = NULL;
2096	receive_add_recipient(US"malware-victim@example.net", -`1`);
2097	enable_dollar_recipients = TRUE;
2098
2099	ret = malware_internal(US"*", eml_filename, `0`);
2100
2101	Ustrncpy(spooled_message_id, message_id, sizeof(spooled_message_id));
2102	spool_mbox_ok = `1`;
2103
2104	/ don't set no_mbox_unspool; at present, there's no way for it to become*
2105	set, but if that changes, then it should apply to these tests too /*
2106
2107	unspool_mbox();
2108
2109	/ silence static analysis tools /
2110	message_id = NULL;
2111
2112	return ret;
2113	}
2114
2115
2116	void
2117	malware_init(void)
2118	{
2119	if (!malware_default_re)
2120	malware_default_re = regex_must_compile(malware_regex_default, FALSE, TRUE);
2121
2122	#ifndef DISABLE_MAL_DRWEB
2123	if (!drweb_re)
2124	drweb_re = regex_must_compile(drweb_re_str, FALSE, TRUE);
2125	#endif
2126	#ifndef DISABLE_MAL_FSECURE
2127	if (!fsec_re)
2128	fsec_re = regex_must_compile(fsec_re_str, FALSE, TRUE);
2129	#endif
2130	#ifndef DISABLE_MAL_KAV
2131	if (!kav_re_sus)
2132	kav_re_sus = regex_must_compile(kav_re_sus_str, FALSE, TRUE);
2133	if (!kav_re_inf)
2134	kav_re_inf = regex_must_compile(kav_re_inf_str, FALSE, TRUE);
2135	#endif
2136	#ifndef DISABLE_MAL_AVA
2137	if (!ava_re_clean)
2138	ava_re_clean = regex_must_compile(ava_re_clean_str, FALSE, TRUE);
2139	if (!ava_re_virus)
2140	ava_re_virus = regex_must_compile(ava_re_virus_str, FALSE, TRUE);
2141	#endif
2142	#ifndef DISABLE_MAL_FPROT6D
2143	if (!fprot6d_re_error)
2144	fprot6d_re_error = regex_must_compile(fprot6d_re_error_str, FALSE, TRUE);
2145	if (!fprot6d_re_virus)
2146	fprot6d_re_virus = regex_must_compile(fprot6d_re_virus_str, FALSE, TRUE);
2147	#endif
2148	}
2149
2150
2151	void
2152	malware_show_supported(FILE * f)
2153	{
2154	struct scan * sc;
2155	fprintf(f, "Malware:");
2156	for (sc = m_scans; sc->scancode != -`1`; sc++) fprintf(f, " %s", sc->name);
2157	fprintf(f, "\n");
2158	}
2159
2160
2161	# endif /!MACRO_PREDEF/
2162	#endif /WITH_CONTENT_SCAN/
2163	/*
2164	* vi: aw ai sw=2
2165	*/
2166

Browse the source code of exim/src/malware.c