e3aaff8e |
/* |
f893c0f3 |
* Copyright (C) 2002 - 2004 Tomasz Kojm <tkojm@clamav.net> |
6d6e8271 |
* With enhancements from Thomas Lamy <Thomas.Lamy@in-online.net> |
e3aaff8e |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
|
6d6e8271 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
e3aaff8e |
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#ifdef CL_THREAD_SAFE
# include <pthread.h>
pthread_mutex_t cli_scanrar_mutex = PTHREAD_MUTEX_INITIALIZER;
#endif |
6d6e8271 |
int cli_scanrar_inuse = 0; |
e3aaff8e |
#include "clamav.h"
#include "others.h"
#include "matcher.h"
#include "unrarlib.h" |
47bbbc56 |
#include "ole2_extract.h"
#include "vba_extract.h" |
e3aaff8e |
#ifdef HAVE_ZLIB_H
#include <zlib.h>
#include <zzip.h>
#endif
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
0f34221a |
#define SCAN_ARCHIVE (options & CL_ARCHIVE)
#define SCAN_MAIL (options & CL_MAIL)
#define SCAN_OLE2 (options & CL_OLE2)
#define DISABLE_RAR (options & CL_DISABLERAR)
#define DETECT_ENCRYPTED (options & CL_ENCRYPTED) |
6d6e8271 |
typedef enum {
CL_UNKNOWN_TYPE = 0,
CL_MAILFILE,
CL_GZFILE,
CL_ZIPFILE,
CL_BZFILE,
CL_RARFILE,
CL_OLE2FILE
} cl_file_t;
struct cl_magic_s {
int offset; |
68a6f51f |
const char *magic; |
6d6e8271 |
size_t length; |
68a6f51f |
const char *descr; |
6d6e8271 |
cl_file_t type;
};
|
a487b2a8 |
#define MAGIC_BUFFER_SIZE 26 |
6d6e8271 |
static const struct cl_magic_s cl_magic[] = { |
a487b2a8 |
{0, "Rar!", 4, "RAR", CL_RARFILE},
{0, "PK\003\004", 4, "ZIP", CL_ZIPFILE},
{0, "\037\213", 2, "GZip", CL_GZFILE},
{0, "BZh", 3, "BZip", CL_BZFILE},
{0, "From ", 5, "MBox", CL_MAILFILE},
{0, "Received: ", 10, "Raw mail", CL_MAILFILE},
{0, "Return-Path: ", 13, "Maildir", CL_MAILFILE},
{0, "Return-path: ", 13, "Maildir", CL_MAILFILE},
{0, "Delivered-To: ", 14, "Mail", CL_MAILFILE},
{0, "X-UIDL: ", 8, "Mail", CL_MAILFILE},
{0, "For: ", 5, "Eserv mail", CL_MAILFILE},
{0, "From: ", 6, "Exim mail", CL_MAILFILE},
{0, "X-Symantec-", 11, "Symantec", CL_MAILFILE},
{0, "Hi. This is the qmail-send", 26, "Qmail bounce", CL_MAILFILE}, |
6d6e8271 |
{0, "\320\317\021\340\241\261\032\341",
8, "OLE2 container", CL_OLE2FILE},
{-1, NULL, 0, NULL, CL_UNKNOWN_TYPE}
};
|
68a6f51f |
static cl_file_t cl_filetype(const char *buf, size_t buflen) |
6d6e8271 |
{
int i;
for (i = 0; cl_magic[i].magic; i++) {
if (buflen >= cl_magic[i].offset+cl_magic[i].length) {
if (memcmp(buf+cl_magic[i].offset, cl_magic[i].magic, cl_magic[i].length) == 0) {
cli_dbgmsg("Recognized %s file\n", cl_magic[i].descr);
return cl_magic[i].type;
}
}
} |
ba5b830f |
|
6d6e8271 |
return CL_UNKNOWN_TYPE;
} |
e3aaff8e |
|
68a6f51f |
static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev); |
e3aaff8e |
|
68a6f51f |
static int cli_scandesc(int desc, const char **virname, long int *scanned, const struct |
e3aaff8e |
cl_node *root)
{
char *buffer, *buff, *endbl, *pt; |
6d6e8271 |
int bytes, buffsize, length, ret; |
e3aaff8e |
/* prepare the buffer */ |
f7148839 |
buffsize = root->maxpatlen + SCANBUFF; |
9e431a95 |
if(!(buffer = (char *) cli_calloc(buffsize, sizeof(char)))) {
cli_dbgmsg("cli_scandesc(): unable to malloc(%d)\n", buffsize); |
e3aaff8e |
return CL_EMEM; |
9e431a95 |
} |
e3aaff8e |
buff = buffer;
buff += root->maxpatlen; /* pointer to read data block */ |
f7148839 |
endbl = buff + SCANBUFF - root->maxpatlen; /* pointer to the last block |
e3aaff8e |
* length of root->maxpatlen
*/
pt= buff; |
f7148839 |
length = SCANBUFF; |
e3aaff8e |
|
f7148839 |
while((bytes = read(desc, buff, SCANBUFF)) > 0) { |
e3aaff8e |
if(scanned != NULL)
*scanned += bytes / CL_COUNT_PRECISION;
|
f7148839 |
if(bytes < SCANBUFF)
length -= SCANBUFF - bytes; |
e3aaff8e |
|
6d6e8271 |
if((ret = cl_scanbuff(pt, length, virname, root)) != CL_CLEAN) { |
e3aaff8e |
free(buffer); |
6d6e8271 |
return ret; |
e3aaff8e |
}
|
f7148839 |
if(bytes == SCANBUFF) |
e3aaff8e |
memmove(buffer, endbl, root->maxpatlen);
pt = buffer;
length=buffsize;
}
free(buffer);
return CL_CLEAN;
}
#ifdef CL_THREAD_SAFE |
68a6f51f |
static void cli_unlock_mutex(void *mtx) |
e3aaff8e |
{
cli_dbgmsg("Pthread cancelled. Unlocking mutex.\n");
pthread_mutex_unlock(mtx);
}
#endif
|
68a6f51f |
static int cli_scanrar(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{ |
fc56deed |
FILE *tmp = NULL; |
e3aaff8e |
int files = 0, fd, ret = CL_CLEAN;
ArchiveList_struct *rarlist = NULL; |
68a6f51f |
ArchiveList_struct *rarlist_head = NULL; |
e3aaff8e |
char *rar_data_ptr;
unsigned long rar_data_size;
cli_dbgmsg("Starting scanrar()\n");
#ifdef CL_THREAD_SAFE
pthread_cleanup_push(cli_unlock_mutex, &cli_scanrar_mutex);
pthread_mutex_lock(&cli_scanrar_mutex);
cli_scanrar_inuse = 1;
#endif
if(!urarlib_list(desc, (ArchiveList_struct *) &rarlist)) {
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_ERAR;
}
|
68a6f51f |
rarlist_head = rarlist;
|
e3aaff8e |
while(rarlist) {
if(limits) {
if(limits->maxfilesize && (rarlist->item.UnpSize > limits->maxfilesize)) {
cli_dbgmsg("RAR->%s: Size exceeded (%d, max: %d)\n", rarlist->item.Name, rarlist->item.UnpSize, limits->maxfilesize);
rarlist = rarlist->next;
files++; |
6ccc6990 |
/* ret = CL_EMAXSIZE; */ |
e3aaff8e |
continue;
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles); |
6ccc6990 |
/* ret = CL_EMAXFILES; */ |
e3aaff8e |
break;
}
}
|
68a6f51f |
if(!!( rarlist->item.FileAttr & RAR_FENTRY_ATTR_DIRECTORY)) {
rarlist = rarlist->next;
files++;
continue;
}
|
e3aaff8e |
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("RAR -> Can't generate tmpfile().\n");
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
68a6f51f |
if( urarlib_get(&rar_data_ptr, &rar_data_size, rarlist->item.Name, desc, "clam")) { |
e3aaff8e |
cli_dbgmsg("RAR -> Extracted: %s, size: %d\n", rarlist->item.Name, rar_data_size); |
68a6f51f |
if(fwrite(rar_data_ptr, 1, rar_data_size, tmp) != rar_data_size) { |
e3aaff8e |
cli_dbgmsg("RAR -> Can't write() file.\n"); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
tmp = NULL;
ret = CL_ERAR; |
cdb0ae9c |
if(rar_data_ptr) { |
e3aaff8e |
free(rar_data_ptr); |
cdb0ae9c |
rar_data_ptr = NULL;
} |
27a3f44a |
break; |
e3aaff8e |
}
|
cdb0ae9c |
if(rar_data_ptr) { |
e3aaff8e |
free(rar_data_ptr); |
cdb0ae9c |
rar_data_ptr = NULL;
}
if(fflush(tmp) != 0) {
cli_dbgmsg("fflush() failed: %s\n", strerror(errno));
fclose(tmp); |
68a6f51f |
urarlib_freelist(rarlist_head); |
e3aaff8e |
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
68a6f51f |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, reclev)) == CL_VIRUS ) {
cli_dbgmsg("RAR -> Found %s virus.\n", *virname); |
6d6e8271 |
|
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
urarlib_freelist(rarlist);
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
#endif |
68a6f51f |
return ret; |
e3aaff8e |
}
} else {
cli_dbgmsg("RAR -> Can't decompress file %s\n", rarlist->item.Name); |
cdb0ae9c |
fclose(tmp);
ret = CL_ERAR; /* WinRAR 3.0 ? */
break; |
e3aaff8e |
}
|
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
tmp = NULL;
rarlist = rarlist->next;
files++;
}
|
68a6f51f |
urarlib_freelist(rarlist_head); |
e3aaff8e |
#ifdef CL_THREAD_SAFE
pthread_mutex_unlock(&cli_scanrar_mutex);
cli_scanrar_inuse = 0;
pthread_cleanup_pop(0);
#endif
return ret;
}
#ifdef HAVE_ZLIB_H |
68a6f51f |
static int cli_scanzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{
ZZIP_DIR *zdir;
ZZIP_DIRENT zdirent;
ZZIP_FILE *zfp; |
fc56deed |
FILE *tmp = NULL; |
f7148839 |
char *buff; |
ee039e40 |
int fd, bytes, files = 0, ret = CL_CLEAN; |
fc56deed |
struct stat source; |
ee039e40 |
zzip_error_t err; |
e3aaff8e |
cli_dbgmsg("Starting scanzip()\n");
|
049a18b9 |
if((zdir = zzip_dir_fdopen(dup(desc), &err)) == NULL) {
cli_dbgmsg("Zip -> Not supported file format ?.\n");
cli_dbgmsg("zzip_dir_fdopen() return code: %d\n", err); |
77be7ea9 |
/* no return with CL_EZIP due to password protected zips */
return CL_CLEAN; |
e3aaff8e |
}
|
fc56deed |
fstat(desc, &source);
|
33f40ee5 |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
9e431a95 |
cli_dbgmsg("cli_scanzip(): unable to malloc(%d)\n", FILEBUFF); |
33f40ee5 |
zzip_dir_close(zdir);
return CL_EMEM;
}
|
e3aaff8e |
while(zzip_dir_read(zdir, &zdirent)) { |
fc56deed |
if(!zdirent.d_name || !strlen(zdirent.d_name)) { /* Mimail fix */
cli_dbgmsg("strlen(zdirent.d_name) == %d\n", strlen(zdirent.d_name)); |
a0977bfe |
*virname = "Suspected.Zip"; |
fc56deed |
ret = CL_VIRUS;
break;
}
|
0f34221a |
cli_dbgmsg("Zip -> %s, compressed: %d, normal: %d, encrypted flag: %d\n", zdirent.d_name, zdirent.d_csize, zdirent.st_size, zdirent.d_flags); |
e3aaff8e |
|
a6945b5d |
if(limits && limits->maxratio > 0 && source.st_size && (zdirent.st_size / source.st_size) >= limits->maxratio) { |
a0977bfe |
*virname = "Oversized.Zip"; |
fc56deed |
ret = CL_VIRUS;
break;
}
|
e3aaff8e |
if(!zdirent.st_size) { /* omit directories and null files */
files++;
continue;
}
/* work-around for problematic zips (zziplib crashes with them) */
if(zdirent.d_csize < 0 || zdirent.st_size < 0) {
files++;
cli_dbgmsg("Zip -> Malformed archive detected.\n"); |
fc56deed |
/* ret = CL_EMALFZIP; */
/* report it as a virus */ |
a0977bfe |
*virname = "Suspected.Zip"; |
fc56deed |
ret = CL_VIRUS; |
e3aaff8e |
break;
}
|
bddfdc19 |
if(DETECT_ENCRYPTED && (zdirent.d_flags & 1 )) { |
0f34221a |
files++;
cli_dbgmsg("Zip -> Encrypted files found in archive.\n");
*virname = "Encrypted.Zip";
ret = CL_VIRUS;
break;
}
|
e3aaff8e |
if(limits) {
if(limits->maxfilesize && (zdirent.st_size > limits->maxfilesize)) {
cli_dbgmsg("Zip -> %s: Size exceeded (%d, max: %d)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize);
files++; |
6ccc6990 |
/* ret = CL_EMAXSIZE; */ |
fc56deed |
continue; /* this is not a bug */ |
e3aaff8e |
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles); |
6ccc6990 |
/* ret = CL_EMAXFILES; */ |
e3aaff8e |
break;
}
}
/* generate temporary file and get its descriptor */
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Zip -> Can't generate tmpfile().\n"); |
fc56deed |
ret = CL_ETMPFILE;
break; |
e3aaff8e |
}
if((zfp = zzip_file_open(zdir, zdirent.d_name, 0)) == NULL) {
cli_dbgmsg("Zip -> %s: Can't open file.\n", zdirent.d_name);
ret = CL_EZIP; |
fc56deed |
break; |
e3aaff8e |
}
|
f7148839 |
while((bytes = zzip_file_read(zfp, buff, FILEBUFF)) > 0) { |
cdb0ae9c |
if(fwrite(buff, bytes, 1, tmp)*bytes != bytes) {
cli_dbgmsg("Zip -> Can't fwrite() file: %s\n", strerror(errno)); |
e3aaff8e |
zzip_file_close(zfp); |
33f40ee5 |
zzip_dir_close(zdir);
fclose(tmp); |
f7148839 |
free(buff); |
33f40ee5 |
return CL_EZIP; |
e3aaff8e |
}
}
zzip_file_close(zfp);
|
cdb0ae9c |
if(fflush(tmp) != 0) {
cli_errmsg("fflush() failed: %s\n", strerror(errno)); |
fc56deed |
ret = CL_EFSYNC;
break; |
e3aaff8e |
}
|
cdb0ae9c |
fd = fileno(tmp);
|
e3aaff8e |
lseek(fd, 0, SEEK_SET);
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, reclev)) == CL_VIRUS ) {
cli_dbgmsg("Zip -> Found %s virus.\n", *virname);
ret = CL_VIRUS;
break;
} else if(ret == CL_EMALFZIP) {
/* |
fc56deed |
* The trick with detection of ZoD only works with higher (>= 5) |
e3aaff8e |
* recursion limit level.
*/
cli_dbgmsg("Zip -> Malformed Zip, scanning stopped.\n"); |
a0977bfe |
*virname = "Suspected.Zip"; |
e3aaff8e |
ret = CL_VIRUS;
break;
}
|
cdb0ae9c |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
e3aaff8e |
files++;
}
zzip_dir_close(zdir); |
cdb0ae9c |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
33f40ee5 |
free(buff); |
e3aaff8e |
return ret;
}
|
68a6f51f |
static int cli_scangzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN;
long int size = 0; |
f7148839 |
char *buff; |
fc56deed |
FILE *tmp = NULL; |
e3aaff8e |
gzFile gd;
|
fc56deed |
cli_dbgmsg("in cli_scangzip()\n");
|
e3aaff8e |
if((gd = gzdopen(dup(desc), "rb")) == NULL) {
cli_dbgmsg("Can't gzdopen() descriptor %d.\n", desc);
return CL_EGZIP;
}
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Can't generate tmpfile().\n");
gzclose(gd);
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
fc56deed |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
9e431a95 |
cli_dbgmsg("cli_scangzip(): unable to malloc(%d)\n", FILEBUFF); |
fc56deed |
gzclose(gd); |
f7148839 |
return CL_EMEM; |
fc56deed |
} |
f7148839 |
|
fc56deed |
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) { |
e3aaff8e |
size += bytes;
if(limits) |
fc56deed |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
68a6f51f |
cli_dbgmsg("Gzip->desc(%d): Size exceeded (stopped at %ld, max: %ld)\n", desc, size, limits->maxfilesize); |
6ccc6990 |
/* ret = CL_EMAXSIZE; */ |
e3aaff8e |
break;
}
if(write(fd, buff, bytes) != bytes) {
cli_dbgmsg("Gzip -> Can't write() file.\n"); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
gzclose(gd); |
f7148839 |
free(buff); |
e3aaff8e |
return CL_EGZIP;
}
}
|
f7148839 |
free(buff); |
e3aaff8e |
gzclose(gd);
if(fsync(fd) == -1) {
cli_dbgmsg("fsync() failed for descriptor %d\n", fd); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET);
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, reclev)) == CL_VIRUS ) {
cli_dbgmsg("Gzip -> Found %s virus.\n", *virname); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return CL_VIRUS;
} |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return ret;
}
#endif
#ifdef HAVE_BZLIB_H
#ifdef NOBZ2PREFIX
#define BZ2_bzReadOpen bzReadOpen
#define BZ2_bzReadClose bzReadClose
#define BZ2_bzRead bzRead
#endif
|
68a6f51f |
static int cli_scanbzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN, bzerror = 0;
short memlim = 0;
long int size = 0; |
f7148839 |
char *buff; |
fc56deed |
FILE *fs, *tmp = NULL; |
e3aaff8e |
BZFILE *bfd;
|
9e431a95 |
if((fs = fdopen(dup(desc), "rb")) == NULL) { |
e3aaff8e |
cli_errmsg("Can't fdopen() descriptor %d.\n", desc);
return CL_EBZIP;
}
if(limits)
if(limits->archivememlim)
memlim = 1;
|
68b96877 |
if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) { |
e3aaff8e |
cli_dbgmsg("Can't initialize bzip2 library (descriptor %d).\n", desc); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EBZIP;
}
if((tmp = tmpfile()) == NULL) {
cli_dbgmsg("Can't generate tmpfile().\n");
BZ2_bzReadClose(&bzerror, bfd); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
9e431a95 |
if(!(buff = (char *) malloc(FILEBUFF))) {
cli_dbgmsg("cli_scanbzip(): unable to malloc(%d)\n", FILEBUFF);
fclose(tmp);
fclose(fs);
BZ2_bzReadClose(&bzerror, bfd); |
f7148839 |
return CL_EMEM; |
9e431a95 |
} |
f7148839 |
|
fc56deed |
while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) { |
e3aaff8e |
size += bytes;
if(limits) |
fc56deed |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
68a6f51f |
cli_dbgmsg("Bzip2->desc(%d): Size exceeded (stopped at %ld, max: %ld)\n", desc, size, limits->maxfilesize); |
6ccc6990 |
/* ret = CL_EMAXSIZE; */ |
e3aaff8e |
break;
}
if(write(fd, buff, bytes) != bytes) {
cli_dbgmsg("Bzip2 -> Can't write() file.\n");
BZ2_bzReadClose(&bzerror, bfd); |
cdb0ae9c |
fclose(tmp); |
f7148839 |
free(buff); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EGZIP;
}
}
|
f7148839 |
free(buff); |
e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd);
if(fsync(fd) == -1) {
cli_dbgmsg("fsync() failed for descriptor %d\n", fd); |
cdb0ae9c |
fclose(tmp); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET);
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, reclev)) == CL_VIRUS ) {
cli_dbgmsg("Bzip2 -> Found %s virus.\n", *virname);
} |
cdb0ae9c |
fclose(tmp); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return ret;
}
#endif
|
68a6f51f |
static int cli_scanole2(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
47bbbc56 |
{
const char *tmpdir;
char *dir, *fullname;
unsigned char *data; |
ea399527 |
int ret = CL_CLEAN, fd, i, data_len; |
47bbbc56 |
vba_project_t *vba_project;
cli_dbgmsg("in cli_scanole2()\n");
tmpdir = getenv("TMPDIR");
if(tmpdir == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */
dir = cl_gentemp(tmpdir);
if(mkdir(dir, 0700)) {
cli_errmsg("ScanOLE2 -> Can't create temporary directory %s\n", dir);
return CL_ETMPDIR;
}
if((ret = cli_ole2_extract(desc, dir))) {
cli_errmsg("ScanOLE2 -> %s\n", cl_strerror(ret));
cli_rmdirs(dir);
free(dir);
return ret;
}
if((vba_project = (vba_project_t *) vba56_dir_read(dir))) {
for(i = 0; i < vba_project->count; i++) {
fullname = (char *) malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open(fullname, O_RDONLY);
if(fd == -1) {
cli_errmsg("Scan->OLE2 -> Can't open file %s\n", fullname);
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
bbb90786 |
cli_dbgmsg("decompress VBA project '%s'\n", vba_project->name[i]); |
ea399527 |
data = (unsigned char *) vba_decompress(fd, vba_project->offset[i], &data_len); |
9d0ee50b |
close(fd); |
47bbbc56 |
|
bbb90786 |
if(!data) {
cli_dbgmsg("WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]); |
a14fc921 |
} else { |
ea399527 |
if(cl_scanbuff(data, data_len, virname, root) == CL_VIRUS) { |
bbb90786 |
free(data);
ret = CL_VIRUS;
break;
}
|
47bbbc56 |
free(data);
}
}
|
f893c0f3 |
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset); |
9d0ee50b |
free(vba_project); |
47bbbc56 |
}
cli_rmdirs(dir);
free(dir);
return ret;
} |
68a6f51f |
static int cli_scandir(char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{
DIR *dd;
struct dirent *dent;
struct stat statbuf;
char *fname;
if((dd = opendir(dirname)) != NULL) {
while((dent = readdir(dd))) {
if(dent->d_ino) {
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
f0d72b10 |
cli_scandir(fname, virname, scanned, root, limits, options, reclev); |
e3aaff8e |
else
if(S_ISREG(statbuf.st_mode))
if(cl_scanfile(fname, virname, scanned, root, limits, options) == CL_VIRUS) {
free(fname);
closedir(dd);
return CL_VIRUS;
}
}
free(fname);
}
}
}
} else {
cli_errmsg("ScanDir -> Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir(dd);
return 0;
}
|
68a6f51f |
static int cli_scanmail(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{
const char *tmpdir;
char *dir;
int ret;
|
5920e217 |
cli_dbgmsg("Starting cli_scanmail()\n");
|
e1e5b905 |
if(*reclev > 5) /* FIXME: a temporary workaround */ |
5920e217 |
return CL_CLEAN; |
e3aaff8e |
tmpdir = getenv("TMPDIR");
if(tmpdir == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */ |
8139fd99 |
dir = cl_gentemp(tmpdir); |
e3aaff8e |
if(mkdir(dir, 0700)) {
cli_errmsg("ScanMail -> Can't create temporary directory %s\n", dir);
return CL_ETMPDIR;
}
/*
* Extract the attachments into the temporary directory
*/
ret = cl_mbox(dir, desc);
/* FIXME: check mbox return code */
ret = cli_scandir(dir, virname, scanned, root, limits, options, reclev);
cli_rmdirs(dir);
free(dir);
return ret;
}
|
68a6f51f |
static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev) |
e3aaff8e |
{ |
cdb0ae9c |
char magic[MAGIC_BUFFER_SIZE+1]; |
e3aaff8e |
int ret = CL_CLEAN; |
cdb0ae9c |
int bread = 0; |
6d6e8271 |
cl_file_t type; |
e3aaff8e |
if(!root) {
cli_errmsg("root == NULL\n");
return -1;
}
|
0f34221a |
|
cdb0ae9c |
if(SCAN_ARCHIVE || SCAN_MAIL) {
/* Need to examine file type */ |
e3aaff8e |
|
8adf0608 |
if(SCAN_ARCHIVE && limits && limits->maxreclevel) |
e3aaff8e |
if(*reclev > limits->maxreclevel) |
6ccc6990 |
/* return CL_EMAXREC; */
return CL_CLEAN; |
e3aaff8e |
(*reclev)++;
|
cdb0ae9c |
lseek(desc, 0, SEEK_SET);
bread = read(desc, magic, MAGIC_BUFFER_SIZE);
magic[MAGIC_BUFFER_SIZE] = '\0'; /* terminate magic string properly */ |
e3aaff8e |
lseek(desc, 0, SEEK_SET);
|
67940173 |
if (bread != MAGIC_BUFFER_SIZE) {
/* short read: No need to do magic */ |
8139fd99 |
(*reclev)--; |
67940173 |
return ret;
} |
6d6e8271 |
type = cl_filetype(magic, bread);
switch(type) {
case CL_RARFILE:
if(!DISABLE_RAR && SCAN_ARCHIVE && !cli_scanrar_inuse) {
ret = cli_scanrar(desc, virname, scanned, root, limits, options, reclev);
}
break;
case CL_ZIPFILE:
if(SCAN_ARCHIVE) {
ret = cli_scanzip(desc, virname, scanned, root, limits, options, reclev);
}
break;
case CL_GZFILE:
if(SCAN_ARCHIVE) {
ret = cli_scangzip(desc, virname, scanned, root, limits, options, reclev);
}
break;
case CL_BZFILE: |
68a6f51f |
#ifdef HAVE_BZLIB_H |
6d6e8271 |
if(SCAN_ARCHIVE) {
ret = cli_scanbzip(desc, virname, scanned, root, limits, options, reclev);
} |
e3aaff8e |
#endif |
68a6f51f |
break; |
6d6e8271 |
case CL_MAILFILE:
if (SCAN_MAIL) {
ret = cli_scanmail(desc, virname, scanned, root, limits, options, reclev);
}
break;
case CL_OLE2FILE:
if(SCAN_OLE2) {
ret = cli_scanole2(desc, virname, scanned, root, limits, options, reclev);
} |
68a6f51f |
case CL_UNKNOWN_TYPE: |
6d6e8271 |
break; |
e3aaff8e |
} |
6d6e8271 |
|
cdb0ae9c |
(*reclev)--; |
e3aaff8e |
}
|
46c2e927 |
if(ret != CL_VIRUS) { /* scan the raw file */ |
cdb0ae9c |
lseek(desc, 0, SEEK_SET); /* If archive scan didn't rewind desc */ |
e3aaff8e |
if(cli_scandesc(desc, virname, scanned, root) == CL_VIRUS) {
cli_dbgmsg("%s virus found in descriptor %d.\n", *virname, desc);
return CL_VIRUS;
} |
46c2e927 |
} |
e3aaff8e |
return ret;
}
|
68a6f51f |
int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options) |
e3aaff8e |
{
int reclev = 0;
return cli_magic_scandesc(desc, virname, scanned, root, limits, options, &reclev);
}
|
68a6f51f |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options) |
e3aaff8e |
{
int fd, ret;
if((fd = open(filename, O_RDONLY)) == -1)
return CL_EOPEN;
cli_dbgmsg("Scanning %s\n", filename);
ret = cl_scandesc(fd, virname, scanned, root, limits, options);
close(fd);
return ret;
} |