| e3aaff8e |
/* |
| 2023340a |
* Copyright (C) 2007-2008 Sourcefire, Inc. |
| c7543866 |
* |
| 2023340a |
* Authors: Tomasz Kojm |
| e3aaff8e |
*
* This program is free software; you can redistribute it and/or modify |
| bb34cb31 |
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. |
| e3aaff8e |
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
| 48b7b4a7 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
| e3aaff8e |
*/
|
| 6d6e8271 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
| e3aaff8e |
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h> |
| b58fdfc2 |
#ifdef HAVE_UNISTD_H |
| a7f5fd00 |
#include <unistd.h> |
| b58fdfc2 |
#endif
#ifdef HAVE_SYS_PARAM_H |
| 15edd45f |
#include <sys/param.h> |
| b58fdfc2 |
#endif |
| e3aaff8e |
#include <fcntl.h> |
| b58fdfc2 |
#ifndef C_WINDOWS |
| e3aaff8e |
#include <dirent.h> |
| d66387b9 |
#include <netinet/in.h> |
| b58fdfc2 |
#endif |
| e3aaff8e |
|
| 888f5794 |
#if HAVE_MMAP
#if HAVE_SYS_MMAN_H
#include <sys/mman.h>
#else /* HAVE_SYS_MMAN_H */
#undef HAVE_MMAP
#endif
#endif
|
| b58fdfc2 |
#ifndef O_BINARY
#define O_BINARY 0
#endif
|
| bc93eda0 |
#define DCONF_ARCH ctx->dconf->archive
#define DCONF_DOC ctx->dconf->doc
#define DCONF_MAIL ctx->dconf->mail
#define DCONF_OTHER ctx->dconf->other
|
| e3aaff8e |
#include "clamav.h"
#include "others.h" |
| bc93eda0 |
#include "dconf.h" |
| 85dd8460 |
#include "scanners.h" |
| 8000d078 |
#include "matcher-ac.h"
#include "matcher-bm.h" |
| e3aaff8e |
#include "matcher.h" |
| 47bbbc56 |
#include "ole2_extract.h"
#include "vba_extract.h" |
| 341e5433 |
#include "msexpand.h" |
| 8d3aca30 |
#include "mbox.h" |
| a5373b64 |
#include "chmunpack.h" |
| a9082ea2 |
#include "pe.h" |
| 8d3aca30 |
#include "elf.h" |
| 888f5794 |
#include "filetypes.h"
#include "htmlnorm.h" |
| 2b259453 |
#include "untar.h" |
| c3a3be2d |
#include "special.h" |
| 6a31c2b4 |
#include "binhex.h" |
| 8d3aca30 |
/* #include "uuencode.h" */ |
| 7bbd5f7f |
#include "tnef.h" |
| bf45bf13 |
#include "sis.h" |
| 2c313298 |
#include "pdf.h" |
| bd988961 |
#include "str.h" |
| 24fd05e1 |
#include "mspack.h"
#include "cab.h" |
| 52c2a8bd |
#include "rtf.h" |
| 9d96e4b6 |
#include "unarj.h" |
| b8ad506b |
#include "nulsft.h" |
| ed93f138 |
#include "autoit.h" |
| 015ce4a8 |
#include "textnorm.h" |
| e3aaff8e |
#include <zlib.h> |
| f133da7a |
#include "unzip.h" |
| e3aaff8e |
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
| 6ce30242 |
#ifdef ENABLE_UNRAR |
| 5ca7fd18 |
#include "libclamunrar_iface/unrar_iface.h" |
| 6ce30242 |
#endif
|
| 2bb229f6 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)
#include <limits.h> |
| 88794204 |
#include <stddef.h> |
| 2bb229f6 |
#endif
|
| 3c91998b |
static int cli_scanfile(const char *filename, cli_ctx *ctx); |
| 4048c4f6 |
|
| c7543866 |
static int cli_scandir(const char *dirname, cli_ctx *ctx, cli_file_t container)
{
DIR *dd;
struct dirent *dent;
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result;
#endif
struct stat statbuf;
char *fname;
int fd, ret = CL_CLEAN;
cli_file_t ftype;
if((dd = opendir(dirname)) != NULL) {
#ifdef HAVE_READDIR_R_3
while(!readdir_r(dd, &result.d, &dent) && dent) {
#elif defined(HAVE_READDIR_R_2)
while((dent = (struct dirent *) readdir_r(dd, &result.d))) {
#else
while((dent = readdir(dd))) {
#endif
#if (!defined(C_CYGWIN)) && (!defined(C_INTERIX)) && (!defined(C_WINDOWS))
if(dent->d_ino)
#endif
{
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2);
if(!fname) {
closedir(dd);
return CL_EMEM;
}
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) {
if(cli_scandir(fname, ctx, container) == CL_VIRUS) {
free(fname);
closedir(dd);
return CL_VIRUS;
}
} else {
if(S_ISREG(statbuf.st_mode)) {
if(cli_scanfile(fname, ctx) == CL_VIRUS) {
free(fname);
closedir(dd);
return CL_VIRUS;
}
if(container == CL_TYPE_MAIL) {
fd = open(fname, O_RDONLY|O_BINARY);
ftype = cli_filetype2(fd, ctx->engine);
if(ftype >= CL_TYPE_TEXT_ASCII && ftype <= CL_TYPE_TEXT_UTF16BE) {
lseek(fd, 0, SEEK_SET); |
| 6038397e |
ret = cli_scandesc(fd, ctx, CL_TYPE_MAIL, 0, NULL, AC_SCAN_VIR); |
| c7543866 |
}
close(fd);
if(ret == CL_VIRUS) {
free(fname);
closedir(dd);
return CL_VIRUS;
}
}
}
}
}
free(fname);
}
}
}
} else {
cli_dbgmsg("cli_scandir: Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir(dd);
return CL_CLEAN;
}
|
| 6ce30242 |
#ifdef ENABLE_UNRAR |
| 5ca7fd18 |
static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx *ctx, unsigned int files, uint32_t* sfx_check) |
| e3aaff8e |
{ |
| 133538e0 |
int ret = CL_SUCCESS;
struct cli_meta_node* mdata; |
| 2b259453 |
|
| e3aaff8e |
|
| 133538e0 |
if(files == 1 && sfx_check) {
if(*sfx_check == metadata->crc)
return CL_BREAK;/* break extract loop */
else
*sfx_check = metadata->crc; |
| e3aaff8e |
}
|
| d91ab809 |
cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %u, compressed: %u, normal: %u, method: %u, ratio: %u\n", |
| 794f3f23 |
metadata->filename, metadata->crc, metadata->encrypted, (unsigned int) metadata->pack_size,
(unsigned int) metadata->unpack_size, metadata->method, |
| d91ab809 |
metadata->pack_size ? (unsigned int) (metadata->unpack_size / metadata->pack_size) : 0); |
| a62ae54f |
|
| 133538e0 |
/* Scan metadata */
mdata = ctx->engine->rar_mlist;
if(mdata) do {
if(mdata->encrypted != metadata->encrypted)
continue; |
| a62ae54f |
|
| 133538e0 |
if(mdata->crc32 && (unsigned int) mdata->crc32 != metadata->crc)
continue; |
| a62ae54f |
|
| 133538e0 |
if(mdata->csize > 0 && (unsigned int) mdata->csize != metadata->pack_size)
continue; |
| a62ae54f |
|
| 133538e0 |
if(mdata->size >= 0 && (unsigned int) mdata->size != metadata->unpack_size)
continue; |
| a62ae54f |
|
| 133538e0 |
if(mdata->method >= 0 && mdata->method != metadata->method)
continue; |
| a62ae54f |
|
| 133538e0 |
if(mdata->fileno && mdata->fileno != files)
continue; |
| a62ae54f |
|
| 86e209d6 |
if(mdata->maxdepth && ctx->recursion > mdata->maxdepth) |
| 133538e0 |
continue; |
| a62ae54f |
|
| 133538e0 |
/* TODO add support for regex */
/*if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/
if(mdata->filename && strcmp((char *) metadata->filename, mdata->filename))
continue; |
| a62ae54f |
|
| 133538e0 |
break; /* matched */ |
| a62ae54f |
|
| 133538e0 |
} while((mdata = mdata->next)); |
| a62ae54f |
|
| 133538e0 |
if(mdata) {
*ctx->virname = mdata->virname;
return CL_VIRUS;
} |
| a62ae54f |
|
| 133538e0 |
if(DETECT_ENCRYPTED && metadata->encrypted) {
cli_dbgmsg("RAR: Encrypted files found in archive.\n");
lseek(desc, 0, SEEK_SET); |
| 6038397e |
ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR); |
| 133538e0 |
if(ret != CL_VIRUS) {
*ctx->virname = "Encrypted.RAR";
return CL_VIRUS; |
| a62ae54f |
} |
| 133538e0 |
} |
| a62ae54f |
|
| 2dbcf700 |
return ret;
}
|
| 133538e0 |
static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_check)
{
int ret = CL_CLEAN; |
| 5ca7fd18 |
unrar_metadata_t *metadata, *metadata_tmp; |
| 133538e0 |
char *dir; |
| 5ca7fd18 |
unrar_state_t rar_state; |
| e3aaff8e |
|
| 133538e0 |
cli_dbgmsg("in scanrar()\n");
|
| 2b459819 |
if(sfx_offset)
if(lseek(desc, sfx_offset, SEEK_SET) == -1)
return CL_EIO;
|
| 133538e0 |
/* generate the temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| 133538e0 |
if(mkdir(dir, 0700)) {
cli_dbgmsg("RAR: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
|
| 5ca7fd18 |
if((ret = unrar_open(desc, dir, &rar_state)) != UNRAR_OK) { |
| 133538e0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir); |
| 5ca7fd18 |
if(ret == UNRAR_EMEM)
return CL_EMEM;
else
return CL_ERAR; |
| 133538e0 |
}
do {
int rc; |
| 5ca7fd18 |
rar_state.ofd = -1;
ret = unrar_extract_next_prepare(&rar_state,dir);
if(ret != UNRAR_OK) {
if(ret == UNRAR_BREAK)
ret = CL_BREAK;
else if(ret == UNRAR_EMEM)
ret = CL_EMEM;
else
ret = CL_ERAR; |
| 2dbcf700 |
break; |
| 5ca7fd18 |
} |
| d91ab809 |
if((ret=cli_checklimits("RAR", ctx, rar_state.metadata_tail->unpack_size, rar_state.metadata_tail->pack_size, 0)!=CL_CLEAN)) { |
| 49dca2e3 |
free(rar_state.file_header->filename);
free(rar_state.file_header); |
| 2dbcf700 |
ret = CL_CLEAN;
continue;
} |
| 5ca7fd18 |
ret = unrar_extract_next(&rar_state,dir);
if(ret == UNRAR_OK)
ret = CL_SUCCESS;
else if(ret == UNRAR_EMEM)
ret = CL_EMEM;
else
ret = CL_ERAR;
if(rar_state.ofd > 0) {
lseek(rar_state.ofd,0,SEEK_SET);
rc = cli_magic_scandesc(rar_state.ofd,ctx);
close(rar_state.ofd); |
| 133538e0 |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(rar_state.filename); |
| 133538e0 |
if(rc == CL_VIRUS ) {
cli_dbgmsg("RAR: infected with %s\n",*ctx->virname);
ret = CL_VIRUS; |
| e3aaff8e |
break;
}
}
|
| 133538e0 |
if(ret == CL_SUCCESS) |
| 44c3b2c8 |
ret = cli_unrar_scanmetadata(desc,rar_state.metadata_tail, ctx, rar_state.file_count, sfx_check); |
| 133538e0 |
} while(ret == CL_SUCCESS);
if(ret == CL_BREAK)
ret = CL_CLEAN;
metadata = metadata_tmp = rar_state.metadata;
|
| c7543866 |
if(cli_scandir(rar_state.comment_dir, ctx, 0) == CL_VIRUS) |
| 133538e0 |
ret = CL_VIRUS; |
| e3aaff8e |
|
| 5ca7fd18 |
unrar_close(&rar_state); |
| cf68af72 |
|
| 478ce4b2 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
| e3aaff8e |
|
| 478ce4b2 |
free(dir); |
| 133538e0 |
|
| 478ce4b2 |
metadata = metadata_tmp;
while (metadata) {
metadata_tmp = metadata->next;
free(metadata->filename);
free(metadata);
metadata = metadata_tmp; |
| e3aaff8e |
} |
| 2b259453 |
cli_dbgmsg("RAR: Exit code: %d\n", ret); |
| 7761c6eb |
|
| e3aaff8e |
return ret;
} |
| 6ce30242 |
#endif /* ENABLE_UNRAR */ |
| e3aaff8e |
|
| 9d96e4b6 |
static int cli_scanarj(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_check)
{
int ret = CL_CLEAN, rc;
arj_metadata_t metadata;
char *dir;
cli_dbgmsg("in cli_scanarj()\n");
/* generate the temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| 9d96e4b6 |
if(mkdir(dir, 0700)) { |
| b865e44a |
cli_dbgmsg("ARJ: Can't create temporary directory %s\n", dir); |
| 9d96e4b6 |
free(dir);
return CL_ETMPDIR;
}
if(sfx_offset)
lseek(desc, sfx_offset, SEEK_SET);
ret = cli_unarj_open(desc, dir);
if (ret != CL_SUCCESS) {
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
cli_dbgmsg("ARJ: Error: %s\n", cl_strerror(ret));
return ret;
}
metadata.filename = NULL;
do {
ret = cli_unarj_prepare_file(desc, dir, &metadata);
if (ret != CL_SUCCESS) {
break;
} |
| d91ab809 |
if ((ret = cli_checklimits("ARJ", ctx, metadata.orig_size, metadata.comp_size, 0))!=CL_CLEAN) {
ret = CL_SUCCESS;
continue; |
| 9d96e4b6 |
}
ret = cli_unarj_extract_file(desc, dir, &metadata);
if (metadata.ofd >= 0) {
lseek(metadata.ofd, 0, SEEK_SET);
rc = cli_magic_scandesc(metadata.ofd, ctx);
close(metadata.ofd);
if (rc == CL_VIRUS) {
cli_dbgmsg("ARJ: infected with %s\n",*ctx->virname);
ret = CL_VIRUS;
break;
}
}
if (metadata.filename) {
free(metadata.filename);
metadata.filename = NULL;
}
} while(ret == CL_SUCCESS);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
if (metadata.filename) {
free(metadata.filename);
}
cli_dbgmsg("ARJ: Exit code: %d\n", ret); |
| 9f851a24 |
if (ret == CL_BREAK)
ret = CL_CLEAN; |
| 9d96e4b6 |
return ret;
} |
| e3aaff8e |
|
| 3c91998b |
static int cli_scangzip(int desc, cli_ctx *ctx) |
| e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN; |
| 33f89aa5 |
unsigned long int size = 0; |
| f7148839 |
char *buff; |
| 0e621e7d |
char *tmpname; |
| e3aaff8e |
gzFile gd;
|
| fc56deed |
cli_dbgmsg("in cli_scangzip()\n");
|
| e3aaff8e |
if((gd = gzdopen(dup(desc), "rb")) == NULL) { |
| 2b259453 |
cli_dbgmsg("GZip: Can't open descriptor %d\n", desc); |
| e3aaff8e |
return CL_EGZIP;
}
|
| a7ac5978 |
if((ret = cli_gentempfd(NULL, &tmpname, &fd))) { |
| 2b259453 |
cli_dbgmsg("GZip: Can't generate temporary file.\n"); |
| e3aaff8e |
gzclose(gd); |
| a7ac5978 |
return ret; |
| e3aaff8e |
}
|
| fc56deed |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
| 794f3f23 |
cli_dbgmsg("GZip: Unable to malloc %u bytes.\n", FILEBUFF); |
| fc56deed |
gzclose(gd); |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| f7148839 |
return CL_EMEM; |
| fc56deed |
} |
| f7148839 |
|
| fc56deed |
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) { |
| e3aaff8e |
size += bytes;
|
| d91ab809 |
if(cli_checklimits("GZip", ctx, size + FILEBUFF, 0, 0)!=CL_CLEAN)
break; |
| e3aaff8e |
|
| 4152ad50 |
if(cli_writen(fd, buff, bytes) != bytes) { |
| 2b259453 |
cli_dbgmsg("GZip: Can't write to file.\n"); |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| e3aaff8e |
gzclose(gd); |
| f7148839 |
free(buff); |
| e3aaff8e |
return CL_EGZIP;
}
}
|
| f7148839 |
free(buff); |
| e3aaff8e |
gzclose(gd); |
| 985d9958 |
if(ret == CL_VIRUS) { |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 985d9958 |
return ret;
}
|
| e3aaff8e |
lseek(fd, 0, SEEK_SET); |
| 3c91998b |
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
cli_dbgmsg("GZip: Infected with %s\n", *ctx->virname); |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| e3aaff8e |
return CL_VIRUS;
} |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| e3aaff8e |
return ret;
}
#ifdef HAVE_BZLIB_H
#ifdef NOBZ2PREFIX
#define BZ2_bzReadOpen bzReadOpen
#define BZ2_bzReadClose bzReadClose
#define BZ2_bzRead bzRead
#endif
|
| 3c91998b |
static int cli_scanbzip(int desc, cli_ctx *ctx) |
| e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN, bzerror = 0;
short memlim = 0; |
| 33f89aa5 |
unsigned long int size = 0; |
| f7148839 |
char *buff; |
| a7ac5978 |
FILE *fs; |
| 0e621e7d |
char *tmpname; |
| e3aaff8e |
BZFILE *bfd;
|
| 9e431a95 |
if((fs = fdopen(dup(desc), "rb")) == NULL) { |
| 2b259453 |
cli_dbgmsg("Bzip: Can't open descriptor %d.\n", desc); |
| e3aaff8e |
return CL_EBZIP;
}
|
| 3c91998b |
if(ctx->limits)
if(ctx->limits->archivememlim) |
| e3aaff8e |
memlim = 1;
|
| 68b96877 |
if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) { |
| 2b259453 |
cli_dbgmsg("Bzip: Can't initialize bzip2 library (descriptor: %d).\n", desc); |
| 9e431a95 |
fclose(fs); |
| e3aaff8e |
return CL_EBZIP;
}
|
| a7ac5978 |
if((ret = cli_gentempfd(NULL, &tmpname, &fd))) { |
| 2b259453 |
cli_dbgmsg("Bzip: Can't generate temporary file.\n"); |
| e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
| 9e431a95 |
fclose(fs); |
| a7ac5978 |
return ret; |
| e3aaff8e |
}
|
| cd69cf20 |
if(!(buff = (char *) cli_malloc(FILEBUFF))) {
cli_dbgmsg("Bzip: Unable to malloc %u bytes.\n", FILEBUFF); |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 9e431a95 |
fclose(fs);
BZ2_bzReadClose(&bzerror, bfd); |
| f7148839 |
return CL_EMEM; |
| 9e431a95 |
} |
| f7148839 |
|
| fc56deed |
while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) { |
| e3aaff8e |
size += bytes;
|
| d91ab809 |
if(cli_checklimits("Bzip", ctx, size + FILEBUFF, 0, 0)!=CL_CLEAN)
break; |
| e3aaff8e |
|
| 4152ad50 |
if(cli_writen(fd, buff, bytes) != bytes) { |
| 2b259453 |
cli_dbgmsg("Bzip: Can't write to file.\n"); |
| e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| f7148839 |
free(buff); |
| 9e431a95 |
fclose(fs); |
| e3aaff8e |
return CL_EGZIP;
}
}
|
| f7148839 |
free(buff); |
| e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
| 985d9958 |
if(ret == CL_VIRUS) { |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 985d9958 |
fclose(fs);
return ret;
}
|
| e3aaff8e |
lseek(fd, 0, SEEK_SET); |
| 3c91998b |
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
cli_dbgmsg("Bzip: Infected with %s\n", *ctx->virname); |
| e3aaff8e |
} |
| a7ac5978 |
close(fd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 9e431a95 |
fclose(fs); |
| e3aaff8e |
return ret;
}
#endif
|
| 3c91998b |
static int cli_scanszdd(int desc, cli_ctx *ctx) |
| 341e5433 |
{ |
| 6e47a652 |
int ofd, ret; |
| 0e621e7d |
char *tmpname; |
| 341e5433 |
|
| 2b259453 |
|
| 5da612a4 |
cli_dbgmsg("in cli_scanszdd()\n");
|
| 6e47a652 |
if((ret = cli_gentempfd(NULL, &tmpname, &ofd))) {
cli_dbgmsg("MSEXPAND: Can't generate temporary file/descriptor\n");
return ret; |
| 341e5433 |
}
|
| 6e47a652 |
lseek(desc, 0, SEEK_SET);
ret = cli_msexpand(desc, ofd, ctx); |
| 341e5433 |
|
| 6e47a652 |
if(ret != CL_SUCCESS) { /* CL_VIRUS or some error */
close(ofd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 6e47a652 |
return ret; |
| 341e5433 |
}
|
| 6e47a652 |
cli_dbgmsg("MSEXPAND: Decompressed into %s\n", tmpname);
lseek(ofd, 0, SEEK_SET);
ret = cli_magic_scandesc(ofd, ctx);
close(ofd); |
| 0e621e7d |
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| 0e621e7d |
free(tmpname); |
| 6e47a652 |
|
| 341e5433 |
return ret;
}
|
| d8a5c616 |
static int cli_scanmscab(int desc, cli_ctx *ctx, off_t sfx_offset) |
| 414abe87 |
{
char *tempname; |
| 24fd05e1 |
int ret;
unsigned int files = 0;
struct cab_archive cab;
struct cab_file *file; |
| 414abe87 |
cli_dbgmsg("in cli_scanmscab()\n");
|
| 24fd05e1 |
if((ret = cab_open(desc, sfx_offset, &cab)))
return ret; |
| 414abe87 |
|
| 24fd05e1 |
for(file = cab.files; file; file = file->next) {
files++; |
| 52ab3176 |
|
| d91ab809 |
if(cli_checklimits("CAB", ctx, file->length, 0, 0)!=CL_CLEAN) |
| 24fd05e1 |
continue;
|
| 5fc380f1 |
if(!(tempname = cli_gentemp(NULL))) {
ret = CL_EMEM;
break;
} |
| 5a5e6312 |
cli_dbgmsg("CAB: Extracting file %s to %s, size %u\n", file->name, tempname, file->length);
if((ret = cab_extract(file, tempname))) |
| 24fd05e1 |
cli_dbgmsg("CAB: Failed to extract file: %s\n", cl_strerror(ret));
else
ret = cli_scanfile(tempname, ctx);
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tempname); |
| 24fd05e1 |
free(tempname); |
| 414abe87 |
if(ret == CL_VIRUS)
break;
}
|
| 24fd05e1 |
cab_free(&cab); |
| 414abe87 |
return ret;
}
|
| 3c91998b |
static int cli_vba_scandir(const char *dirname, cli_ctx *ctx) |
| e3aaff8e |
{ |
| 892d2f56 |
int ret = CL_CLEAN, i, fd, ofd, data_len; |
| 467f8b1e |
vba_project_t *vba_project; |
| e3aaff8e |
DIR *dd;
struct dirent *dent; |
| 72a1b240 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
| 88794204 |
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result; |
| 2bb229f6 |
#endif |
| e3aaff8e |
struct stat statbuf; |
| 56bfccb2 |
char *fname, *fullname; |
| 467f8b1e |
unsigned char *data;
|
| 2b259453 |
cli_dbgmsg("VBADir: %s\n", dirname); |
| 11d24f8a |
if((vba_project = (vba_project_t *)cli_vba_readdir(dirname))) { |
| e3aaff8e |
|
| 467f8b1e |
for(i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2); |
| cd69cf20 |
if(!fullname) {
ret = CL_EMEM;
break;
} |
| 467f8b1e |
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); |
| b58fdfc2 |
fd = open(fullname, O_RDONLY|O_BINARY); |
| 467f8b1e |
if(fd == -1) { |
| 2b259453 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
| 467f8b1e |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
| 2b259453 |
cli_dbgmsg("VBADir: Decompress VBA project '%s'\n", vba_project->name[i]); |
| 11d24f8a |
data = (unsigned char *)cli_vba_inflate(fd, vba_project->offset[i], &data_len); |
| 467f8b1e |
close(fd);
if(!data) { |
| 2b259453 |
cli_dbgmsg("VBADir: WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]); |
| 467f8b1e |
} else { |
| 3c91998b |
if(ctx->scanned)
*ctx->scanned += data_len / CL_COUNT_PRECISION; |
| cedc2d2a |
|
| 2ac2095a |
if(cli_scanbuff(data, data_len, ctx, CL_TYPE_MSOLE2) == CL_VIRUS) { |
| 467f8b1e |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project); |
| 11d24f8a |
} else if ((fullname = cli_ppt_vba_read(dirname))) { |
| c7543866 |
if(cli_scandir(fullname, ctx, 0) == CL_VIRUS) { |
| c240c32c |
ret = CL_VIRUS;
} |
| 8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(fullname); |
| c240c32c |
free(fullname); |
| 11d24f8a |
} else if ((vba_project = (vba_project_t *)cli_wm_readdir(dirname))) { |
| 2e53806b |
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2); |
| cd69cf20 |
if(!fullname) {
ret = CL_EMEM;
break;
} |
| 2e53806b |
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); |
| b58fdfc2 |
fd = open(fullname, O_RDONLY|O_BINARY); |
| 2e53806b |
if(fd == -1) { |
| 2b259453 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
| 2e53806b |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
| c6344923 |
cli_dbgmsg("VBADir: Decompress WM project '%s' macro:%d key:%d length:%d\n", vba_project->name[i], i, vba_project->key[i], vba_project->length[i]); |
| 11d24f8a |
data = (unsigned char *)cli_wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]); |
| 2e53806b |
close(fd);
if(!data) { |
| 2b259453 |
cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i); |
| 2e53806b |
} else { |
| 3c91998b |
if(ctx->scanned)
*ctx->scanned += vba_project->length[i] / CL_COUNT_PRECISION; |
| 2ac2095a |
if(cli_scanbuff(data, vba_project->length[i], ctx, CL_TYPE_MSOLE2) == CL_VIRUS) { |
| 2e53806b |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->key);
free(vba_project->length);
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project); |
| 467f8b1e |
} |
| cd69cf20 |
|
| 467f8b1e |
if(ret != CL_CLEAN)
return ret; |
| e3aaff8e |
|
| 892d2f56 |
/* Check directory for embedded OLE objects */
fullname = (char *) cli_malloc(strlen(dirname) + 16); |
| cd69cf20 |
if(!fullname)
return CL_EMEM;
|
| 892d2f56 |
sprintf(fullname, "%s/_1_Ole10Native", dirname); |
| b58fdfc2 |
fd = open(fullname, O_RDONLY|O_BINARY); |
| 892d2f56 |
free(fullname);
if (fd >= 0) {
ofd = cli_decode_ole_object(fd, dirname);
if (ofd >= 0) { |
| 6038397e |
ret = cli_scandesc(ofd, ctx, 0, 0, NULL, AC_SCAN_VIR); |
| 892d2f56 |
close(ofd);
}
close(fd);
if(ret != CL_CLEAN)
return ret;
}
|
| e3aaff8e |
if((dd = opendir(dirname)) != NULL) { |
| 72a1b240 |
#ifdef HAVE_READDIR_R_3 |
| 88794204 |
while(!readdir_r(dd, &result.d, &dent) && dent) { |
| 72a1b240 |
#elif defined(HAVE_READDIR_R_2) |
| 88794204 |
while((dent = (struct dirent *) readdir_r(dd, &result.d))) { |
| 72a1b240 |
#else |
| e3aaff8e |
while((dent = readdir(dd))) { |
| 72a1b240 |
#endif |
| b58fdfc2 |
#if (!defined(C_CYGWIN)) && (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) |
| feeaa333 |
if(dent->d_ino)
#endif
{ |
| e3aaff8e |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */ |
| 6a4078f2 |
fname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2); |
| cd69cf20 |
if(!fname) {
ret = CL_EMEM;
break;
} |
| e3aaff8e |
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
| 3c91998b |
if (cli_vba_scandir(fname, ctx) == CL_VIRUS) { |
| 467f8b1e |
ret = CL_VIRUS;
free(fname);
break;
} |
| e3aaff8e |
}
free(fname);
}
}
}
} else { |
| 2b259453 |
cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname); |
| e3aaff8e |
return CL_EOPEN;
}
closedir(dd); |
| 467f8b1e |
return ret;
}
|
| 3c91998b |
static int cli_scanhtml(int desc, cli_ctx *ctx) |
| a92110df |
{
char *tempname, fullname[1024];
int ret=CL_CLEAN, fd; |
| 572a986c |
struct stat sb; |
| a92110df |
cli_dbgmsg("in cli_scanhtml()\n");
|
| 572a986c |
if(fstat(desc, &sb) == -1) {
cli_errmsg("cli_scanhtml: fstat() failed for descriptor %d\n", desc);
return CL_EIO;
}
/* Because HTML detection is FP-prone and html_normalise_fd() needs to
* mmap the file don't normalise files larger than 10 MB.
*/ |
| 08f0150f |
|
| 572a986c |
if(sb.st_size > 10485760) {
cli_dbgmsg("cli_scanhtml: exiting (file larger than 10 MB)\n");
return CL_CLEAN;
}
|
| 5fc380f1 |
if(!(tempname = cli_gentemp(NULL)))
return CL_EMEM;
|
| a92110df |
if(mkdir(tempname, 0700)) { |
| 572a986c |
cli_errmsg("cli_scanhtml: Can't create temporary directory %s\n", tempname); |
| f0bc32bd |
free(tempname); |
| a92110df |
return CL_ETMPDIR;
}
|
| 5f2fa151 |
cli_dbgmsg("cli_scanhtml: using tempdir %s\n", tempname);
|
| 462e8e5e |
html_normalise_fd(desc, tempname, NULL, ctx->dconf); |
| 0664128a |
snprintf(fullname, 1024, "%s/nocomment.html", tempname); |
| b58fdfc2 |
fd = open(fullname, O_RDONLY|O_BINARY); |
| a92110df |
if (fd >= 0) { |
| 6038397e |
ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR); |
| a92110df |
close(fd);
}
|
| 08f0150f |
if(ret == CL_CLEAN && sb.st_size < 2097152) {
/* limit to 2 MB, we're not interesting in scanning large files in notags form */
/* TODO: don't even create notags if file is over 2 MB */ |
| 0664128a |
snprintf(fullname, 1024, "%s/notags.html", tempname);
fd = open(fullname, O_RDONLY|O_BINARY);
if(fd >= 0) { |
| 6038397e |
ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR); |
| 0664128a |
close(fd);
} |
| a92110df |
}
if (ret == CL_CLEAN) { |
| 0664128a |
snprintf(fullname, 1024, "%s/rfc2397", tempname);
ret = cli_scandir(fullname, ctx, 0); |
| a92110df |
}
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
| 015ce4a8 |
static int cli_scanscript(int desc, cli_ctx *ctx)
{
unsigned char buff[FILEBUFF]; |
| 2a138cc5 |
unsigned char* normalized; |
| 015ce4a8 |
struct text_norm_state state;
struct stat sb;
char *tmpname = NULL;
int ofd = -1, ret;
ssize_t nread;
|
| 2a138cc5 |
cli_dbgmsg("in cli_scanscript()\n"); |
| 015ce4a8 |
if(fstat(desc, &sb) == -1) {
cli_errmsg("cli_scanscript: fstat() failed for descriptor %d\n", desc);
return CL_EIO;
}
/* don't normalize files that are too large */ |
| 08f0150f |
if(sb.st_size > 524288) { |
| 63851995 |
cli_dbgmsg("cli_scanscript: exiting (file larger than 400 kB)\n"); |
| 015ce4a8 |
return CL_CLEAN;
}
/* dump to disk only if explicitly asked to,
* otherwise we can process just in-memory */
if(cli_leavetemps_flag) {
if((ret = cli_gentempfd(NULL, &tmpname, &ofd))) {
cli_dbgmsg("cli_scanscript: Can't generate temporary file/descriptor\n");
return ret;
}
}
|
| 2a138cc5 |
if(!(normalized = cli_malloc(SCANBUFF))) {
cli_dbgmsg("cli_scanscript: Unable to malloc %u bytes\n", SCANBUFF);
return CL_EMEM;
}
text_normalize_init(&state, normalized, SCANBUFF); |
| 015ce4a8 |
ret = CL_CLEAN;
do {
nread = cli_readn(desc, buff, sizeof(buff));
if(nread <= 0 || state.out_pos + nread > state.out_len) {
/* flush if error/EOF, or too little buffer space left */
if((ofd != -1) && (write(ofd, state.out, state.out_pos) == -1)) {
cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
close(ofd);
ofd = -1;
/* we can continue to scan in memory */
}
/* when we flush the buffer also scan */ |
| 2ac2095a |
if(cli_scanbuff(state.out, state.out_pos, ctx, CL_TYPE_TEXT_ASCII) == CL_VIRUS) { |
| 015ce4a8 |
ret = CL_VIRUS;
break;
}
text_normalize_reset(&state);
} |
| 0664128a |
if(nread > 0 && (text_normalize_buffer(&state, buff, nread) != nread)) { |
| 015ce4a8 |
cli_dbgmsg("cli_scanscript: short read during normalizing\n");
}
/* used a do {}while() here, since we need to flush our buffers at the end,
* and using while(){} loop would mean code duplication */
} while (nread > 0);
if(cli_leavetemps_flag) {
free(tmpname);
close(ofd);
} |
| 2a138cc5 |
free(normalized); |
| 015ce4a8 |
return ret;
}
|
| bd988961 |
static int cli_scanhtml_utf16(int desc, cli_ctx *ctx)
{
char *tempname, buff[512], *decoded;
int ret = CL_CLEAN, fd, bytes;
cli_dbgmsg("in cli_scanhtml_utf16()\n");
|
| 5fc380f1 |
if(!(tempname = cli_gentemp(NULL)))
return CL_EMEM;
|
| bd988961 |
if((fd = open(tempname, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) {
cli_errmsg("cli_scanhtml_utf16: Can't create file %s\n", tempname);
free(tempname);
return CL_EIO;
}
|
| 5f2fa151 |
cli_dbgmsg("cli_scanhtml_utf16: using tempfile %s\n", tempname);
|
| bd988961 |
while((bytes = read(desc, buff, sizeof(buff))) > 0) {
decoded = cli_utf16toascii(buff, bytes);
if(decoded) {
if(write(fd, decoded, strlen(decoded)) == -1) {
cli_errmsg("cli_scanhtml_utf16: Can't write to file %s\n", tempname);
free(decoded); |
| c0a95e0c |
cli_unlink(tempname); |
| bd988961 |
free(tempname);
close(fd);
return CL_EIO;
}
free(decoded);
}
}
lseek(fd, 0, SEEK_SET);
ret = cli_scanhtml(fd, ctx);
close(fd);
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tempname); |
| bd988961 |
else
cli_dbgmsg("cli_scanhtml_utf16: Decoded HTML data saved in %s\n", tempname);
free(tempname);
return ret;
}
|
| 3c91998b |
static int cli_scanole2(int desc, cli_ctx *ctx) |
| 467f8b1e |
{ |
| 56bfccb2 |
char *dir;
int ret = CL_CLEAN; |
| 467f8b1e |
|
| 2b259453 |
|
| 467f8b1e |
cli_dbgmsg("in cli_scanole2()\n");
|
| bbd6ca3f |
if(ctx->limits && ctx->limits->maxreclevel && ctx->recursion >= ctx->limits->maxreclevel)
return CL_EMAXREC;
|
| 467f8b1e |
/* generate the temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| 467f8b1e |
if(mkdir(dir, 0700)) { |
| 2b259453 |
cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir); |
| f0bc32bd |
free(dir); |
| 467f8b1e |
return CL_ETMPDIR;
}
|
| bbd6ca3f |
if((ret = cli_ole2_extract(desc, dir, ctx))) { |
| 2b259453 |
cli_dbgmsg("OLE2: %s\n", cl_strerror(ret)); |
| 8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
| 467f8b1e |
free(dir); |
| bbd6ca3f |
ctx->recursion--; |
| 467f8b1e |
return ret;
}
|
| bbd6ca3f |
ctx->recursion++;
|
| 3c91998b |
if((ret = cli_vba_scandir(dir, ctx)) != CL_VIRUS) { |
| c7543866 |
if(cli_scandir(dir, ctx, 0) == CL_VIRUS) { |
| 56bfccb2 |
ret = CL_VIRUS; |
| 467f8b1e |
}
}
|
| bbd6ca3f |
ctx->recursion--;
|
| 8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
| 467f8b1e |
free(dir);
return ret; |
| e3aaff8e |
}
|
| 3c91998b |
static int cli_scantar(int desc, cli_ctx *ctx, unsigned int posix) |
| 2b259453 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scantar()\n");
/* generate temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| 2b259453 |
if(mkdir(dir, 0700)) {
cli_errmsg("Tar: Can't create temporary directory %s\n", dir); |
| f0bc32bd |
free(dir); |
| 2b259453 |
return CL_ETMPDIR;
}
|
| d0d1afd7 |
ret = cli_untar(dir, desc, posix, ctx); |
| 2b259453 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
| 3c91998b |
static int cli_scanbinhex(int desc, cli_ctx *ctx) |
| 667ab9c6 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanbinhex()\n");
/* generate temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM; |
| 667ab9c6 |
if(mkdir(dir, 0700)) {
cli_errmsg("Binhex: Can't create temporary directory %s\n", dir); |
| f0bc32bd |
free(dir); |
| 667ab9c6 |
return CL_ETMPDIR;
}
if((ret = cli_binhex(dir, desc)))
cli_dbgmsg("Binhex: %s\n", cl_strerror(ret));
else |
| c7543866 |
ret = cli_scandir(dir, ctx, 0); |
| 667ab9c6 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
| 3c91998b |
static int cli_scanmschm(int desc, cli_ctx *ctx) |
| a5373b64 |
{ |
| b865e44a |
int ret = CL_CLEAN, rc;
chm_metadata_t metadata;
char *dir; |
| a5373b64 |
|
| b865e44a |
cli_dbgmsg("in cli_scanmschm()\n"); |
| a5373b64 |
|
| b865e44a |
/* generate the temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| b865e44a |
if(mkdir(dir, 0700)) {
cli_dbgmsg("CHM: Can't create temporary directory %s\n", dir);
free(dir); |
| a5373b64 |
return CL_ETMPDIR;
}
|
| b865e44a |
ret = cli_chm_open(desc, dir, &metadata);
if (ret != CL_SUCCESS) {
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
cli_dbgmsg("CHM: Error: %s\n", cl_strerror(ret));
return ret;
}
do {
ret = cli_chm_prepare_file(desc, dir, &metadata);
if (ret != CL_SUCCESS) {
break;
}
ret = cli_chm_extract_file(desc, dir, &metadata);
if (ret == CL_SUCCESS) {
lseek(metadata.ofd, 0, SEEK_SET);
rc = cli_magic_scandesc(metadata.ofd, ctx);
close(metadata.ofd);
if (rc == CL_VIRUS) {
cli_dbgmsg("CHM: infected with %s\n",*ctx->virname);
ret = CL_VIRUS;
break;
}
} |
| a5373b64 |
|
| b865e44a |
} while(ret == CL_SUCCESS); |
| 3c9e2d22 |
cli_chm_close(&metadata);
|
| a5373b64 |
if(!cli_leavetemps_flag) |
| b865e44a |
cli_rmdirs(dir);
free(dir);
cli_dbgmsg("CHM: Exit code: %d\n", ret);
if (ret == CL_BREAK)
ret = CL_CLEAN; |
| a5373b64 |
return ret;
}
|
| 3c91998b |
static int cli_scanscrenc(int desc, cli_ctx *ctx) |
| e57fa318 |
{
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanscrenc()\n");
|
| 5fc380f1 |
if(!(tempname = cli_gentemp(NULL)))
return CL_EMEM;
|
| e57fa318 |
if(mkdir(tempname, 0700)) {
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); |
| f0bc32bd |
free(tempname); |
| e57fa318 |
return CL_ETMPDIR;
}
if (html_screnc_decode(desc, tempname)) |
| c7543866 |
ret = cli_scandir(tempname, ctx, 0); |
| e57fa318 |
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
} |
| 015e31e1 |
|
| 33f89aa5 |
static int cli_scanriff(int desc, const char **virname) |
| eb308794 |
{
int ret = CL_CLEAN;
if(cli_check_riff_exploit(desc) == 2) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS05-002";
}
return ret;
}
|
| 7afdc309 |
static int cli_scanjpeg(int desc, const char **virname)
{
int ret = CL_CLEAN;
if(cli_check_jpeg_exploit(desc) == 1) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS04-028";
}
return ret;
}
|
| 3c91998b |
static int cli_scancryptff(int desc, cli_ctx *ctx) |
| 2c6f9d57 |
{ |
| e12c29d2 |
int ret = CL_CLEAN, ndesc;
unsigned int length, i; |
| 2c6f9d57 |
unsigned char *src = NULL, *dest = NULL;
char *tempfile;
struct stat sb;
if(fstat(desc, &sb) == -1) { |
| a687d96c |
cli_errmsg("CryptFF: Can't fstat descriptor %d\n", desc); |
| 2c6f9d57 |
return CL_EIO;
}
/* Skip the CryptFF file header */
if(lseek(desc, 0x10, SEEK_SET) < 0) { |
| a687d96c |
cli_errmsg("CryptFF: Can't lseek descriptor %d\n", desc); |
| 2c6f9d57 |
return ret;
}
length = sb.st_size - 0x10;
|
| 0d0fc120 |
if((dest = (unsigned char *) cli_malloc(length)) == NULL) { |
| 2c6f9d57 |
cli_dbgmsg("CryptFF: Can't allocate memory\n");
return CL_EMEM;
}
|
| 0d0fc120 |
if((src = (unsigned char *) cli_malloc(length)) == NULL) { |
| 2c6f9d57 |
cli_dbgmsg("CryptFF: Can't allocate memory\n");
free(dest);
return CL_EMEM;
}
if((unsigned int) read(desc, src, length) != length) {
cli_dbgmsg("CryptFF: Can't read from descriptor %d\n", desc);
free(dest);
free(src);
return CL_EIO;
}
for(i = 0; i < length; i++)
dest[i] = src[i] ^ (unsigned char) 0xff;
free(src);
|
| 5fc380f1 |
if(!(tempfile = cli_gentemp(NULL))) {
free(dest);
return CL_EMEM;
}
|
| b58fdfc2 |
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) { |
| 2c6f9d57 |
cli_errmsg("CryptFF: Can't create file %s\n", tempfile);
free(dest);
free(tempfile);
return CL_EIO;
}
if(write(ndesc, dest, length) == -1) {
cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc);
free(dest);
close(ndesc);
free(tempfile);
return CL_EIO;
}
free(dest);
lseek(ndesc, 0, SEEK_SET);
cli_dbgmsg("CryptFF: Scanning decrypted data\n");
|
| 3c91998b |
if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS)
cli_dbgmsg("CryptFF: Infected with %s\n", *ctx->virname); |
| 2c6f9d57 |
close(ndesc);
if(cli_leavetemps_flag)
cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile);
else |
| c0a95e0c |
cli_unlink(tempfile); |
| 2c6f9d57 |
free(tempfile);
return ret;
}
|
| 3c91998b |
static int cli_scanpdf(int desc, cli_ctx *ctx) |
| 798308de |
{
int ret;
char *dir = cli_gentemp(NULL);
|
| 5fc380f1 |
if(!dir)
return CL_EMEM; |
| 798308de |
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for PDF file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
|
| 2c313298 |
ret = cli_pdf(dir, desc, ctx); |
| 798308de |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
| 3c91998b |
static int cli_scantnef(int desc, cli_ctx *ctx) |
| f0bc32bd |
{
int ret;
char *dir = cli_gentemp(NULL);
|
| 5fc380f1 |
if(!dir)
return CL_EMEM; |
| f0bc32bd |
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_tnef(dir, desc);
if(ret == CL_CLEAN) |
| c7543866 |
ret = cli_scandir(dir, ctx, 0); |
| f0bc32bd |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
| 3c91998b |
static int cli_scanuuencoded(int desc, cli_ctx *ctx) |
| 3953039b |
{
int ret;
char *dir = cli_gentemp(NULL);
|
| 5fc380f1 |
if(!dir)
return CL_EMEM;
|
| 3953039b |
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for uuencoded file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_uuencode(dir, desc);
if(ret == CL_CLEAN) |
| c7543866 |
ret = cli_scandir(dir, ctx, 0); |
| 3953039b |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
| 3c91998b |
static int cli_scanmail(int desc, cli_ctx *ctx) |
| e3aaff8e |
{
char *dir;
int ret;
|
| d91ab809 |
cli_dbgmsg("Starting cli_scanmail(), recursion = %u\n", ctx->recursion); |
| e3aaff8e |
|
| 0c7019c5 |
/* generate the temporary directory */ |
| 5fc380f1 |
if(!(dir = cli_gentemp(NULL)))
return CL_EMEM;
|
| 0c7019c5 |
if(mkdir(dir, 0700)) {
cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR;
} |
| e3aaff8e |
|
| 0c7019c5 |
/*
* Extract the attachments into the temporary directory
*/ |
| 0f7f7682 |
if((ret = cli_mbox(dir, desc, ctx))) { |
| 8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
| e3aaff8e |
free(dir);
return ret; |
| 0c7019c5 |
}
|
| c7543866 |
ret = cli_scandir(dir, ctx, CL_TYPE_MAIL); |
| 0c7019c5 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret; |
| e3aaff8e |
}
|
| ee99255a |
static int cli_scanembpe(int desc, cli_ctx *ctx)
{
int fd, bytes, ret = CL_CLEAN;
unsigned long int size = 0;
char buff[512];
char *tmpname;
tmpname = cli_gentemp(NULL);
if(!tmpname)
return CL_EMEM;
if((fd = open(tmpname, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) {
cli_errmsg("cli_scanembpe: Can't create file %s\n", tmpname);
free(tmpname);
return CL_EIO;
}
while((bytes = read(desc, buff, sizeof(buff))) > 0) {
size += bytes;
|
| d91ab809 |
if(cli_checklimits("cli_scanembpe", ctx, size + sizeof(buff), 0, 0)!=CL_CLEAN) |
| ee99255a |
break;
if(cli_writen(fd, buff, bytes) != bytes) {
cli_dbgmsg("cli_scanembpe: Can't write to temporary file\n");
close(fd);
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| ee99255a |
free(tmpname);
return CL_EIO;
}
}
|
| f0f7f92f |
ctx->recursion++; |
| ee99255a |
lseek(fd, 0, SEEK_SET);
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {
cli_dbgmsg("cli_scanembpe: Infected with %s\n", *ctx->virname);
close(fd);
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| ee99255a |
free(tmpname);
return CL_VIRUS;
} |
| f0f7f92f |
ctx->recursion--; |
| ee99255a |
close(fd);
if(!cli_leavetemps_flag) |
| c0a95e0c |
cli_unlink(tmpname); |
| ee99255a |
free(tmpname);
/* intentionally ignore possible errors from cli_magic_scandesc */
return CL_CLEAN;
}
|
| a810ba50 |
static int cli_scanraw(int desc, cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_t *dettype) |
| 555c5390 |
{ |
| 6191ee2c |
int ret = CL_CLEAN, nret = CL_CLEAN; |
| 555c5390 |
struct cli_matched_type *ftoffset = NULL, *fpt; |
| 994ae437 |
uint32_t lastzip, lastrar; |
| ee99255a |
struct cli_exe_info peinfo; |
| 6038397e |
unsigned int acmode = AC_SCAN_VIR, break_loop = 0; |
| 555c5390 |
|
| ded60d81 |
if(typercg) switch(type) { |
| c8f2d060 |
case CL_TYPE_TEXT_ASCII: |
| 555c5390 |
case CL_TYPE_MSEXE: |
| ee99255a |
case CL_TYPE_ZIP: |
| 6038397e |
acmode |= AC_SCAN_FT; |
| 555c5390 |
default: |
| 6038397e |
break; |
| 555c5390 |
}
if(lseek(desc, 0, SEEK_SET) < 0) {
cli_errmsg("cli_scanraw: lseek() failed\n");
return CL_EIO;
}
|
| 6038397e |
ret = cli_scandesc(desc, ctx, type == CL_TYPE_TEXT_ASCII ? 0 : type, 0, &ftoffset, acmode); |
| 555c5390 |
|
| c8b0d9a2 |
if(ret >= CL_TYPENO) { |
| 555c5390 |
|
| d6bf90e6 |
/* |
| c8f2d060 |
if(type == CL_TYPE_TEXT_ASCII) { |
| ee99255a |
lseek(desc, 0, SEEK_SET);
nret = cli_scandesc(desc, ctx, 0, ret, 1, NULL);
if(nret == CL_VIRUS)
cli_dbgmsg("%s found in descriptor %d when scanning file type %u\n", *ctx->virname, desc, ret);
} |
| d6bf90e6 |
*/ |
| 73218de2 |
|
| d68a73d1 |
if(nret != CL_VIRUS && (type == CL_TYPE_MSEXE || type == CL_TYPE_ZIP)) {
lastzip = lastrar = 0xdeadbeef;
fpt = ftoffset;
while(fpt) {
switch(fpt->type) {
case CL_TYPE_RARSFX: |
| 6ce30242 |
#ifdef ENABLE_UNRAR |
| d68a73d1 |
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_RAR)) {
cli_dbgmsg("RAR-SFX signature found at %u\n", (unsigned int) fpt->offset);
nret = cli_scanrar(desc, ctx, fpt->offset, &lastrar);
} |
| 6ce30242 |
#endif |
| d68a73d1 |
break; |
| 555c5390 |
|
| d68a73d1 |
case CL_TYPE_ZIPSFX: |
| ded60d81 |
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_ZIP) && fpt->offset) { |
| d68a73d1 |
cli_dbgmsg("ZIP-SFX signature found at %u\n", (unsigned int) fpt->offset); |
| a0426339 |
nret = cli_unzip_single(desc, ctx, fpt->offset); |
| d68a73d1 |
}
break; |
| d8a5c616 |
|
| d68a73d1 |
case CL_TYPE_CABSFX:
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_CAB)) {
cli_dbgmsg("CAB-SFX signature found at %u\n", (unsigned int) fpt->offset);
nret = cli_scanmscab(desc, ctx, fpt->offset); |
| 555c5390 |
} |
| d68a73d1 |
break; |
| 9d96e4b6 |
case CL_TYPE_ARJSFX:
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_ARJ)) {
cli_dbgmsg("ARJ-SFX signature found at %u\n", (unsigned int) fpt->offset);
nret = cli_scanarj(desc, ctx, fpt->offset, &lastrar);
}
break; |
| 555c5390 |
|
| faaf436a |
case CL_TYPE_NULSFT: |
| 8fb8d069 |
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_NSIS) && fpt->offset > 4) { |
| faaf436a |
cli_dbgmsg("NSIS signature found at %u\n", (unsigned int) fpt->offset-4);
nret = cli_scannulsft(desc, ctx, fpt->offset - 4);
}
break;
|
| ed93f138 |
case CL_TYPE_AUTOIT: |
| 7c06afc6 |
if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_AUTOIT)) { |
| ed93f138 |
cli_dbgmsg("AUTOIT signature found at %u\n", (unsigned int) fpt->offset);
nret = cli_scanautoit(desc, ctx, fpt->offset + 23);
}
break;
|
| d68a73d1 |
case CL_TYPE_MSEXE:
if(SCAN_PE && ctx->dconf->pe && fpt->offset) { |
| ee99255a |
cli_dbgmsg("PE signature found at %u\n", (unsigned int) fpt->offset);
memset(&peinfo, 0, sizeof(struct cli_exe_info));
peinfo.offset = fpt->offset;
lseek(desc, fpt->offset, SEEK_SET);
if(cli_peheader(desc, &peinfo) == 0) {
cli_dbgmsg("*** Detected embedded PE file ***\n");
if(peinfo.section)
free(peinfo.section);
lseek(desc, fpt->offset, SEEK_SET); |
| c1decfc2 |
nret = cli_scanembpe(desc, ctx); |
| d68a73d1 |
break_loop = 1; /* we can stop here and other
* embedded executables will
* be found recursively
* through the above call
*/ |
| ee99255a |
}
} |
| d68a73d1 |
break;
default:
cli_warnmsg("cli_scanraw: Type %u not handled in fpt loop\n", fpt->type); |
| ee99255a |
} |
| d68a73d1 |
if(nret == CL_VIRUS || break_loop)
break;
fpt = fpt->next;
}
}
|
| d91ab809 |
ctx->recursion++; |
| d68a73d1 |
if(nret != CL_VIRUS) switch(ret) {
case CL_TYPE_HTML: |
| a810ba50 |
if(SCAN_HTML && type == CL_TYPE_TEXT_ASCII && (DCONF_DOC & DOC_CONF_HTML)) {
*dettype = CL_TYPE_HTML; |
| d68a73d1 |
nret = cli_scanhtml(desc, ctx); |
| a810ba50 |
} |
| d68a73d1 |
break;
case CL_TYPE_MAIL: |
| c8f2d060 |
if(SCAN_MAIL && type == CL_TYPE_TEXT_ASCII && (DCONF_MAIL & MAIL_CONF_MBOX)) |
| d68a73d1 |
nret = cli_scanmail(desc, ctx); |
| ee99255a |
break;
|
| 555c5390 |
default:
break;
} |
| d91ab809 |
ctx->recursion--; |
| 6191ee2c |
ret = nret; |
| 555c5390 |
}
|
| c8b0d9a2 |
while(ftoffset) {
fpt = ftoffset;
ftoffset = ftoffset->next;
free(fpt);
}
if(ret == CL_VIRUS)
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc);
|
| 555c5390 |
return ret;
}
|
| 3c91998b |
int cli_magic_scandesc(int desc, cli_ctx *ctx) |
| e3aaff8e |
{ |
| 7bbd5f7f |
int ret = CL_CLEAN; |
| a810ba50 |
cli_file_t type, dettype = 0; |
| a7f5fd00 |
struct stat sb; |
| ded60d81 |
uint8_t typercg = 1; |
| a7f5fd00 |
if(fstat(desc, &sb) == -1) { |
| c17ed38c |
cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc); |
| a7f5fd00 |
return CL_EIO;
} |
| e3aaff8e |
|
| a7f5fd00 |
if(sb.st_size <= 5) { |
| 794f3f23 |
cli_dbgmsg("Small data (%u bytes)\n", (unsigned int) sb.st_size); |
| a7f5fd00 |
return CL_CLEAN;
} |
| e3aaff8e |
|
| 3c91998b |
if(!ctx->engine) { |
| 5612732c |
cli_errmsg("CRITICAL: engine == NULL\n"); |
| 322bfd03 |
return CL_EMALFDB; |
| e3aaff8e |
}
|
| 3c91998b |
if(!ctx->options) { /* raw mode (stdin, etc.) */ |
| b68d11d2 |
cli_dbgmsg("Raw mode: No support for special files\n"); |
| 6038397e |
if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS) |
| 3c91998b |
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc); |
| d6b5ae47 |
return ret;
}
|
| 850db69e |
if(cli_updatelimits(ctx, sb.st_size)!=CL_CLEAN)
return CL_CLEAN; |
| e3aaff8e |
|
| d91ab809 |
if((SCAN_MAIL || SCAN_ARCHIVE) && ctx->limits && ctx->limits->maxreclevel && ctx->recursion > ctx->limits->maxreclevel) {
cli_dbgmsg("Archive recursion limit exceeded (level = %u).\n", ctx->recursion);
return CL_CLEAN;
} |
| e3aaff8e |
|
| 467f8b1e |
lseek(desc, 0, SEEK_SET); |
| bd988961 |
type = cli_filetype2(desc, ctx->engine); |
| 7db77fbf |
if(type == CL_TYPE_ERROR) {
cli_dbgmsg("cli_magic_scandesc: cli_filetype2 returned CL_TYPE_ERROR\n");
return CL_EIO;
} |
| 2b259453 |
lseek(desc, 0, SEEK_SET); |
| 6d6e8271 |
|
| 7021b545 |
if(type != CL_TYPE_IGNORED && ctx->engine->sdb) { |
| a810ba50 |
if((ret = cli_scanraw(desc, ctx, type, 0, &dettype)) == CL_VIRUS) |
| 555c5390 |
return CL_VIRUS;
lseek(desc, 0, SEEK_SET);
}
|
| d91ab809 |
ctx->recursion++; |
| 888f5794 |
|
| 467f8b1e |
switch(type) { |
| 7021b545 |
case CL_TYPE_IGNORED:
break;
|
| 3805ebcb |
case CL_TYPE_RAR: |
| 6ce30242 |
#ifdef ENABLE_UNRAR |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) |
| 994ae437 |
ret = cli_scanrar(desc, ctx, 0, NULL); |
| 5ca7fd18 |
#else
cli_warnmsg("RAR code not compiled-in\n"); |
| 6ce30242 |
#endif |
| 467f8b1e |
break; |
| 6d6e8271 |
|
| 3805ebcb |
case CL_TYPE_ZIP: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) |
| a0426339 |
ret = cli_unzip(desc, ctx); |
| 467f8b1e |
break; |
| 6d6e8271 |
|
| 3805ebcb |
case CL_TYPE_GZ: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GZ)) |
| 3c91998b |
ret = cli_scangzip(desc, ctx); |
| 467f8b1e |
break; |
| 6d6e8271 |
|
| 3805ebcb |
case CL_TYPE_BZ: |
| 68a6f51f |
#ifdef HAVE_BZLIB_H |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ)) |
| 3c91998b |
ret = cli_scanbzip(desc, ctx); |
| e3aaff8e |
#endif |
| 467f8b1e |
break; |
| 9d96e4b6 |
case CL_TYPE_ARJ:
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))
ret = cli_scanarj(desc, ctx, 0, NULL);
break; |
| 6d6e8271 |
|
| faaf436a |
case CL_TYPE_NULSFT: |
| bbd6ca3f |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS)) |
| faaf436a |
ret = cli_scannulsft(desc, ctx, 0);
break; |
| ed93f138 |
case CL_TYPE_AUTOIT: |
| ffa6230b |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT)) |
| ed93f138 |
ret = cli_scanautoit(desc, ctx, 23);
break; |
| 6e47a652 |
|
| 3805ebcb |
case CL_TYPE_MSSZDD: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD)) |
| 3c91998b |
ret = cli_scanszdd(desc, ctx); |
| 341e5433 |
break; |
| 6e47a652 |
|
| 3805ebcb |
case CL_TYPE_MSCAB: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB)) |
| d8a5c616 |
ret = cli_scanmscab(desc, ctx, 0); |
| 414abe87 |
break;
|
| bd988961 |
case CL_TYPE_HTML: |
| bc93eda0 |
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML)) |
| bd988961 |
ret = cli_scanhtml(desc, ctx);
break;
case CL_TYPE_HTML_UTF16: |
| bc93eda0 |
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML)) |
| bd988961 |
ret = cli_scanhtml_utf16(desc, ctx);
break;
|
| 015ce4a8 |
case CL_TYPE_SCRIPT: |
| a810ba50 |
if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML) |
| 015ce4a8 |
ret = cli_scanscript(desc, ctx);
break;
|
| 52c2a8bd |
case CL_TYPE_RTF: |
| d91ab809 |
if(SCAN_ARCHIVE && (DCONF_DOC & DOC_CONF_RTF)) |
| bc93eda0 |
ret = cli_scanrtf(desc, ctx); |
| 52c2a8bd |
break;
|
| 3805ebcb |
case CL_TYPE_MAIL: |
| bc93eda0 |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX)) |
| 3c91998b |
ret = cli_scanmail(desc, ctx); |
| 467f8b1e |
break; |
| 6d6e8271 |
|
| 846e4186 |
case CL_TYPE_TNEF: |
| bc93eda0 |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_TNEF)) |
| 3c91998b |
ret = cli_scantnef(desc, ctx); |
| 846e4186 |
break;
|
| 3953039b |
case CL_TYPE_UUENCODED: |
| bc93eda0 |
if(DCONF_OTHER & OTHER_CONF_UUENC) |
| 3c91998b |
ret = cli_scanuuencoded(desc, ctx); |
| 3953039b |
break;
|
| 3805ebcb |
case CL_TYPE_MSCHM: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM)) |
| 3c91998b |
ret = cli_scanmschm(desc, ctx); |
| a5373b64 |
break;
|
| 3805ebcb |
case CL_TYPE_MSOLE2: |
| bc93eda0 |
if(SCAN_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2)) |
| 3c91998b |
ret = cli_scanole2(desc, ctx); |
| 467f8b1e |
break; |
| 6d6e8271 |
|
| a7f5fd00 |
case CL_TYPE_POSIX_TAR: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR)) |
| 3c91998b |
ret = cli_scantar(desc, ctx, 1); |
| a7f5fd00 |
break;
case CL_TYPE_OLD_TAR: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR)) |
| 3c91998b |
ret = cli_scantar(desc, ctx, 0); |
| 667ab9c6 |
break;
case CL_TYPE_BINHEX: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BINHEX)) |
| 3c91998b |
ret = cli_scanbinhex(desc, ctx); |
| 2b259453 |
break;
|
| 3805ebcb |
case CL_TYPE_SCRENC: |
| bc93eda0 |
if(DCONF_OTHER & OTHER_CONF_SCRENC)
ret = cli_scanscrenc(desc, ctx); |
| eb308794 |
break;
case CL_TYPE_RIFF: |
| bc93eda0 |
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_RIFF)) |
| 3c91998b |
ret = cli_scanriff(desc, ctx->virname); |
| e57fa318 |
break;
|
| 7afdc309 |
case CL_TYPE_GRAPHICS: |
| bc93eda0 |
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG)) |
| 3c91998b |
ret = cli_scanjpeg(desc, ctx->virname); |
| 7afdc309 |
break;
|
| d070d475 |
case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */ |
| c5107e70 |
if(SCAN_PDF && (DCONF_DOC & DOC_CONF_PDF)) |
| 3c91998b |
ret = cli_scanpdf(desc, ctx); |
| 798308de |
break;
|
| 2c6f9d57 |
case CL_TYPE_CRYPTFF: |
| bc93eda0 |
if(DCONF_OTHER & OTHER_CONF_CRYPTFF)
ret = cli_scancryptff(desc, ctx); |
| 2c6f9d57 |
break;
|
| 3f97a1e7 |
case CL_TYPE_ELF: |
| bc93eda0 |
if(SCAN_ELF && ctx->dconf->elf) |
| 3c91998b |
ret = cli_scanelf(desc, ctx); |
| 094116b2 |
break;
|
| bf45bf13 |
case CL_TYPE_SIS: |
| bc93eda0 |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SIS)) |
| 3c91998b |
ret = cli_scansis(desc, ctx); |
| bf45bf13 |
break;
|
| c8f2d060 |
case CL_TYPE_BINARY_DATA: |
| 3c91998b |
ret = cli_check_mydoom_log(desc, ctx->virname); |
| 467f8b1e |
break; |
| 216a697f |
default:
break; |
| e3aaff8e |
}
|
| d91ab809 |
ctx->recursion--; |
| 467f8b1e |
|
| ded60d81 |
if(type == CL_TYPE_ZIP && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {
if(sb.st_size > 1048576) {
cli_dbgmsg("cli_magic_scandesc: Not checking for embedded PEs (zip file > 1 MB)\n");
typercg = 0;
}
}
|
| 08f0150f |
/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
if(type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && ret != CL_VIRUS && !ctx->engine->sdb) { |
| a810ba50 |
if(cli_scanraw(desc, ctx, type, typercg, &dettype) == CL_VIRUS) |
| e3aaff8e |
return CL_VIRUS; |
| 46c2e927 |
} |
| e3aaff8e |
|
| d91ab809 |
ctx->recursion++; |
| 77e4bb11 |
lseek(desc, 0, SEEK_SET);
switch(type) { |
| a810ba50 |
case CL_TYPE_TEXT_ASCII:
if((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML)
ret = cli_scanscript(desc, ctx);
break; |
| 77e4bb11 |
/* Due to performance reasons all executables were first scanned
* in raw mode. Now we will try to unpack them
*/ |
| 3805ebcb |
case CL_TYPE_MSEXE: |
| 318f5214 |
if(SCAN_PE && ctx->dconf->pe) |
| 3c91998b |
ret = cli_scanpe(desc, ctx); |
| 77e4bb11 |
break; |
| 8000d078 |
default:
break; |
| 77e4bb11 |
} |
| d91ab809 |
ctx->recursion--; |
| 77e4bb11 |
|
| 322bfd03 |
if(ret == CL_EFORMAT) { |
| 6ee0243f |
cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(CL_EFORMAT)); |
| 322bfd03 |
return CL_CLEAN;
} else {
return ret;
} |
| e3aaff8e |
}
|
| 5612732c |
int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options) |
| e3aaff8e |
{ |
| 3c91998b |
cli_ctx ctx; |
| d91ab809 |
struct cl_limits l_limits; |
| 25380806 |
int rc; |
| 3c91998b |
memset(&ctx, '\0', sizeof(cli_ctx));
ctx.engine = engine;
ctx.virname = virname;
ctx.scanned = scanned;
ctx.options = options; |
| 25380806 |
ctx.found_possibly_unwanted = 0; |
| bc93eda0 |
ctx.dconf = (struct cli_dconf *) engine->dconf; |
| d91ab809 |
if (limits) {
ctx.limits = &l_limits;
memcpy(&l_limits, limits, sizeof(struct cl_limits));
} |
| 3c91998b |
|
| 25380806 |
rc = cli_magic_scandesc(desc, &ctx);
if(rc == CL_CLEAN && ctx.found_possibly_unwanted)
rc = CL_VIRUS;
return rc; |
| e3aaff8e |
}
|
| 3c91998b |
static int cli_scanfile(const char *filename, cli_ctx *ctx) |
| 21cf4aeb |
{
int fd, ret;
|
| 22275b15 |
/* internal version of cl_scanfile with arec/mrec preserved */ |
| b58fdfc2 |
if((fd = open(filename, O_RDONLY|O_BINARY)) == -1) |
| 21cf4aeb |
return CL_EOPEN;
|
| 3c91998b |
ret = cli_magic_scandesc(fd, ctx); |
| 21cf4aeb |
close(fd);
return ret;
}
|
| 5612732c |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options) |
| e3aaff8e |
{
int fd, ret;
|
| ece009c0 |
|
| b58fdfc2 |
if((fd = open(filename, O_RDONLY|O_BINARY)) == -1) |
| e3aaff8e |
return CL_EOPEN;
|
| 5612732c |
ret = cl_scandesc(fd, virname, scanned, engine, limits, options); |
| e3aaff8e |
close(fd);
return ret;
} |