b151ef55 |
/* |
1f301ecc |
* Copyright (C) 2002 - 2004 Tomasz Kojm <tkojm@clamav.net> |
b151ef55 |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
|
8b242bb9 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
b151ef55 |
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
|
2fe19b26 |
#if HAVE_MMAP
#if HAVE_SYS_MMAN_H
#include <sys/mman.h>
#else /* HAVE_SYS_MMAN_H */
#undef HAVE_MMAP
#endif
#endif
|
1ed6a845 |
#include <mspack.h>
|
b151ef55 |
#ifdef CL_THREAD_SAFE
# include <pthread.h>
pthread_mutex_t cli_scanrar_mutex = PTHREAD_MUTEX_INITIALIZER;
#endif |
8b242bb9 |
int cli_scanrar_inuse = 0; |
b151ef55 |
|
1ed6a845 |
extern short cli_leavetemps_flag;
|
f91f55e0 |
extern int cli_mbox(const char *dir, int desc); /* FIXME */
|
b151ef55 |
#include "clamav.h"
#include "others.h" |
5ede41fa |
#include "scanners.h" |
f91f55e0 |
#include "matcher-ac.h"
#include "matcher-bm.h" |
b151ef55 |
#include "matcher.h"
#include "unrarlib.h" |
c561d2a3 |
#include "ole2_extract.h"
#include "vba_extract.h" |
e2dc6ace |
#include "msexpand.h" |
4ad876ad |
#include "chmunpack.h" |
c2484690 |
#include "pe.h" |
2fe19b26 |
#include "filetypes.h"
#include "htmlnorm.h" |
b151ef55 |
#ifdef HAVE_ZLIB_H
#include <zlib.h>
#include <zzip.h>
#endif
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
510c466b |
#define SCAN_ARCHIVE (options & CL_ARCHIVE)
#define SCAN_MAIL (options & CL_MAIL)
#define SCAN_OLE2 (options & CL_OLE2) |
2fe19b26 |
#define SCAN_HTML (options & CL_HTML) |
c2484690 |
#define SCAN_PE (options & CL_PE) |
510c466b |
#define DISABLE_RAR (options & CL_DISABLERAR)
#define DETECT_ENCRYPTED (options & CL_ENCRYPTED) |
8b242bb9 |
|
5115a5eb |
#define MAX_MAIL_RECURSION 15 |
b151ef55 |
|
0da7859b |
static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec); |
b151ef55 |
|
ff8cb48b |
|
b151ef55 |
#ifdef CL_THREAD_SAFE |
41b894c7 |
static void cli_unlock_mutex(void *mtx) |
b151ef55 |
{
cli_dbgmsg("Pthread cancelled. Unlocking mutex.\n");
pthread_mutex_unlock(mtx);
}
#endif
|
0da7859b |
static int cli_scanrar(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{ |
97de3c9d |
FILE *tmp = NULL; |
1d1ffc91 |
int files = 0, fd, ret = CL_CLEAN, afiles; |
b151ef55 |
ArchiveList_struct *rarlist = NULL; |
41b894c7 |
ArchiveList_struct *rarlist_head = NULL; |
b151ef55 |
char *rar_data_ptr;
unsigned long rar_data_size;
cli_dbgmsg("Starting scanrar()\n");
#ifdef CL_THREAD_SAFE
pthread_cleanup_push(cli_unlock_mutex, &cli_scanrar_mutex);
pthread_mutex_lock(&cli_scanrar_mutex);
cli_scanrar_inuse = 1;
#endif
|
1d1ffc91 |
if(! (afiles = urarlib_list(desc, (ArchiveList_struct *) &rarlist))) { |
b151ef55 |
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_ERAR;
}
|
1d1ffc91 |
cli_dbgmsg("Rar -> Number of archived files: %d\n", afiles);
|
41b894c7 |
rarlist_head = rarlist;
|
b151ef55 |
while(rarlist) { |
96a39a27 |
if(DETECT_ENCRYPTED && (rarlist->item.Flags & 4)) {
files++;
cli_dbgmsg("Rar -> Encrypted files found in archive.\n"); |
3cb43aaa |
lseek(desc, 0, SEEK_SET); |
2fe19b26 |
if(cli_scandesc(desc, virname, scanned, root, 0) != CL_VIRUS) |
3cb43aaa |
*virname = "Encrypted.RAR"; |
96a39a27 |
ret = CL_VIRUS;
break;
} |
b151ef55 |
if(limits) { |
896e9af1 |
if(limits->maxfilesize && (rarlist->item.UnpSize > (unsigned int) limits->maxfilesize)) {
cli_dbgmsg("RAR->%s: Size exceeded (%u, max: %lu)\n", rarlist->item.Name, (unsigned int) rarlist->item.UnpSize, limits->maxfilesize); |
b151ef55 |
rarlist = rarlist->next;
files++; |
ae1f747c |
/* ret = CL_EMAXSIZE; */ |
b151ef55 |
continue;
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles); |
ae1f747c |
/* ret = CL_EMAXFILES; */ |
b151ef55 |
break;
}
}
|
2fe19b26 |
if(!(rarlist->item.FileAttr & RAR_FENTRY_ATTR_DIRECTORY)) { |
41b894c7 |
rarlist = rarlist->next;
files++;
continue;
}
|
b151ef55 |
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("RAR -> Can't generate tmpfile().\n");
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
41b894c7 |
if( urarlib_get(&rar_data_ptr, &rar_data_size, rarlist->item.Name, desc, "clam")) { |
896e9af1 |
cli_dbgmsg("RAR -> Extracted: %s, size: %lu\n", rarlist->item.Name, rar_data_size); |
41b894c7 |
if(fwrite(rar_data_ptr, 1, rar_data_size, tmp) != rar_data_size) { |
b151ef55 |
cli_dbgmsg("RAR -> Can't write() file.\n"); |
d3d2fb1e |
fclose(tmp); |
b151ef55 |
tmp = NULL;
ret = CL_ERAR; |
d3d2fb1e |
if(rar_data_ptr) { |
b151ef55 |
free(rar_data_ptr); |
d3d2fb1e |
rar_data_ptr = NULL;
} |
60286ab1 |
break; |
b151ef55 |
}
|
d3d2fb1e |
if(rar_data_ptr) { |
b151ef55 |
free(rar_data_ptr); |
d3d2fb1e |
rar_data_ptr = NULL;
}
if(fflush(tmp) != 0) {
cli_dbgmsg("fflush() failed: %s\n", strerror(errno));
fclose(tmp); |
41b894c7 |
urarlib_freelist(rarlist_head); |
b151ef55 |
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
0da7859b |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
41b894c7 |
cli_dbgmsg("RAR -> Found %s virus.\n", *virname); |
8b242bb9 |
|
d3d2fb1e |
fclose(tmp); |
b151ef55 |
urarlib_freelist(rarlist);
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif |
41b894c7 |
return ret; |
b151ef55 |
}
} else {
cli_dbgmsg("RAR -> Can't decompress file %s\n", rarlist->item.Name); |
d3d2fb1e |
fclose(tmp); |
2c7d6b9a |
tmp = NULL; |
d3d2fb1e |
ret = CL_ERAR; /* WinRAR 3.0 ? */
break; |
b151ef55 |
}
|
d3d2fb1e |
fclose(tmp); |
b151ef55 |
tmp = NULL;
rarlist = rarlist->next;
files++;
}
|
41b894c7 |
urarlib_freelist(rarlist_head); |
b151ef55 |
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
pthread_cleanup_pop(0);
#endif |
2c7d6b9a |
cli_dbgmsg("RAR -> Exit code: %d\n", ret);
|
b151ef55 |
return ret;
}
#ifdef HAVE_ZLIB_H |
0da7859b |
static int cli_scanzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{
ZZIP_DIR *zdir;
ZZIP_DIRENT zdirent;
ZZIP_FILE *zfp; |
97de3c9d |
FILE *tmp = NULL; |
7b7b3ca5 |
char *buff; |
50099661 |
int fd, bytes, files = 0, ret = CL_CLEAN; |
97de3c9d |
struct stat source; |
50099661 |
zzip_error_t err; |
b151ef55 |
cli_dbgmsg("Starting scanzip()\n");
|
c6259ac5 |
if((zdir = zzip_dir_fdopen(dup(desc), &err)) == NULL) {
cli_dbgmsg("Zip -> Not supported file format ?.\n");
cli_dbgmsg("zzip_dir_fdopen() return code: %d\n", err); |
10971328 |
/* no return with CL_EZIP due to password protected zips */
return CL_CLEAN; |
b151ef55 |
}
|
97de3c9d |
fstat(desc, &source);
|
f5cd5991 |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
9c1c9007 |
cli_dbgmsg("cli_scanzip(): unable to malloc(%d)\n", FILEBUFF); |
f5cd5991 |
zzip_dir_close(zdir);
return CL_EMEM;
}
|
b151ef55 |
while(zzip_dir_read(zdir, &zdirent)) { |
97de3c9d |
if(!zdirent.d_name || !strlen(zdirent.d_name)) { /* Mimail fix */
cli_dbgmsg("strlen(zdirent.d_name) == %d\n", strlen(zdirent.d_name)); |
1065f138 |
*virname = "Suspected.Zip"; |
97de3c9d |
ret = CL_VIRUS;
break;
}
|
a19f21b6 |
cli_dbgmsg("Zip -> %s, compressed: %u, normal: %u, ratio: %d (max: %d)\n", zdirent.d_name, zdirent.d_csize, zdirent.st_size, zdirent.st_size / (zdirent.d_csize+1), limits ? limits->maxratio : -1 ); |
97de3c9d |
|
b44f4315 |
if(!zdirent.st_size) { /* omit directories and empty files */ |
b151ef55 |
files++;
continue;
}
/* work-around for problematic zips (zziplib crashes with them) */ |
b44f4315 |
if(zdirent.d_csize <= 0 || zdirent.st_size < 0) { |
b151ef55 |
files++;
cli_dbgmsg("Zip -> Malformed archive detected.\n"); |
97de3c9d |
/* ret = CL_EMALFZIP; */
/* report it as a virus */ |
1065f138 |
*virname = "Suspected.Zip"; |
97de3c9d |
ret = CL_VIRUS; |
b151ef55 |
break;
}
|
b44f4315 |
if(limits && limits->maxratio > 0 && ((unsigned) zdirent.st_size / (unsigned) zdirent.d_csize) >= limits->maxratio) {
*virname = "Oversized.Zip";
ret = CL_VIRUS;
break;
}
|
233c32f2 |
if(DETECT_ENCRYPTED && (zdirent.d_flags & 1 )) { |
510c466b |
files++;
cli_dbgmsg("Zip -> Encrypted files found in archive.\n"); |
3cb43aaa |
lseek(desc, 0, SEEK_SET); |
2fe19b26 |
if(cli_scandesc(desc, virname, scanned, root, 0) != CL_VIRUS) |
3cb43aaa |
*virname = "Encrypted.Zip"; |
510c466b |
ret = CL_VIRUS;
break;
}
|
b151ef55 |
if(limits) {
if(limits->maxfilesize && (zdirent.st_size > limits->maxfilesize)) { |
896e9af1 |
cli_dbgmsg("Zip -> %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize); |
b151ef55 |
files++; |
ae1f747c |
/* ret = CL_EMAXSIZE; */ |
97de3c9d |
continue; /* this is not a bug */ |
b151ef55 |
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles); |
ae1f747c |
/* ret = CL_EMAXFILES; */ |
b151ef55 |
break;
}
}
/* generate temporary file and get its descriptor */
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Zip -> Can't generate tmpfile().\n"); |
97de3c9d |
ret = CL_ETMPFILE;
break; |
b151ef55 |
}
if((zfp = zzip_file_open(zdir, zdirent.d_name, 0)) == NULL) {
cli_dbgmsg("Zip -> %s: Can't open file.\n", zdirent.d_name);
ret = CL_EZIP; |
97de3c9d |
break; |
b151ef55 |
}
|
7b7b3ca5 |
while((bytes = zzip_file_read(zfp, buff, FILEBUFF)) > 0) { |
a19f21b6 |
if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) { |
d3d2fb1e |
cli_dbgmsg("Zip -> Can't fwrite() file: %s\n", strerror(errno)); |
b151ef55 |
zzip_file_close(zfp); |
f5cd5991 |
zzip_dir_close(zdir);
fclose(tmp); |
7b7b3ca5 |
free(buff); |
f5cd5991 |
return CL_EZIP; |
b151ef55 |
}
}
zzip_file_close(zfp);
|
8b243778 |
|
d3d2fb1e |
if(fflush(tmp) != 0) { |
1ed6a845 |
cli_dbgmsg("fflush() failed: %s\n", strerror(errno)); |
97de3c9d |
ret = CL_EFSYNC;
break; |
b151ef55 |
}
|
d3d2fb1e |
fd = fileno(tmp);
|
b151ef55 |
lseek(fd, 0, SEEK_SET); |
0da7859b |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
b151ef55 |
cli_dbgmsg("Zip -> Found %s virus.\n", *virname);
ret = CL_VIRUS;
break;
} else if(ret == CL_EMALFZIP) {
/* |
97de3c9d |
* The trick with detection of ZoD only works with higher (>= 5) |
b151ef55 |
* recursion limit level.
*/
cli_dbgmsg("Zip -> Malformed Zip, scanning stopped.\n"); |
1065f138 |
*virname = "Suspected.Zip"; |
b151ef55 |
ret = CL_VIRUS;
break;
}
|
d3d2fb1e |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
b151ef55 |
files++;
}
zzip_dir_close(zdir); |
d3d2fb1e |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
f5cd5991 |
free(buff); |
b151ef55 |
return ret;
}
|
0da7859b |
static int cli_scangzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{
int fd, bytes, ret = CL_CLEAN;
long int size = 0; |
7b7b3ca5 |
char *buff; |
97de3c9d |
FILE *tmp = NULL; |
b151ef55 |
gzFile gd;
|
97de3c9d |
cli_dbgmsg("in cli_scangzip()\n");
|
b151ef55 |
if((gd = gzdopen(dup(desc), "rb")) == NULL) {
cli_dbgmsg("Can't gzdopen() descriptor %d.\n", desc);
return CL_EGZIP;
}
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Can't generate tmpfile().\n");
gzclose(gd);
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
97de3c9d |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
9c1c9007 |
cli_dbgmsg("cli_scangzip(): unable to malloc(%d)\n", FILEBUFF); |
97de3c9d |
gzclose(gd); |
7b7b3ca5 |
return CL_EMEM; |
97de3c9d |
} |
7b7b3ca5 |
|
97de3c9d |
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) { |
b151ef55 |
size += bytes;
if(limits) |
97de3c9d |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
41b894c7 |
cli_dbgmsg("Gzip->desc(%d): Size exceeded (stopped at %ld, max: %ld)\n", desc, size, limits->maxfilesize); |
ae1f747c |
/* ret = CL_EMAXSIZE; */ |
b151ef55 |
break;
}
|
3fc8c606 |
if(cli_writen(fd, buff, bytes) != bytes) { |
b151ef55 |
cli_dbgmsg("Gzip -> Can't write() file.\n"); |
d3d2fb1e |
fclose(tmp); |
b151ef55 |
gzclose(gd); |
7b7b3ca5 |
free(buff); |
b151ef55 |
return CL_EGZIP;
}
}
|
7b7b3ca5 |
free(buff); |
b151ef55 |
gzclose(gd);
if(fsync(fd) == -1) {
cli_dbgmsg("fsync() failed for descriptor %d\n", fd); |
d3d2fb1e |
fclose(tmp); |
b151ef55 |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
0da7859b |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
b151ef55 |
cli_dbgmsg("Gzip -> Found %s virus.\n", *virname); |
d3d2fb1e |
fclose(tmp); |
b151ef55 |
return CL_VIRUS;
} |
d3d2fb1e |
fclose(tmp); |
b151ef55 |
return ret;
}
#endif
#ifdef HAVE_BZLIB_H
#ifdef NOBZ2PREFIX
#define BZ2_bzReadOpen bzReadOpen
#define BZ2_bzReadClose bzReadClose
#define BZ2_bzRead bzRead
#endif
|
0da7859b |
static int cli_scanbzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{
int fd, bytes, ret = CL_CLEAN, bzerror = 0;
short memlim = 0;
long int size = 0; |
7b7b3ca5 |
char *buff; |
97de3c9d |
FILE *fs, *tmp = NULL; |
b151ef55 |
BZFILE *bfd;
|
9c1c9007 |
if((fs = fdopen(dup(desc), "rb")) == NULL) { |
1ed6a845 |
cli_dbgmsg("Can't fdopen() descriptor %d.\n", desc); |
b151ef55 |
return CL_EBZIP;
}
if(limits)
if(limits->archivememlim)
memlim = 1;
|
61ff3bda |
if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) { |
b151ef55 |
cli_dbgmsg("Can't initialize bzip2 library (descriptor %d).\n", desc); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EBZIP;
}
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Can't generate tmpfile().\n");
BZ2_bzReadClose(&bzerror, bfd); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
9c1c9007 |
if(!(buff = (char *) malloc(FILEBUFF))) {
cli_dbgmsg("cli_scanbzip(): unable to malloc(%d)\n", FILEBUFF);
fclose(tmp);
fclose(fs);
BZ2_bzReadClose(&bzerror, bfd); |
7b7b3ca5 |
return CL_EMEM; |
9c1c9007 |
} |
7b7b3ca5 |
|
97de3c9d |
while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) { |
b151ef55 |
size += bytes;
if(limits) |
97de3c9d |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
41b894c7 |
cli_dbgmsg("Bzip2->desc(%d): Size exceeded (stopped at %ld, max: %ld)\n", desc, size, limits->maxfilesize); |
ae1f747c |
/* ret = CL_EMAXSIZE; */ |
b151ef55 |
break;
}
|
3fc8c606 |
if(cli_writen(fd, buff, bytes) != bytes) { |
b151ef55 |
cli_dbgmsg("Bzip2 -> Can't write() file.\n");
BZ2_bzReadClose(&bzerror, bfd); |
d3d2fb1e |
fclose(tmp); |
7b7b3ca5 |
free(buff); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EGZIP;
}
}
|
7b7b3ca5 |
free(buff); |
b151ef55 |
BZ2_bzReadClose(&bzerror, bfd);
if(fsync(fd) == -1) {
cli_dbgmsg("fsync() failed for descriptor %d\n", fd); |
d3d2fb1e |
fclose(tmp); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
0da7859b |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
b151ef55 |
cli_dbgmsg("Bzip2 -> Found %s virus.\n", *virname);
} |
d3d2fb1e |
fclose(tmp); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return ret;
}
#endif
|
0da7859b |
static int cli_scanmscomp(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
e2dc6ace |
{
int fd, ret = CL_CLEAN;
FILE *tmp = NULL, *in;
cli_dbgmsg("in cli_scanmscomp()\n");
if((in = fdopen(dup(desc), "rb")) == NULL) {
cli_dbgmsg("Can't fdopen() descriptor %d.\n", desc);
return CL_EMSCOMP;
}
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Can't generate tmpfile().\n");
fclose(in);
return CL_ETMPFILE;
}
if(cli_msexpand(in, tmp) == -1) {
cli_dbgmsg("msexpand failed.\n");
return CL_EMSCOMP;
}
fclose(in);
if(fflush(tmp)) {
cli_dbgmsg("fflush() failed\n");
fclose(tmp);
return CL_EFSYNC;
}
fd = fileno(tmp);
lseek(fd, 0, SEEK_SET); |
0da7859b |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS) { |
e2dc6ace |
cli_dbgmsg("MSCompress -> Found %s virus.\n", *virname);
fclose(tmp);
return CL_VIRUS;
}
fclose(tmp);
return ret;
}
|
0da7859b |
static int cli_scanmscab(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
1ed6a845 |
{
struct mscab_decompressor *cabd = NULL;
struct mscabd_cabinet *base, *cab;
struct mscabd_file *file;
const char *tmpdir;
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanmscab()\n");
if((cabd = mspack_create_cab_decompressor(NULL)) == NULL) {
cli_dbgmsg("Can't create libmspack CAB decompressor\n");
return CL_EMSCAB;
}
if((base = cabd->dsearch(cabd, desc)) == NULL) {
cli_dbgmsg("I/O error or no valid cabinets found\n");
mspack_destroy_cab_decompressor(cabd);
return CL_EMSCAB;
}
if((tmpdir = getenv("TMPDIR")) == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
for(cab = base; cab; cab = cab->next) {
for(file = cab->files; file; file = file->next) { |
f91f55e0 |
tempname = cli_gentemp(tmpdir); |
1ed6a845 |
cli_dbgmsg("Extracting data to %s\n", tempname);
if(cabd->extract(cabd, file, tempname)) {
cli_dbgmsg("libmscab error code: %d\n", cabd->last_error(cabd));
} else { |
0da7859b |
ret = cli_scanfile(tempname, virname, scanned, root, limits, options, arec, mrec); |
1ed6a845 |
}
if(!cli_leavetemps_flag)
unlink(tempname);
free(tempname);
if(ret == CL_VIRUS)
break;
}
if(ret == CL_VIRUS)
break;
}
cabd->close(cabd, base);
mspack_destroy_cab_decompressor(cabd);
return ret;
}
|
0da7859b |
static int cli_scanhtml(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
2fe19b26 |
{
unsigned char *membuff, *newbuff, *newbuff2;
struct stat statbuf;
int ret;
|
8f744726 |
|
2fe19b26 |
cli_dbgmsg("in cli_scanhtml()\n");
if(fstat(desc, &statbuf) != 0) {
cli_dbgmsg("fstat failed\n");
return CL_EIO;
}
#ifdef HAVE_MMAP
membuff = mmap(NULL, statbuf.st_size, PROT_READ, MAP_PRIVATE, desc, 0);
/* TODO: do file operations if mmap fails */
if(membuff == MAP_FAILED) {
cli_dbgmsg("mmap failed\n");
return CL_EMEM;
}
|
8f744726 |
newbuff = html_normalize(membuff, statbuf.st_size); |
2fe19b26 |
if(newbuff) {
newbuff2 = remove_html_comments(newbuff);
free(newbuff);
newbuff = remove_html_char_ref(newbuff2);
free(newbuff2);
/* Normalise a second time as the above can leave inconsistent white
* space
*/
newbuff2 = html_normalize(newbuff, strlen(newbuff));
free(newbuff); |
8f744726 |
newbuff = newbuff2; |
2fe19b26 |
}
|
8f744726 |
ret = cl_scanbuff(newbuff, strlen(newbuff), virname, root); |
2fe19b26 |
|
8f744726 |
free(newbuff); |
2fe19b26 |
return ret; |
61f31052 |
#else /* FIXME */
return CL_CLEAN;
#endif |
2fe19b26 |
}
|
0da7859b |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
c561d2a3 |
{ |
a19f21b6 |
DIR *dd;
struct dirent *dent;
struct stat statbuf;
char *fname; |
c561d2a3 |
|
a19f21b6 |
if((dd = opendir(dirname)) != NULL) {
while((dent = readdir(dd))) { |
618a038b |
#ifndef C_INTERIX
if(dent->d_ino)
#endif
{ |
a19f21b6 |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name); |
c561d2a3 |
|
a19f21b6 |
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) { |
0da7859b |
if (cli_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
a19f21b6 |
free(fname);
closedir(dd);
return CL_VIRUS;
}
} else
if(S_ISREG(statbuf.st_mode)) |
0da7859b |
if(cli_scanfile(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
a19f21b6 |
free(fname);
closedir(dd);
return CL_VIRUS;
} |
c561d2a3 |
|
3ccd73ad |
} |
a19f21b6 |
free(fname); |
c561d2a3 |
}
}
} |
a19f21b6 |
} else { |
1ed6a845 |
cli_dbgmsg("ScanDir -> Can't open directory %s.\n", dirname); |
a19f21b6 |
return CL_EOPEN;
} |
c561d2a3 |
|
a19f21b6 |
closedir(dd);
return 0; |
c561d2a3 |
} |
a19f21b6 |
|
0da7859b |
static int cli_vba_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{ |
a19f21b6 |
int ret = CL_CLEAN, i, fd, data_len;
vba_project_t *vba_project; |
b151ef55 |
DIR *dd;
struct dirent *dent;
struct stat statbuf; |
941f3ab8 |
char *fname, *fullname; |
a19f21b6 |
unsigned char *data;
cli_dbgmsg("VBA scan dir: %s\n", dirname);
if((vba_project = (vba_project_t *) vba56_dir_read(dirname))) { |
b151ef55 |
|
a19f21b6 |
for(i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open(fullname, O_RDONLY);
if(fd == -1) { |
1ed6a845 |
cli_dbgmsg("Scan->OLE2 -> Can't open file %s\n", fullname); |
a19f21b6 |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname);
cli_dbgmsg("decompress VBA project '%s'\n", vba_project->name[i]);
data = (unsigned char *) vba_decompress(fd, vba_project->offset[i], &data_len);
close(fd);
if(!data) {
cli_dbgmsg("WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]);
} else {
if(cl_scanbuff(data, data_len, virname, root) == CL_VIRUS) {
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project); |
dc413343 |
} else if ((fullname = ppt_vba_read(dirname))) { |
0da7859b |
if(cli_scandir(fullname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
dc413343 |
ret = CL_VIRUS;
}
cli_rmdirs(fullname);
free(fullname); |
943fc7fe |
} else if ((vba_project = (vba_project_t *) wm_dir_read(dirname))) {
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open(fullname, O_RDONLY);
if(fd == -1) { |
1ed6a845 |
cli_dbgmsg("Scan->OLE2 -> Can't open file %s\n", fullname); |
943fc7fe |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname);
cli_dbgmsg("decompress WM project '%s' macro:%d key:%d\n", vba_project->name[i], i, vba_project->key[i]);
data = (unsigned char *) wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]);
close(fd);
if(!data) {
cli_dbgmsg("WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i);
} else {
if(cl_scanbuff(data, vba_project->length[i], virname, root) == CL_VIRUS) {
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->key);
free(vba_project->length);
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project); |
a19f21b6 |
} |
943fc7fe |
|
a19f21b6 |
if(ret != CL_CLEAN)
return ret; |
b151ef55 |
if((dd = opendir(dirname)) != NULL) {
while((dent = readdir(dd))) { |
618a038b |
#ifndef C_INTERIX
if(dent->d_ino)
#endif
{ |
b151ef55 |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
0da7859b |
if (cli_vba_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
a19f21b6 |
ret = CL_VIRUS;
free(fname);
break;
} |
b151ef55 |
}
free(fname);
}
}
}
} else { |
1ed6a845 |
cli_dbgmsg("ScanDir -> Can't open directory %s.\n", dirname); |
b151ef55 |
return CL_EOPEN;
}
closedir(dd); |
a19f21b6 |
return ret;
}
|
0da7859b |
static int cli_scanole2(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
a19f21b6 |
{
const char *tmpdir; |
941f3ab8 |
char *dir;
int ret = CL_CLEAN; |
a19f21b6 |
cli_dbgmsg("in cli_scanole2()\n");
|
1ed6a845 |
if((tmpdir = getenv("TMPDIR")) == NULL) |
a19f21b6 |
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */ |
f91f55e0 |
dir = cli_gentemp(tmpdir); |
a19f21b6 |
if(mkdir(dir, 0700)) { |
1ed6a845 |
cli_dbgmsg("ScanOLE2 -> Can't create temporary directory %s\n", dir); |
a19f21b6 |
return CL_ETMPDIR;
}
|
21aa0b4d |
if((ret = cli_ole2_extract(desc, dir, limits))) { |
1ed6a845 |
cli_dbgmsg("ScanOLE2 -> %s\n", cl_strerror(ret)); |
a19f21b6 |
cli_rmdirs(dir);
free(dir);
return ret;
}
|
0da7859b |
if((ret = cli_vba_scandir(dir, virname, scanned, root, limits, options, arec, mrec)) != CL_VIRUS) {
if(cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
941f3ab8 |
ret = CL_VIRUS; |
a19f21b6 |
}
}
cli_rmdirs(dir);
free(dir);
return ret; |
b151ef55 |
}
|
4ad876ad |
static int cli_scanmschm(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec)
{
const char *tmpdir;
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanmschm()\n");
if((tmpdir = getenv("TMPDIR")) == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
tempname = cli_gentemp(tmpdir);
if(mkdir(tempname, 0700)) {
cli_dbgmsg("ScanCHM -> Can't create temporary directory %s\n", tempname);
return CL_ETMPDIR;
}
if(chm_unpack(desc, tempname))
ret = cli_scandir(tempname, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
0da7859b |
static int cli_scanmail(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{
const char *tmpdir;
char *dir;
int ret;
|
5115a5eb |
cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", *mrec, *arec); |
b151ef55 |
|
1ed6a845 |
if((tmpdir = getenv("TMPDIR")) == NULL) |
b151ef55 |
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */ |
f91f55e0 |
dir = cli_gentemp(tmpdir); |
b151ef55 |
if(mkdir(dir, 0700)) { |
1ed6a845 |
cli_dbgmsg("ScanMail -> Can't create temporary directory %s\n", dir); |
b151ef55 |
return CL_ETMPDIR;
}
/*
* Extract the attachments into the temporary directory
*/ |
f91f55e0 |
ret = cli_mbox(dir, desc); |
b151ef55 |
/* FIXME: check mbox return code */
|
0da7859b |
ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec); |
b151ef55 |
cli_rmdirs(dir);
free(dir);
return ret;
}
|
5ede41fa |
int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
b151ef55 |
{ |
d3d2fb1e |
char magic[MAGIC_BUFFER_SIZE+1]; |
2fe19b26 |
int ret = CL_CLEAN, nret; |
d3d2fb1e |
int bread = 0; |
0d01fcb2 |
cli_file_t type; |
b151ef55 |
if(!root) { |
1ed6a845 |
cli_errmsg("CRITICAL: root == NULL\n"); |
b151ef55 |
return -1;
}
|
a13ed400 |
if(!options) { /* raw mode (stdin, etc.) */ |
12565a07 |
cli_dbgmsg("Raw mode: no support for archives.\n"); |
2fe19b26 |
if((ret = cli_scandesc(desc, virname, scanned, root, 0) == CL_VIRUS)) |
a13ed400 |
cli_dbgmsg("%s virus found in descriptor %d.\n", *virname, desc);
return ret;
}
|
a19f21b6 |
if(SCAN_ARCHIVE && limits && limits->maxreclevel) |
0da7859b |
if(*arec > limits->maxreclevel) {
cli_dbgmsg("Archive recursion limit exceeded (arec == %d).\n", *arec); |
a19f21b6 |
/* return CL_EMAXREC; */
return CL_CLEAN; |
0da7859b |
} |
b151ef55 |
|
0da7859b |
if(SCAN_MAIL)
if(*mrec > MAX_MAIL_RECURSION) {
cli_dbgmsg("Mail recursion level exceeded (mrec == %d).\n", *mrec);
/* return CL_EMAXREC; */
return CL_CLEAN;
} |
b151ef55 |
|
a19f21b6 |
lseek(desc, 0, SEEK_SET);
bread = read(desc, magic, MAGIC_BUFFER_SIZE);
magic[MAGIC_BUFFER_SIZE] = '\0';
lseek(desc, 0, SEEK_SET); |
b151ef55 |
|
2fe19b26 |
if(bread != MAGIC_BUFFER_SIZE) { |
a19f21b6 |
/* short read: No need to do magic */ |
2fe19b26 |
if((ret = cli_scandesc(desc, virname, scanned, root, 0) == CL_VIRUS))
cli_dbgmsg("%s virus found in descriptor %d.\n", *virname, desc); |
a19f21b6 |
return ret;
} |
b151ef55 |
|
a19f21b6 |
type = cli_filetype(magic, bread); |
8b242bb9 |
|
0da7859b |
type == CL_MAILFILE ? (*mrec)++ : (*arec)++; |
2fe19b26 |
|
a19f21b6 |
switch(type) {
case CL_RARFILE:
if(!DISABLE_RAR && SCAN_ARCHIVE && !cli_scanrar_inuse) |
0da7859b |
ret = cli_scanrar(desc, virname, scanned, root, limits, options, arec, mrec); |
a19f21b6 |
break; |
8b242bb9 |
|
a19f21b6 |
case CL_ZIPFILE:
if(SCAN_ARCHIVE) |
0da7859b |
ret = cli_scanzip(desc, virname, scanned, root, limits, options, arec, mrec); |
a19f21b6 |
break; |
8b242bb9 |
|
a19f21b6 |
case CL_GZFILE:
if(SCAN_ARCHIVE) |
0da7859b |
ret = cli_scangzip(desc, virname, scanned, root, limits, options, arec, mrec); |
a19f21b6 |
break; |
8b242bb9 |
|
a19f21b6 |
case CL_BZFILE: |
41b894c7 |
#ifdef HAVE_BZLIB_H |
a19f21b6 |
if(SCAN_ARCHIVE) |
0da7859b |
ret = cli_scanbzip(desc, virname, scanned, root, limits, options, arec, mrec); |
b151ef55 |
#endif |
a19f21b6 |
break; |
8b242bb9 |
|
e2dc6ace |
case CL_MSCFILE:
if(SCAN_ARCHIVE) |
0da7859b |
ret = cli_scanmscomp(desc, virname, scanned, root, limits, options, arec, mrec); |
e2dc6ace |
break;
|
1ed6a845 |
case CL_MSCABFILE:
if(SCAN_ARCHIVE) |
0da7859b |
ret = cli_scanmscab(desc, virname, scanned, root, limits, options, arec, mrec); |
1ed6a845 |
break;
|
a19f21b6 |
case CL_MAILFILE:
if(SCAN_MAIL) |
0da7859b |
ret = cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec); |
a19f21b6 |
break; |
8b242bb9 |
|
4ad876ad |
case CL_MSCHMFILE:
if(SCAN_ARCHIVE)
ret = cli_scanmschm(desc, virname, scanned, root, limits, options, arec, mrec);
break;
|
a19f21b6 |
case CL_OLE2FILE:
if(SCAN_OLE2) |
0da7859b |
ret = cli_scanole2(desc, virname, scanned, root, limits, options, arec, mrec); |
a19f21b6 |
break; |
8b242bb9 |
|
a19f21b6 |
case CL_DATAFILE:
/* it could be a false positive and a standard DOS .COM file */
{
struct stat s;
if(fstat(desc, &s) == 0 && S_ISREG(s.st_mode) && s.st_size < 65536)
type = CL_UNKNOWN_TYPE;
}
|
f91f55e0 |
default: |
a19f21b6 |
break; |
b151ef55 |
}
|
0da7859b |
type == CL_MAILFILE ? (*mrec)-- : (*arec)--; |
a19f21b6 |
if(type != CL_DATAFILE && ret != CL_VIRUS) { /* scan the raw file */ |
28652280 |
int typerec; |
2fe19b26 |
|
28652280 |
type == CL_UNKNOWN_TYPE ? (typerec = 1) : (typerec = 0);
lseek(desc, 0, SEEK_SET); |
0da7859b |
|
28652280 |
if((nret = cli_scandesc(desc, virname, scanned, root, typerec)) == CL_VIRUS) { |
b151ef55 |
cli_dbgmsg("%s virus found in descriptor %d.\n", *virname, desc);
return CL_VIRUS; |
2fe19b26 |
} else if(nret >= CL_TYPENO) {
lseek(desc, 0, SEEK_SET);
switch(nret) {
case CL_HTMLFILE:
if(SCAN_HTML) |
0da7859b |
if(cli_scanhtml(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) |
2fe19b26 |
return CL_VIRUS;
break; |
12565a07 |
case CL_MAILFILE:
if(SCAN_MAIL) |
0da7859b |
if(cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) |
12565a07 |
return CL_VIRUS;
break; |
2fe19b26 |
} |
b151ef55 |
} |
5aad47ca |
} |
b151ef55 |
|
28652280 |
(*arec)++;
lseek(desc, 0, SEEK_SET);
switch(type) {
/* Due to performance reasons all executables were first scanned
* in raw mode. Now we will try to unpack them
*/
case CL_DOSEXE:
if(SCAN_PE)
ret = cli_scanpe(desc, virname, scanned, root, limits, options, arec, mrec);
break; |
f91f55e0 |
default:
break; |
28652280 |
}
(*arec)--;
|
b151ef55 |
return ret;
}
|
41b894c7 |
int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options) |
b151ef55 |
{ |
0da7859b |
int arec = 0, mrec = 0; |
b151ef55 |
|
0da7859b |
return cli_magic_scandesc(desc, virname, scanned, root, limits, options, &arec, &mrec); |
b151ef55 |
}
|
0da7859b |
static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
ad640f0b |
{
int fd, ret;
|
c2484690 |
|
0da7859b |
/* internal version of cl_scanfile with arec/mrec preserved */ |
ad640f0b |
if((fd = open(filename, O_RDONLY)) == -1)
return CL_EOPEN;
|
0da7859b |
ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec); |
ad640f0b |
close(fd);
return ret;
}
|
41b894c7 |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options) |
b151ef55 |
{
int fd, ret;
|
12565a07 |
|
b151ef55 |
if((fd = open(filename, O_RDONLY)) == -1)
return CL_EOPEN;
ret = cl_scandesc(fd, virname, scanned, root, limits, options);
close(fd);
return ret;
} |