| e3aaff8e |
/* |
| f51e962f |
* Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm@clamav.net> |
| e3aaff8e |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
| 48b7b4a7 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
| e3aaff8e |
*/
|
| 6d6e8271 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
| e3aaff8e |
#include <string.h> |
| 7ec67e94 |
#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h> |
| b58fdfc2 |
#ifdef HAVE_UNISTD_H |
| 7ec67e94 |
#include <unistd.h> |
| b58fdfc2 |
#endif |
| e3aaff8e |
#include "clamav.h"
#include "others.h" |
| 8000d078 |
#include "matcher-ac.h"
#include "matcher-bm.h"
#include "md5.h" |
| 888f5794 |
#include "filetypes.h" |
| b68d11d2 |
#include "matcher.h" |
| 7ec67e94 |
#include "pe.h" |
| 01302683 |
#include "elf.h"
#include "execs.h" |
| c3a3be2d |
#include "special.h" |
| c9c463fe |
#include "str.h" |
| e3aaff8e |
|
| 5612732c |
static int targettab[CL_TARGET_TABLE_SIZE] = { 0, CL_TYPE_MSEXE, CL_TYPE_MSOLE2, CL_TYPE_HTML, CL_TYPE_MAIL, CL_TYPE_GRAPHICS, CL_TYPE_ELF }; |
| b68d11d2 |
|
| 0c9d7f15 |
extern short cli_debug_flag; |
| e3aaff8e |
|
| b5456d64 |
#ifdef HAVE_NCORE |
| f51e962f |
#include <sn_sigscan/sn_sigscan.h>
#define HWBUFFSIZE 32768 |
| 40107990 |
#endif
|
| c9c463fe |
|
| 5612732c |
int cli_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_engine *engine, unsigned short ftype) |
| 8000d078 |
{ |
| f51e962f |
int ret = CL_CLEAN, i, tid = 0, *partcnt; |
| 8000d078 |
unsigned long int *partoff; |
| 5612732c |
struct cli_matcher *groot, *troot = NULL; |
| b5456d64 |
#ifdef HAVE_NCORE |
| f51e962f |
void *streamhandle;
void *resulthandle; |
| d36d3b46 |
uint32_t datamask[2] = { 0xffffffff, 0xffffffff }; |
| f51e962f |
int count, hret;
unsigned long long offset; |
| c9c463fe |
char *pt; |
| f51e962f |
#endif |
| e3aaff8e |
|
| 5612732c |
if(!engine) {
cli_errmsg("cli_scanbuff: engine == NULL\n");
return CL_ENULLARG;
}
|
| b5456d64 |
#ifdef HAVE_NCORE
if(engine->ncore) { |
| f51e962f |
/* TODO: Setup proper data bitmask (need specs) */ |
| b4ff5537 |
if((hret = sn_sigscan_createstream(engine->ncdb, datamask, 2, &streamhandle)) < 0) { |
| f51e962f |
cli_errmsg("cli_scanbuff: can't create new hardware stream: %d\n", hret);
return CL_EHWIO;
}
if((hret = sn_sigscan_writestream(streamhandle, buffer, length)) < 0) {
cli_errmsg("cli_scanbuff: can't write %u bytes to hardware stream: %d\n", length, hret);
sn_sigscan_closestream(streamhandle, &resulthandle);
return CL_EHWIO;
}
if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) {
cli_errmsg("cli_scanbuff: can't close hardware stream: %d\n", hret);
return CL_EHWIO;
}
count = sn_sigscan_resultcount(resulthandle); |
| c9c463fe |
for(i = 0; i < count; i++) {
const char *matchname = NULL, *offsetstring = NULL, *optionalsigdata = NULL;
int targettype = 0;
if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(!matchname) {
cli_errmsg("cli_scanbuff: HW Result[%d]: Signature without name\n", i);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(targettype && targettab[targettype] != (int) ftype) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype);
continue;
}
if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(offsetstring) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Offset based signature not supported in buffer mode\n", i, matchname);
continue;
}
if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
} |
| b4ff5537 |
if(optionalsigdata && strlen(optionalsigdata)) { |
| c9c463fe |
if((pt = cli_strtok(optionalsigdata, 1, ":"))) { /* max version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) < cl_retflevel()) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) > cl_retflevel()) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
}
} else {
if(!isdigit(*optionalsigdata)) {
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(optionalsigdata) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel());
continue;
}
}
}
*virname = matchname;
ret = CL_VIRUS;
break;
} |
| f51e962f |
if((hret = sn_sigscan_resultfree(resulthandle)) < 0) {
cli_errmsg("cli_scanbuff: can't free results: %d\n", ret);
return CL_EHWIO;
}
return ret;
} |
| b5456d64 |
#endif /* HAVE_NCORE */ |
| f51e962f |
|
| 5612732c |
groot = engine->root[0]; /* generic signatures */
if(ftype) {
for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {
if(targettab[i] == ftype) {
tid = i;
break;
}
}
if(tid)
troot = engine->root[tid];
}
if(troot) {
if((partcnt = (int *) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) { |
| fbc255a1 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int)); |
| 5612732c |
return CL_EMEM;
}
if((partoff = (unsigned long int *) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { |
| fbc255a1 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int)); |
| 5612732c |
free(partcnt);
return CL_EMEM;
}
|
| 83fa5305 |
if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, 0, ftype, -1)) != CL_VIRUS) |
| 5612732c |
ret = cli_ac_scanbuff(buffer, length, virname, troot, partcnt, 0, 0, partoff, ftype, -1, NULL);
free(partcnt);
free(partoff);
if(ret == CL_VIRUS)
return ret;
}
if((partcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) { |
| fbc255a1 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int)); |
| 8000d078 |
return CL_EMEM; |
| e3aaff8e |
}
|
| 5612732c |
if((partoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { |
| fbc255a1 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int)); |
| 8000d078 |
free(partcnt); |
| 2d70a403 |
return CL_EMEM; |
| 9e431a95 |
} |
| e3aaff8e |
|
| 83fa5305 |
if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, 0, ftype, -1)) != CL_VIRUS) |
| 5612732c |
ret = cli_ac_scanbuff(buffer, length, virname, groot, partcnt, 0, 0, partoff, ftype, -1, NULL); |
| 8000d078 |
free(partcnt);
free(partoff);
return ret; |
| e3aaff8e |
}
|
| 5612732c |
static struct cli_md5_node *cli_vermd5(const unsigned char *md5, const struct cl_engine *engine) |
| e3aaff8e |
{ |
| 8000d078 |
struct cli_md5_node *pt; |
| e3aaff8e |
|
| 5612732c |
if(!(pt = engine->md5_hlist[md5[0] & 0xff])) |
| e3aaff8e |
return NULL;
|
| 8000d078 |
while(pt) {
if(!memcmp(pt->md5, md5, 16))
return pt; |
| e3aaff8e |
|
| 8000d078 |
pt = pt->next; |
| 2d70a403 |
} |
| e3aaff8e |
|
| 8000d078 |
return NULL; |
| e3aaff8e |
}
|
| 01302683 |
static long int cli_caloff(const char *offstr, int fd, unsigned short ftype) |
| 7ec67e94 |
{ |
| 01302683 |
struct cli_exe_info exeinfo;
int (*einfo)(int, struct cli_exe_info *) = NULL; |
| 7ec67e94 |
long int offset = -1;
int n;
|
| 01302683 |
if(ftype == CL_TYPE_MSEXE)
einfo = cli_peheader;
else if(ftype == CL_TYPE_ELF)
einfo = cli_elfheader;
|
| 7ec67e94 |
if(isdigit(offstr[0])) {
return atoi(offstr); |
| 01302683 |
} else if(einfo && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) { |
| 7ec67e94 |
if((n = lseek(fd, 0, SEEK_CUR)) == -1) {
cli_dbgmsg("Invalid descriptor\n");
return -1;
}
lseek(fd, 0, SEEK_SET); |
| 01302683 |
if(einfo(fd, &exeinfo)) { |
| 015e31e1 |
lseek(fd, n, SEEK_SET); |
| 7ec67e94 |
return -1; |
| 015e31e1 |
} |
| 01302683 |
free(exeinfo.section); |
| 7ec67e94 |
lseek(fd, n, SEEK_SET); |
| 4d1136fe |
if(offstr[2] == '+') |
| 01302683 |
return exeinfo.ep + atoi(offstr + 3); |
| 4d1136fe |
else |
| 01302683 |
return exeinfo.ep - atoi(offstr + 3); |
| 4d1136fe |
|
| 01302683 |
} else if(einfo && offstr[0] == 'S') { |
| 7ec67e94 |
if((n = lseek(fd, 0, SEEK_CUR)) == -1) {
cli_dbgmsg("Invalid descriptor\n");
return -1;
}
lseek(fd, 0, SEEK_SET); |
| 01302683 |
if(einfo(fd, &exeinfo)) { |
| 015e31e1 |
lseek(fd, n, SEEK_SET); |
| 7ec67e94 |
return -1; |
| 015e31e1 |
} |
| 7ec67e94 |
lseek(fd, n, SEEK_SET);
|
| 399bd596 |
if(!strncmp(offstr, "SL", 2)) { |
| 7ec67e94 |
|
| 399bd596 |
if(sscanf(offstr, "SL+%ld", &offset) != 1) { |
| 01302683 |
free(exeinfo.section); |
| 399bd596 |
return -1;
}
|
| 01302683 |
offset += exeinfo.section[exeinfo.nsections - 1].raw; |
| 399bd596 |
} else {
if(sscanf(offstr, "S%d+%ld", &n, &offset) != 2) { |
| 01302683 |
free(exeinfo.section); |
| 399bd596 |
return -1;
}
|
| 01302683 |
if(n >= exeinfo.nsections) {
free(exeinfo.section); |
| 399bd596 |
return -1;
}
|
| 01302683 |
offset += exeinfo.section[n].raw; |
| 7ec67e94 |
}
|
| 01302683 |
free(exeinfo.section); |
| 7ec67e94 |
return offset; |
| 399bd596 |
|
| 7ec67e94 |
} else if(!strncmp(offstr, "EOF-", 4)) {
struct stat sb;
if(fstat(fd, &sb) == -1)
return -1;
return sb.st_size - atoi(offstr + 4);
}
return -1;
}
|
| 8acd1cee |
static int cli_checkfp(int fd, const struct cl_engine *engine) |
| db65451b |
{
struct cli_md5_node *md5_node; |
| 1f089aa7 |
unsigned char *digest; |
| db65451b |
|
| 5612732c |
if(engine->md5_hlist) { |
| db65451b |
if(!(digest = cli_md5digest(fd))) {
cli_errmsg("cli_checkfp(): Can't generate MD5 checksum\n");
return 0;
}
|
| 5612732c |
if((md5_node = cli_vermd5(digest, engine)) && md5_node->fp) { |
| db65451b |
struct stat sb;
if(fstat(fd, &sb))
return CL_EIO;
|
| 33f89aa5 |
if((unsigned int) sb.st_size != md5_node->size) { |
| db65451b |
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else {
cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname);
free(digest);
return 1;
}
}
free(digest);
}
return 0;
}
|
| e12c29d2 |
int cli_validatesig(unsigned short ftype, const char *offstr, unsigned long int fileoff, int desc, const char *virname) |
| 7ec67e94 |
{
if(offstr && desc != -1) { |
| 01302683 |
long int off = cli_caloff(offstr, desc, ftype); |
| 7ec67e94 |
if(off == -1) {
cli_dbgmsg("Bad offset in signature (%s)\n", virname);
return 0;
}
|
| 33f89aa5 |
if(fileoff != (unsigned long int) off) { |
| b58fdfc2 |
cli_dbgmsg("Virus offset: %ld, expected: %ld (%s)\n", fileoff, off, virname); |
| 7ec67e94 |
return 0;
}
}
return 1;
}
|
| 3c91998b |
int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short ftype, struct cli_matched_type **ftoffset) |
| e3aaff8e |
{ |
| 8000d078 |
char *buffer, *buff, *endbl, *pt; |
| 8d3aca30 |
int ret = CL_CLEAN, *gpartcnt = NULL, *tpartcnt = NULL, type = CL_CLEAN, i, tid = 0, bytes; |
| 13868beb |
unsigned int buffersize, length, maxpatlen, shift = 0; |
| 8d3aca30 |
unsigned long int *gpartoff = NULL, *tpartoff = NULL, offset = 0; |
| 3c91998b |
MD5_CTX md5ctx; |
| 335d1663 |
unsigned char digest[16]; |
| 8000d078 |
struct cli_md5_node *md5_node; |
| 5612732c |
struct cli_matcher *groot, *troot = NULL; |
| b5456d64 |
#ifdef HAVE_NCORE |
| f51e962f |
void *streamhandle;
void *resulthandle;
unsigned long long hoffset; |
| d36d3b46 |
uint32_t datamask[2] = { 0xffffffff, 0xffffffff }; |
| f51e962f |
int count, hret; |
| c9c463fe |
off_t origoff; |
| f51e962f |
#endif |
| 888f5794 |
|
| 3c91998b |
if(!ctx->engine) { |
| 5612732c |
cli_errmsg("cli_scandesc: engine == NULL\n"); |
| 8000d078 |
return CL_ENULLARG; |
| 4048c4f6 |
}
|
| b5456d64 |
#ifdef HAVE_NCORE
if(ctx->engine->ncore) { |
| f51e962f |
/* TODO: Setup proper data bitmask (need specs) */ |
| b4ff5537 |
if((hret = sn_sigscan_createstream(ctx->engine->ncdb, datamask, 2, &streamhandle)) < 0) { |
| f51e962f |
cli_errmsg("cli_scandesc: can't create new hardware stream: %d\n", hret);
return CL_EHWIO;
}
if(!(buffer = (char *) cli_calloc(HWBUFFSIZE, sizeof(char)))) {
cli_dbgmsg("cli_scandesc: unable to cli_calloc(%u)\n", HWBUFFSIZE);
return CL_EMEM;
}
|
| c9c463fe |
if((origoff = lseek(desc, 0, SEEK_CUR)) == -1) {
cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc);
free(buffer);
return CL_EIO;
}
|
| 8acd1cee |
if(ctx->engine->md5_hlist)
MD5_Init(&md5ctx);
|
| f51e962f |
while((bytes = cli_readn(desc, buffer, HWBUFFSIZE)) > 0) {
if((hret = sn_sigscan_writestream(streamhandle, buffer, bytes)) < 0) {
cli_errmsg("cli_scandesc: can't write to hardware stream: %d\n", hret);
ret = CL_EHWIO;
break;
} else {
if(ctx->scanned)
*ctx->scanned += bytes / CL_COUNT_PRECISION; |
| 8acd1cee |
if(ctx->engine->md5_hlist)
MD5_Update(&md5ctx, buffer, bytes); |
| f51e962f |
}
}
free(buffer);
if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) {
cli_errmsg("cli_scandesc: can't close hardware stream: %d\n", hret);
return CL_EHWIO;
}
count = sn_sigscan_resultcount(resulthandle);
|
| c9c463fe |
for(i = 0; i < count; i++) {
const char *matchname = NULL, *offsetstring = NULL, *optionalsigdata = NULL;
unsigned long long startoffset = 0;
int targettype = 0;
if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret); |
| f51e962f |
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
} |
| c9c463fe |
if(!matchname) {
cli_errmsg("cli_scandesc: HW Result[%d]: Signature without name\n", i);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(targettype && targettab[targettype] != (int) ftype) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype);
continue;
}
if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if((hret = sn_sigscan_resultget_startoffset(resulthandle, i, &startoffset) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_startoffset failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(offsetstring && strcmp(offsetstring, "*")) {
long int off = cli_caloff(offsetstring, desc, ftype);
if(off == -1) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Bad offset in signature\n", i, matchname);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(startoffset != (unsigned long long) off) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Virus offset: %Lu, expected: %ld\n", i, matchname, startoffset, off);
continue;
}
}
if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
} |
| b4ff5537 |
if(optionalsigdata && strlen(optionalsigdata)) { |
| c9c463fe |
if((pt = cli_strtok(optionalsigdata, 1, ":"))) { /* max version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) < cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
}
} else {
if(!isdigit(*optionalsigdata)) {
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(optionalsigdata) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel());
continue;
}
}
}
*ctx->virname = matchname;
ret = CL_VIRUS;
break; |
| f51e962f |
}
if((hret = sn_sigscan_resultfree(resulthandle)) < 0) {
cli_errmsg("cli_scandesc: can't free results: %d\n", ret);
return CL_EHWIO;
}
|
| 8acd1cee |
if(ctx->engine->md5_hlist) {
MD5_Final(digest, &md5ctx);
if((md5_node = cli_vermd5(digest, ctx->engine))) {
struct stat sb;
if(fstat(desc, &sb))
return CL_EIO;
if((unsigned int) sb.st_size != md5_node->size) {
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else {
if(md5_node->fp) {
cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname);
ret = CL_CLEAN;
} else {
if(ctx->virname)
*ctx->virname = md5_node->virname;
ret = CL_VIRUS;
}
}
}
}
|
| c9c463fe |
if(ret == CL_VIRUS || (ftype != CL_TYPE_UNKNOWN_TEXT && ftype != CL_TYPE_UNKNOWN_DATA))
return ret;
if((origoff = lseek(desc, origoff, SEEK_SET)) == -1) {
cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc);
return CL_EIO;
} |
| f51e962f |
} |
| b5456d64 |
#endif /* HAVE_NCORE */ |
| f51e962f |
|
| 3c91998b |
groot = ctx->engine->root[0]; /* generic signatures */ |
| 5612732c |
if(ftype) {
for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {
if(targettab[i] == ftype) {
tid = i;
break;
}
}
if(tid) |
| 3c91998b |
troot = ctx->engine->root[tid]; |
| 5612732c |
}
if(troot)
maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen);
else
maxpatlen = groot->maxpatlen;
|
| 8000d078 |
/* prepare the buffer */ |
| 0710165d |
buffersize = maxpatlen + SCANBUFF;
if(!(buffer = (char *) cli_calloc(buffersize, sizeof(char)))) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d)\n", buffersize); |
| 8000d078 |
return CL_EMEM;
} |
| 888f5794 |
|
| 5612732c |
if((gpartcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int)); |
| 8000d078 |
free(buffer);
return CL_EMEM;
} |
| e3aaff8e |
|
| 5612732c |
if((gpartoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int)); |
| 8000d078 |
free(buffer); |
| 5612732c |
free(gpartcnt); |
| 8000d078 |
return CL_EMEM;
} |
| e3aaff8e |
|
| 5612732c |
if(troot) {
if((tpartcnt = (int *) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int));
free(buffer);
free(gpartcnt);
free(gpartoff);
return CL_EMEM;
}
if((tpartoff = (unsigned long int *) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int));
free(buffer);
free(gpartcnt);
free(gpartoff);
free(tpartcnt);
return CL_EMEM;
}
}
|
| 3c91998b |
if(ctx->engine->md5_hlist)
MD5_Init(&md5ctx); |
| e3aaff8e |
|
| cfeb200c |
|
| 8000d078 |
buff = buffer; |
| 5612732c |
buff += maxpatlen; /* pointer to read data block */
endbl = buff + SCANBUFF - maxpatlen; /* pointer to the last block
* length of maxpatlen |
| 8000d078 |
*/ |
| e3aaff8e |
|
| 335d1663 |
pt = buff; |
| 0710165d |
while((bytes = cli_readn(desc, buff + shift, SCANBUFF - shift)) > 0) { |
| e3aaff8e |
|
| 3c91998b |
if(ctx->scanned)
*ctx->scanned += bytes / CL_COUNT_PRECISION; |
| e3aaff8e |
|
| 0710165d |
length = shift + bytes;
if(pt == buffer)
length += maxpatlen; |
| 4048c4f6 |
|
| 5612732c |
if(troot) { |
| 3c91998b |
if(troot->ac_only || (ret = cli_bm_scanbuff(pt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
ret = cli_ac_scanbuff(pt, length, ctx->virname, troot, tpartcnt, otfrec, offset, tpartoff, ftype, desc, ftoffset); |
| 83fa5305 |
if(ret == CL_VIRUS) { |
| 5612732c |
free(buffer);
free(gpartcnt);
free(gpartoff);
free(tpartcnt);
free(tpartoff);
lseek(desc, 0, SEEK_SET); |
| 3c91998b |
if(cli_checkfp(desc, ctx->engine)) |
| 5612732c |
return CL_CLEAN;
else
return CL_VIRUS;
}
} |
| db65451b |
|
| 3c91998b |
if(groot->ac_only || (ret = cli_bm_scanbuff(pt, length, ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS)
ret = cli_ac_scanbuff(pt, length, ctx->virname, groot, gpartcnt, otfrec, offset, gpartoff, ftype, desc, ftoffset); |
| 83fa5305 |
if(ret == CL_VIRUS) { |
| 5612732c |
free(buffer);
free(gpartcnt);
free(gpartoff);
if(troot) {
free(tpartcnt);
free(tpartoff);
} |
| db65451b |
lseek(desc, 0, SEEK_SET); |
| 3c91998b |
if(cli_checkfp(desc, ctx->engine)) |
| db65451b |
return CL_CLEAN;
else
return CL_VIRUS; |
| e3aaff8e |
|
| b68d11d2 |
} else if(otfrec && ret >= CL_TYPENO) { |
| 8000d078 |
if(ret >= type)
type = ret;
} |
| e3aaff8e |
|
| 0710165d |
if(ctx->engine->md5_hlist)
MD5_Update(&md5ctx, buff + shift, bytes);
if(bytes + shift == SCANBUFF) { |
| 5612732c |
memmove(buffer, endbl, maxpatlen); |
| 0710165d |
offset += SCANBUFF; |
| fc8e8ca2 |
|
| 0710165d |
if(pt == buff) { |
| 102ef209 |
pt = buffer; |
| 0710165d |
offset -= maxpatlen; |
| 102ef209 |
} |
| 0710165d |
shift = 0;
} else {
shift += bytes; |
| 102ef209 |
} |
| 084ee140 |
|
| 8000d078 |
} |
| 084ee140 |
|
| 8000d078 |
free(buffer); |
| 5612732c |
free(gpartcnt);
free(gpartoff);
if(troot) {
free(tpartcnt);
free(tpartoff);
} |
| fc8e8ca2 |
|
| 3c91998b |
if(ctx->engine->md5_hlist) {
MD5_Final(digest, &md5ctx); |
| fc8e8ca2 |
|
| 3c91998b |
if((md5_node = cli_vermd5(digest, ctx->engine)) && !md5_node->fp) { |
| 022a21cf |
struct stat sb;
if(fstat(desc, &sb))
return CL_EIO;
|
| 33f89aa5 |
if((unsigned int) sb.st_size != md5_node->size) { |
| 022a21cf |
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else { |
| 3c91998b |
if(ctx->virname)
*ctx->virname = md5_node->virname; |
| 022a21cf |
return CL_VIRUS;
} |
| 8000d078 |
} |
| fc8e8ca2 |
}
|
| b68d11d2 |
return otfrec ? type : CL_CLEAN; |
| fc8e8ca2 |
} |