GitList

clamav-devel/libclamav/scanners.c

e3aaff8e	/*
e6b09cf9	* Copyright (C) 2002 - 2005 Tomasz Kojm <tkojm@clamav.net>
e3aaff8e	* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
6d6e8271	#if HAVE_CONFIG_H #include "clamav-config.h" #endif
e3aaff8e	#include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h>
a7f5fd00	#include <unistd.h>
15edd45f	#include <sys/param.h>
e3aaff8e	#include <fcntl.h> #include <dirent.h>
d66387b9	#include <netinet/in.h>
e3aaff8e
888f5794	#if HAVE_MMAP #if HAVE_SYS_MMAN_H #include <sys/mman.h> #else /* HAVE_SYS_MMAN_H */ #undef HAVE_MMAP #endif #endif
414abe87	#include <mspack.h> extern short cli_leavetemps_flag;
bbd2d959	extern int cli_mbox(const char dir, int desc, unsigned int options); / FIXME */
8000d078
e3aaff8e	#include "clamav.h" #include "others.h"
85dd8460	#include "scanners.h"
8000d078	#include "matcher-ac.h" #include "matcher-bm.h"
e3aaff8e	#include "matcher.h"
478ce4b2	#include "unrar.h"
47bbbc56	#include "ole2_extract.h" #include "vba_extract.h"
341e5433	#include "msexpand.h"
a5373b64	#include "chmunpack.h"
a9082ea2	#include "pe.h"
888f5794	#include "filetypes.h" #include "htmlnorm.h"
2b259453	#include "untar.h"
c3a3be2d	#include "special.h"
6a31c2b4	#include "binhex.h"
e3aaff8e	#ifdef HAVE_ZLIB_H #include <zlib.h> #include <zzip.h> #endif #ifdef HAVE_BZLIB_H #include <bzlib.h> #endif
2bb229f6	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2) #include <limits.h>
88794204	#include <stddef.h>
2bb229f6	#endif
15edd45f	/* Maximum filenames under various systems - njh / #ifndef NAME_MAX / e.g. Linux / # ifdef MAXNAMELEN / e.g. Solaris / # define NAME_MAX MAXNAMELEN # else # ifdef FILENAME_MAX / e.g. SCO */ # define NAME_MAX FILENAME_MAX
3d42cc7a	# else # define NAME_MAX 256
15edd45f	# endif # endif #endif
2bb229f6
3805ebcb	#define SCAN_ARCHIVE (options & CL_SCAN_ARCHIVE) #define SCAN_MAIL (options & CL_SCAN_MAIL) #define SCAN_OLE2 (options & CL_SCAN_OLE2) #define SCAN_HTML (options & CL_SCAN_HTML) #define SCAN_PE (options & CL_SCAN_PE) #define DISABLE_RAR (options & CL_SCAN_DISABLERAR)
08d6b1e3	#define DETECT_ENCRYPTED (options & CL_SCAN_BLOCKENCRYPTED)
3805ebcb	#define BLOCKMAX (options & CL_SCAN_BLOCKMAX)
6d6e8271
03a2d04a	#define MAX_MAIL_RECURSION 15
e3aaff8e
33f89aa5	static int cli_scanfile(const char filename, const char virname, unsigned long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec);
e3aaff8e
478ce4b2	static int cli_scandir(const char dirname, const char virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec);
4048c4f6
27c0b825	/*
e3aaff8e	#ifdef CL_THREAD_SAFE
68a6f51f	static void cli_unlock_mutex(void *mtx)
e3aaff8e	{ cli_dbgmsg("Pthread cancelled. Unlocking mutex.\n"); pthread_mutex_unlock(mtx); } #endif
27c0b825	*/
e3aaff8e
33f89aa5	static int cli_scanrar(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{
33f89aa5	int fd, ret = CL_CLEAN;
478ce4b2	unsigned int files = 0; rar_metadata_t metadata, metadata_tmp;
a62ae54f	struct cli_meta_node *mdata;
478ce4b2	char *dir;
e3aaff8e
2b259453	cli_dbgmsg("in scanrar()\n");
e3aaff8e
478ce4b2	/* generate the temporary directory */ dir = cli_gentemp(NULL); if(mkdir(dir, 0700)) { cli_dbgmsg("RAR: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR;
e3aaff8e	}
478ce4b2	metadata = metadata_tmp = cli_unrar(desc, dir, limits);
b5f8af0d
478ce4b2	if(cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { ret = CL_VIRUS; } else while(metadata) {
a62ae54f	files++;
478ce4b2	cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n", metadata->filename, metadata->crc, metadata->encrypted, metadata->pack_size, metadata->unpack_size, metadata->method, metadata->pack_size ? ((unsigned int) metadata->unpack_size / (unsigned int) metadata->pack_size) : 0, limits ? limits->maxratio : 0);
a62ae54f	/* Scan metadata */ mdata = root->rar_mlist; if(mdata) do {
478ce4b2	if(mdata->encrypted != metadata->encrypted)
a62ae54f	continue;
478ce4b2	if(mdata->crc32 && (unsigned int) mdata->crc32 != metadata->crc)
a62ae54f	continue;
478ce4b2	if(mdata->csize > 0 && (unsigned int) mdata->csize != metadata->pack_size)
a62ae54f	continue;
478ce4b2	if(mdata->size >= 0 && (unsigned int) mdata->size != metadata->unpack_size)
a62ae54f	continue;
478ce4b2	if(mdata->method && mdata->method != metadata->method)
a62ae54f	continue; if(mdata->fileno && mdata->fileno != files) continue;
33f89aa5	if(mdata->maxdepth && arec > mdata->maxdepth)
a62ae54f	continue; /* TODO add support for regex / /if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/
478ce4b2	if(mdata->filename && strcmp(metadata->filename, mdata->filename))
a62ae54f	continue; break; /* matched / } while((mdata = mdata->next)); if(mdata) { virname = mdata->virname; ret = CL_VIRUS; break; }
478ce4b2	if(DETECT_ENCRYPTED && metadata->encrypted) {
2b259453	cli_dbgmsg("RAR: Encrypted files found in archive.\n");
32c970f8	lseek(desc, 0, SEEK_SET);
3862f7e1	ret = cli_scandesc(desc, virname, scanned, root, 0, 0); if(ret < 0) { break; } else if(ret != CL_VIRUS) {
32c970f8	*virname = "Encrypted.RAR";
3862f7e1	ret = CL_VIRUS; }
dfe7ca62	break; }
e3aaff8e
478ce4b2	/* TROG - TODO: multi-volume files
c464b15f	if((rarlist->item.Flags & 0x03) != 0) {
478ce4b2	cli_dbgmsg("RAR: Skipping %s (split)\n", rarlist->item.Name);
c464b15f	rarlist = rarlist->next; continue; }
478ce4b2	*/
e3aaff8e	if(limits) {
478ce4b2	if(limits->maxratio && metadata->unpack_size && metadata->pack_size) { if((unsigned int) metadata->unpack_size / (unsigned int) metadata->pack_size >= limits->maxratio) { cli_dbgmsg("RAR: Max ratio reached (normal: %u, compressed: %u, max: %ld)\n", metadata->unpack_size, metadata->pack_size, limits->maxratio);
d272908a	*virname = "Oversized.RAR"; ret = CL_VIRUS; break; } }
478ce4b2	if(limits->maxfilesize && (metadata->unpack_size > (unsigned int) limits->maxfilesize)) { cli_dbgmsg("RAR: %s: Size exceeded (%u, max: %lu)\n", metadata->filename, metadata->unpack_size, limits->maxfilesize);
d272908a	if(BLOCKMAX) { *virname = "RAR.ExceededFileSize"; ret = CL_VIRUS; break; }
478ce4b2	metadata = metadata->next;
e3aaff8e	continue; } if(limits->maxfiles && (files > limits->maxfiles)) { cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles);
d272908a	if(BLOCKMAX) { *virname = "RAR.ExceededFilesLimit"; ret = CL_VIRUS; break; }
e3aaff8e	break; } }
478ce4b2	metadata = metadata->next; }
e3aaff8e
478ce4b2	if(!cli_leavetemps_flag) cli_rmdirs(dir);
e3aaff8e
478ce4b2	free(dir); metadata = metadata_tmp; while (metadata) { metadata_tmp = metadata->next; free(metadata->filename); free(metadata); metadata = metadata_tmp;
e3aaff8e	}
2b259453	cli_dbgmsg("RAR: Exit code: %d\n", ret);
7761c6eb
e3aaff8e	return ret; } #ifdef HAVE_ZLIB_H
33f89aa5	static int cli_scanzip(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{ ZZIP_DIR zdir; ZZIP_DIRENT zdirent; ZZIP_FILE zfp;
fc56deed	FILE *tmp = NULL;
f7148839	char *buff;
33f89aa5	int fd, bytes, ret = CL_CLEAN; unsigned int files = 0, encrypted;
fc56deed	struct stat source;
a62ae54f	struct cli_meta_node *mdata;
ee039e40	zzip_error_t err;
e3aaff8e
2b259453	cli_dbgmsg("in scanzip()\n");
e3aaff8e
049a18b9	if((zdir = zzip_dir_fdopen(dup(desc), &err)) == NULL) {
2b259453	cli_dbgmsg("Zip: Not supported file format ?.\n"); cli_dbgmsg("Zip: zzip_dir_fdopen() return code: %d\n", err);
77be7ea9	/* no return with CL_EZIP due to password protected zips */ return CL_CLEAN;
e3aaff8e	}
fc56deed	fstat(desc, &source);
33f40ee5	if(!(buff = (char *) cli_malloc(FILEBUFF))) {
2b259453	cli_dbgmsg("Zip: unable to malloc(%d)\n", FILEBUFF);
33f40ee5	zzip_dir_close(zdir); return CL_EMEM; }
e3aaff8e	while(zzip_dir_read(zdir, &zdirent)) {
19e2ac07	files++;
fc56deed	if(!zdirent.d_name \|\| !strlen(zdirent.d_name)) { /* Mimail fix */
2b259453	cli_dbgmsg("Zip: strlen(zdirent.d_name) == %d\n", strlen(zdirent.d_name));
161bcf76	*virname = "Suspect.Zip";
fc56deed	ret = CL_VIRUS; break; }
5e0d3ebc	/* Bit 0: file is encrypted * Bit 6: Strong encryption was used * Bit 13: Encrypted central directory */ encrypted = (zdirent.d_flags & 0x2041 != 0);
e5916a51
33f89aa5	cli_dbgmsg("Zip: %s, crc32: 0x%x, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n", zdirent.d_name, zdirent.d_crc32, encrypted, zdirent.d_csize, zdirent.st_size, zdirent.d_compr, zdirent.d_csize ? (zdirent.st_size / zdirent.d_csize) : 0, limits ? limits->maxratio : 0);
fc56deed
0c9d7f15	if(!zdirent.st_size) {
d3779101	if(zdirent.d_crc32) { cli_dbgmsg("Zip: Broken file or modified information in local header part of archive\n");
161bcf76	*virname = "Exploit.Zip.ModifiedHeaders";
d3779101	ret = CL_VIRUS; break; }
e3aaff8e	continue; }
e5916a51	/* Scan metadata */ mdata = root->zip_mlist;
1de1c2b8	if(mdata) do {
e5916a51	if(mdata->encrypted != encrypted) continue;
33f89aa5	if(mdata->crc32 && mdata->crc32 != (unsigned int) zdirent.d_crc32)
e5916a51	continue; if(mdata->csize > 0 && mdata->csize != zdirent.d_csize) continue; if(mdata->size >= 0 && mdata->size != zdirent.st_size) continue;
33f89aa5	if(mdata->method && mdata->method != (unsigned int) zdirent.d_compr)
e5916a51	continue;
19e2ac07	if(mdata->fileno && mdata->fileno != files) continue;
33f89aa5	if(mdata->maxdepth && arec > mdata->maxdepth)
19e2ac07	continue; /* TODO add support for regex */
e5916a51	/if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))/ if(mdata->filename && strcmp(zdirent.d_name, mdata->filename)) continue; break; /* matched / } while((mdata = mdata->next)); if(mdata) { virname = mdata->virname; ret = CL_VIRUS; break; }
ba5d2f0b	/* * Workaround for archives created with ICEOWS. * ZZIP_DIRENT does not contain information on file type * so we try to determine a directory via a filename */ if(zdirent.d_name[strlen(zdirent.d_name) - 1] == '/') { cli_dbgmsg("Zip: Directory entry with st_size != 0\n"); continue; }
e3aaff8e	/* work-around for problematic zips (zziplib crashes with them) */
19ca43de	if(zdirent.d_csize <= 0 \|\| zdirent.st_size < 0) {
2b259453	cli_dbgmsg("Zip: Malformed archive detected.\n");
161bcf76	*virname = "Suspect.Zip";
fc56deed	ret = CL_VIRUS;
e3aaff8e	break; }
19ca43de	if(limits && limits->maxratio > 0 && ((unsigned) zdirent.st_size / (unsigned) zdirent.d_csize) >= limits->maxratio) { *virname = "Oversized.Zip"; ret = CL_VIRUS; break; }
e5916a51	if(DETECT_ENCRYPTED && encrypted) {
2b259453	cli_dbgmsg("Zip: Encrypted files found in archive.\n");
32c970f8	lseek(desc, 0, SEEK_SET);
3862f7e1	ret = cli_scandesc(desc, virname, scanned, root, 0, 0); if(ret < 0) { break; } else if(ret != CL_VIRUS) {
32c970f8	*virname = "Encrypted.Zip";
3862f7e1	ret = CL_VIRUS; }
0f34221a	break; }
e3aaff8e	if(limits) {
33f89aa5	if(limits->maxfilesize && ((unsigned int) zdirent.st_size > limits->maxfilesize)) {
2b259453	cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize);
6ccc6990	/* ret = CL_EMAXSIZE; */
d272908a	if(BLOCKMAX) { virname = "Zip.ExceededFileSize"; ret = CL_VIRUS; break; } continue; / continue scanning */
e3aaff8e	} if(limits->maxfiles && (files > limits->maxfiles)) { cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles);
d272908a	if(BLOCKMAX) { *virname = "Zip.ExceededFilesLimit"; ret = CL_VIRUS; break; }
e3aaff8e	break; } }
c4098620	if((zfp = zzip_file_open(zdir, zdirent.d_name, 0)) == NULL) { cli_dbgmsg("Zip: Can't open file %s\n", zdirent.d_name); ret = CL_EZIP; break; }
e3aaff8e	/* generate temporary file and get its descriptor */ if((tmp = tmpfile()) == NULL) {
2b259453	cli_dbgmsg("Zip: Can't generate tmpfile().\n");
bde7f6d1	zzip_file_close(zfp);
fc56deed	ret = CL_ETMPFILE; break;
e3aaff8e	}
f7148839	while((bytes = zzip_file_read(zfp, buff, FILEBUFF)) > 0) {
467f8b1e	if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) {
2b259453	cli_dbgmsg("Zip: Can't write to file.\n");
e3aaff8e	zzip_file_close(zfp);
33f40ee5	zzip_dir_close(zdir); fclose(tmp);
f7148839	free(buff);
c4098620	return CL_EIO;
e3aaff8e	} } zzip_file_close(zfp);
cdb0ae9c	if(fflush(tmp) != 0) {
2b259453	cli_dbgmsg("Zip: fflush() failed: %s\n", strerror(errno));
fc56deed	ret = CL_EFSYNC; break;
e3aaff8e	}
cdb0ae9c	fd = fileno(tmp);
e3aaff8e	lseek(fd, 0, SEEK_SET);
22275b15	if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) {
2b259453	cli_dbgmsg("Zip: Infected with %s\n", *virname);
e3aaff8e	ret = CL_VIRUS; break; } else if(ret == CL_EMALFZIP) {
2b259453	cli_dbgmsg("Zip: Malformed Zip file, scanning stopped.\n");
161bcf76	*virname = "Suspect.Zip";
e3aaff8e	ret = CL_VIRUS; break; }
cdb0ae9c	if (tmp) { fclose(tmp); tmp = NULL; }
e3aaff8e	} zzip_dir_close(zdir);
cdb0ae9c	if (tmp) { fclose(tmp); tmp = NULL; }
33f40ee5	free(buff);
e3aaff8e	return ret; }
33f89aa5	static int cli_scangzip(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{ int fd, bytes, ret = CL_CLEAN;
33f89aa5	unsigned long int size = 0;
f7148839	char *buff;
fc56deed	FILE *tmp = NULL;
e3aaff8e	gzFile gd;
fc56deed	cli_dbgmsg("in cli_scangzip()\n");
e3aaff8e	if((gd = gzdopen(dup(desc), "rb")) == NULL) {
2b259453	cli_dbgmsg("GZip: Can't open descriptor %d\n", desc);
e3aaff8e	return CL_EGZIP; } if((tmp = tmpfile()) == NULL) {
2b259453	cli_dbgmsg("GZip: Can't generate temporary file.\n");
e3aaff8e	gzclose(gd); return CL_ETMPFILE; } fd = fileno(tmp);
fc56deed	if(!(buff = (char *) cli_malloc(FILEBUFF))) {
2b259453	cli_dbgmsg("GZip: Unable to malloc %d bytes.\n", FILEBUFF);
fc56deed	gzclose(gd);
f7148839	return CL_EMEM;
fc56deed	}
f7148839
fc56deed	while((bytes = gzread(gd, buff, FILEBUFF)) > 0) {
e3aaff8e	size += bytes; if(limits)
fc56deed	if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) {
2b259453	cli_dbgmsg("GZip: Size exceeded (stopped at %ld, max: %ld)\n", size, limits->maxfilesize);
985d9958	if(BLOCKMAX) { *virname = "GZip.ExceededFileSize"; ret = CL_VIRUS; }
e3aaff8e	break; }
4152ad50	if(cli_writen(fd, buff, bytes) != bytes) {
2b259453	cli_dbgmsg("GZip: Can't write to file.\n");
cdb0ae9c	fclose(tmp);
e3aaff8e	gzclose(gd);
f7148839	free(buff);
e3aaff8e	return CL_EGZIP; } }
f7148839	free(buff);
e3aaff8e	gzclose(gd);
985d9958	if(ret == CL_VIRUS) { fclose(tmp); return ret; }
e3aaff8e	if(fsync(fd) == -1) {
2b259453	cli_dbgmsg("GZip: Can't synchronise descriptor %d\n", fd);
cdb0ae9c	fclose(tmp);
e3aaff8e	return CL_EFSYNC; } lseek(fd, 0, SEEK_SET);
22275b15	if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) {
2b259453	cli_dbgmsg("GZip: Infected with %s\n", *virname);
cdb0ae9c	fclose(tmp);
e3aaff8e	return CL_VIRUS; }
cdb0ae9c	fclose(tmp);
e3aaff8e	return ret; } #endif #ifdef HAVE_BZLIB_H #ifdef NOBZ2PREFIX #define BZ2_bzReadOpen bzReadOpen #define BZ2_bzReadClose bzReadClose #define BZ2_bzRead bzRead #endif
33f89aa5	static int cli_scanbzip(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{ int fd, bytes, ret = CL_CLEAN, bzerror = 0; short memlim = 0;
33f89aa5	unsigned long int size = 0;
f7148839	char *buff;
fc56deed	FILE fs, tmp = NULL;
e3aaff8e	BZFILE *bfd;
9e431a95	if((fs = fdopen(dup(desc), "rb")) == NULL) {
2b259453	cli_dbgmsg("Bzip: Can't open descriptor %d.\n", desc);
e3aaff8e	return CL_EBZIP; } if(limits) if(limits->archivememlim) memlim = 1;
68b96877	if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) {
2b259453	cli_dbgmsg("Bzip: Can't initialize bzip2 library (descriptor: %d).\n", desc);
9e431a95	fclose(fs);
e3aaff8e	return CL_EBZIP; } if((tmp = tmpfile()) == NULL) {
2b259453	cli_dbgmsg("Bzip: Can't generate temporary file.\n");
e3aaff8e	BZ2_bzReadClose(&bzerror, bfd);
9e431a95	fclose(fs);
e3aaff8e	return CL_ETMPFILE; } fd = fileno(tmp);
9e431a95	if(!(buff = (char *) malloc(FILEBUFF))) {
2b259453	cli_dbgmsg("Bzip: Unable to malloc %d bytes.\n", FILEBUFF);
9e431a95	fclose(tmp); fclose(fs); BZ2_bzReadClose(&bzerror, bfd);
f7148839	return CL_EMEM;
9e431a95	}
f7148839
fc56deed	while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) {
e3aaff8e	size += bytes; if(limits)
fc56deed	if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) {
2b259453	cli_dbgmsg("Bzip: Size exceeded (stopped at %ld, max: %ld)\n", size, limits->maxfilesize);
985d9958	if(BLOCKMAX) { *virname = "BZip.ExceededFileSize"; ret = CL_VIRUS; }
e3aaff8e	break; }
4152ad50	if(cli_writen(fd, buff, bytes) != bytes) {
2b259453	cli_dbgmsg("Bzip: Can't write to file.\n");
e3aaff8e	BZ2_bzReadClose(&bzerror, bfd);
cdb0ae9c	fclose(tmp);
f7148839	free(buff);
9e431a95	fclose(fs);
e3aaff8e	return CL_EGZIP; } }
f7148839	free(buff);
e3aaff8e	BZ2_bzReadClose(&bzerror, bfd);
985d9958	if(ret == CL_VIRUS) { fclose(tmp); fclose(fs); return ret; }
e3aaff8e	if(fsync(fd) == -1) {
2b259453	cli_dbgmsg("Bzip: Synchronisation failed for descriptor %d\n", fd);
cdb0ae9c	fclose(tmp);
9e431a95	fclose(fs);
e3aaff8e	return CL_EFSYNC; } lseek(fd, 0, SEEK_SET);
22275b15	if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) {
2b259453	cli_dbgmsg("Bzip: Infected with %s\n", *virname);
e3aaff8e	}
cdb0ae9c	fclose(tmp);
9e431a95	fclose(fs);
e3aaff8e	return ret; } #endif
33f89aa5	static int cli_scanszdd(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
341e5433	{ int fd, ret = CL_CLEAN; FILE tmp = NULL, in;
2b259453
341e5433	cli_dbgmsg("in cli_scanmscomp()\n"); if((in = fdopen(dup(desc), "rb")) == NULL) {
2b259453	cli_dbgmsg("SZDD: Can't open descriptor %d\n", desc);
341e5433	return CL_EMSCOMP; } if((tmp = tmpfile()) == NULL) {
2b259453	cli_dbgmsg("SZDD: Can't generate temporary file.\n");
341e5433	fclose(in); return CL_ETMPFILE; } if(cli_msexpand(in, tmp) == -1) {
2b259453	cli_dbgmsg("SZDD: msexpand failed.\n");
341e5433	return CL_EMSCOMP; } fclose(in); if(fflush(tmp)) {
2b259453	cli_dbgmsg("SZDD: fflush() failed.\n");
341e5433	fclose(tmp); return CL_EFSYNC; } fd = fileno(tmp); lseek(fd, 0, SEEK_SET);
22275b15	if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS) {
2b259453	cli_dbgmsg("SZDD: Infected with %s\n", *virname);
341e5433	fclose(tmp); return CL_VIRUS; } fclose(tmp); return ret; }
33f89aa5	static int cli_scanmscab(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
414abe87	{ struct mscab_decompressor cabd = NULL; struct mscabd_cabinet base, cab; struct mscabd_file file; char *tempname; int ret = CL_CLEAN; cli_dbgmsg("in cli_scanmscab()\n"); if((cabd = mspack_create_cab_decompressor(NULL)) == NULL) {
2b259453	cli_dbgmsg("MSCAB: Can't create libmspack CAB decompressor\n");
414abe87	return CL_EMSCAB; }
0c9d7f15	if((base = cabd->dsearch(cabd, dup(desc))) == NULL) {
2b259453	cli_dbgmsg("MSCAB: I/O error or no valid cabinets found\n");
414abe87	mspack_destroy_cab_decompressor(cabd); return CL_EMSCAB; } for(cab = base; cab; cab = cab->next) { for(file = cab->files; file; file = file->next) {
52ab3176	if(limits && limits->maxfilesize && (file->length > (unsigned int) limits->maxfilesize)) { cli_dbgmsg("MSCAB: %s: Size exceeded (%u, max: %lu)\n", file->filename, file->length, limits->maxfilesize); if(BLOCKMAX) { *virname = "MSCAB.ExceededFileSize"; cabd->close(cabd, base); mspack_destroy_cab_decompressor(cabd); return CL_VIRUS; } continue; }
0c7019c5	tempname = cli_gentemp(NULL);
2b259453	cli_dbgmsg("MSCAB: Extracting data to %s\n", tempname);
414abe87	if(cabd->extract(cabd, file, tempname)) {
2b259453	cli_dbgmsg("MSCAB: libmscab error code: %d\n", cabd->last_error(cabd));
414abe87	} else {
22275b15	ret = cli_scanfile(tempname, virname, scanned, root, limits, options, arec, mrec);
414abe87	} if(!cli_leavetemps_flag) unlink(tempname); free(tempname); if(ret == CL_VIRUS) break; } if(ret == CL_VIRUS) break; } cabd->close(cabd, base); mspack_destroy_cab_decompressor(cabd); return ret; }
33f89aa5	static int cli_scandir(const char dirname, const char virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
47bbbc56	{
467f8b1e	DIR dd; struct dirent dent;
72a1b240	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2)
88794204	union { struct dirent d; char b[offsetof(struct dirent, d_name) + NAME_MAX + 1]; } result;
2bb229f6	#endif
467f8b1e	struct stat statbuf; char *fname;
47bbbc56
467f8b1e	if((dd = opendir(dirname)) != NULL) {
72a1b240	#ifdef HAVE_READDIR_R_3
88794204	while(!readdir_r(dd, &result.d, &dent) && dent) {
72a1b240	#elif defined(HAVE_READDIR_R_2)
88794204	while((dent = (struct dirent *) readdir_r(dd, &result.d))) {
72a1b240	#else
467f8b1e	while((dent = readdir(dd))) {
72a1b240	#endif
feeaa333	#ifndef C_INTERIX if(dent->d_ino) #endif {
467f8b1e	if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { /* build the full name */ fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char)); sprintf(fname, "%s/%s", dirname, dent->d_name);
47bbbc56
467f8b1e	/* stat the file */ if(lstat(fname, &statbuf) != -1) { if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) {
22275b15	if (cli_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
467f8b1e	free(fname); closedir(dd); return CL_VIRUS; } } else if(S_ISREG(statbuf.st_mode))
22275b15	if(cli_scanfile(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
467f8b1e	free(fname); closedir(dd); return CL_VIRUS; }
47bbbc56
bbb90786	}
467f8b1e	free(fname);
47bbbc56	} } }
467f8b1e	} else {
2b259453	cli_dbgmsg("ScanDir: Can't open directory %s.\n", dirname);
467f8b1e	return CL_EOPEN; }
47bbbc56
467f8b1e	closedir(dd); return 0;
47bbbc56	}
467f8b1e
33f89aa5	static int cli_vba_scandir(const char dirname, const char virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{
892d2f56	int ret = CL_CLEAN, i, fd, ofd, data_len;
467f8b1e	vba_project_t *vba_project;
e3aaff8e	DIR dd; struct dirent dent;
72a1b240	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2)
88794204	union { struct dirent d; char b[offsetof(struct dirent, d_name) + NAME_MAX + 1]; } result;
2bb229f6	#endif
e3aaff8e	struct stat statbuf;
56bfccb2	char fname, fullname;
467f8b1e	unsigned char *data;
2b259453	cli_dbgmsg("VBADir: %s\n", dirname);
467f8b1e	if((vba_project = (vba_project_t *) vba56_dir_read(dirname))) {
e3aaff8e
467f8b1e	for(i = 0; i < vba_project->count; i++) { fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2); sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); fd = open(fullname, O_RDONLY); if(fd == -1) {
2b259453	cli_dbgmsg("VBADir: Can't open file %s\n", fullname);
467f8b1e	free(fullname); ret = CL_EOPEN; break; } free(fullname);
2b259453	cli_dbgmsg("VBADir: Decompress VBA project '%s'\n", vba_project->name[i]);
467f8b1e	data = (unsigned char *) vba_decompress(fd, vba_project->offset[i], &data_len); close(fd); if(!data) {
2b259453	cli_dbgmsg("VBADir: WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]);
467f8b1e	} else {
cedc2d2a	if(scanned) *scanned += data_len / CL_COUNT_PRECISION;
7ec67e94	if(cli_scanbuff(data, data_len, virname, root, CL_TYPE_MSOLE2) == CL_VIRUS) {
467f8b1e	free(data); ret = CL_VIRUS; break; } free(data); } } for(i = 0; i < vba_project->count; i++) free(vba_project->name[i]); free(vba_project->name); free(vba_project->dir); free(vba_project->offset); free(vba_project);
c240c32c	} else if ((fullname = ppt_vba_read(dirname))) {
22275b15	if(cli_scandir(fullname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
c240c32c	ret = CL_VIRUS; }
8d5e0ac0	if(!cli_leavetemps_flag) cli_rmdirs(fullname);
c240c32c	free(fullname);
2e53806b	} else if ((vba_project = (vba_project_t ) wm_dir_read(dirname))) { for (i = 0; i < vba_project->count; i++) { fullname = (char ) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2); sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); fd = open(fullname, O_RDONLY); if(fd == -1) {
2b259453	cli_dbgmsg("VBADir: Can't open file %s\n", fullname);
2e53806b	free(fullname); ret = CL_EOPEN; break; } free(fullname);
2b259453	cli_dbgmsg("VBADir: Decompress WM project '%s' macro:%d key:%d\n", vba_project->name[i], i, vba_project->key[i]);
2e53806b	data = (unsigned char *) wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]); close(fd); if(!data) {
2b259453	cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i);
2e53806b	} else {
cedc2d2a	if(scanned) *scanned += vba_project->length[i] / CL_COUNT_PRECISION;
7ec67e94	if(cli_scanbuff(data, vba_project->length[i], virname, root, CL_TYPE_MSOLE2) == CL_VIRUS) {
2e53806b	free(data); ret = CL_VIRUS; break; } free(data); } } for(i = 0; i < vba_project->count; i++) free(vba_project->name[i]); free(vba_project->key); free(vba_project->length); free(vba_project->offset); free(vba_project->name); free(vba_project->dir); free(vba_project);
467f8b1e	}
2e53806b
467f8b1e	if(ret != CL_CLEAN) return ret;
e3aaff8e
892d2f56	/* Check directory for embedded OLE objects / fullname = (char ) cli_malloc(strlen(dirname) + 16); sprintf(fullname, "%s/_1_Ole10Native", dirname); fd = open(fullname, O_RDONLY); free(fullname); if (fd >= 0) { ofd = cli_decode_ole_object(fd, dirname); if (ofd >= 0) { ret = cli_scandesc(ofd, virname, scanned, root, 0, 0); close(ofd); } close(fd); if(ret != CL_CLEAN) return ret; }
e3aaff8e	if((dd = opendir(dirname)) != NULL) {
72a1b240	#ifdef HAVE_READDIR_R_3
88794204	while(!readdir_r(dd, &result.d, &dent) && dent) {
72a1b240	#elif defined(HAVE_READDIR_R_2)
88794204	while((dent = (struct dirent *) readdir_r(dd, &result.d))) {
72a1b240	#else
e3aaff8e	while((dent = readdir(dd))) {
72a1b240	#endif
feeaa333	#ifndef C_INTERIX if(dent->d_ino) #endif {
e3aaff8e	if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { /* build the full name / fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char)); sprintf(fname, "%s/%s", dirname, dent->d_name); / stat the file */ if(lstat(fname, &statbuf) != -1) { if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode))
22275b15	if (cli_vba_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
467f8b1e	ret = CL_VIRUS; free(fname); break; }
e3aaff8e	} free(fname); } } } } else {
2b259453	cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname);
e3aaff8e	return CL_EOPEN; } closedir(dd);
467f8b1e	return ret; }
33f89aa5	static int cli_scanhtml(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
a92110df	{ char *tempname, fullname[1024]; int ret=CL_CLEAN, fd; cli_dbgmsg("in cli_scanhtml()\n"); tempname = cli_gentemp(NULL); if(mkdir(tempname, 0700)) { cli_dbgmsg("ScanHTML -> Can't create temporary directory %s\n", tempname);
f0bc32bd	free(tempname);
a92110df	return CL_ETMPDIR; } html_normalise_fd(desc, tempname, NULL); snprintf(fullname, 1024, "%s/comment.html", tempname); fd = open(fullname, O_RDONLY); if (fd >= 0) { ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML); close(fd); } if(ret < 0 \|\| ret == CL_VIRUS) { if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; } if (ret == CL_CLEAN) { snprintf(fullname, 1024, "%s/nocomment.html", tempname); fd = open(fullname, O_RDONLY); if (fd >= 0) { ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML); close(fd); } } if(ret < 0 \|\| ret == CL_VIRUS) { if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; } if (ret == CL_CLEAN) { snprintf(fullname, 1024, "%s/script.html", tempname); fd = open(fullname, O_RDONLY); if (fd >= 0) { ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML); close(fd); } } if(ret < 0 \|\| ret == CL_VIRUS) { if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; } if (ret == CL_CLEAN) { snprintf(fullname, 1024, "%s/rfc2397", tempname); ret = cli_scandir(fullname, virname, scanned, root, limits, options, arec, mrec); } if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; }
33f89aa5	static int cli_scanole2(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
467f8b1e	{
56bfccb2	char *dir; int ret = CL_CLEAN;
467f8b1e
2b259453
467f8b1e	cli_dbgmsg("in cli_scanole2()\n"); /* generate the temporary directory */
0c7019c5	dir = cli_gentemp(NULL);
467f8b1e	if(mkdir(dir, 0700)) {
2b259453	cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir);
f0bc32bd	free(dir);
467f8b1e	return CL_ETMPDIR; }
e5a5b2f2	if((ret = cli_ole2_extract(desc, dir, limits))) {
2b259453	cli_dbgmsg("OLE2: %s\n", cl_strerror(ret));
8d5e0ac0	if(!cli_leavetemps_flag) cli_rmdirs(dir);
467f8b1e	free(dir); return ret; }
22275b15	if((ret = cli_vba_scandir(dir, virname, scanned, root, limits, options, arec, mrec)) != CL_VIRUS) { if(cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
56bfccb2	ret = CL_VIRUS;
467f8b1e	} }
8d5e0ac0	if(!cli_leavetemps_flag) cli_rmdirs(dir);
467f8b1e	free(dir); return ret;
e3aaff8e	}
a7f5fd00	static int cli_scantar(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec, unsigned int posix)
2b259453	{ char dir; int ret = CL_CLEAN; cli_dbgmsg("in cli_scantar()\n"); / generate temporary directory */
0c7019c5	dir = cli_gentemp(NULL);
2b259453	if(mkdir(dir, 0700)) { cli_errmsg("Tar: Can't create temporary directory %s\n", dir);
f0bc32bd	free(dir);
2b259453	return CL_ETMPDIR; }
a7f5fd00	if((ret = cli_untar(dir, desc, posix)))
2b259453	cli_dbgmsg("Tar: %s\n", cl_strerror(ret)); else ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(dir); free(dir); return ret; }
33f89aa5	static int cli_scanbinhex(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
667ab9c6	{ char dir; int ret = CL_CLEAN; cli_dbgmsg("in cli_scanbinhex()\n"); / generate temporary directory */ dir = cli_gentemp(NULL); if(mkdir(dir, 0700)) { cli_errmsg("Binhex: Can't create temporary directory %s\n", dir);
f0bc32bd	free(dir);
667ab9c6	return CL_ETMPDIR; } if((ret = cli_binhex(dir, desc))) cli_dbgmsg("Binhex: %s\n", cl_strerror(ret)); else ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(dir); free(dir); return ret; }
33f89aa5	static int cli_scanmschm(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
a5373b64	{ char *tempname; int ret = CL_CLEAN; cli_dbgmsg("in cli_scanmschm()\n");
0c7019c5	tempname = cli_gentemp(NULL);
a5373b64	if(mkdir(tempname, 0700)) {
2b259453	cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname);
f0bc32bd	free(tempname);
a5373b64	return CL_ETMPDIR; } if(chm_unpack(desc, tempname)) ret = cli_scandir(tempname, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; }
33f89aa5	static int cli_scanscrenc(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e57fa318	{ char *tempname; int ret = CL_CLEAN; cli_dbgmsg("in cli_scanscrenc()\n");
0c7019c5	tempname = cli_gentemp(NULL);
e57fa318	if(mkdir(tempname, 0700)) { cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname);
f0bc32bd	free(tempname);
e57fa318	return CL_ETMPDIR; } if (html_screnc_decode(desc, tempname)) ret = cli_scandir(tempname, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(tempname); free(tempname); return ret; }
015e31e1
33f89aa5	static int cli_scanriff(int desc, const char **virname)
eb308794	{ int ret = CL_CLEAN; if(cli_check_riff_exploit(desc) == 2) { ret = CL_VIRUS; *virname = "Exploit.W32.MS05-002"; } return ret; }
7afdc309	static int cli_scanjpeg(int desc, const char *virname) { int ret = CL_CLEAN; if(cli_check_jpeg_exploit(desc) == 1) { ret = CL_VIRUS; virname = "Exploit.W32.MS04-028"; } return ret; }
f0bc32bd	static int cli_scantnef(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec) { int ret; char *dir = cli_gentemp(NULL); if(mkdir(dir, 0700)) { cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir); free(dir); return CL_ETMPDIR; } ret = cli_tnef(dir, desc); if(ret == CL_CLEAN) ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(dir); free(dir); return ret; }
33f89aa5	static int cli_scanmail(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{ char *dir; int ret;
33f89aa5	cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec);
e3aaff8e
0c7019c5	/* generate the temporary directory */ dir = cli_gentemp(NULL); if(mkdir(dir, 0700)) { cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR; }
e3aaff8e
0c7019c5	/* * Extract the attachments into the temporary directory */ if((ret = cli_mbox(dir, desc, options))) {
8d5e0ac0	if(!cli_leavetemps_flag) cli_rmdirs(dir);
e3aaff8e	free(dir); return ret;
0c7019c5	} ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec); if(!cli_leavetemps_flag) cli_rmdirs(dir); free(dir); return ret;
e3aaff8e	}
33f89aa5	int cli_magic_scandesc(int desc, const char *virname, long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
e3aaff8e	{
888f5794	int ret = CL_CLEAN, nret;
cdb0ae9c	int bread = 0;
9b8e00a0	cli_file_t type;
a7f5fd00	struct stat sb; if(fstat(desc, &sb) == -1) { cli_errmsg("Can's fstat descriptor %d\n", desc); return CL_EIO; }
e3aaff8e
a7f5fd00	if(sb.st_size <= 5) { cli_dbgmsg("Small data (%d bytes)\n", sb.st_size); return CL_CLEAN; }
e3aaff8e	if(!root) {
414abe87	cli_errmsg("CRITICAL: root == NULL\n");
322bfd03	return CL_EMALFDB;
e3aaff8e	}
d6b5ae47	if(!options) { /* raw mode (stdin, etc.) */
b68d11d2	cli_dbgmsg("Raw mode: No support for special files\n"); if((ret = cli_scandesc(desc, virname, scanned, root, 0, 0) == CL_VIRUS))
2b259453	cli_dbgmsg("%s found in descriptor %d\n", *virname, desc);
d6b5ae47	return ret; }
467f8b1e	if(SCAN_ARCHIVE && limits && limits->maxreclevel)
33f89aa5	if(arec > limits->maxreclevel) { cli_dbgmsg("Archive recursion limit exceeded (arec == %d).\n", arec);
031555fe	if(BLOCKMAX) { *virname = "Archive.ExceededRecursionLimit"; return CL_VIRUS; }
467f8b1e	return CL_CLEAN;
22275b15	}
e3aaff8e
22275b15	if(SCAN_MAIL)
33f89aa5	if(mrec > MAX_MAIL_RECURSION) { cli_dbgmsg("Mail recursion level exceeded (mrec == %d).\n", mrec);
22275b15	/* return CL_EMAXREC; */ return CL_CLEAN; }
e3aaff8e
467f8b1e	lseek(desc, 0, SEEK_SET);
a7f5fd00	type = cli_filetype2(desc);
2b259453	lseek(desc, 0, SEEK_SET);
6d6e8271
33f89aa5	type == CL_TYPE_MAIL ? mrec++ : arec++;
888f5794
467f8b1e	switch(type) {
3805ebcb	case CL_TYPE_RAR:
478ce4b2	if(!DISABLE_RAR && SCAN_ARCHIVE)
22275b15	ret = cli_scanrar(desc, virname, scanned, root, limits, options, arec, mrec);
467f8b1e	break;
6d6e8271
3805ebcb	case CL_TYPE_ZIP:
467f8b1e	if(SCAN_ARCHIVE)
22275b15	ret = cli_scanzip(desc, virname, scanned, root, limits, options, arec, mrec);
467f8b1e	break;
6d6e8271
3805ebcb	case CL_TYPE_GZ:
467f8b1e	if(SCAN_ARCHIVE)
22275b15	ret = cli_scangzip(desc, virname, scanned, root, limits, options, arec, mrec);
467f8b1e	break;
6d6e8271
3805ebcb	case CL_TYPE_BZ:
68a6f51f	#ifdef HAVE_BZLIB_H
467f8b1e	if(SCAN_ARCHIVE)
22275b15	ret = cli_scanbzip(desc, virname, scanned, root, limits, options, arec, mrec);
e3aaff8e	#endif
467f8b1e	break;
6d6e8271
3805ebcb	case CL_TYPE_MSSZDD:
341e5433	if(SCAN_ARCHIVE)
3805ebcb	ret = cli_scanszdd(desc, virname, scanned, root, limits, options, arec, mrec);
341e5433	break;
3805ebcb	case CL_TYPE_MSCAB:
414abe87	if(SCAN_ARCHIVE)
22275b15	ret = cli_scanmscab(desc, virname, scanned, root, limits, options, arec, mrec);
414abe87	break;
3805ebcb	case CL_TYPE_MAIL:
467f8b1e	if(SCAN_MAIL)
22275b15	ret = cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec);
467f8b1e	break;
6d6e8271
846e4186	case CL_TYPE_TNEF: if(SCAN_MAIL) ret = cli_scantnef(desc, virname, scanned, root, limits, options, arec, mrec); break;
3805ebcb	case CL_TYPE_MSCHM:
a5373b64	if(SCAN_ARCHIVE) ret = cli_scanmschm(desc, virname, scanned, root, limits, options, arec, mrec); break;
3805ebcb	case CL_TYPE_MSOLE2:
467f8b1e	if(SCAN_OLE2)
22275b15	ret = cli_scanole2(desc, virname, scanned, root, limits, options, arec, mrec);
467f8b1e	break;
6d6e8271
a7f5fd00	case CL_TYPE_POSIX_TAR: if(SCAN_ARCHIVE) ret = cli_scantar(desc, virname, scanned, root, limits, options, arec, mrec, 1); break; case CL_TYPE_OLD_TAR:
2b259453	if(SCAN_ARCHIVE)
a7f5fd00	ret = cli_scantar(desc, virname, scanned, root, limits, options, arec, mrec, 0);
667ab9c6	break; case CL_TYPE_BINHEX: if(SCAN_ARCHIVE) ret = cli_scanbinhex(desc, virname, scanned, root, limits, options, arec, mrec);
2b259453	break;
3805ebcb	case CL_TYPE_SCRENC:
e57fa318	ret = cli_scanscrenc(desc, virname, scanned, root, limits, options, arec, mrec);
eb308794	break; case CL_TYPE_RIFF:
33f89aa5	ret = cli_scanriff(desc, virname);
e57fa318	break;
7afdc309	case CL_TYPE_GRAPHICS: ret = cli_scanjpeg(desc, virname); break;
3805ebcb	case CL_TYPE_DATA:
467f8b1e	/* it could be a false positive and a standard DOS .COM file */ { struct stat s; if(fstat(desc, &s) == 0 && S_ISREG(s.st_mode) && s.st_size < 65536)
3805ebcb	type = CL_TYPE_UNKNOWN_DATA;
467f8b1e	}
3805ebcb	case CL_TYPE_UNKNOWN_DATA:
c3a3be2d	ret = cli_check_mydoom_log(desc, virname);
467f8b1e	break;
216a697f	default: break;
e3aaff8e	}
33f89aa5	type == CL_TYPE_MAIL ? mrec-- : arec--;
467f8b1e
3805ebcb	if(type != CL_TYPE_DATA && ret != CL_VIRUS) { /* scan the raw file */
77e4bb11	int typerec;
888f5794
3805ebcb	type == CL_TYPE_UNKNOWN_TEXT ? (typerec = 1) : (typerec = 0);
0c9d7f15	if(lseek(desc, 0, SEEK_SET) < 0) cli_errmsg("lseek() failed, trying to continue anyway...\n");
22275b15
b68d11d2	if((nret = cli_scandesc(desc, virname, scanned, root, typerec, type)) == CL_VIRUS) {
2b259453	cli_dbgmsg("%s found in descriptor %d.\n", *virname, desc);
e3aaff8e	return CL_VIRUS;
888f5794
3862f7e1	} else if(nret < 0) { return nret;
888f5794	} else if(nret >= CL_TYPENO) { lseek(desc, 0, SEEK_SET);
33f89aa5	nret == CL_TYPE_MAIL ? mrec++ : arec++;
888f5794	switch(nret) {
3805ebcb	case CL_TYPE_HTML:
888f5794	if(SCAN_HTML)
22275b15	if(cli_scanhtml(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS)
888f5794	return CL_VIRUS; break;
ece009c0
3805ebcb	case CL_TYPE_MAIL:
ece009c0	if(SCAN_MAIL)
22275b15	if(cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS)
ece009c0	return CL_VIRUS; break;
888f5794	}
33f89aa5	nret == CL_TYPE_MAIL ? mrec-- : arec--;
e3aaff8e	}
46c2e927	}
e3aaff8e
33f89aa5	arec++;
77e4bb11	lseek(desc, 0, SEEK_SET); switch(type) { /* Due to performance reasons all executables were first scanned * in raw mode. Now we will try to unpack them */
3805ebcb	case CL_TYPE_MSEXE:
77e4bb11	if(SCAN_PE) ret = cli_scanpe(desc, virname, scanned, root, limits, options, arec, mrec); break;
8000d078	default: break;
77e4bb11	}
33f89aa5	arec--;
77e4bb11
322bfd03	if(ret == CL_EFORMAT) {
6ee0243f	cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(CL_EFORMAT));
322bfd03	return CL_CLEAN; } else { return ret; }
e3aaff8e	}
3805ebcb	int cl_scandesc(int desc, const char *virname, unsigned long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options)
e3aaff8e	{
33f89aa5	return cli_magic_scandesc(desc, virname, scanned, root, limits, options, 0, 0);
e3aaff8e	}
33f89aa5	static int cli_scanfile(const char filename, const char virname, unsigned long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options, unsigned int arec, unsigned int mrec)
21cf4aeb	{ int fd, ret;
a9082ea2
22275b15	/* internal version of cl_scanfile with arec/mrec preserved */
21cf4aeb	if((fd = open(filename, O_RDONLY)) == -1) return CL_EOPEN;
22275b15	ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec);
21cf4aeb	close(fd); return ret; }
3805ebcb	int cl_scanfile(const char filename, const char virname, unsigned long int scanned, const struct cl_node root, const struct cl_limits limits, unsigned int options)
e3aaff8e	{ int fd, ret;
ece009c0
e3aaff8e	if((fd = open(filename, O_RDONLY)) == -1) return CL_EOPEN; ret = cl_scandesc(fd, virname, scanned, root, limits, options); close(fd); return ret; }