GitList

libclamav/scanners.c

e3aaff8e	/*
c442ca9c	* Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
43d7f6f6	* Copyright (C) 2007-2013 Sourcefire, Inc.
c7543866	*
2023340a	* Authors: Tomasz Kojm
e3aaff8e	* * This program is free software; you can redistribute it and/or modify
bb34cb31	* it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation.
e3aaff8e	* * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software
48b7b4a7	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA.
e3aaff8e	*/
6d6e8271	#if HAVE_CONFIG_H #include "clamav-config.h" #endif
517f7b7a	#ifndef _WIN32
ee1b2a6c	#include <sys/time.h>
517f7b7a	#endif
e3aaff8e	#include <stdio.h> #include <string.h> #include <stdlib.h>
d39cb658	#include <libgen.h>
0a80bd02	#include <errno.h>
e3aaff8e	#include <sys/types.h> #include <sys/stat.h>
7b1f1aaf	#ifdef HAVE_UNISTD_H
a7f5fd00	#include <unistd.h>
b58fdfc2	#endif
7b1f1aaf	#ifdef HAVE_SYS_PARAM_H
15edd45f	#include <sys/param.h>
b58fdfc2	#endif
e3aaff8e	#include <fcntl.h> #include <dirent.h>
63feb6cd	#ifdef HAVE_SYS_TIMES_H #include <sys/times.h> #endif
888f5794
7b1f1aaf	#define DCONF_ARCH ctx->dconf->archive #define DCONF_DOC ctx->dconf->doc #define DCONF_MAIL ctx->dconf->mail
bc93eda0	#define DCONF_OTHER ctx->dconf->other
e3aaff8e	#include "clamav.h" #include "others.h"
bc93eda0	#include "dconf.h"
85dd8460	#include "scanners.h"
8000d078	#include "matcher-ac.h" #include "matcher-bm.h"
e3aaff8e	#include "matcher.h"
47bbbc56	#include "ole2_extract.h" #include "vba_extract.h"
341e5433	#include "msexpand.h"
8d3aca30	#include "mbox.h"
d3699d57	#include "libmspack.h"
a9082ea2	#include "pe.h"
8d3aca30	#include "elf.h"
888f5794	#include "filetypes.h" #include "htmlnorm.h"
2b259453	#include "untar.h"
c3a3be2d	#include "special.h"
6a31c2b4	#include "binhex.h"
8d3aca30	/* #include "uuencode.h" */
7bbd5f7f	#include "tnef.h"
bf45bf13	#include "sis.h"
2c313298	#include "pdf.h"
bd988961	#include "str.h"
52c2a8bd	#include "rtf.h"
d39cb658	#include "libclamunrar_iface/unrar_iface.h"
9d96e4b6	#include "unarj.h"
517f7b7a	#include "nsis/nulsft.h"
ed93f138	#include "autoit.h"
015ce4a8	#include "textnorm.h"
e3aaff8e	#include <zlib.h>
f133da7a	#include "unzip.h"
a6e38800	#include "dlp.h"
c4934f41	#include "default.h"
85885226	#include "cpio.h"
89c14869	#include "macho.h"
7ebede9b	#include "ishield.h"
0e605501	#include "7z_iface.h"
998bcfa7	#include "fmap.h"
511c2e79	#include "cache.h"
b33354e5	#include "events.h"
1fb9e80c	#include "swf.h" #include "jpeg.h"
419a9d3d	#include "png.h"
583cd65f	#include "iso9660.h"
ca019d6d	#include "dmg.h" #include "xar.h"
2c67b9ab	#include "hfsplus.h"
43d7f6f6	#include "xz_iface.h"
e731850d	#include "mbr.h"
fce85dd7	#include "gpt.h"
6c2feae2	#include "apm.h"
8b77f741	#include "ooxml.h"
30a75097	#include "xdp.h"
a69adec1	#include "json_api.h"
4823482e	#include "msxml.h"
059e90fc	#include "tiff.h"
9103b7e9	#include "hwp.h"
dd2ed14d	#include "msdoc.h"
e3aaff8e	#ifdef HAVE_BZLIB_H #include <bzlib.h> #endif
2bb229f6	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2) #include <limits.h>
88794204	#include <stddef.h>
2bb229f6	#endif
d39cb658	#include <fcntl.h>
b2e7c931	#include <string.h>
3c91998b	static int cli_scanfile(const char filename, cli_ctx ctx);
4048c4f6
cb680655	static int cli_scandir(const char dirname, cli_ctx ctx)
c7543866	{
7b1f1aaf	DIR dd; struct dirent dent;
c7543866	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2)
7b1f1aaf	union { struct dirent d; char b[offsetof(struct dirent, d_name) + NAME_MAX + 1]; } result;
c7543866	#endif
7b1f1aaf	STATBUF statbuf; char *fname; unsigned int viruses_found = 0;
c7543866
7b1f1aaf	if ((dd = opendir(dirname)) != NULL) {
c7543866	#ifdef HAVE_READDIR_R_3
7b1f1aaf	while (!readdir_r(dd, &result.d, &dent) && dent) {
c7543866	#elif defined(HAVE_READDIR_R_2)
7b1f1aaf	while ((dent = (struct dirent *)readdir_r(dd, &result.d))) {
c7543866	#else
7b1f1aaf	while ((dent = readdir(dd))) {
c7543866	#endif
7b1f1aaf	if (dent->d_ino) { if (strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { /* build the full name / fname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2); if (!fname) { closedir(dd); cli_dbgmsg("cli_scandir: Unable to allocate memory for filename\n"); return CL_EMEM; } sprintf(fname, "%s" PATHSEP "%s", dirname, dent->d_name); / stat the file */ if (LSTAT(fname, &statbuf) != -1) { if (S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) { if (cli_scandir(fname, ctx) == CL_VIRUS) { free(fname);
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	{ viruses_found++; continue; }
6ad45a29	closedir(dd); return CL_VIRUS;
7b1f1aaf	} } else { if (S_ISREG(statbuf.st_mode)) { if (cli_scanfile(fname, ctx) == CL_VIRUS) { free(fname);
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	{ viruses_found++; continue; }
6ad45a29	closedir(dd); return CL_VIRUS;
7b1f1aaf	} } } } free(fname); } } } } else { cli_dbgmsg("cli_scandir: Can't open directory %s.\n", dirname); return CL_EOPEN;
c7543866	} closedir(dd);
d7979d4f	if (SCAN_ALLMATCHES && viruses_found)
7b1f1aaf	return CL_VIRUS;
c7543866	return CL_CLEAN; }
d39cb658	/** * @brief Scan the metadata using cli_matchmeta()
80fd9074	*
d39cb658	* @param metadata unrar metadata structure * @param ctx scanning context structure
80fd9074	* @param files
9739293e	* @return cl_error_t Returns CL_CLEAN if nothing found, CL_VIRUS if something found, CL_EUNPACK if encrypted.
d39cb658	*/
9739293e	static cl_error_t cli_unrar_scanmetadata(unrar_metadata_t* metadata, cli_ctx* ctx, unsigned int files)
e3aaff8e	{
d39cb658	cl_error_t status = CL_CLEAN;
e3aaff8e
d91ab809	cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %u, compressed: %u, normal: %u, method: %u, ratio: %u\n",
d39cb658	metadata->filename, metadata->crc, metadata->encrypted, (unsigned int)metadata->pack_size, (unsigned int)metadata->unpack_size, metadata->method, metadata->pack_size ? (unsigned int)(metadata->unpack_size / metadata->pack_size) : 0);
a62ae54f
d39cb658	if (CL_VIRUS == cli_matchmeta(ctx, metadata->filename, metadata->pack_size, metadata->unpack_size, metadata->encrypted, files, metadata->crc, NULL)) { status = CL_VIRUS; } else if (SCAN_HEURISTIC_ENCRYPTED_ARCHIVE && metadata->encrypted) {
7b1f1aaf	cli_dbgmsg("RAR: Encrypted files found in archive.\n");
d39cb658	status = CL_EUNPACK;
133538e0	}
a62ae54f
d39cb658	return status;
2dbcf700	}
9739293e	static cl_error_t cli_scanrar(const char filepath, int desc, cli_ctx ctx)
133538e0	{
d39cb658	cl_error_t status = CL_EPARSE; cl_unrar_error_t unrar_ret = UNRAR_ERR;
80fd9074
d39cb658	char* extract_dir = NULL; /* temp dir to write extracted files to */ unsigned int file_count = 0;
7b1f1aaf	unsigned int viruses_found = 0;
133538e0
d39cb658	uint32_t nEncryptedFilesFound = 0; uint32_t nTooLargeFilesFound = 0;
133538e0
d39cb658	void * hArchive = NULL;
2b459819
d39cb658	char * comment = NULL; uint32_t comment_size = 0;
7b1f1aaf
d39cb658	unrar_metadata_t metadata; char * filename_base = NULL; char * extract_fullpath = NULL; char * comment_fullpath = NULL; if (filepath == NULL \|\| ctx == NULL) { cli_dbgmsg("RAR: Invalid arguments!\n"); return CL_EARG;
7b1f1aaf	}
d39cb658	cli_dbgmsg("in scanrar()\n"); /* Zero out the metadata struct before we read the header */ memset(&metadata, 0, sizeof(unrar_metadata_t));
80fd9074
d39cb658	/* Determine file basename / if (CL_SUCCESS != cli_basename(filepath, strlen(filepath), &filename_base)) { status = CL_EARG; goto done; } / generate the temporary directory for extracted files. / if (!(extract_dir = cli_gentemp_with_prefix(ctx->engine->tmpdir, filename_base))) { status = CL_EMEM; goto done; } if (mkdir(extract_dir, 0700)) { cli_dbgmsg("RAR: Can't create temporary directory for extracted files %s\n", extract_dir); status = CL_ETMPDIR; goto done; } / * Open the archive. */ if (UNRAR_OK != (unrar_ret = cli_unrar_open(filepath, &hArchive, &comment, &comment_size, cli_debug_flag))) { if (unrar_ret == UNRAR_ENCRYPTED) {
7b1f1aaf	cli_dbgmsg("RAR: Encrypted main header\n");
d39cb658	status = CL_EUNPACK; goto done;
7b1f1aaf	}
d39cb658	if (unrar_ret == UNRAR_EMEM) { status = CL_EMEM; goto done;
80fd9074	} else if (unrar_ret == UNRAR_EOPEN) { status = CL_EOPEN; goto done;
d39cb658	} else { status = CL_EFORMAT; goto done;
7b1f1aaf	} }
d39cb658	/* If the archive header had a comment, write it to the comment dir. */ if ((comment != NULL) && (comment_size > 0)) { int comment_fd = -1; if (!(comment_fullpath = cli_gentemp_with_prefix(extract_dir, "comments"))) { status = CL_EMEM; goto done;
7b1f1aaf	}
d39cb658	comment_fd = open(comment_fullpath, O_WRONLY \| O_CREAT \| O_TRUNC \| O_BINARY, 0600); if (comment_fd < 0) { cli_dbgmsg("RAR: ERROR: Failed to open output file\n"); } else { cli_dbgmsg("RAR: Writing the archive comment to temp file: %s\n", comment_fullpath); if (0 == write(comment_fd, comment, comment_size)) { cli_dbgmsg("RAR: ERROR: Failed to write to output file\n"); } else { close(comment_fd); comment_fd = -1; /* Scan the comment file / status = cli_scanfile(comment_fullpath, ctx); / Delete the tempfile if not --leave-temps */ if (!ctx->engine->keeptmp) if (cli_unlink(comment_fullpath)) cli_dbgmsg("RAR: Failed to unlink the extracted comment file: %s\n", comment_fullpath); if ((status == CL_VIRUS) && SCAN_ALLMATCHES) { status = CL_CLEAN; viruses_found++; } if ((status == CL_VIRUS) \|\| (status == CL_BREAK)) { goto done; } }
7b1f1aaf	}
d39cb658	}
7b1f1aaf
d39cb658	/* * Read & scan each file header. * Extract & scan each file.
80fd9074	*
d39cb658	* Skip files if they will exceed max filesize or max scansize. * Count the number of encrypted file headers and encrypted files. * - Alert if there are encrypted files, * if the Heuristic for encrypted archives is enabled, * and if we have not detected a signature match. */ do { status = CL_CLEAN;
7b1f1aaf
d39cb658	/* Zero out the metadata struct before we read the header / memset(&metadata, 0, sizeof(unrar_metadata_t)); / * Get the header information for the next file in the archive. / unrar_ret = cli_unrar_peek_file_header(hArchive, &metadata); if (unrar_ret != UNRAR_OK) { if (unrar_ret == UNRAR_ENCRYPTED) { / Found an encrypted file header, must skip. / cli_dbgmsg("RAR: Encrypted file header, unable to reading file metadata and file contents. Skipping file...\n"); nEncryptedFilesFound += 1; if (UNRAR_OK != cli_unrar_skip_file(hArchive)) { / Failed to skip! Break extraction loop. / cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n"); break; } } else if (unrar_ret == UNRAR_BREAK) { / No more files. Break extraction loop. / cli_dbgmsg("RAR: No more files in archive.\n"); break; } else { / Memory error or some other error reading the header info. */ cli_dbgmsg("RAR: Error (%u) reading file header!\n", unrar_ret); break;
7b1f1aaf	}
d39cb658	} else { file_count += 1; /* * Scan the metadata for the file in question since the content was clean, or we're running in all-match. */
9739293e	status = cli_unrar_scanmetadata(&metadata, ctx, file_count);
d39cb658	if ((status == CL_VIRUS) && SCAN_ALLMATCHES) { status = CL_CLEAN;
7b1f1aaf	viruses_found++; }
d39cb658	if ((status == CL_VIRUS) \|\| (status == CL_BREAK)) { break; } /* Check if we've already exceeded the scan limit */ if (cli_checklimits("RAR", ctx, 0, 0, 0)) break;
80fd9074
d39cb658	if (metadata.is_dir) { /* Entry is a directory. Skip. / cli_dbgmsg("RAR: Found directory. Skipping to next file.\n"); if (UNRAR_OK != cli_unrar_skip_file(hArchive)) { / Failed to skip! Break extraction loop. */ cli_dbgmsg("RAR: Failed to skip directory. RAR archive extraction has failed.\n"); break; } } else if (cli_checklimits("RAR", ctx, metadata.unpack_size, 0, 0)) {
80fd9074	/* File size exceeds maxfilesize, must skip extraction.
d39cb658	* Although we may be able to scan the metadata / nTooLargeFilesFound += 1; cli_dbgmsg("RAR: Next file is too large (%" PRIu64 " bytes); it would exceed max scansize. Skipping to next file.\n", metadata.unpack_size); if (UNRAR_OK != cli_unrar_skip_file(hArchive)) { / Failed to skip! Break extraction loop. / cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n"); break; } } else if (metadata.encrypted != 0) { / Found an encrypted file, must skip. / cli_dbgmsg("RAR: Encrypted file, unable to extract file contents. Skipping file...\n"); nEncryptedFilesFound += 1; if (UNRAR_OK != cli_unrar_skip_file(hArchive)) { / Failed to skip! Break extraction loop. / cli_dbgmsg("RAR: Failed to skip file. RAR archive extraction has failed.\n"); break; } } else { /
9180468a	* Extract the file... */ extract_fullpath = cli_gentemp(extract_dir);
d39cb658	if (NULL == extract_fullpath) { cli_dbgmsg("RAR: Memory error allocating filename for extracted file."); status = CL_EMEM; break; } cli_dbgmsg("RAR: Extracting file: %s to %s\n", metadata.filename, extract_fullpath); unrar_ret = cli_unrar_extract_file(hArchive, extract_fullpath, NULL); if (unrar_ret != UNRAR_OK) {
80fd9074	/*
d39cb658	* Some other error extracting the file */ cli_dbgmsg("RAR: Error extracting file: %s\n", metadata.filename);
80fd9074	/* TODO:
d39cb658	* may need to manually skip the file depending on what, specifically, cli_unrar_extract_file() returned. / } else { / File should be extracted... * ... scan the extracted file. / cli_dbgmsg("RAR: Extraction complete. Scanning now...\n"); status = cli_scanfile(extract_fullpath, ctx); if (status == CL_EOPEN) { cli_dbgmsg("RAR: File not found, Extraction failed!\n"); status = CL_CLEAN; } else { / Delete the tempfile if not --leave-temps / if (!ctx->engine->keeptmp) if (cli_unlink(extract_fullpath)) cli_dbgmsg("RAR: Failed to unlink the extracted file: %s\n", extract_fullpath); if (status == CL_VIRUS) { cli_dbgmsg("RAR: infected with %s\n", cli_get_last_virus(ctx)); status = CL_VIRUS; viruses_found++; } } } / Free up that the filepath */ if (NULL != extract_fullpath) { free(extract_fullpath); extract_fullpath = NULL; } }
7b1f1aaf	}
d39cb658	if (status == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
d39cb658	status = CL_SUCCESS;
7b1f1aaf	else break; }
d39cb658	if (ctx->engine->maxscansize && ctx->scansize >= ctx->engine->maxscansize) { status = CL_CLEAN; break; }
7b1f1aaf
d39cb658	/* * TODO: Free up any malloced metadata... */ if (metadata.filename != NULL) { free(metadata.filename); metadata.filename = NULL; }
7b1f1aaf
d39cb658	} while (status == CL_CLEAN);
7b1f1aaf
d39cb658	if (status == CL_BREAK) status = CL_CLEAN;
7b1f1aaf
d39cb658	done: if (NULL != comment) { free(comment); comment = NULL; }
e3aaff8e
d39cb658	if (NULL != comment_fullpath) { if (!ctx->engine->keeptmp) { cli_rmdirs(comment_fullpath); } free(comment_fullpath); comment_fullpath = NULL; }
cf68af72
d39cb658	if (NULL != hArchive) { cli_unrar_close(hArchive); hArchive = NULL; }
e3aaff8e
d39cb658	if (NULL != filename_base) { free(filename_base); filename_base = NULL; }
133538e0
d39cb658	if (metadata.filename != NULL) { free(metadata.filename); metadata.filename = NULL; } if (NULL != extract_fullpath) { free(extract_fullpath); extract_fullpath = NULL;
e3aaff8e	}
d39cb658	if (NULL != extract_dir) { if (!ctx->engine->keeptmp) { cli_rmdirs(extract_dir); } free(extract_dir); extract_dir = NULL; } /* If return value was a failure due to encryption, scan the un-extracted archive just in case... / if ((CL_VIRUS != status) && ((CL_EUNPACK == status) \|\| (nEncryptedFilesFound > 0))) { status = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL); / If no virus, and user requests enabled the Heuristic for encrypted archives... */ if ((status != CL_VIRUS) && SCAN_HEURISTIC_ENCRYPTED_ARCHIVE) { if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Encrypted.RAR")) { status = CL_VIRUS; } } if (status != CL_VIRUS) { status = CL_CLEAN; } } cli_dbgmsg("RAR: Exit code: %d\n", status);
7761c6eb
d7979d4f	if (SCAN_ALLMATCHES && viruses_found)
d39cb658	status = CL_VIRUS; return status;
e3aaff8e	}
9739293e	static int cli_scanarj(cli_ctx *ctx, off_t sfx_offset)
9d96e4b6	{
7b1f1aaf	int ret = CL_CLEAN, rc, file = 0; arj_metadata_t metadata; char *dir; int virus_found = 0;
9d96e4b6	cli_dbgmsg("in cli_scanarj()\n");
0183d242	memset(&metadata, 0, sizeof(arj_metadata_t));
7b1f1aaf	/* generate the temporary directory */ if (!(dir = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("ARJ: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR;
9d96e4b6	}
3f065bbe	ret = cli_unarj_open(*ctx->fmap, dir, &metadata, sfx_offset);
7b1f1aaf	if (ret != CL_SUCCESS) { if (!ctx->engine->keeptmp) cli_rmdirs(dir); free(dir); cli_dbgmsg("ARJ: Error: %s\n", cl_strerror(ret)); return ret; } do {
fc355be4	metadata.filename = NULL;
7b1f1aaf	ret = cli_unarj_prepare_file(dir, &metadata); if (ret != CL_SUCCESS) { cli_dbgmsg("ARJ: cli_unarj_prepare_file Error: %s\n", cl_strerror(ret)); break; } file++; if (cli_matchmeta(ctx, metadata.filename, metadata.comp_size, metadata.orig_size, metadata.encrypted, file, 0, NULL) == CL_VIRUS) {
d7979d4f	if (!SCAN_ALLMATCHES)
7b1f1aaf	{
7a307529	cli_rmdirs(dir); free(dir); return CL_VIRUS; } virus_found = 1; ret = CL_SUCCESS; }
570b1d00
7b1f1aaf	if ((ret = cli_checklimits("ARJ", ctx, metadata.orig_size, metadata.comp_size, 0)) != CL_CLEAN) { ret = CL_SUCCESS; if (metadata.filename) free(metadata.filename); continue; } ret = cli_unarj_extract_file(dir, &metadata); if (ret != CL_SUCCESS) { cli_dbgmsg("ARJ: cli_unarj_extract_file Error: %s\n", cl_strerror(ret)); } if (metadata.ofd >= 0) { if (lseek(metadata.ofd, 0, SEEK_SET) == -1) { cli_dbgmsg("ARJ: call to lseek() failed\n"); }
d39cb658	rc = cli_magic_scandesc(metadata.ofd, NULL, ctx);
7b1f1aaf	close(metadata.ofd); if (rc == CL_VIRUS) { cli_dbgmsg("ARJ: infected with %s\n", cli_get_last_virus(ctx));
d7979d4f	if (!SCAN_ALLMATCHES)
7b1f1aaf	{
7a307529	ret = CL_VIRUS;
7b1f1aaf	if (metadata.filename) {
7a307529	free(metadata.filename); metadata.filename = NULL; } break; } virus_found = 1; ret = CL_SUCCESS;
7b1f1aaf	} } if (metadata.filename) { free(metadata.filename); metadata.filename = NULL; } } while (ret == CL_SUCCESS); if (!ctx->engine->keeptmp) cli_rmdirs(dir);
9d96e4b6	free(dir);
7b1f1aaf	if (metadata.filename) { free(metadata.filename);
9d96e4b6	}
7a307529	if (virus_found != 0) ret = CL_VIRUS;
9d96e4b6	cli_dbgmsg("ARJ: Exit code: %d\n", ret);
9f851a24	if (ret == CL_BREAK)
7b1f1aaf	ret = CL_CLEAN;
9d96e4b6	return ret; }
e3aaff8e
7b1f1aaf	static int cli_scangzip_with_zib_from_the_80s(cli_ctx ctx, unsigned char buff) {
5a72fce6	int fd, ret, outsize = 0, bytes; fmap_t map = ctx->fmap; char *tmpname; gzFile gz;
0b3b2924	ret = fmap_fd(map);
7b1f1aaf	if (ret < 0) return CL_EDUP;
0b3b2924	fd = dup(ret);
7b1f1aaf	if (fd < 0) return CL_EDUP; if (!(gz = gzdopen(fd, "rb"))) { close(fd); return CL_EOPEN; } if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { cli_dbgmsg("GZip: Can't generate temporary file.\n"); gzclose(gz); close(fd); return ret; } while ((bytes = gzread(gz, buff, FILEBUFF)) > 0) { outsize += bytes; if (cli_checklimits("GZip", ctx, outsize, 0, 0) != CL_CLEAN) break; if (cli_writen(fd, buff, bytes) != bytes) { close(fd); gzclose(gz); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; }
5a72fce6	} gzclose(gz);
d39cb658	if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS)
7b1f1aaf	{ cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx)); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_VIRUS;
5a72fce6	} close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) if (cli_unlink(tmpname)) ret = CL_EUNLINK;
5a72fce6	free(tmpname); return ret; }
686ed348	static int cli_scangzip(cli_ctx *ctx)
e3aaff8e	{
7b1f1aaf	int fd, ret = CL_CLEAN; unsigned char buff[FILEBUFF]; char tmpname; z_stream z; size_t at = 0, outsize = 0; fmap_t map = *ctx->fmap;
fc56deed	cli_dbgmsg("in cli_scangzip()\n");
686ed348	memset(&z, 0, sizeof(z));
7b1f1aaf	if ((ret = inflateInit2(&z, MAX_WBITS + 16)) != Z_OK) { cli_dbgmsg("GZip: InflateInit failed: %d\n", ret); return cli_scangzip_with_zib_from_the_80s(ctx, buff); } if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { cli_dbgmsg("GZip: Can't generate temporary file.\n"); inflateEnd(&z); return ret; } while (at < map->len) { unsigned int bytes = MIN(map->len - at, map->pgsz); if (!(z.next_in = (void *)fmap_need_off_once(map, at, bytes))) { cli_dbgmsg("GZip: Can't read %u bytes @ %lu.\n", bytes, (long unsigned)at); inflateEnd(&z); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EREAD; } at += bytes; z.avail_in = bytes; do { int inf; z.avail_out = sizeof(buff);
686ed348	z.next_out = buff;
7b1f1aaf	inf = inflate(&z, Z_NO_FLUSH); if (inf != Z_OK && inf != Z_STREAM_END && inf != Z_BUF_ERROR) { if (sizeof(buff) == z.avail_out) { cli_dbgmsg("GZip: Bad stream, nothing in output buffer.\n"); at = map->len; break; } else { cli_dbgmsg("GZip: Bad stream, data in output buffer.\n"); /* no break yet, flush extracted bytes to file */ } } if (cli_writen(fd, buff, sizeof(buff) - z.avail_out) < 0) { inflateEnd(&z); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; } outsize += sizeof(buff) - z.avail_out; if (cli_checklimits("GZip", ctx, outsize, 0, 0) != CL_CLEAN) { at = map->len; break; } if (inf == Z_STREAM_END) { at -= z.avail_in; inflateReset(&z); break; } else if (inf != Z_OK && inf != Z_BUF_ERROR) { at = map->len; break; } } while (z.avail_out == 0); } inflateEnd(&z);
d39cb658	if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS)
7b1f1aaf	{ cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx)); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_VIRUS;
e3aaff8e	}
a7ac5978	close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) if (cli_unlink(tmpname)) ret = CL_EUNLINK;
686ed348	free(tmpname);
e3aaff8e	return ret; }
de472237	#ifndef HAVE_BZLIB_H
7b1f1aaf	static int cli_scanbzip(cli_ctx *ctx) {
de472237	cli_warnmsg("cli_scanbzip: bzip2 support not compiled in\n"); return CL_CLEAN; } #else
e3aaff8e	#ifdef NOBZ2PREFIX
6b89f8e8	#define BZ2_bzDecompressInit bzDecompressInit #define BZ2_bzDecompress bzDecompress #define BZ2_bzDecompressEnd bzDecompressEnd
e3aaff8e	#endif
6b89f8e8	static int cli_scanbzip(cli_ctx *ctx)
e3aaff8e	{
6b89f8e8	int ret = CL_CLEAN, fd, rc; unsigned long int size = 0; char *tmpname; bz_stream strm; size_t off = 0; size_t avail; char buf[FILEBUFF]; memset(&strm, 0, sizeof(strm)); strm.next_out = buf; strm.avail_out = sizeof(buf); rc = BZ2_bzDecompressInit(&strm, 0, 0);
7b1f1aaf	if (BZ_OK != rc) { cli_dbgmsg("Bzip: DecompressInit failed: %d\n", rc); return CL_EOPEN; } if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd))) { cli_dbgmsg("Bzip: Can't generate temporary file.\n"); BZ2_bzDecompressEnd(&strm); return ret; } do { if (!strm.avail_in) { strm.next_in = (void )fmap_need_off_once_len(ctx->fmap, off, FILEBUFF, &avail); strm.avail_in = avail; off += avail; if (!strm.avail_in) { cli_dbgmsg("Bzip: premature end of compressed stream\n"); break; } } rc = BZ2_bzDecompress(&strm); if (BZ_OK != rc && BZ_STREAM_END != rc) { cli_dbgmsg("Bzip: decompress error: %d\n", rc); break; } if (!strm.avail_out \|\| BZ_STREAM_END == rc) { size += sizeof(buf) - strm.avail_out; if (cli_writen(fd, buf, sizeof(buf) - strm.avail_out) != sizeof(buf) - strm.avail_out) { cli_dbgmsg("Bzip: Can't write to file.\n"); BZ2_bzDecompressEnd(&strm); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_EWRITE; } if (cli_checklimits("Bzip", ctx, size, 0, 0) != CL_CLEAN) break; strm.next_out = buf; strm.avail_out = sizeof(buf); }
6b89f8e8	} while (BZ_STREAM_END != rc);
e3aaff8e
6b89f8e8	BZ2_bzDecompressEnd(&strm);
985d9958
d39cb658	if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS)
7b1f1aaf	{ cli_dbgmsg("Bzip: Infected with %s\n", cli_get_last_virus(ctx)); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { ret = CL_EUNLINK; free(tmpname); return ret; } } free(tmpname); return CL_VIRUS;
e3aaff8e	}
a7ac5978	close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) if (cli_unlink(tmpname)) ret = CL_EUNLINK;
6b89f8e8	free(tmpname);
e3aaff8e	return ret; } #endif
43d7f6f6	static int cli_scanxz(cli_ctx ctx) { int ret = CL_CLEAN, fd, rc; unsigned long int size = 0; char tmpname;
8b77f741	struct CLI_XZ strm;
43d7f6f6	size_t off = 0; size_t avail;
8b77f741	unsigned char *buf;
43d7f6f6
8b77f741	buf = cli_malloc(CLI_XZ_OBUF_SIZE);
7b1f1aaf	if (buf == NULL) { cli_errmsg("cli_scanxz: nomemory for decompress buffer.\n");
61fded8b	return CL_EMEM; }
8b77f741	memset(&strm, 0x00, sizeof(struct CLI_XZ));
43d7f6f6	strm.next_out = buf;
61fded8b	strm.avail_out = CLI_XZ_OBUF_SIZE;
43d7f6f6	rc = cli_XzInit(&strm);
7b1f1aaf	if (rc != XZ_RESULT_OK) { cli_errmsg("cli_scanxz: DecompressInit failed: %i\n", rc);
61fded8b	free(buf);
7b1f1aaf	return CL_EOPEN;
43d7f6f6	}
7b1f1aaf	if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd))) { cli_errmsg("cli_scanxz: Can't generate temporary file.\n"); cli_XzShutdown(&strm);
61fded8b	free(buf);
7b1f1aaf	return ret;
43d7f6f6	} cli_dbgmsg("cli_scanxz: decompressing to file %s\n", tmpname);
7b1f1aaf	do {
43d7f6f6	/* set up input buffer */
7b1f1aaf	if (!strm.avail_in) { strm.next_in = (void )fmap_need_off_once_len(ctx->fmap, off, CLI_XZ_IBUF_SIZE, &avail); strm.avail_in = avail; off += avail; if (!strm.avail_in) { cli_errmsg("cli_scanxz: premature end of compressed stream\n");
43d7f6f6	ret = CL_EFORMAT;
7b1f1aaf	goto xz_exit; } }
43d7f6f6	/* xz decompress a chunk */
7b1f1aaf	rc = cli_XzDecode(&strm); if (XZ_RESULT_OK != rc && XZ_STREAM_END != rc) { if (rc == XZ_DIC_HEURISTIC) {
d7979d4f	ret = cli_append_virus(ctx, "Heuristics.XZ.DicSizeLimit");
4ae32e4d	goto xz_exit; }
7b1f1aaf	cli_errmsg("cli_scanxz: decompress error: %d\n", rc);
43d7f6f6	ret = CL_EFORMAT; goto xz_exit;
7b1f1aaf	}
43d7f6f6	//cli_dbgmsg("cli_scanxz: xz decompressed %li of %li available bytes\n", // avail - strm.avail_in, avail);
7b1f1aaf
43d7f6f6	/* write decompress buffer */
7b1f1aaf	if (!strm.avail_out \|\| rc == XZ_STREAM_END) { size_t towrite = CLI_XZ_OBUF_SIZE - strm.avail_out; size += towrite;
43d7f6f6	//cli_dbgmsg("Writing %li bytes to XZ decompress temp file(%li byte total)\n", // towrite, size);
7b1f1aaf	if ((size_t)cli_writen(fd, buf, towrite) != towrite) { cli_errmsg("cli_scanxz: Can't write to file.\n");
43d7f6f6	ret = CL_EWRITE; goto xz_exit;
7b1f1aaf	} if (cli_checklimits("cli_scanxz", ctx, size, 0, 0) != CL_CLEAN) {
43d7f6f6	cli_warnmsg("cli_scanxz: decompress file size exceeds limits - "
7b1f1aaf	"only scanning %li bytes\n", size); break;
43d7f6f6	}
7b1f1aaf	strm.next_out = buf; strm.avail_out = CLI_XZ_OBUF_SIZE; }
43d7f6f6	} while (XZ_STREAM_END != rc); /* scan decompressed file */
d39cb658	if ((ret = cli_magic_scandesc(fd, tmpname, ctx)) == CL_VIRUS)
7b1f1aaf	{ cli_dbgmsg("cli_scanxz: Infected with %s\n", cli_get_last_virus(ctx));
43d7f6f6	}
7b1f1aaf	xz_exit:
43d7f6f6	cli_XzShutdown(&strm); close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) if (cli_unlink(tmpname) && ret == CL_CLEAN)
43d7f6f6	ret = CL_EUNLINK; free(tmpname);
61fded8b	free(buf);
43d7f6f6	return ret; }
786a7e91	static int cli_scanszdd(cli_ctx *ctx)
341e5433	{
7b1f1aaf	int ofd, ret; char *tmpname;
2b259453
5da612a4	cli_dbgmsg("in cli_scanszdd()\n");
7b1f1aaf	if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) { cli_dbgmsg("MSEXPAND: Can't generate temporary file/descriptor\n"); return ret;
341e5433	}
786a7e91	ret = cli_msexpand(ctx, ofd);
341e5433
7b1f1aaf	if (ret != CL_SUCCESS) { /* CL_VIRUS or some error */ close(ofd); if (!ctx->engine->keeptmp) if (cli_unlink(tmpname)) ret = CL_EUNLINK; free(tmpname); return ret;
341e5433	}
6e47a652	cli_dbgmsg("MSEXPAND: Decompressed into %s\n", tmpname);
d39cb658	ret = cli_magic_scandesc(ofd, tmpname, ctx);
6e47a652	close(ofd);
7b1f1aaf	if (!ctx->engine->keeptmp) if (cli_unlink(tmpname)) ret = CL_EUNLINK; free(tmpname);
6e47a652
341e5433	return ret; }
d020ad3f	static int vba_scandata(const unsigned char data, unsigned int len, cli_ctx ctx) {
7b1f1aaf	struct cli_matcher groot = ctx->engine->root[0]; struct cli_matcher troot = ctx->engine->root[2]; struct cli_ac_data gmdata, tmdata; struct cli_ac_data *mdata[2]; int ret; unsigned int viruses_found = 0;
d020ad3f
7b1f1aaf	if ((ret = cli_ac_initdata(&tmdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) return ret;
d020ad3f
7b1f1aaf	if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) { cli_ac_freedata(&tmdata); return ret;
d020ad3f	} mdata[0] = &tmdata; mdata[1] = &gmdata; ret = cli_scanbuff(data, len, 0, ctx, CL_TYPE_MSOLE2, mdata);
ec5f4a47	if (ret == CL_VIRUS)
7b1f1aaf	viruses_found++;
d020ad3f
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	{ fmap_t map = ctx->fmap;
45b97d65	ctx->fmap = cl_fmap_open_memory(data, len); if (ctx->fmap == NULL) return CL_EMEM;
7b1f1aaf	ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL); if (ret == CL_VIRUS) viruses_found++;
ec5f4a47
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL);
45b97d65	funmap(ctx->fmap); ctx->fmap = map;
d020ad3f	} cli_ac_freedata(&tmdata); cli_ac_freedata(&gmdata);
7b1f1aaf	return (ret != CL_CLEAN) ? ret : viruses_found ? CL_VIRUS : CL_CLEAN;
d020ad3f	}
72ce4b70	static int cli_vba_scandir(const char dirname, cli_ctx ctx, struct uniq *U)
e3aaff8e	{
808cab33	cl_error_t ret = CL_CLEAN; int i, j, fd, data_len, hasmacros = 0;
7b1f1aaf	vba_project_t vba_project; DIR dd; struct dirent *dent;
72a1b240	#if defined(HAVE_READDIR_R_3) \|\| defined(HAVE_READDIR_R_2)
7b1f1aaf	union { struct dirent d; char b[offsetof(struct dirent, d_name) + NAME_MAX + 1]; } result;
2bb229f6	#endif
7b1f1aaf	STATBUF statbuf; char fullname, vbaname[1024]; unsigned char data; char *hash;
808cab33	uint32_t hashcnt = 0;
7b1f1aaf	unsigned int viruses_found = 0;
2b259453	cli_dbgmsg("VBADir: %s\n", dirname);
808cab33	if (CL_SUCCESS != (ret = uniq_get(U, "_vba_project", 12, NULL, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('_vba_project') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) { if (!(vba_project = (vba_project_t *)cli_vba_readdir(dirname, U, hashcnt))) { hashcnt--;
7b1f1aaf	continue;
808cab33	}
7b1f1aaf	for (i = 0; i < vba_project->count; i++) {
afb25cd1	for (j = 1; (unsigned int)j <= vba_project->colls[i]; j++)
7b1f1aaf	{ snprintf(vbaname, 1024, "%s" PATHSEP "%s_%u", vba_project->dir, vba_project->name[i], j); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY);
808cab33	if (fd == -1) {
7b1f1aaf	continue;
808cab33	}
7b1f1aaf	cli_dbgmsg("VBADir: Decompress VBA project '%s_%u'\n", vba_project->name[i], j); data = (unsigned char )cli_vba_inflate(fd, vba_project->offset[i], &data_len); close(fd); hasmacros++; if (!data) { cli_dbgmsg("VBADir: WARNING: VBA project '%s_%u' decompressed to NULL\n", vba_project->name[i], j); } else { / cli_dbgmsg("Project content:\n%s", data); / if (ctx->scanned) ctx->scanned += data_len / CL_COUNT_PRECISION; if (ctx->engine->keeptmp) { char *tempfile; int of; if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tempfile, &of)) != CL_SUCCESS) { cli_warnmsg("VBADir: WARNING: VBA project '%s_%u' cannot be dumped to file\n", vba_project->name[i], j); return ret; } if (cli_writen(of, data, data_len) != data_len) { cli_warnmsg("VBADir: WARNING: VBA project '%s_%u' failed to write to file\n", vba_project->name[i], j); close(of); free(tempfile); return CL_EWRITE; } cli_dbgmsg("VBADir: VBA project '%s_%u' dumped to %s\n", vba_project->name[i], j, tempfile); free(tempfile); } if (vba_scandata(data, data_len, ctx) == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else { free(data); ret = CL_VIRUS; break; } } free(data); } } }
808cab33	cli_free_vba_project(vba_project); vba_project = NULL;
d7979d4f	if (ret == CL_VIRUS && !SCAN_ALLMATCHES)
7b1f1aaf	break;
808cab33	hashcnt--;
7b1f1aaf	}
808cab33	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES)) { if (CL_SUCCESS != (ret = uniq_get(U, "powerpoint document", 19, &hash, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('powerpoint document') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) {
7b1f1aaf	snprintf(vbaname, 1024, "%s" PATHSEP "%s_%u", dirname, hash, hashcnt); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY);
808cab33	if (fd == -1) { hashcnt--;
7b1f1aaf	continue;
808cab33	} if ((fullname = cli_ppt_vba_read(fd, ctx))) { if (cli_scandir(fullname, ctx) == CL_VIRUS) {
7b1f1aaf	ret = CL_VIRUS; viruses_found++; } if (!ctx->engine->keeptmp) cli_rmdirs(fullname); free(fullname); } close(fd);
808cab33	hashcnt--;
7b1f1aaf	} }
808cab33	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES)) { if (CL_SUCCESS != (ret = uniq_get(U, "worddocument", 12, &hash, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('worddocument') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) {
7b1f1aaf	snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY);
808cab33	if (fd == -1) { hashcnt--;
7b1f1aaf	continue;
808cab33	}
7b1f1aaf	if (!(vba_project = (vba_project_t *)cli_wm_readdir(fd))) { close(fd);
808cab33	hashcnt--;
7b1f1aaf	continue; } for (i = 0; i < vba_project->count; i++) { cli_dbgmsg("VBADir: Decompress WM project macro:%d key:%d length:%d\n", i, vba_project->key[i], vba_project->length[i]); data = (unsigned char )cli_wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]); if (!data) { cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i); } else { cli_dbgmsg("Project content:\n%s", data); if (ctx->scanned) ctx->scanned += vba_project->length[i] / CL_COUNT_PRECISION; if (vba_scandata(data, vba_project->length[i], ctx) == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else { free(data); ret = CL_VIRUS; break; } } free(data); } } close(fd);
808cab33	cli_free_vba_project(vba_project); vba_project = NULL; if (ret == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else break; }
808cab33	hashcnt--;
7b1f1aaf	} }
d7979d4f	if (ret != CL_CLEAN && !(ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	return ret;
e3aaff8e
35aa42f5	#if HAVE_JSON
09dddc5b	/* JSON Output Summary Information */
808cab33	if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) { if (CL_SUCCESS != (ret = uniq_get(U, "_5_summaryinformation", 21, &hash, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('_5_summaryinformation') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) {
7b1f1aaf	snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY); if (fd >= 0) {
35aa42f5	cli_dbgmsg("VBADir: detected a '_5_summaryinformation' stream\n");
a69adec1	/* JSONOLE2 - what to do if something breaks? */
35aa42f5	cli_ole2_summary_json(ctx, fd, 0); close(fd); }
808cab33	hashcnt--;
35aa42f5	}
09dddc5b
808cab33	if (CL_SUCCESS != (ret = uniq_get(U, "_5_documentsummaryinformation", 29, &hash, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('_5_documentsummaryinformation') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) {
7b1f1aaf	snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY); if (fd >= 0) {
35aa42f5	cli_dbgmsg("VBADir: detected a '_5_documentsummaryinformation' stream\n");
a69adec1	/* JSONOLE2 - what to do if something breaks? */
35aa42f5	cli_ole2_summary_json(ctx, fd, 1); close(fd); }
808cab33	hashcnt--;
09dddc5b	} }
7b1f1aaf	#endif
09dddc5b
892d2f56	/* Check directory for embedded OLE objects */
808cab33	if (CL_SUCCESS != (ret = uniq_get(U, "_1_ole10native", 14, &hash, &hashcnt))) { cli_dbgmsg("VBADir: uniq_get('_1_ole10native') failed with ret code (%d)!\n", ret); return ret; } while (hashcnt) {
7b1f1aaf	snprintf(vbaname, sizeof(vbaname), "%s" PATHSEP "%s_%u", dirname, hash, hashcnt); vbaname[sizeof(vbaname) - 1] = '\0'; fd = open(vbaname, O_RDONLY \| O_BINARY); if (fd >= 0) { ret = cli_scan_ole10(fd, ctx); close(fd);
d7979d4f	if (ret != CL_CLEAN && !(ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	return ret; }
808cab33	hashcnt--;
892d2f56	}
72ce4b70	/* ACAB: since we now hash filenames and handle collisions we * could avoid recursion by removing the block below and by * flattening the paths in ole2_walk_property_tree (case 1) */
7b1f1aaf	if ((dd = opendir(dirname)) != NULL) {
72a1b240	#ifdef HAVE_READDIR_R_3
7b1f1aaf	while (!readdir_r(dd, &result.d, &dent) && dent) {
72a1b240	#elif defined(HAVE_READDIR_R_2)
7b1f1aaf	while ((dent = (struct dirent *)readdir_r(dd, &result.d))) {
72a1b240	#else
7b1f1aaf	while ((dent = readdir(dd))) {
72a1b240	#endif
7b1f1aaf	if (dent->d_ino) { if (strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) { /* build the full name / fullname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 2); if (!fullname) { cli_dbgmsg("cli_vba_scandir: Unable to allocate memory for fullname\n"); ret = CL_EMEM; break; } sprintf(fullname, "%s" PATHSEP "%s", dirname, dent->d_name); / stat the file */ if (LSTAT(fullname, &statbuf) != -1) { if (S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) if (cli_vba_scandir(fullname, ctx, U) == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else { ret = CL_VIRUS; free(fullname); break; } } } free(fullname); } } } } else { cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname); return CL_EOPEN;
e3aaff8e	} closedir(dd);
a41009bc	#if HAVE_JSON
d7979d4f	if (hasmacros && SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL))
f5ea03f9	cli_jsonbool(ctx->wrkproperty, "HasMacros", 1);
a41009bc	#endif
d7979d4f	if (SCAN_HEURISTIC_MACROS && hasmacros)
7b1f1aaf	{ ret = cli_append_virus(ctx, "Heuristics.OLE2.ContainsMacros"); if (ret == CL_VIRUS)
cbf5017a	viruses_found++;
6bee45b3	}
d7979d4f	if (SCAN_ALLMATCHES && viruses_found)
7b1f1aaf	return CL_VIRUS;
467f8b1e	return ret; }
084d19aa	static int cli_scanhtml(cli_ctx *ctx)
a92110df	{
b2726a53	char *tempname, fullname[1024];
7b1f1aaf	int ret = CL_CLEAN, fd;
b2726a53	fmap_t map = ctx->fmap; unsigned int viruses_found = 0; uint64_t curr_len = map->len;
a92110df	cli_dbgmsg("in cli_scanhtml()\n");
b2726a53	/* CL_ENGINE_MAX_HTMLNORMALIZE */
7b1f1aaf	if (curr_len > ctx->engine->maxhtmlnormalize) { cli_dbgmsg("cli_scanhtml: exiting (file larger than MaxHTMLNormalize)\n"); return CL_CLEAN;
572a986c	}
7b1f1aaf	if (!(tempname = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(tempname, 0700)) {
572a986c	cli_errmsg("cli_scanhtml: Can't create temporary directory %s\n", tempname);
7b1f1aaf	free(tempname);
a92110df	return CL_ETMPDIR; }
5f2fa151	cli_dbgmsg("cli_scanhtml: using tempdir %s\n", tempname);
084d19aa	html_normalise_map(map, tempname, NULL, ctx->dconf);
7b1f1aaf	snprintf(fullname, 1024, "%s" PATHSEP "nocomment.html", tempname); fd = open(fullname, O_RDONLY \| O_BINARY); if (fd >= 0) { if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) viruses_found++; close(fd);
a92110df	}
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	{
b2726a53	/* CL_ENGINE_MAX_HTMLNOTAGS */ curr_len = map->len;
7b1f1aaf	if (curr_len > ctx->engine->maxhtmlnotags) { /* we're not interested in scanning large files in notags form */
b2726a53	/* TODO: don't even create notags if file is over limit */ cli_dbgmsg("cli_scanhtml: skipping notags (normalized size over MaxHTMLNoTags)\n");
7b1f1aaf	} else { snprintf(fullname, 1024, "%s" PATHSEP "notags.html", tempname); fd = open(fullname, O_RDONLY \| O_BINARY); if (fd >= 0) { if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS)
b2726a53	viruses_found++; close(fd); } }
a92110df	}
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	{ snprintf(fullname, 1024, "%s" PATHSEP "javascript", tempname); fd = open(fullname, O_RDONLY \| O_BINARY); if (fd >= 0) { if ((ret = cli_scandesc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) viruses_found++;
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	{ if ((ret = cli_scandesc(fd, ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL)) == CL_VIRUS) viruses_found++; } close(fd); }
8be1d5a4	}
d7979d4f	if (ret == CL_CLEAN \|\| (ret == CL_VIRUS && SCAN_ALLMATCHES))
7b1f1aaf	{ snprintf(fullname, 1024, "%s" PATHSEP "rfc2397", tempname); ret = cli_scandir(fullname, ctx);
a92110df	}
7b1f1aaf	if (!ctx->engine->keeptmp)
a92110df	cli_rmdirs(tempname); free(tempname);
d7979d4f	if (SCAN_ALLMATCHES && viruses_found)
7b1f1aaf	return CL_VIRUS;
a92110df	return ret; }
ee1b2a6c	static int cli_scanscript(cli_ctx *ctx)
015ce4a8	{
7b1f1aaf	const unsigned char buff; unsigned char normalized; struct text_norm_state state; char tmpname = NULL; int ofd = -1, ret; struct cli_matcher troot; uint32_t maxpatlen, offset = 0; struct cli_matcher groot; struct cli_ac_data gmdata, tmdata; struct cli_ac_data mdata[2]; fmap_t *map; size_t at = 0; unsigned int viruses_found = 0; uint64_t curr_len; struct cli_target_info info;
c4934f41
7b1f1aaf	if (!ctx \|\| !ctx->engine->root) return CL_ENULLARG; map = ctx->fmap; curr_len = map->len; groot = ctx->engine->root[0]; troot = ctx->engine->root[7]; maxpatlen = troot ? troot->maxpatlen : 0; cli_dbgmsg("in cli_scanscript()\n"); / CL_ENGINE_MAX_SCRIPTNORMALIZE / if (curr_len > ctx->engine->maxscriptnormalize) { cli_dbgmsg("cli_scanscript: exiting (file larger than MaxScriptSize)\n"); return CL_CLEAN; } if (!(normalized = cli_malloc(SCANBUFF + maxpatlen))) { cli_dbgmsg("cli_scanscript: Unable to malloc %u bytes\n", SCANBUFF); return CL_EMEM; } text_normalize_init(&state, normalized, SCANBUFF + maxpatlen); if ((ret = cli_ac_initdata(&tmdata, troot ? troot->ac_partsigs : 0, troot ? troot->ac_lsigs : 0, troot ? troot->ac_reloff_num : 0, CLI_DEFAULT_AC_TRACKLEN))) { free(normalized); return ret; } if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) { cli_ac_freedata(&tmdata); free(normalized); return ret; } / dump to disk only if explicitly asked to * or if necessary to check relative offsets, * otherwise we can process just in-memory / if (ctx->engine->keeptmp \|\| (troot && (troot->ac_reloff_num > 0 \|\| troot->linked_bcs))) { if ((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) { cli_dbgmsg("cli_scanscript: Can't generate temporary file/descriptor\n"); goto done; } if (ctx->engine->keeptmp) cli_dbgmsg("cli_scanscript: saving normalized file to %s\n", tmpname); } mdata[0] = &tmdata; mdata[1] = &gmdata; / If there's a relative offset in troot or triggered bytecodes, normalize to file.*/ if (troot && (troot->ac_reloff_num > 0 \|\| troot->linked_bcs)) { size_t map_off = 0; while (map_off < map->len) { size_t written; if (!(written = text_normalize_map(&state, map, map_off))) break; map_off += written; if (write(ofd, state.out, state.out_pos) == -1) { cli_errmsg("cli_scanscript: can't write to file %s\n", tmpname); ret = CL_EWRITE;
f5bc94cf	goto done; }
7b1f1aaf	text_normalize_reset(&state);
f5bc94cf	}
7b1f1aaf	/* Temporarily store the normalized file map in the context. / ctx->fmap = fmap(ofd, 0, 0); if (!(ctx->fmap)) { cli_dbgmsg("cli_scanscript: could not map file %s\n", tmpname); } else { / scan map / ret = cli_fmap_scandesc(ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL, NULL); if (ret == CL_VIRUS) { viruses_found++; } funmap(ctx->fmap); } ctx->fmap = map; } else { / Since the above is moderately costly all in all, * do the old stuff if there's no relative offsets. */ if (troot) { cli_targetinfo(&info, 7, map); ret = cli_ac_caloff(troot, &tmdata, &info); if (ret) goto done; }
dabc8c31
7b1f1aaf	while (1) { size_t len = MIN(map->pgsz, map->len - at); buff = fmap_need_off_once(map, at, len); at += len; if (!buff \|\| !len \|\| state.out_pos + len > state.out_len) { /* flush if error/EOF, or too little buffer space left / if ((ofd != -1) && (write(ofd, state.out, state.out_pos) == -1)) { cli_errmsg("cli_scanscript: can't write to file %s\n", tmpname); close(ofd); ofd = -1; / we can continue to scan in memory / } / when we flush the buffer also scan */ if (cli_scanbuff(state.out, state.out_pos, offset, ctx, CL_TYPE_TEXT_ASCII, mdata) == CL_VIRUS) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else { ret = CL_VIRUS; break; } } if (ctx->scanned) ctx->scanned += state.out_pos / CL_COUNT_PRECISION; offset += state.out_pos; / carry over maxpatlen from previous buffer */ if (state.out_pos > maxpatlen) memmove(state.out, state.out + state.out_pos - maxpatlen, maxpatlen); text_normalize_reset(&state); state.out_pos = maxpatlen; } if (!len) break; if (!buff \|\| text_normalize_buffer(&state, buff, len) != len) { cli_dbgmsg("cli_scanscript: short read during normalizing\n"); } } }
d7979d4f	if (ret != CL_VIRUS \|\| SCAN_ALLMATCHES)
7b1f1aaf	{ if ((ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS) viruses_found++;
d7979d4f	if (ret != CL_VIRUS \|\| SCAN_ALLMATCHES)
7b1f1aaf	if ((ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS) viruses_found++; } done: free(normalized); cli_ac_freedata(&tmdata); cli_ac_freedata(&gmdata); if (ofd != -1) close(ofd); if (tmpname != NULL) { if (!ctx->engine->keeptmp) cli_unlink(tmpname); free(tmpname); } if (viruses_found) return CL_VIRUS; return ret;
015ce4a8	}
084d19aa	static int cli_scanhtml_utf16(cli_ctx *ctx)
bd988961	{
7b1f1aaf	char tempname, decoded; const char buff; int ret = CL_CLEAN, fd, bytes; size_t at = 0; fmap_t map = *ctx->fmap;
bd988961	cli_dbgmsg("in cli_scanhtml_utf16()\n");
7b1f1aaf	if (!(tempname = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if ((fd = open(tempname, O_RDWR \| O_CREAT \| O_TRUNC \| O_BINARY, S_IRWXU)) < 0) { cli_errmsg("cli_scanhtml_utf16: Can't create file %s\n", tempname); free(tempname); return CL_EOPEN;
bd988961	}
5f2fa151	cli_dbgmsg("cli_scanhtml_utf16: using tempfile %s\n", tempname);
7b1f1aaf	while (at < map->len) { bytes = MIN(map->len - at, map->pgsz * 16); if (!(buff = fmap_need_off_once(map, at, bytes))) { close(fd); cli_unlink(tempname); free(tempname); return CL_EREAD; } at += bytes; decoded = cli_utf16toascii(buff, bytes); if (decoded) { if (write(fd, decoded, bytes / 2) == -1) { cli_errmsg("cli_scanhtml_utf16: Can't write to file %s\n", tempname); free(decoded); close(fd); cli_unlink(tempname); free(tempname); return CL_EWRITE; } free(decoded); }
bd988961	}
084d19aa	*ctx->fmap = fmap(fd, 0, 0);
7b1f1aaf	if (ctx->fmap) { ret = cli_scanhtml(ctx); funmap(ctx->fmap); } else cli_errmsg("cli_scanhtml_utf16: fmap of %s failed\n", tempname);
084d19aa	*ctx->fmap = map;
bd988961	close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) { if (cli_unlink(tempname)) ret = CL_EUNLINK; } else cli_dbgmsg("cli_scanhtml_utf16: Decoded HTML data saved in %s\n", tempname);
bd988961	free(tempname); return ret; }
034c02fd	static int cli_scanole2(cli_ctx *ctx)
467f8b1e	{
7b1f1aaf	char dir; int ret = CL_CLEAN; struct uniq vba = NULL;
2b259453
467f8b1e	cli_dbgmsg("in cli_scanole2()\n");
7b1f1aaf	if (ctx->engine->maxreclevel && ctx->recursion >= ctx->engine->maxreclevel)
bbd6ca3f	return CL_EMAXREC;
467f8b1e	/* generate the temporary directory */
7b1f1aaf	if (!(dir = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR;
467f8b1e	}
034c02fd	ret = cli_ole2_extract(dir, ctx, &vba);
7b1f1aaf	if (ret != CL_CLEAN && ret != CL_VIRUS) { cli_dbgmsg("OLE2: %s\n", cl_strerror(ret)); if (!ctx->engine->keeptmp) cli_rmdirs(dir); free(dir); return ret;
467f8b1e	}
7b1f1aaf	if (vba) {
72ce4b70	ctx->recursion++;
bbd6ca3f
7b1f1aaf	ret = cli_vba_scandir(dir, ctx, vba); uniq_free(vba); if (ret != CL_VIRUS) if (cli_scandir(dir, ctx) == CL_VIRUS) ret = CL_VIRUS; ctx->recursion--;
467f8b1e	}
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
467f8b1e	free(dir); return ret;
e3aaff8e	}
a91f6d95	static int cli_scantar(cli_ctx *ctx, unsigned int posix)
2b259453	{
7b1f1aaf	char *dir; int ret = CL_CLEAN;
2b259453	cli_dbgmsg("in cli_scantar()\n"); /* generate temporary directory */
7b1f1aaf	if (!(dir = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(dir, 0700)) { cli_errmsg("Tar: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR;
2b259453	}
a91f6d95	ret = cli_untar(dir, posix, ctx);
2b259453
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
2b259453	free(dir); return ret; }
32f7e1d7	static int cli_scanscrenc(cli_ctx *ctx)
e57fa318	{
7b1f1aaf	char *tempname; int ret = CL_CLEAN;
e57fa318	cli_dbgmsg("in cli_scanscrenc()\n");
7b1f1aaf	if (!(tempname = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(tempname, 0700)) { cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); free(tempname); return CL_ETMPDIR;
e57fa318	}
32f7e1d7	if (html_screnc_decode(*ctx->fmap, tempname))
7b1f1aaf	ret = cli_scandir(tempname, ctx);
e57fa318
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(tempname);
e57fa318	free(tempname); return ret; }
015e31e1
bad8bbc7	static int cli_scanriff(cli_ctx *ctx)
eb308794	{
cbf5017a	int ret = CL_CLEAN;
eb308794
cbf5017a	if (cli_check_riff_exploit(ctx) == 2)
7b1f1aaf	ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS05-002");
eb308794	return ret; }
32d37729	static int cli_scanjpeg(cli_ctx *ctx)
7afdc309	{
cbf5017a	int ret = CL_CLEAN;
7afdc309
7b1f1aaf	if (cli_check_jpeg_exploit(ctx, 0) == 1)
cbf5017a	ret = cli_append_virus(ctx, "Heuristics.Exploit.W32.MS04-028");
7afdc309	return ret; }
0c9b8840	static int cli_scancryptff(cli_ctx *ctx)
2c6f9d57	{
7b1f1aaf	int ret = CL_CLEAN, ndesc; unsigned int i; const unsigned char src; unsigned char dest = NULL; char *tempfile; size_t pos; size_t bread;
2c6f9d57	/* Skip the CryptFF file header */
0c9b8840	pos = 0x10;
2c6f9d57
7b1f1aaf	if ((dest = (unsigned char *)cli_malloc(FILEBUFF)) == NULL) { cli_dbgmsg("CryptFF: Can't allocate memory\n");
2c6f9d57	return CL_EMEM; }
7b1f1aaf	if (!(tempfile = cli_gentemp(ctx->engine->tmpdir))) { free(dest); return CL_EMEM;
5fc380f1	}
7b1f1aaf	if ((ndesc = open(tempfile, O_RDWR \| O_CREAT \| O_TRUNC \| O_BINARY, S_IRWXU)) < 0) { cli_errmsg("CryptFF: Can't create file %s\n", tempfile); free(dest); free(tempfile); return CL_ECREAT;
2c6f9d57	}
7b1f1aaf	for (; (src = fmap_need_off_once_len(*ctx->fmap, pos, FILEBUFF, &bread)) && bread; pos += bread) { for (i = 0; i < bread; i++) dest[i] = src[i] ^ (unsigned char)0xff; if (cli_writen(ndesc, dest, bread) == -1) { cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc); free(dest); close(ndesc); free(tempfile); return CL_EWRITE; }
2c6f9d57	} free(dest); cli_dbgmsg("CryptFF: Scanning decrypted data\n");
d39cb658	if ((ret = cli_magic_scandesc(ndesc, tempfile, ctx)) == CL_VIRUS)
7b1f1aaf	cli_dbgmsg("CryptFF: Infected with %s\n", cli_get_last_virus(ctx));
2c6f9d57	close(ndesc);
7b1f1aaf	if (ctx->engine->keeptmp) cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile); else if (cli_unlink(tempfile)) ret = CL_EUNLINK;
2c6f9d57	free(tempfile); return ret; }
2d5dbc37	static int cli_scanpdf(cli_ctx *ctx, off_t offset)
798308de	{
7b1f1aaf	int ret; char *dir = cli_gentemp(ctx->engine->tmpdir);
798308de
7b1f1aaf	if (!dir) return CL_EMEM;
798308de
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("Can't create temporary directory for PDF file %s\n", dir); free(dir); return CL_ETMPDIR;
798308de	}
2d5dbc37	ret = cli_pdf(dir, ctx, offset);
798308de
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
798308de	free(dir); return ret; }
3d8c1fc7	static int cli_scantnef(cli_ctx *ctx)
f0bc32bd	{
7b1f1aaf	int ret; char *dir = cli_gentemp(ctx->engine->tmpdir);
f0bc32bd
7b1f1aaf	if (!dir) return CL_EMEM;
f0bc32bd
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir); free(dir); return CL_ETMPDIR;
f0bc32bd	}
3d8c1fc7	ret = cli_tnef(dir, ctx);
f0bc32bd
7b1f1aaf	if (ret == CL_CLEAN) ret = cli_scandir(dir, ctx);
f0bc32bd
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
f0bc32bd	free(dir); return ret; }
ee1b2a6c	static int cli_scanuuencoded(cli_ctx *ctx)
3953039b	{
7b1f1aaf	int ret; char *dir = cli_gentemp(ctx->engine->tmpdir);
3953039b
7b1f1aaf	if (!dir) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("Can't create temporary directory for uuencoded file %s\n", dir); free(dir); return CL_ETMPDIR;
3953039b	}
ee1b2a6c	ret = cli_uuencode(dir, *ctx->fmap);
3953039b
7b1f1aaf	if (ret == CL_CLEAN) ret = cli_scandir(dir, ctx);
3953039b
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
3953039b	free(dir); return ret; }
2df29bde	static int cli_scanmail(cli_ctx *ctx)
e3aaff8e	{
7b1f1aaf	char *dir; int ret; unsigned int viruses_found = 0;
e3aaff8e
d91ab809	cli_dbgmsg("Starting cli_scanmail(), recursion = %u\n", ctx->recursion);
e3aaff8e
0c7019c5	/* generate the temporary directory */
7b1f1aaf	if (!(dir = cli_gentemp(ctx->engine->tmpdir))) return CL_EMEM;
5fc380f1
7b1f1aaf	if (mkdir(dir, 0700)) { cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir); free(dir); return CL_ETMPDIR;
0c7019c5	}
e3aaff8e
0c7019c5	/* * Extract the attachments into the temporary directory */
7b1f1aaf	if ((ret = cli_mbox(dir, ctx))) {
d7979d4f	if (ret == CL_VIRUS && SCAN_ALLMATCHES)
7b1f1aaf	viruses_found++; else { if (!ctx->engine->keeptmp) cli_rmdirs(dir); free(dir); return ret; }
0c7019c5	}
cb680655	ret = cli_scandir(dir, ctx);
0c7019c5
7b1f1aaf	if (!ctx->engine->keeptmp) cli_rmdirs(dir);
0c7019c5	free(dir);
7a307529	if (viruses_found)
7b1f1aaf	return CL_VIRUS;
0c7019c5	return ret;
e3aaff8e	}
1b4b5675	static int cli_scan_structured(cli_ctx *ctx)
a6e38800	{
7b1f1aaf	char buf[8192]; int result = 0; unsigned int cc_count = 0; unsigned int ssn_count = 0; int done = 0; fmap_t map; size_t pos = 0; int (ccfunc)(const unsigned char buffer, int length); int (ssnfunc)(const unsigned char *buffer, int length); unsigned int viruses_found = 0; if (ctx == NULL) return CL_ENULLARG;
a6e38800
e664809d	map = *ctx->fmap;
b0d2122c
7b1f1aaf	if (ctx->engine->min_cc_count == 1) ccfunc = dlp_has_cc;
a6e38800	else
7b1f1aaf	ccfunc = dlp_get_cc_count;
a6e38800
d7979d4f	switch (SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL \| SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED)
7b1f1aaf	{
d7979d4f	case (CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL \| CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED):
7b1f1aaf	if (ctx->engine->min_ssn_count == 1) ssnfunc = dlp_has_ssn; else ssnfunc = dlp_get_ssn_count; break;
a6e38800
d7979d4f	case CL_SCAN_HEURISTIC_STRUCTURED_SSN_NORMAL:
7b1f1aaf	if (ctx->engine->min_ssn_count == 1) ssnfunc = dlp_has_normal_ssn; else ssnfunc = dlp_get_normal_ssn_count; break;
a6e38800
d7979d4f	case CL_SCAN_HEURISTIC_STRUCTURED_SSN_STRIPPED:
7b1f1aaf	if (ctx->engine->min_ssn_count == 1) ssnfunc = dlp_has_stripped_ssn; else ssnfunc = dlp_get_stripped_ssn_count; break;
26fbf6bd
7b1f1aaf	default: ssnfunc = NULL;
a6e38800	}
7b1f1aaf	while (!done && ((result = fmap_readn(map, buf, pos, 8191)) > 0)) { pos += result; if ((cc_count += ccfunc((const unsigned char *)buf, result)) >= ctx->engine->min_cc_count) { done = 1; }
26fbf6bd
7b1f1aaf	if (ssnfunc && ((ssn_count += ssnfunc((const unsigned char *)buf, result)) >= ctx->engine->min_ssn_count)) { done = 1; }
a6e38800	}
7b1f1aaf	if (cc_count != 0 && cc_count >= ctx->engine->min_cc_count) { cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count); if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.CreditCardNumber")) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	{
cbf5017a	viruses_found++;
7b1f1aaf	}
cbf5017a	else
7b1f1aaf	{
cbf5017a	return CL_VIRUS;
7b1f1aaf	} }
a6e38800	}
7b1f1aaf	if (ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) { cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count); if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Structured.SSN")) {
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	{
cbf5017a	viruses_found++;
7b1f1aaf	}
cbf5017a	else
7b1f1aaf	{
cbf5017a	return CL_VIRUS;
7b1f1aaf	} }
a6e38800	}
7a307529	if (viruses_found)
7b1f1aaf	return CL_VIRUS;
a6e38800	return CL_CLEAN; }
822160b5	static int cli_scanembpe(cli_ctx *ctx, off_t offset)
ee99255a	{
7b1f1aaf	int fd, bytes, ret = CL_CLEAN; unsigned long int size = 0, todo; const char buff; char tmpname; fmap_t map = ctx->fmap; unsigned int corrupted_input;
ee99255a
33068e09	tmpname = cli_gentemp(ctx->engine->tmpdir);
7b1f1aaf	if (!tmpname) return CL_EMEM;
ee99255a
7b1f1aaf	if ((fd = open(tmpname, O_RDWR \| O_CREAT \| O_TRUNC \| O_BINARY, S_IRWXU)) < 0) { cli_errmsg("cli_scanembpe: Can't create file %s\n", tmpname); free(tmpname); return CL_ECREAT;
ee99255a	}
822160b5	todo = map->len - offset;
7b1f1aaf	while (1) { bytes = MIN(todo, map->pgsz); if (!bytes) break; if (!(buff = fmap_need_off_once(map, offset + size, bytes))) { close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_EREAD; } size += bytes; todo -= bytes; if (cli_checklimits("cli_scanembpe", ctx, size, 0, 0) != CL_CLEAN) break; if (cli_writen(fd, buff, bytes) != bytes) { cli_dbgmsg("cli_scanembpe: Can't write to temporary file\n"); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_EWRITE; }
ee99255a	}
f0f7f92f	ctx->recursion++;
cfe6b4a2	corrupted_input = ctx->corrupted_input; ctx->corrupted_input = 1;
d39cb658	ret = cli_magic_scandesc(fd, tmpname, ctx);
cfe6b4a2	ctx->corrupted_input = corrupted_input;
7b1f1aaf	if (ret == CL_VIRUS) { cli_dbgmsg("cli_scanembpe: Infected with %s\n", cli_get_last_virus(ctx)); close(fd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return CL_VIRUS;
ee99255a	}
f0f7f92f	ctx->recursion--;
ee99255a	close(fd);
7b1f1aaf	if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; }
997a0e0b	}
ee99255a	free(tmpname); /* intentionally ignore possible errors from cli_magic_scandesc */ return CL_CLEAN; }
cca445ee	#if defined(_WIN32) \|\| defined(C_LINUX) \|\| defined(C_DARWIN)
63feb6cd	#define PERF_MEASURE #endif #ifdef PERF_MEASURE
7b1f1aaf	static struct {
63feb6cd	enum perfev id; const char *name; enum ev_type type; } perf_events[] = { {PERFT_SCAN, "full scan", ev_time}, {PERFT_PRECB, "prescan cb", ev_time}, {PERFT_POSTCB, "postscan cb", ev_time}, {PERFT_CACHE, "cache", ev_time}, {PERFT_FT, "filetype", ev_time}, {PERFT_CONTAINER, "container", ev_time}, {PERFT_SCRIPT, "script", ev_time}, {PERFT_PE, "pe", ev_time}, {PERFT_RAW, "raw", ev_time}, {PERFT_RAWTYPENO, "raw container", ev_time}, {PERFT_MAP, "map", ev_time},
7b1f1aaf	{PERFT_BYTECODE, "bytecode", ev_time}, {PERFT_KTIME, "kernel", ev_int}, {PERFT_UTIME, "user", ev_int}};
63feb6cd	static void get_thread_times(uint64_t kt, uint64_t ut) { #ifdef _WIN32
7b1f1aaf	FILETIME c, e, k, u; ULARGE_INTEGER kl, ul; if (!GetThreadTimes(GetCurrentThread(), &c, &e, &k, &u)) { kt = ut = 0; return;
63feb6cd	} kl.LowPart = k.dwLowDateTime; kl.HighPart = k.dwHighDateTime; ul.LowPart = u.dwLowDateTime; ul.HighPart = u.dwHighDateTime; kt = kl.QuadPart / 10; ut = ul.QuadPart / 10; #else struct tms tbuf;
7b1f1aaf	if (times(&tbuf) != -1) { clock_t tck = sysconf(_SC_CLK_TCK); kt = ((uint64_t)1000000) tbuf.tms_stime / tck; ut = ((uint64_t)1000000) tbuf.tms_utime / tck; } else { kt = ut = 0;
63feb6cd	} #endif } static inline void perf_init(cli_ctx *ctx) {
7b1f1aaf	uint64_t kt, ut;
63feb6cd	unsigned i;
d7979d4f	if (!SCAN_DEV_COLLECT_PERF_INFO)
7b1f1aaf	return;
63feb6cd	ctx->perf = cli_events_new(PERFT_LAST);
7b1f1aaf	for (i = 0; i < sizeof(perf_events) / sizeof(perf_events[0]); i++) { if (cli_event_define(ctx->perf, perf_events[i].id, perf_events[i].name, perf_events[i].type, multiple_sum) == -1) continue;
63feb6cd	} cli_event_time_start(ctx->perf, PERFT_SCAN); get_thread_times(&kt, &ut); cli_event_int(ctx->perf, PERFT_KTIME, -kt); cli_event_int(ctx->perf, PERFT_UTIME, -ut); }
7b1f1aaf	static inline void perf_done(cli_ctx *ctx)
63feb6cd	{ char timestr[512]; char *p; unsigned i;
7b1f1aaf	uint64_t kt, ut;
b724f199	char *pend;
63feb6cd	cli_events_t *perf = ctx->perf; if (!perf)
7b1f1aaf	return;
63feb6cd	p = timestr;
b724f199	pend = timestr + sizeof(timestr) - 1;
63feb6cd	*pend = 0; cli_event_time_stop(perf, PERFT_SCAN); get_thread_times(&kt, &ut); cli_event_int(perf, PERFT_KTIME, kt); cli_event_int(perf, PERFT_UTIME, ut);
7b1f1aaf	for (i = 0; i < sizeof(perf_events) / sizeof(perf_events[0]); i++) { union ev_val val; unsigned count;
63feb6cd
7b1f1aaf	cli_event_get(perf, perf_events[i].id, &val, &count); if (p < pend) p += snprintf(p, pend - p, "%s: %d.%03ums, ", perf_events[i].name, (signed)(val.v_int / 1000), (unsigned)(val.v_int % 1000));
63feb6cd	} *p = 0; cli_infomsg(ctx, "performance: %s\n", timestr); cli_events_free(perf); ctx->perf = NULL; }
7b1f1aaf	static inline void perf_start(cli_ctx *ctx, int id)
63feb6cd	{ cli_event_time_start(ctx->perf, id); }
7b1f1aaf	static inline void perf_stop(cli_ctx *ctx, int id)
63feb6cd	{ cli_event_time_stop(ctx->perf, id); }
7b1f1aaf	static inline void perf_nested_start(cli_ctx *ctx, int id, int nestedid)
63feb6cd	{ cli_event_time_nested_start(ctx->perf, id, nestedid); }
7b1f1aaf	static inline void perf_nested_stop(cli_ctx *ctx, int id, int nestedid)
63feb6cd	{ cli_event_time_nested_stop(ctx->perf, id, nestedid); } #else
7b1f1aaf	static inline void perf_init(cli_ctx ctx) { UNUSEDPARAM(ctx); } static inline void perf_start(cli_ctx ctx, int id) { UNUSEDPARAM(ctx); UNUSEDPARAM(id); } static inline void perf_stop(cli_ctx ctx, int id) { UNUSEDPARAM(ctx); UNUSEDPARAM(id); } static inline void perf_nested_start(cli_ctx ctx, int id, int nestedid) { UNUSEDPARAM(ctx); UNUSEDPARAM(id); UNUSEDPARAM(nestedid); } static inline void perf_nested_stop(cli_ctx ctx, int id, int nestedid) { UNUSEDPARAM(ctx); UNUSEDPARAM(id); UNUSEDPARAM(nestedid); } static inline void perf_done(cli_ctx ctx) { UNUSEDPARAM(ctx); }
63feb6cd	#endif
548b55be	static int cli_scanraw(cli_ctx ctx, cli_file_t type, uint8_t typercg, cli_file_t dettype, unsigned char *refhash)
555c5390	{
7b1f1aaf	int ret = CL_CLEAN, nret = CL_CLEAN; struct cli_matched_type ftoffset = NULL, fpt; struct cli_exe_info peinfo; unsigned int acmode = AC_SCAN_VIR, break_loop = 0; fmap_t map = ctx->fmap;
555c5390
7b1f1aaf	if (ctx->engine->maxreclevel && ctx->recursion >= ctx->engine->maxreclevel) {
312b7e53	cli_check_blockmax(ctx, CL_EMAXREC);
8df99a92	return CL_EMAXREC;
312b7e53	}
8df99a92
63feb6cd	perf_start(ctx, PERFT_RAW);
7b1f1aaf	if (typercg) acmode \|= AC_SCAN_FT;
555c5390
ffa9b060	ret = cli_fmap_scandesc(ctx, type == CL_TYPE_TEXT_ASCII ? 0 : type, 0, &ftoffset, acmode, NULL, refhash);
63feb6cd	perf_stop(ctx, PERFT_RAW);
555c5390
7b1f1aaf	if (ret >= CL_TYPENO) { perf_nested_start(ctx, PERFT_RAWTYPENO, PERFT_SCAN); ctx->recursion++;
60a1a1a1	fpt = ftoffset;
7b1f1aaf	while (fpt) {
031fe00a	/* set current level as container AFTER recursing */ cli_set_container(ctx, fpt->type, map->len);
7b1f1aaf	if (fpt->offset) switch (fpt->type) {
ef48d7cb	case CL_TYPE_MHTML:
d7979d4f	if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
7b1f1aaf	{ cli_dbgmsg("MHTML signature found at %u\n", (unsigned int)fpt->offset);
cbf5017a	nret = ret = cli_scanmail(ctx);
ef48d7cb	} break;
30a75097	case CL_TYPE_XDP:
d7979d4f	if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
7b1f1aaf	{ cli_dbgmsg("XDP signature found at %u\n", (unsigned int)fpt->offset);
cbf5017a	nret = ret = cli_scanxdp(ctx);
21f6478f	}
30a75097	break;
4823482e	case CL_TYPE_XML_WORD:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
7b1f1aaf	{ cli_dbgmsg("XML-WORD signature found at %u\n", (unsigned int)fpt->offset);
cbf5017a	nret = ret = cli_scanmsxml(ctx);
21f6478f	}
4823482e	break; case CL_TYPE_XML_XL:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
7b1f1aaf	{ cli_dbgmsg("XML-XL signature found at %u\n", (unsigned int)fpt->offset);
cbf5017a	nret = ret = cli_scanmsxml(ctx);
21f6478f	}
4823482e	break;
d2eea44a	case CL_TYPE_XML_HWP:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_HWP))
7b1f1aaf	{ cli_dbgmsg("XML-HWP signature found at %u\n", (unsigned int)fpt->offset);
cbf5017a	nret = ret = cli_scanhwpml(ctx);
21f6478f	}
d2eea44a	break;
60a1a1a1	case CL_TYPE_RARSFX:
d7979d4f	if (type != CL_TYPE_RAR && have_rar && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR))
7b1f1aaf	{
d39cb658	const char *filepath = NULL; int fd = -1;
32ba85d5	char *tmpname = NULL;
d39cb658	int tmpfd = -1;
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */
d39cb658
031fe00a	cli_set_container(ctx, CL_TYPE_RAR, csize);
7b1f1aaf	cli_dbgmsg("RAR/RAR-SFX signature found at %u\n", (unsigned int)fpt->offset);
d39cb658
80fd9074	#ifdef _WIN32 if ((fpt->offset != 0) \|\| (SCAN_UNPRIVILEGED)\|\| (NULL == ctx->sub_filepath) \|\| (0 != _access_s(ctx->sub_filepath, R_OK))) { #else if ((fpt->offset != 0) \|\| (SCAN_UNPRIVILEGED) \|\| (NULL == ctx->sub_filepath) \|\| (0 != access(ctx->sub_filepath, R_OK))) { #endif
d39cb658	/* * If map is not file-backed, or offset is not at the start of the file... * ...have to dump to file for scanrar. */ nret = fmap_dump_to_file(map, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, fpt->offset, fpt->offset + csize); if (nret != CL_SUCCESS) {
32ba85d5	cli_dbgmsg("cli_scanraw: failed to generate temporary file.\n"); ret = nret; break_loop = 1; break; }
d39cb658	filepath = tmpname; fd = tmpfd; } else { /* Use the original file and file descriptor. */ filepath = ctx->sub_filepath; fd = fmap_fd(map);
32ba85d5	}
d39cb658	/* scan file */
9739293e	nret = cli_scanrar(filepath, fd, ctx);
d39cb658
80fd9074	if ((NULL == tmpname) && (CL_EOPEN == nret)) { /* * Failed to open the file using the original filename. * Try writing the file descriptor to a temp file and try again. / nret = fmap_dump_to_file(map, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, fpt->offset, fpt->offset + csize); if (nret != CL_SUCCESS) { cli_dbgmsg("cli_scanraw: failed to generate temporary file.\n"); ret = nret; break_loop = 1; break; } filepath = tmpname; fd = tmpfd; / try to scan again */ nret = cli_scanrar(filepath, fd, ctx); }
d39cb658	if (tmpfd != -1)
7b1f1aaf	{
d39cb658	/* If dumped tempfile, need to cleanup */
32ba85d5	close(tmpfd);
d39cb658	if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) {
32ba85d5	ret = nret = CL_EUNLINK; break_loop = 1; } }
d39cb658	} if (tmpname != NULL) {
32ba85d5	free(tmpname); }
60a1a1a1	} break; case CL_TYPE_ZIPSFX:
d7979d4f	if (type != CL_TYPE_ZIP && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_ZIP, csize);
7b1f1aaf	cli_dbgmsg("ZIP/ZIP-SFX signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_unzip_single(ctx, fpt->offset); } break; case CL_TYPE_CABSFX:
d7979d4f	if (type != CL_TYPE_MSCAB && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_MSCAB, csize);
7b1f1aaf	cli_dbgmsg("CAB/CAB-SFX signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_scanmscab(ctx, fpt->offset); } break; case CL_TYPE_ARJSFX:
d7979d4f	if (type != CL_TYPE_ARJ && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_ARJ, csize);
7b1f1aaf	cli_dbgmsg("ARJ-SFX signature found at %u\n", (unsigned int)fpt->offset);
9739293e	nret = cli_scanarj(ctx, fpt->offset);
60a1a1a1	} break; case CL_TYPE_7ZSFX:
d7979d4f	if (type != CL_TYPE_7Z && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_7Z, csize);
7b1f1aaf	cli_dbgmsg("7Zip-SFX signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_7unz(ctx, fpt->offset); } break; case CL_TYPE_ISO9660:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ISO9660))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_ISO9660, csize);
7b1f1aaf	cli_dbgmsg("ISO9660 signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_scaniso(ctx, fpt->offset); } break; case CL_TYPE_NULSFT:
d7979d4f	if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_NSIS) &&
7b1f1aaf	fpt->offset > 4) {
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_NULSFT, csize);
7b1f1aaf	cli_dbgmsg("NSIS signature found at %u\n", (unsigned int)fpt->offset - 4);
60a1a1a1	nret = cli_scannulsft(ctx, fpt->offset - 4); } break; case CL_TYPE_AUTOIT:
d7979d4f	if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_AUTOIT))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_AUTOIT, csize);
7b1f1aaf	cli_dbgmsg("AUTOIT signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_scanautoit(ctx, fpt->offset + 23); } break; case CL_TYPE_ISHIELD_MSI:
d7979d4f	if (SCAN_PARSE_ARCHIVE && type == CL_TYPE_MSEXE && (DCONF_ARCH & ARCH_CONF_ISHIELD))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_AUTOIT, csize);
7b1f1aaf	cli_dbgmsg("ISHIELD-MSI signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_scanishield_msi(ctx, fpt->offset + 14); } break; case CL_TYPE_DMG:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_DMG))
7b1f1aaf	{ cli_dbgmsg("DMG signature found at %u\n", (unsigned int)fpt->offset);
21f6478f	nret = cli_scandmg(ctx);
60a1a1a1	} break;
e5d13808	case CL_TYPE_MBR:
d7979d4f	if (SCAN_PARSE_ARCHIVE)
7b1f1aaf	{
e5d13808	int iret = cli_mbr_check2(ctx, 0);
7b1f1aaf	if ((iret == CL_TYPE_GPT) && (DCONF_ARCH & ARCH_CONF_GPT)) {
e5d13808	cli_dbgmsg("Recognized GUID Partition Table file\n");
031fe00a	cli_set_container(ctx, CL_TYPE_GPT, map->len);
7b1f1aaf	cli_dbgmsg("GPT signature found at %u\n", (unsigned int)fpt->offset);
21f6478f	nret = cli_scangpt(ctx, 0);
e5d13808	}
7b1f1aaf	else if ((iret == CL_CLEAN) && (DCONF_ARCH & ARCH_CONF_MBR)) { cli_dbgmsg("MBR signature found at %u\n", (unsigned int)fpt->offset);
21f6478f	nret = cli_scanmbr(ctx, 0);
e5d13808	} } break;
60a1a1a1	case CL_TYPE_PDF:
d7979d4f	if (type != CL_TYPE_PDF && SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
7b1f1aaf	{
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */ cli_set_container(ctx, CL_TYPE_PDF, csize);
7b1f1aaf	cli_dbgmsg("PDF signature found at %u\n", (unsigned int)fpt->offset);
60a1a1a1	nret = cli_scanpdf(ctx, fpt->offset); } break; case CL_TYPE_MSEXE:
d7979d4f	if (SCAN_PARSE_PE && (type == CL_TYPE_MSEXE \|\| type == CL_TYPE_ZIP \|\| type == CL_TYPE_MSOLE2) && ctx->dconf->pe)
7b1f1aaf	{
60a1a1a1	uint64_t curr_len = map->len;
031fe00a	size_t csize = map->len - fpt->offset; /* not precise */
60a1a1a1	/* CL_ENGINE_MAX_EMBEDDED_PE */
7b1f1aaf	if (curr_len > ctx->engine->maxembeddedpe) {
60a1a1a1	cli_dbgmsg("cli_scanraw: MaxEmbeddedPE exceeded\n"); break; }
031fe00a	cli_set_container(ctx, CL_TYPE_MSEXE, csize);
60a1a1a1	memset(&peinfo, 0, sizeof(struct cli_exe_info)); peinfo.offset = fpt->offset;
7b1f1aaf	if (cli_peheader(map, &peinfo) == 0) { cli_dbgmsg("* Detected embedded PE file at %u *\n", (unsigned int)fpt->offset); if (peinfo.section)
60a1a1a1	free(peinfo.section); cli_hashset_destroy(&peinfo.vinfo); nret = cli_scanembpe(ctx, fpt->offset); break_loop = 1; /* we can stop here and other * embedded executables will * be found recursively * through the above call */ } } break; default: cli_warnmsg("cli_scanraw: Type %u not handled in fpt loop\n", fpt->type);
7b1f1aaf	}
d68a73d1
7b1f1aaf	if (nret == CL_VIRUS \|\| break_loop)
60a1a1a1	break;
d68a73d1
60a1a1a1	fpt = fpt->next; }
7b1f1aaf	if (nret != CL_VIRUS) switch (ret) { case CL_TYPE_HTML: /* bb#11196 - autoit script file misclassified as HTML */ if (cli_get_container_intermediate(ctx, -2) == CL_TYPE_AUTOIT) { ret = CL_TYPE_TEXT_ASCII; }
d7979d4f	else if (SCAN_PARSE_HTML && (type == CL_TYPE_TEXT_ASCII \|\| type == CL_TYPE_GRAPHICS) &&
7b1f1aaf	(DCONF_DOC & DOC_CONF_HTML)) { *dettype = CL_TYPE_HTML; nret = cli_scanhtml(ctx); } break; case CL_TYPE_MAIL: cli_set_container(ctx, CL_TYPE_MAIL, map->len);
d7979d4f	if (SCAN_PARSE_MAIL && type == CL_TYPE_TEXT_ASCII && (DCONF_MAIL & MAIL_CONF_MBOX))
7b1f1aaf	{ *dettype = CL_TYPE_MAIL; nret = cli_scanmail(ctx); } break; default: break; } perf_nested_stop(ctx, PERFT_RAWTYPENO, PERFT_SCAN); ctx->recursion--; ret = nret; } while (ftoffset) { fpt = ftoffset; ftoffset = ftoffset->next; free(fpt); } if (ret == CL_VIRUS) cli_dbgmsg("%s found\n", cli_get_last_virus(ctx));
c8b0d9a2
555c5390	return ret; }
7b1f1aaf	static void emax_reached(cli_ctx *ctx) {
742b3a0e	fmap_t **ctx_fmap = ctx->fmap;
b6c03fb9	if (!ctx_fmap)
7b1f1aaf	return; while (ctx_fmap) { fmap_t map = *ctx_fmap; map->dont_cache_flag = 1; ctx_fmap--;
742b3a0e	} cli_dbgmsg("emax_reached: marked parents as non cacheable\n"); }
aef8d4ac	#define LINESTR(x) #x #define LINESTR2(x) LINESTR(x)
7b1f1aaf	#define __AT__ " at line " LINESTR2(__LINE__)
60af015e
7b1f1aaf	#define early_ret_from_magicscan(retcode) \ do \ { \ cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", retcode, __AT__); \ return retcode; \ } while (0)
60af015e
ff2d5e61	static int magic_scandesc_cleanup(cli_ctx ctx, cli_file_t type, unsigned char hash, size_t hashed_size, int cache_clean, int retcode, void *parent_property) {
d4742bb1	int cb_retcode;
2a3d247b	#if HAVE_JSON
ff2d5e61	ctx->wrkproperty = (struct json_object *)(parent_property);
8b77f741	#else UNUSEDPARAM(parent_property);
2a3d247b	#endif
8b77f741	UNUSEDPARAM(type);
7b1f1aaf	if (retcode == CL_CLEAN && ctx->found_possibly_unwanted) {
cbf5017a	cli_virus_found_cb(ctx);
f7106b36	cb_retcode = CL_VIRUS;
cbf5017a	}
7b1f1aaf	else {
cbf5017a	if (retcode == CL_CLEAN && ctx->num_viruses != 0) cb_retcode = CL_VIRUS; else cb_retcode = retcode; }
f7106b36
ff2d5e61	cli_dbgmsg("cli_magic_scandesc: returning %d %s\n", retcode, __AT__);
7b1f1aaf	if (ctx->engine->cb_post_scan) { const char *virusname = NULL;
ff2d5e61	perf_start(ctx, PERFT_POSTCB);
f7106b36	if (cb_retcode == CL_VIRUS) virusname = cli_get_last_virus(ctx);
7b1f1aaf	switch (ctx->engine->cb_post_scan(fmap_fd(*ctx->fmap), cb_retcode, virusname, ctx->cb_ctx)) {
ff2d5e61	case CL_BREAK: cli_dbgmsg("cli_magic_scandesc: file whitelisted by post_scan callback\n"); perf_stop(ctx, PERFT_POSTCB); return CL_CLEAN; case CL_VIRUS: cli_dbgmsg("cli_magic_scandesc: file blacklisted by post_scan callback\n"); cli_append_virus(ctx, "Detected.By.Callback"); perf_stop(ctx, PERFT_POSTCB); if (retcode != CL_VIRUS) return cli_checkfp(hash, hashed_size, ctx); return CL_VIRUS; case CL_CLEAN: break; default: cli_warnmsg("cli_magic_scandesc: ignoring bad return code from post_scan callback\n"); } perf_stop(ctx, PERFT_POSTCB);
c27d4056	}
7b1f1aaf	if (cb_retcode == CL_CLEAN && cache_clean) {
ff2d5e61	perf_start(ctx, PERFT_CACHE);
d7979d4f	if (!(SCAN_COLLECT_METADATA))
7d4213a7	cache_add(hash, hashed_size, ctx);
ff2d5e61	perf_stop(ctx, PERFT_CACHE); }
d7979d4f	if (retcode == CL_VIRUS && SCAN_ALLMATCHES)
7a307529	return CL_CLEAN;
ff2d5e61	return retcode; }
c27d4056
ff2d5e61	static int dispatch_prescan(clcb_pre_scan cb, cli_ctx ctx, const char filetype, bitset_t old_hook_lsig_matches, void parent_property, unsigned char hash, size_t hashed_size, int run_cleanup) {
7b1f1aaf	int res = CL_CLEAN;
ff2d5e61
8b77f741	UNUSEDPARAM(parent_property); UNUSEDPARAM(hash); UNUSEDPARAM(hashed_size);
ff2d5e61	*run_cleanup = 0;
7b1f1aaf	if (cb) {
ff2d5e61	perf_start(ctx, PERFT_PRECB);
7b1f1aaf	switch (cb(fmap_fd(*ctx->fmap), filetype, ctx->cb_ctx)) {
ff2d5e61	case CL_BREAK: cli_dbgmsg("cli_magic_scandesc: file whitelisted by callback\n"); perf_stop(ctx, PERFT_PRECB); ctx->hook_lsig_matches = old_hook_lsig_matches;
f82b5e3e	/* returns CL_CLEAN */
ff2d5e61	*run_cleanup = 1;
f82b5e3e	break;
ff2d5e61	case CL_VIRUS: cli_dbgmsg("cli_magic_scandesc: file blacklisted by callback\n"); cli_append_virus(ctx, "Detected.By.Callback"); perf_stop(ctx, PERFT_PRECB); ctx->hook_lsig_matches = old_hook_lsig_matches; *run_cleanup = 1; res = CL_VIRUS;
f82b5e3e	break;
ff2d5e61	case CL_CLEAN: break; default: cli_warnmsg("cli_magic_scandesc: ignoring bad return code from callback\n"); }
c27d4056
ff2d5e61	perf_stop(ctx, PERFT_PRECB); } return res; }
c27d4056
b7ae31f1	static int magic_scandesc(cli_ctx *ctx, cli_file_t type)
e3aaff8e	{
7b1f1aaf	int ret = CL_CLEAN; cli_file_t dettype = 0; uint8_t typercg = 1; size_t hashed_size; unsigned char hash[16] = {'\0'}; bitset_t old_hook_lsig_matches; const char filetype; int cache_clean = 0, res; int run_cleanup = 0;
2a3d247b	#if HAVE_JSON
7b1f1aaf	struct json_object *parent_property = NULL;
ff2d5e61	#else
7b1f1aaf	void *parent_property = NULL;
4e683628	#endif
a7f5fd00
7b1f1aaf	if (!ctx->engine) { cli_errmsg("CRITICAL: engine == NULL\n"); early_ret_from_magicscan(CL_ENULLARG);
b3df93db	}
7b1f1aaf	if (!(ctx->engine->dboptions & CL_DB_COMPILED)) { cli_errmsg("CRITICAL: engine not compiled\n"); early_ret_from_magicscan(CL_EMALFDB);
e3aaff8e	}
7b1f1aaf	if (ctx->engine->maxreclevel && ctx->recursion > ctx->engine->maxreclevel) {
b2726a53	cli_dbgmsg("cli_magic_scandesc: Archive recursion limit exceeded (%u, max: %u)\n", ctx->recursion, ctx->engine->maxreclevel);
7b1f1aaf	emax_reached(ctx);
312b7e53	cli_check_blockmax(ctx, CL_EMAXREC);
7b1f1aaf	early_ret_from_magicscan(CL_CLEAN);
b2726a53	}
7b1f1aaf	if (cli_updatelimits(ctx, (*ctx->fmap)->len) != CL_CLEAN) { emax_reached(ctx);
60af015e	early_ret_from_magicscan(CL_CLEAN);
998bcfa7	}
dd64326e	old_hook_lsig_matches = ctx->hook_lsig_matches;
7b1f1aaf	if (type == CL_TYPE_PART_ANY) { typercg = 0;
1d1c4b15	}
998bcfa7
a217d9a7	perf_start(ctx, PERFT_FT);
7b1f1aaf	if ((type == CL_TYPE_ANY) \|\| type == CL_TYPE_PART_ANY) { type = cli_filetype2(*ctx->fmap, ctx->engine, type);
2612de29	}
a217d9a7	perf_stop(ctx, PERFT_FT);
7b1f1aaf	if (type == CL_TYPE_ERROR) { cli_dbgmsg("cli_magic_scandesc: cli_filetype2 returned CL_TYPE_ERROR\n"); early_ret_from_magicscan(CL_EREAD);
a0eb7910	}
a217d9a7	filetype = cli_ftname(type);
e56f0949
2a3d247b	#if HAVE_JSON
d7979d4f	if (SCAN_COLLECT_METADATA)
7b1f1aaf	{
8b77f741	json_object *arrobj;
4e683628
7b1f1aaf	if (NULL == ctx->properties) { if (type == CL_TYPE_PDF \|\| /* file types we collect properties about */
585717e1	type == CL_TYPE_MSOLE2 \|\| type == CL_TYPE_MSEXE \|\|
7360fe6a	//type == CL_TYPE_ZIP \|\|
585717e1	type == CL_TYPE_OOXML_WORD \|\| type == CL_TYPE_OOXML_PPT \|\|
56895e25	type == CL_TYPE_OOXML_XL \|\| type == CL_TYPE_XML_WORD \|\|
9103b7e9	type == CL_TYPE_XML_XL \|\|
d2eea44a	type == CL_TYPE_HWP3 \|\|
6cd5a9dc	type == CL_TYPE_XML_HWP \|\|
c6f7be55	type == CL_TYPE_HWPOLE2 \|\|
05f58cfa	type == CL_TYPE_OOXML_HWP \|\|
7b1f1aaf	type == CL_TYPE_MHTML) {
585717e1	ctx->properties = json_object_new_object();
7b1f1aaf	if (NULL == ctx->properties) {
585717e1	cli_errmsg("magic_scandesc: no memory for json properties object\n");
7b1f1aaf	early_ret_from_magicscan(CL_EMEM);
585717e1	} ctx->wrkproperty = ctx->properties;
a03db40e	ret = cli_jsonstr(ctx->properties, "Magic", "CLAMJSONv0");
7b1f1aaf	if (ret != CL_SUCCESS) {
de46d3e3	early_ret_from_magicscan(ret); }
5ee5fad2	ret = cli_jsonstr(ctx->properties, "RootFileType", filetype);
7b1f1aaf	if (ret != CL_SUCCESS) {
90f830e7	early_ret_from_magicscan(ret); }
7b1f1aaf	} else { /* turn off property collection flag for file types we don't care about */
d7979d4f	ctx->options->general &= ~CL_SCAN_GENERAL_COLLECT_METADATA;
4e683628	}
e56f0949	}
7b1f1aaf	else {
4e683628	parent_property = ctx->wrkproperty;
7b1f1aaf	if (!json_object_object_get_ex(parent_property, "ContainedObjects", &arrobj)) {
4e683628	arrobj = json_object_new_array();
7b1f1aaf	if (NULL == arrobj) {
4e683628	cli_errmsg("magic_scandesc: no memory for json properties object\n"); early_ret_from_magicscan(CL_EMEM); }
fd151ff6	json_object_object_add(parent_property, "ContainedObjects", arrobj);
4e683628	} ctx->wrkproperty = json_object_new_object();
7b1f1aaf	if (NULL == ctx->wrkproperty) {
4e683628	cli_errmsg("magic_scandesc: no memory for json properties object\n"); early_ret_from_magicscan(CL_EMEM); } json_object_array_add(arrobj, ctx->wrkproperty); }
9ecf6c2b	}
4e683628
d7979d4f	if (SCAN_COLLECT_METADATA)
7b1f1aaf	{ /* separated for cases json is not tracked */
ff2d5e61	ret = cli_jsonstr(ctx->wrkproperty, "FileType", filetype);
7b1f1aaf	if (ret != CL_SUCCESS) {
a69adec1	early_ret_from_magicscan(ret);
e56f0949	}
ff2d5e61	ret = cli_jsonint(ctx->wrkproperty, "FileSize", (*ctx->fmap)->len);
7b1f1aaf	if (ret != CL_SUCCESS) {
a69adec1	early_ret_from_magicscan(ret);
e56f0949	} } #endif
c86a1d4b	hashed_size = 0;
ff2d5e61	ret = dispatch_prescan(ctx->engine->cb_pre_cache, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup);
7b1f1aaf	if (run_cleanup) {
ff2d5e61	if (ret == CL_VIRUS) return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property); else return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property); }
a0eb7910
63feb6cd	perf_start(ctx, PERFT_CACHE);
d7979d4f	if (!(SCAN_COLLECT_METADATA))
7d4213a7	res = cache_check(hash, ctx);
ac2bd61e	else res = CL_VIRUS;
a69adec1	#if HAVE_JSON
d7979d4f	if (SCAN_COLLECT_METADATA /* ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && ctx->wrkproperty != NULL */)
7b1f1aaf	{
a69adec1	char hashstr[33];
7d4213a7	ret = cache_get_MD5(hash, ctx);
7b1f1aaf	if (ret != CL_SUCCESS) {
7d4213a7	early_ret_from_magicscan(ret); } snprintf(hashstr, 33, "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8], hash[9], hash[10], hash[11], hash[12], hash[13], hash[14], hash[15]);
a69adec1
ff2d5e61	ret = cli_jsonstr(ctx->wrkproperty, "FileMD5", hashstr);
7d4213a7	if (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) memset(hash, 0, sizeof(hash));
7b1f1aaf	if (ret != CL_SUCCESS) {
a69adec1	early_ret_from_magicscan(ret); } } #endif
7b1f1aaf	if (res != CL_VIRUS) { perf_stop(ctx, PERFT_CACHE);
2a3d247b	#if HAVE_JSON
4e683628	ctx->wrkproperty = parent_property;
2a3d247b	#endif
7b1f1aaf	early_ret_from_magicscan(res);
60b21251	}
ed98fae7
63feb6cd	perf_stop(ctx, PERFT_CACHE);
52f52931	hashed_size = (*ctx->fmap)->len;
cbf5017a	memcpy((*ctx->fmap)->maphash, hash, 16);
f4e34215	ctx->hook_lsig_matches = NULL;
52f52931
d7979d4f	if (!((ctx->options->general & ~CL_SCAN_GENERAL_ALLMATCHES) \|\| (ctx->options->parse) \|\| (ctx->options->heuristic) \|\| (ctx->options->mail) \|\| (ctx->options->dev)) \|\| (ctx->recursion == ctx->engine->maxreclevel))
7b1f1aaf	{ /* raw mode (stdin, etc.) or last level of recursion */ if (ctx->recursion == ctx->engine->maxreclevel) {
312b7e53	cli_check_blockmax(ctx, CL_EMAXREC);
7b1f1aaf	cli_dbgmsg("cli_magic_scandesc: Hit recursion limit, only scanning raw file\n");
312b7e53	}
ff2d5e61	else
7b1f1aaf	cli_dbgmsg("Raw mode: No support for special files\n");
aef8d4ac
7b1f1aaf	ret = dispatch_prescan(ctx->engine->cb_pre_scan, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup); if (run_cleanup) { if (ret == CL_VIRUS) return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property); else return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); } /* ret_from_magicscan can be used below here/ if ((ret = cli_fmap_scandesc(ctx, 0, 0, NULL, AC_SCAN_VIR, NULL, hash)) == CL_VIRUS) cli_dbgmsg("%s found in descriptor %d\n", cli_get_last_virus(ctx), fmap_fd(ctx->fmap)); else if (ret == CL_CLEAN) { if (ctx->recursion != ctx->engine->maxreclevel) cache_clean = 1; /* Only cache if limits are not reached */ else emax_reached(ctx); } ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
d91ab809	}
e3aaff8e
ff2d5e61	ret = dispatch_prescan(ctx->engine->cb_pre_scan, ctx, filetype, old_hook_lsig_matches, parent_property, hash, hashed_size, &run_cleanup);
7b1f1aaf	if (run_cleanup) {
ff2d5e61	if (ret == CL_VIRUS) return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, cli_checkfp(hash, hashed_size, ctx), parent_property); else return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); }
7b1f1aaf	/* ret_from_magicscan can be used below here*/
c27d4056
16b28d07	#ifdef HAVE__INTERNAL__SHA_COLLECT
7b1f1aaf	if (!ctx->sha_collect && type == CL_TYPE_MSEXE) ctx->sha_collect = 1;
16b28d07	#endif
6d6e8271
f4e34215	ctx->hook_lsig_matches = cli_bitset_init();
7b1f1aaf	if (!ctx->hook_lsig_matches) { ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_EMEM, parent_property);
17c20e12	}
f4e34215
7b1f1aaf	if (type != CL_TYPE_IGNORED && ctx->engine->sdb) { if ((ret = cli_scanraw(ctx, type, 0, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash)) == CL_VIRUS) { ret = cli_checkfp(hash, hashed_size, ctx); cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property); }
555c5390	}
d91ab809	ctx->recursion++;
63feb6cd	perf_nested_start(ctx, PERFT_CONTAINER, PERFT_SCAN);
031fe00a	/* set current level as container AFTER recursing / cli_set_container(ctx, type, (ctx->fmap)->len);
7b1f1aaf	switch (type) { case CL_TYPE_IGNORED: break; case CL_TYPE_HWP3:
d7979d4f	if (SCAN_PARSE_HWP3 && (DCONF_DOC & DOC_CONF_HWP))
7b1f1aaf	ret = cli_scanhwp3(ctx); break; case CL_TYPE_HWPOLE2:
d7979d4f	if (SCAN_PARSE_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))
7b1f1aaf	ret = cli_scanhwpole2(ctx); break; case CL_TYPE_XML_WORD:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
7b1f1aaf	ret = cli_scanmsxml(ctx); break; case CL_TYPE_XML_XL:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_MSXML))
7b1f1aaf	ret = cli_scanmsxml(ctx); break; case CL_TYPE_XML_HWP:
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_HWP))
7b1f1aaf	ret = cli_scanhwpml(ctx); break; case CL_TYPE_XDP:
d7979d4f	if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
7b1f1aaf	ret = cli_scanxdp(ctx); break; case CL_TYPE_RAR:
d39cb658	if (have_rar && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) { const char *filepath = NULL; int fd = -1;
7b1f1aaf	char *tmpname = NULL;
d39cb658	int tmpfd = -1;
80fd9074	#ifdef _WIN32 if ((SCAN_UNPRIVILEGED) \|\| (NULL == ctx->sub_filepath) \|\| (0 != _access_s(ctx->sub_filepath, R_OK))) { #else if ((SCAN_UNPRIVILEGED) \|\| (NULL == ctx->sub_filepath) \|\| (0 != access(ctx->sub_filepath, R_OK))) { #endif
d39cb658	/* If map is not file-backed have to dump to file for scanrar. / ret = fmap_dump_to_file(ctx->fmap, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, 0, SIZE_MAX); if (ret != CL_SUCCESS) { cli_dbgmsg("magic_scandesc: failed to generate temporary file.\n");
7b1f1aaf	break; }
d39cb658	filepath = tmpname; fd = tmpfd; } else { /* Use the original file and file descriptor. / filepath = ctx->sub_filepath; fd = fmap_fd(ctx->fmap);
7b1f1aaf	}
d39cb658	/* scan file */
9739293e	ret = cli_scanrar(filepath, fd, ctx);
d39cb658
80fd9074	if ((NULL == tmpname) && (CL_EOPEN == ret)) { /* * Failed to open the file using the original filename. * Try writing the file descriptor to a temp file and try again. / ret = fmap_dump_to_file(ctx->fmap, ctx->sub_filepath, ctx->engine->tmpdir, &tmpname, &tmpfd, 0, SIZE_MAX); if (ret != CL_SUCCESS) { cli_dbgmsg("cli_scanraw: failed to generate temporary file.\n"); break; } filepath = tmpname; fd = tmpfd; /* try to scan again */ ret = cli_scanrar(filepath, fd, ctx); }
d39cb658	if (tmpfd != -1) { /* If dumped tempfile, need to cleanup */ close(tmpfd); if (!ctx->engine->keeptmp) { if (cli_unlink(tmpname)) { ret = CL_EUNLINK; } } } if (tmpname != NULL) {
7b1f1aaf	free(tmpname); } } break; case CL_TYPE_OOXML_WORD: case CL_TYPE_OOXML_PPT: case CL_TYPE_OOXML_XL: case CL_TYPE_OOXML_HWP:
a69adec1	#if HAVE_JSON
d7979d4f	if (SCAN_PARSE_XMLDOCS && (DCONF_DOC & DOC_CONF_OOXML))
7b1f1aaf	{
d7979d4f	if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL))
7b1f1aaf	{ ret = cli_process_ooxml(ctx, type); if (ret == CL_EMEM \|\| ret == CL_ENULLARG) { /* critical error / break; } else if (ret != CL_SUCCESS) { / * non-critical return => allow for the CL_TYPE_ZIP scan to occur * cli_process_ooxml other possible returns: * CL_ETIMEOUT, CL_EMAXSIZE, CL_EMAXFILES, CL_EPARSE, * CL_EFORMAT, CL_BREAK, CL_ESTAT */ ret = CL_SUCCESS; } } }
a69adec1	#endif
7b1f1aaf	case CL_TYPE_ZIP:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))
7b1f1aaf	ret = cli_unzip(ctx); break; case CL_TYPE_GZ:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GZ))
7b1f1aaf	ret = cli_scangzip(ctx); break; case CL_TYPE_BZ:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ))
7b1f1aaf	ret = cli_scanbzip(ctx); break; case CL_TYPE_XZ:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_XZ))
7b1f1aaf	ret = cli_scanxz(ctx); break; case CL_TYPE_GPT:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GPT))
7b1f1aaf	ret = cli_scangpt(ctx, 0); break; case CL_TYPE_APM:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_APM))
7b1f1aaf	ret = cli_scanapm(ctx); break; case CL_TYPE_ARJ:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ARJ))
9739293e	ret = cli_scanarj(ctx, 0);
7b1f1aaf	break; case CL_TYPE_NULSFT:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS))
7b1f1aaf	ret = cli_scannulsft(ctx, 0); break; case CL_TYPE_AUTOIT:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_AUTOIT))
7b1f1aaf	ret = cli_scanautoit(ctx, 23); break; case CL_TYPE_MSSZDD:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD))
7b1f1aaf	ret = cli_scanszdd(ctx); break; case CL_TYPE_MSCAB:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB))
7b1f1aaf	ret = cli_scanmscab(ctx, 0); break; case CL_TYPE_HTML:
d7979d4f	if (SCAN_PARSE_HTML && (DCONF_DOC & DOC_CONF_HTML))
7b1f1aaf	ret = cli_scanhtml(ctx); break; case CL_TYPE_HTML_UTF16:
d7979d4f	if (SCAN_PARSE_HTML && (DCONF_DOC & DOC_CONF_HTML))
7b1f1aaf	ret = cli_scanhtml_utf16(ctx); break; case CL_TYPE_SCRIPT: if ((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML) ret = cli_scanscript(ctx); break; case CL_TYPE_SWF:
d7979d4f	if (SCAN_PARSE_SWF && (DCONF_DOC & DOC_CONF_SWF))
7b1f1aaf	ret = cli_scanswf(ctx); break; case CL_TYPE_RTF:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_DOC & DOC_CONF_RTF))
7b1f1aaf	ret = cli_scanrtf(ctx); break; case CL_TYPE_MAIL:
d7979d4f	if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
7b1f1aaf	ret = cli_scanmail(ctx); break; case CL_TYPE_MHTML:
d7979d4f	if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX))
7b1f1aaf	ret = cli_scanmail(ctx); break; case CL_TYPE_TNEF:
d7979d4f	if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_TNEF))
7b1f1aaf	ret = cli_scantnef(ctx); break; case CL_TYPE_UUENCODED: if (DCONF_OTHER & OTHER_CONF_UUENC) ret = cli_scanuuencoded(ctx); break; case CL_TYPE_MSCHM:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM))
7b1f1aaf	ret = cli_scanmschm(ctx); break; case CL_TYPE_MSOLE2:
d7979d4f	if (SCAN_PARSE_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2))
7b1f1aaf	ret = cli_scanole2(ctx); break; case CL_TYPE_7Z:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_7Z))
7b1f1aaf	ret = cli_7unz(ctx, 0); break; case CL_TYPE_POSIX_TAR:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
7b1f1aaf	ret = cli_scantar(ctx, 1); break; case CL_TYPE_OLD_TAR:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR))
7b1f1aaf	ret = cli_scantar(ctx, 0); break; case CL_TYPE_CPIO_OLD:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
7b1f1aaf	ret = cli_scancpio_old(ctx); break; case CL_TYPE_CPIO_ODC:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
7b1f1aaf	ret = cli_scancpio_odc(ctx); break; case CL_TYPE_CPIO_NEWC:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
7b1f1aaf	ret = cli_scancpio_newc(ctx, 0); break; case CL_TYPE_CPIO_CRC:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CPIO))
7b1f1aaf	ret = cli_scancpio_newc(ctx, 1); break; case CL_TYPE_BINHEX:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BINHEX))
7b1f1aaf	ret = cli_binhex(ctx); break; case CL_TYPE_SCRENC: if (DCONF_OTHER & OTHER_CONF_SCRENC) ret = cli_scanscrenc(ctx); break; case CL_TYPE_RIFF:
d7979d4f	if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_RIFF))
7b1f1aaf	ret = cli_scanriff(ctx); break; case CL_TYPE_GRAPHICS:
d7979d4f	if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_JPEG))
7b1f1aaf	ret = cli_scanjpeg(ctx);
d7979d4f	if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS)
7b1f1aaf	ret = cli_parsejpeg(ctx);
d7979d4f	if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
7b1f1aaf	ret = cli_parsepng(ctx);
d7979d4f	if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
7b1f1aaf	ret = cli_parsegif(ctx);
d7979d4f	if (ctx->img_validate && SCAN_HEURISTICS && ret != CL_VIRUS && ret != CL_EPARSE)
7b1f1aaf	ret = cli_parsetiff(ctx); break; case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */
d7979d4f	if (SCAN_PARSE_PDF && (DCONF_DOC & DOC_CONF_PDF))
7b1f1aaf	ret = cli_scanpdf(ctx, 0); break; case CL_TYPE_CRYPTFF: if (DCONF_OTHER & OTHER_CONF_CRYPTFF) ret = cli_scancryptff(ctx); break; case CL_TYPE_ELF:
d7979d4f	if (SCAN_PARSE_ELF && ctx->dconf->elf)
7b1f1aaf	ret = cli_scanelf(ctx); break; case CL_TYPE_MACHO: if (ctx->dconf->macho) ret = cli_scanmacho(ctx, NULL); break; case CL_TYPE_MACHO_UNIBIN: if (ctx->dconf->macho) ret = cli_scanmacho_unibin(ctx); break; case CL_TYPE_SIS:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SIS))
7b1f1aaf	ret = cli_scansis(ctx); break; case CL_TYPE_XAR:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_XAR))
7b1f1aaf	ret = cli_scanxar(ctx); break; case CL_TYPE_PART_HFSPLUS:
d7979d4f	if (SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_HFSPLUS))
7b1f1aaf	ret = cli_scanhfsplus(ctx); break; case CL_TYPE_BINARY_DATA: case CL_TYPE_TEXT_UTF16BE:
d7979d4f	if (SCAN_HEURISTICS && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
7b1f1aaf	ret = cli_check_mydoom_log(ctx); break; case CL_TYPE_TEXT_ASCII:
d7979d4f	if (SCAN_HEURISTIC_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))
7b1f1aaf	/* TODO: consider calling this from cli_scanscript() for * a normalised text */ ret = cli_scan_structured(ctx); break; default: break;
e3aaff8e	}
63feb6cd	perf_nested_stop(ctx, PERFT_CONTAINER, PERFT_SCAN);
d91ab809	ctx->recursion--;
467f8b1e
d7979d4f	if (ret == CL_VIRUS && !SCAN_ALLMATCHES)
7b1f1aaf	{ cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
998bcfa7	}
a6e38800
d7979d4f	if (type == CL_TYPE_ZIP && SCAN_PARSE_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP))
7b1f1aaf	{ /* CL_ENGINE_MAX_ZIPTYPERCG / uint64_t curr_len = (ctx->fmap)->len; if (curr_len > ctx->engine->maxziptypercg) { cli_dbgmsg("cli_magic_scandesc: Not checking for embedded PEs (zip file > MaxZipTypeRcg)\n"); typercg = 0; }
ded60d81	}
08f0150f	/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
d7979d4f	if (type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML \|\| !(SCAN_PARSE_HTML) \|\| !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb)
7b1f1aaf	{ res = cli_scanraw(ctx, type, typercg, &dettype, (ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_CACHE) ? NULL : hash); if (res != CL_CLEAN) { switch (res) { /* List of scan halts, runtime errors only! / case CL_EUNLINK: case CL_ESTAT: case CL_ESEEK: case CL_EWRITE: case CL_EDUP: case CL_ETMPFILE: case CL_ETMPDIR: case CL_EMEM: cli_dbgmsg("Descriptor[%d]: cli_scanraw error %s\n", fmap_fd(ctx->fmap), cl_strerror(res)); cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, res, parent_property); /* CL_VIRUS = malware found, check FP and report */ case CL_VIRUS: ret = res;
d7979d4f	if (SCAN_ALLMATCHES)
7b1f1aaf	break; cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches; return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
0359cc57	/* The CL_ETIMEOUT "MAX" condition should set exceeds max flag and exit out quietly. / case CL_ETIMEOUT: cli_check_blockmax(ctx, ret); cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches; cli_dbgmsg("Descriptor[%d]: Stopping after cli_scanraw reached %s\n", fmap_fd(ctx->fmap), cl_strerror(res)); return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property); /* All other "MAX" conditions should still fully scan the current file */
7b1f1aaf	case CL_EMAXREC: case CL_EMAXSIZE: case CL_EMAXFILES: ret = res; cli_dbgmsg("Descriptor[%d]: Continuing after cli_scanraw reached %s\n", fmap_fd(ctx->fmap), cl_strerror(res)); break; / Other errors must not block further scans below * This specifically includes CL_EFORMAT & CL_EREAD & CL_EUNPACK * Malformed/truncated files could report as any of these three. / default: ret = res; cli_dbgmsg("Descriptor[%d]: Continuing after cli_scanraw error %s\n", fmap_fd(ctx->fmap), cl_strerror(res)); } }
46c2e927	}
e3aaff8e
d91ab809	ctx->recursion++;
7b1f1aaf	switch (type) { /* bytecode hooks triggered by a lsig must be a hook * called from one of the functions here */ case CL_TYPE_TEXT_ASCII: case CL_TYPE_TEXT_UTF16BE: case CL_TYPE_TEXT_UTF16LE: case CL_TYPE_TEXT_UTF8: perf_nested_start(ctx, PERFT_SCRIPT, PERFT_SCAN);
d7979d4f	if ((DCONF_DOC & DOC_CONF_SCRIPT) && dettype != CL_TYPE_HTML && (ret != CL_VIRUS \|\| SCAN_ALLMATCHES) && SCAN_PARSE_HTML)
7b1f1aaf	ret = cli_scanscript(ctx);
d7979d4f	if (SCAN_PARSE_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX) && ret != CL_VIRUS && (cli_get_container(ctx, -1) == CL_TYPE_MAIL \|\| dettype == CL_TYPE_MAIL))
7b1f1aaf	{ ret = cli_fmap_scandesc(ctx, CL_TYPE_MAIL, 0, NULL, AC_SCAN_VIR, NULL, NULL); } perf_nested_stop(ctx, PERFT_SCRIPT, PERFT_SCAN); break; /* Due to performance reasons all executables were first scanned * in raw mode. Now we will try to unpack them */ case CL_TYPE_MSEXE: perf_nested_start(ctx, PERFT_PE, PERFT_SCAN);
d7979d4f	if (SCAN_PARSE_PE && ctx->dconf->pe)
7b1f1aaf	{ unsigned int corrupted_input = ctx->corrupted_input; ret = cli_scanpe(ctx); ctx->corrupted_input = corrupted_input; } perf_nested_stop(ctx, PERFT_PE, PERFT_SCAN); break; case CL_TYPE_BINARY_DATA: ret = cli_fmap_scandesc(ctx, CL_TYPE_OTHER, 0, NULL, AC_SCAN_VIR, NULL, NULL); break; default: break;
77e4bb11	}
2587dbab
d91ab809	ctx->recursion--;
f4e34215	cli_bitset_free(ctx->hook_lsig_matches); ctx->hook_lsig_matches = old_hook_lsig_matches;
77e4bb11
7b1f1aaf	switch (ret) { /* Limits exceeded */
0359cc57	case CL_ETIMEOUT:
7b1f1aaf	case CL_EMAXREC: case CL_EMAXSIZE: case CL_EMAXFILES:
0359cc57	cli_check_blockmax(ctx, ret); /* Malformed file cases */ case CL_EFORMAT: case CL_EREAD: case CL_EUNPACK:
7b1f1aaf	cli_dbgmsg("Descriptor[%d]: %s\n", fmap_fd(*ctx->fmap), cl_strerror(ret));
ff2d5e61	#if HAVE_JSON ctx->wrkproperty = parent_property; #endif return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);
7b1f1aaf	case CL_CLEAN: cache_clean = 1;
ff2d5e61	#if HAVE_JSON ctx->wrkproperty = parent_property; #endif return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);
7b1f1aaf	default:
ff2d5e61	return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);
322bfd03	}
e3aaff8e	}
75fa8613	static cl_error_t cli_base_scandesc(int desc, const char filepath, cli_ctx ctx, cli_file_t type)
7770d314	{
a2a004df	STATBUF sb;
75fa8613	cl_error_t status = CL_CLEAN; cl_error_t ret = CL_CLEAN; if (!ctx) { return CL_EARG; }
b7ae31f1
d39cb658	const char *parent_filepath = ctx->sub_filepath; ctx->sub_filepath = filepath;
b7ae31f1	#ifdef HAVE__INTERNAL__SHA_COLLECT
7b1f1aaf	if (ctx->sha_collect > 0) ctx->sha_collect = 0;
b7ae31f1	#endif cli_dbgmsg("in cli_magic_scandesc (reclevel: %u/%u)\n", ctx->recursion, ctx->engine->maxreclevel);
7b1f1aaf	if (FSTAT(desc, &sb) == -1) { cli_errmsg("magic_scandesc: Can't fstat descriptor %d\n", desc);
75fa8613	status = CL_ESTAT; cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
0359cc57	goto done;
b7ae31f1	}
7b1f1aaf	if (sb.st_size <= 5) { cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)sb.st_size);
75fa8613	status = CL_CLEAN; cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
0359cc57	goto done;
b7ae31f1	} ctx->fmap++; perf_start(ctx, PERFT_MAP);
7b1f1aaf	if (!(*ctx->fmap = fmap(desc, 0, sb.st_size))) { cli_errmsg("CRITICAL: fmap() failed\n"); ctx->fmap--; perf_stop(ctx, PERFT_MAP);
75fa8613	status = CL_EMEM; cli_dbgmsg("cli_magic_scandesc: returning %d %s (no post, no cache)\n", status, __AT__);
0359cc57	goto done;
b7ae31f1	} perf_stop(ctx, PERFT_MAP);
75fa8613	status = magic_scandesc(ctx, type);
b7ae31f1	funmap(*ctx->fmap); ctx->fmap--;
d39cb658
75fa8613	done:
d39cb658	ctx->sub_filepath = parent_filepath;
75fa8613	return status;
7770d314	}
d39cb658	int cli_magic_scandesc(int desc, const char filepath, cli_ctx ctx)
1d1c4b15	{
d39cb658	return cli_base_scandesc(desc, filepath, ctx, CL_TYPE_ANY);
1d1c4b15	} /* Have to keep partition typing separate */
d39cb658	int cli_partition_scandesc(int desc, const char filepath, cli_ctx ctx)
1d1c4b15	{
d39cb658	return cli_base_scandesc(desc, filepath, ctx, CL_TYPE_PART_ANY);
1d1c4b15	}
b7ae31f1	int cli_magic_scandesc_type(cli_ctx *ctx, cli_file_t type)
7770d314	{
b7ae31f1	return magic_scandesc(ctx, type);
7770d314	}
d39cb658	int cl_scandesc(int desc, const char filename, const char virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions)
edbba730	{
d39cb658	return cl_scandesc_callback(desc, filename, virname, scanned, engine, scanoptions, NULL);
edbba730	}
3cab931d	/* For map scans that may be forced to disk */
328a3325	int cli_map_scan(cl_fmap_t map, off_t offset, size_t length, cli_ctx ctx, cli_file_t type)
3cab931d	{ off_t old_off = map->nested_offset; size_t old_len = map->len; int ret = CL_CLEAN; cli_dbgmsg("cli_map_scan: [%ld, +%lu)\n",
7b1f1aaf	(long)offset, (unsigned long)length); if (offset < 0 \|\| (size_t)offset >= old_len) { cli_dbgmsg("Invalid offset: %ld\n", (long)offset); return CL_CLEAN;
3cab931d	}
7b1f1aaf	if (ctx->engine->engine_options & ENGINE_OPTIONS_FORCE_TO_DISK) {
3cab931d	/* if this is forced to disk, then need to write the nested map and scan it / const uint8_t mapdata = NULL; char *tempfile = NULL; int fd = -1; size_t nread = 0;
a4ce85ce	/* Then check length */
7b1f1aaf	if (!length) length = old_len - offset; if (length > old_len - offset) {
a4ce85ce	cli_dbgmsg("cli_map_scan: Data truncated: %lu -> %lu\n", (unsigned long)length, (unsigned long)(old_len - offset)); length = old_len - offset; }
7b1f1aaf	if (length <= 5) { cli_dbgmsg("cli_map_scan: Small data (%u bytes)\n", (unsigned int)length);
a4ce85ce	return CL_CLEAN; }
7b1f1aaf	if (!CLI_ISCONTAINED(old_off, old_len, old_off + offset, length)) {
4cd97da4	cli_dbgmsg("cli_map_scan: map error occurred [%ld, %zu]\n", (long)old_off, old_len);
a4ce85ce	return CL_CLEAN; } /* Length checked, now get map */
3cab931d	mapdata = fmap_need_off_once_len(map, offset, length, &nread);
7b1f1aaf	if (!mapdata \|\| (nread != length)) {
3cab931d	cli_errmsg("cli_map_scan: could not map sub-file\n"); return CL_EMAP; } ret = cli_gentempfd(ctx->engine->tmpdir, &tempfile, &fd);
7b1f1aaf	if (ret != CL_SUCCESS) {
3cab931d	return ret; } cli_dbgmsg("cli_map_scan: writing nested map content to temp file %s\n", tempfile);
7b1f1aaf	if (cli_writen(fd, mapdata, length) < 0) {
3cab931d	cli_errmsg("cli_map_scan: cli_writen error writing subdoc temporary file.\n"); ret = CL_EWRITE; } /* scan the temp file */
d39cb658	ret = cli_base_scandesc(fd, tempfile, ctx, type);
3cab931d	/* remove the temp file, if needed */
7b1f1aaf	if (fd >= 0) {
3cab931d	close(fd); }
7b1f1aaf	if (!ctx->engine->keeptmp) { if (cli_unlink(tempfile)) {
3cab931d	cli_errmsg("cli_map_scan: error unlinking tempfile %s\n", tempfile); ret = CL_EUNLINK; } } free(tempfile); }
7b1f1aaf	else {
3cab931d	/* Not forced to disk, use nested map */
328a3325	ret = cli_map_scandesc(map, offset, length, ctx, type);
3cab931d	} return ret; } /* For map scans that are not forced to disk */
328a3325	int cli_map_scandesc(cl_fmap_t map, off_t offset, size_t length, cli_ctx ctx, cli_file_t type)
c06374fe	{
87f76399	off_t old_off = map->nested_offset; size_t old_len = map->len;
c647912b	size_t old_real_len = map->real_len;
1e2696b0	int ret = CL_CLEAN;
c06374fe
0b3b2924	cli_dbgmsg("cli_map_scandesc: [%ld, +%lu), [%ld, +%lu)\n",
7b1f1aaf	(long)old_off, (unsigned long)old_len, (long)offset, (unsigned long)length); if (offset < 0 \|\| (size_t)offset >= old_len) { cli_dbgmsg("Invalid offset: %ld\n", (long)offset); return CL_CLEAN;
87f76399	}
7b1f1aaf	if (!length) length = old_len - offset; if (length > old_len - offset) { cli_dbgmsg("Data truncated: %zu -> %zu\n", length, old_len - (size_t)offset); length = old_len - (size_t)offset;
87f76399	}
7b1f1aaf	if (length <= 5) { cli_dbgmsg("Small data (%u bytes)\n", (unsigned int)length); return CL_CLEAN;
c06374fe	} ctx->fmap++; *ctx->fmap = map;
87f76399	/* can't change offset because then we'd have to discard/move cached * data, instead use another offset to reuse the already cached data */ map->nested_offset += offset; map->len = length; map->real_len = map->nested_offset + length;
7b1f1aaf	if (CLI_ISCONTAINED(old_off, old_len, map->nested_offset, map->len)) { ret = magic_scandesc(ctx, type); } else { long long len1, len2; len1 = old_off + old_len;
0b3b2924	len2 = map->nested_offset + map->len;
7b1f1aaf	cli_warnmsg("internal map error: %lu, %llu; %lu, %llu\n", (long unsigned)old_off, (long long unsigned)len1, (long unsigned)map->offset, (long long unsigned)len2);
87f76399	}
c06374fe
81e57728	ctx->fmap--;
87f76399	map->nested_offset = old_off; map->len = old_len;
c647912b	map->real_len = old_real_len;
c06374fe	return ret; }
b3a8f998	int cli_mem_scandesc(const void buffer, size_t length, cli_ctx ctx) { int ret; fmap_t *map = cl_fmap_open_memory(buffer, length);
7b1f1aaf	if (!map) { return CL_EMAP;
b3a8f998	}
328a3325	ret = cli_map_scan(map, 0, length, ctx, CL_TYPE_ANY);
b3a8f998	cl_fmap_close(map); return ret; }
d39cb658	/**
80fd9074	* @brief The main function to initiate a scan, that may be invoked with a file descriptor or a file map. *
d39cb658	* @param desc File descriptor of an open file. The caller must provide this or the map. * @param map File map. The caller must provide this or the desc. * @param filepath (optional, recommended) filepath of the open file descriptor or file map. * @param[out] virname Will be set to a statically allocated (i.e. needs not be freed) signature name if the scan matches against a signature. * @param[out] scanned The number of bytes scanned. * @param engine The scanning engine. * @param scanoptions Scanning options. * @param[in/out] context An opaque context structure allowing the caller to record details about the sample being scanned. * @return int CL_CLEAN, CL_VIRUS, or an error code if an error occured during the scan. / static cl_error_t scan_common(int desc, cl_fmap_t map, const char * filepath, const char *virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions, void *context)
aa7380df	{ cli_ctx ctx; int rc;
c6f5ef98	STATBUF sb;
99ee2138	/* We have a limit of around 2.17GB (INT_MAX - 2). Enforce it here. */
7b1f1aaf	if (map != NULL) {
99ee2138	if ((size_t)(map->real_len) > (size_t)(INT_MAX - 2)) return CL_CLEAN;
7b1f1aaf	} else {
c6f5ef98	if (FSTAT(desc, &sb)) return CL_ESTAT;
99ee2138	if ((size_t)(sb.st_size) > (size_t)(INT_MAX - 2))
c6f5ef98	return CL_CLEAN; }
aa7380df	memset(&ctx, '\0', sizeof(cli_ctx)); ctx.engine = engine; ctx.virname = virname; ctx.scanned = scanned;
d7979d4f	ctx.options = malloc(sizeof(struct cl_scan_options)); memcpy(ctx.options, scanoptions, sizeof(struct cl_scan_options));
aa7380df	ctx.found_possibly_unwanted = 0;
031fe00a	ctx.containers = cli_calloc(sizeof(cli_ctx_container), ctx.engine->maxreclevel + 2);
7b1f1aaf	if (!ctx.containers) return CL_EMEM;
031fe00a	cli_set_container(&ctx, CL_TYPE_ANY, 0);
7b1f1aaf	ctx.dconf = (struct cli_dconf *)engine->dconf;
aa7380df	ctx.cb_ctx = context; ctx.fmap = cli_calloc(sizeof(fmap_t *), ctx.engine->maxreclevel + 2);
7b1f1aaf	if (!ctx.fmap) return CL_EMEM; if (!(ctx.hook_lsig_matches = cli_bitset_init())) { free(ctx.fmap); return CL_EMEM;
aa7380df	}
63feb6cd	perf_init(&ctx);
aa7380df
0359cc57	if (ctx.engine->maxscantime != 0)
7b1f1aaf	{ if (gettimeofday(&ctx.time_limit, NULL) == 0) {
0359cc57	uint32_t secs = ctx.engine->maxscantime / 1000; uint32_t usecs = (ctx.engine->maxscantime % 1000) * 1000;
49b33289	ctx.time_limit.tv_sec += secs; ctx.time_limit.tv_usec += usecs;
7b1f1aaf	if (ctx.time_limit.tv_usec >= 1000000) {
49b33289	ctx.time_limit.tv_usec -= 1000000; ctx.time_limit.tv_sec++; }
7b1f1aaf	} else {
49b33289	char buf[64];
0359cc57	cli_dbgmsg("scan_common: gettimeofday error: %s\n", cli_strerror(errno, buf, 64));
49b33289	} }
80fd9074	if (filepath != NULL)
7b1f1aaf	{
d39cb658	ctx.target_filepath = strdup(filepath);
7b1f1aaf	}
aa7380df
769f37a6	cli_logg_setup(&ctx);
80fd9074	rc = map ? cli_map_scandesc(map, 0, map->len, &ctx, CL_TYPE_ANY)
d39cb658	: cli_magic_scandesc(desc, ctx.target_filepath, &ctx);
aa7380df
2a3d247b	#if HAVE_JSON
d7979d4f	if (ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && (ctx.properties != NULL))
7b1f1aaf	{
90f830e7	json_object jobj; const char jstring; /* set value of unique root object tag */
7b1f1aaf	if (json_object_object_get_ex(ctx.properties, "FileType", &jobj)) {
90f830e7	enum json_type type; const char *jstr; type = json_object_get_type(jobj);
7b1f1aaf	if (type == json_type_string) {
90f830e7	jstr = json_object_get_string(jobj); cli_jsonstr(ctx.properties, "RootFileType", jstr); } }
6606d050	/* serialize json properties to string */
90f830e7	jstring = json_object_to_json_string(ctx.properties);
7b1f1aaf	if (NULL == jstring) {
e56f0949	cli_errmsg("scan_common: no memory for json serialization.\n");
5043b1f3	rc = CL_EMEM;
e56f0949	}
7b1f1aaf	else {
6606d050	int ret = CL_SUCCESS;
09b1357a	struct cli_matcher *iroot = ctx.engine->root[13];
6606d050	cli_dbgmsg("%s\n", jstring);
f66533de
7b1f1aaf	if (rc != CL_VIRUS) {
514dfa1e	/* run bytecode preclass hook; generate fmap if needed for running hook */
47c2d618	struct cli_bc_ctx *bc_ctx = cli_bytecode_context_alloc();
7b1f1aaf	if (!bc_ctx) {
47c2d618	cli_errmsg("scan_common: can't allocate memory for bc_ctx\n"); rc = CL_EMEM; }
7b1f1aaf	else {
11616983	fmap_t *pc_map = map;
7b1f1aaf	if (!pc_map) {
11616983	perf_start(&ctx, PERFT_MAP);
7b1f1aaf	if (!(pc_map = fmap(desc, 0, sb.st_size))) {
11616983	perf_stop(&ctx, PERFT_MAP); rc = CL_EMEM; } perf_stop(&ctx, PERFT_MAP); }
7b1f1aaf	if (pc_map) {
11616983	cli_bytecode_context_setctx(bc_ctx, &ctx); rc = cli_bytecode_runhook(&ctx, ctx.engine, bc_ctx, BC_PRECLASS, pc_map); cli_bytecode_context_destroy(bc_ctx); if (!map) funmap(pc_map); }
47c2d618	}
514dfa1e	/* backwards compatibility: scan the json string unless a virus was detected */
72691885	if (rc != CL_VIRUS && (iroot->ac_lsigs \|\| iroot->ac_patterns #ifdef HAVE_PCRE \|\| iroot->pcre_metas #endif ))
7b1f1aaf	{
5f1ada67	cli_dbgmsg("scan_common: running deprecated preclass bytecodes for target type 13\n");
d7979d4f	ctx.options->general &= ~CL_SCAN_GENERAL_COLLECT_METADATA;
514dfa1e	rc = cli_mem_scandesc(jstring, strlen(jstring), &ctx); }
6606d050	}
5043b1f3
6606d050	/* Invoke file props callback */
7b1f1aaf	if (ctx.engine->cb_file_props != NULL) {
20a3b53b	ret = ctx.engine->cb_file_props(jstring, rc, ctx.cb_ctx);
6606d050	if (ret != CL_SUCCESS) rc = ret; } /* keeptmp file processing for file properties json string */
7b1f1aaf	if (ctx.engine->keeptmp) {
6606d050	int fd = -1;
7b1f1aaf	char *tmpname = NULL; if ((ret = cli_gentempfd(ctx.engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
6606d050	cli_dbgmsg("scan_common: Can't create json properties file, ret = %i.\n", ret);
7b1f1aaf	} else {
6606d050	if (cli_writen(fd, jstring, strlen(jstring)) < 0) cli_dbgmsg("scan_common: cli_writen error writing json properties file.\n"); else
c2ff4bf4	cli_dbgmsg("json written to: %s\n", tmpname);
5043b1f3	}
6606d050	if (fd != -1) close(fd); if (NULL != tmpname) free(tmpname);
5043b1f3	} }
8e586053	cli_json_delobj(ctx.properties); /* frees all json memory */
49b33289	#if 0 // test code - to be deleted if (cli_checktimelimit(&ctx) != CL_SUCCESS) { cli_errmsg("scan_common: timeout!\n"); rc = CL_ETIMEOUT; } #endif
e56f0949	} #endif
7b1f1aaf	if (rc == CL_CLEAN) {
d7979d4f	if ((ctx.found_possibly_unwanted) \|\|
80fd9074	((ctx.num_viruses != 0) && ((ctx.options->general & CL_SCAN_GENERAL_ALLMATCHES) \|\|
d7979d4f	(ctx.options->heuristic & CL_SCAN_HEURISTIC_EXCEEDS_MAX)) ))
7b1f1aaf	rc = CL_VIRUS;
1f1bf36b	}
d7979d4f
d39cb658	if (NULL != ctx.target_filepath) { free(ctx.target_filepath); }
d7979d4f	free(ctx.containers); cli_bitset_free(ctx.hook_lsig_matches); free(ctx.fmap); free(ctx.options);
4aa7baf1	cli_logg_unsetup();
63feb6cd	perf_done(&ctx);
aa7380df	return rc; }
d39cb658	int cl_scandesc_callback(int desc, const char filename, const char virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions, void *context)
c06374fe	{
d39cb658	return scan_common(desc, NULL, filename, virname, scanned, engine, scanoptions, context);
c06374fe	}
d39cb658	int cl_scanmap_callback(cl_fmap_t map, const char filename, const char *virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions, void *context)
c06374fe	{
d39cb658	return scan_common(-1, map, filename, virname, scanned, engine, scanoptions, context);
c06374fe	}
7b1f1aaf	int cli_found_possibly_unwanted(cli_ctx *ctx)
7f0d1148	{
7b1f1aaf	if (cli_get_last_virus(ctx)) { cli_dbgmsg("found Possibly Unwanted: %s\n", cli_get_last_virus(ctx));
d7979d4f	if (SCAN_HEURISTIC_PRECEDENCE)
7b1f1aaf	{ /* we found a heuristic match, don't scan further, * but consider it a virus. / cli_dbgmsg("cli_found_possibly_unwanted: CL_VIRUS\n"); return CL_VIRUS; } / heuristic scan isn't taking precedence, keep scanning.
80fd9074	* If this is part of an archive, and * we find a real malware we report that instead of the
7b1f1aaf	* heuristic match */ ctx->found_possibly_unwanted = 1; } else { cli_warnmsg("cli_found_possibly_unwanted called, but virname is not set\n");
6ad45a29	} emax_reached(ctx); return CL_CLEAN;
7f0d1148	}
3c91998b	static int cli_scanfile(const char filename, cli_ctx ctx)
21cf4aeb	{
7b1f1aaf	int fd, ret;
21cf4aeb
22275b15	/* internal version of cl_scanfile with arec/mrec preserved */
7b1f1aaf	if ((fd = safe_open(filename, O_RDONLY \| O_BINARY)) == -1) return CL_EOPEN;
21cf4aeb
d39cb658	ret = cli_magic_scandesc(fd, filename, ctx);
21cf4aeb	close(fd); return ret; }
d7979d4f	int cl_scanfile(const char filename, const char virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions)
e3aaff8e	{
769f37a6	return cl_scanfile_callback(filename, virname, scanned, engine, scanoptions, NULL);
e3aaff8e	}
72ce4b70
d7979d4f	int cl_scanfile_callback(const char filename, const char virname, unsigned long int scanned, const struct cl_engine engine, struct cl_scan_options scanoptions, void *context)
edbba730	{
7b1f1aaf	int fd, ret; const char *fname = cli_to_utf8_maybe_alloc(filename);
edbba730
7b1f1aaf	if (!fname) return CL_EARG;
8ab47ebe
7b1f1aaf	if ((fd = safe_open(fname, O_RDONLY \| O_BINARY)) == -1) return CL_EOPEN;
edbba730
7b1f1aaf	if (fname != filename)
d39cb658	free((char *)fname);
8ab47ebe
d39cb658	ret = cl_scandesc_callback(fd, filename, virname, scanned, engine, scanoptions, context);
edbba730	close(fd); return ret; }
72ce4b70	/* Local Variables: c-basic-offset: 4 End: */