| 9cb3e8eb |
/*
* Byte comparison matcher support functions
* |
| e1cbc270 |
* Copyright (C) 2018-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. |
| 9cb3e8eb |
*
* Authors: Mickey Sola
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
| 55a39cfe |
#include <errno.h>
|
| 9cb3e8eb |
#include "clamav.h"
#include "others.h"
#include "matcher.h"
#include "matcher-ac.h"
#include "matcher-byte-comp.h"
#include "mpool.h"
#include "readdb.h"
#include "str.h"
/* DEBUGGING */ |
| 2ffb4f32 |
//#define MATCHER_BCOMP_DEBUG |
| 9cb3e8eb |
#ifdef MATCHER_BCOMP_DEBUG |
| 288057e9 |
#define bcm_dbgmsg(...) cli_dbgmsg(__VA_ARGS__) |
| 9cb3e8eb |
#else |
| 288057e9 |
#define bcm_dbgmsg(...) |
| 9cb3e8eb |
#endif
#undef MATCHER_BCOMP_DEBUG
/* BCOMP MATCHER FUNCTIONS */
/**
* @brief function to add the byte compare subsig into the matcher root struct
*
* @param root the matcher root struct in question, houses all relevant lsig and subsig info
* @param virname virusname as given by the signature
* @param hexsig the raw sub signature buffer itself which we will be checking/parsing
* @param lsigid the numeric internal reference number which can be used to access this lsig in the root struct
* @param options additional options for pattern matching, stored as a bitmask
*
*/ |
| 288057e9 |
cl_error_t cli_bcomp_addpatt(struct cli_matcher *root, const char *virname, const char *hexsig, const uint32_t *lsigid, unsigned int options)
{ |
| 9cb3e8eb |
|
| 288057e9 |
size_t len = 0;
uint32_t i = 0; |
| 9cb3e8eb |
const char *buf_start = NULL; |
| 288057e9 |
const char *buf_end = NULL;
char *buf = NULL; |
| 1d859d1c |
const char *tokens[4]; |
| 288057e9 |
size_t toks = 0; |
| 9cb3e8eb |
int16_t ref_subsigid = -1;
int64_t offset_param = 0; |
| 288057e9 |
int64_t ret = CL_SUCCESS;
size_t byte_length = 0;
int64_t comp_val = 0;
char *comp_buf = NULL;
char *comp_start = NULL;
char *comp_end = NULL; |
| 9cb3e8eb |
|
| 1d859d1c |
if (!hexsig || !(*hexsig) || !root || !virname) {
return CL_ENULLARG;
}
|
| 9cb3e8eb |
/* we'll be using these to help the root matcher struct keep track of each loaded byte compare pattern */ |
| 288057e9 |
struct cli_bcomp_meta **newmetatable; |
| 9cb3e8eb |
uint32_t bcomp_count = 0;
/* zero out our byte compare data struct and tie it to the root struct's mempool instance */
struct cli_bcomp_meta *bcomp; |
| 544fa973 |
bcomp = (struct cli_bcomp_meta *)MPOOL_CALLOC(root->mempool, 1, sizeof(*bcomp)); |
| 9cb3e8eb |
if (!bcomp) {
cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for new byte compare meta\n");
return CL_EMEM;
}
/* allocate virname space with the root structure's mempool instance */ |
| 544fa973 |
bcomp->virname = (char *)CLI_MPOOL_VIRNAME(root->mempool, virname, options & CL_DB_OFFICIAL); |
| 288057e9 |
if (!bcomp->virname) { |
| 9cb3e8eb |
cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for virname or NULL virname\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMEM;
}
/* bring along the standard lsigid vector, first param marks validity of vector, 2nd is lsigid, 3rd is subsigid */
if (lsigid) {
root->ac_lsigtable[lsigid[0]]->virname = bcomp->virname;
bcomp->lsigid[0] = 1;
bcomp->lsigid[1] = lsigid[0];
bcomp->lsigid[2] = lsigid[1]; |
| 288057e9 |
} else { |
| 9cb3e8eb |
/* sigtool */
bcomp->lsigid[0] = 0;
}
/* first need to grab the subsig reference, we'll use this later to determine our offset */
buf_start = hexsig; |
| 288057e9 |
buf_end = hexsig; |
| 9cb3e8eb |
|
| 288057e9 |
ref_subsigid = strtol(buf_start, (char **)&buf_end, 10); |
| 9cb3e8eb |
if (buf_end && buf_end[0] != '(') {
cli_errmsg("cli_bcomp_addpatt: while byte compare subsig parsing, reference subsig id was invalid or included non-decimal character\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
bcomp->ref_subsigid = ref_subsigid;
/* use the passed hexsig buffer to find the start and ending parens and store the param length (minus starting paren) */
buf_start = buf_end;
if (buf_start[0] == '(') { |
| 288057e9 |
if ((buf_end = strchr(buf_start, ')'))) {
len = (size_t)(buf_end - ++buf_start);
} else { |
| 9cb3e8eb |
cli_errmsg("cli_bcomp_addpatt: ending paren not found\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
} |
| 288057e9 |
} else {
cli_errmsg("cli_bcomp_addpatt: opening paren not found\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB; |
| 9cb3e8eb |
}
/* make a working copy of the param buffer */ |
| 2e06875d |
buf = CLI_STRNDUP(buf_start, len); |
| 9cb3e8eb |
/* break up the new param buffer into its component strings and verify we have exactly 3 */ |
| 288057e9 |
toks = cli_strtokenize(buf, '#', 3 + 1, tokens); |
| 9cb3e8eb |
if (3 != toks) {
cli_errmsg("cli_bcomp_addpatt: %zu (or more) params provided, 3 expected\n", toks);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
} |
| 1d859d1c |
tokens[3] = NULL; |
| 9cb3e8eb |
/* since null termination is super guaranteed thanks to strndup and cli_strokenize, we can use strtol to grab the
* offset params. this has the added benefit of letting us parse hex values too */ |
| 288057e9 |
buf_end = NULL; |
| 9cb3e8eb |
buf_start = tokens[0];
switch (buf_start[0]) {
case '<': |
| ac09aa7d |
if ((++buf_start)[0] == '<') { |
| 288057e9 |
offset_param = strtol(++buf_start, (char **)&buf_end, 0);
if (buf_end && buf_end + 1 != tokens[1]) { |
| 9cb3e8eb |
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), offset parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
/* two's-complement for negative value */
offset_param = (~offset_param) + 1;
|
| 288057e9 |
} else {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator not valid\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
} |
| 9cb3e8eb |
break;
case '>': |
| ac09aa7d |
if ((++buf_start)[0] == '>') { |
| 288057e9 |
offset_param = strtol(++buf_start, (char **)&buf_end, 0);
if (buf_end && buf_end + 1 != tokens[1]) { |
| 9cb3e8eb |
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), offset parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
break;
} else { |
| 288057e9 |
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator and/or offset not valid\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB; |
| 9cb3e8eb |
}
case '0':
case '\0':
offset_param = 0;
break;
default:
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), shift operator included invalid characters\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
bcomp->offset = offset_param;
/* the byte length indicator options are stored in a bitmask--by design each option gets its own nibble */
buf_start = tokens[1];
|
| 55a39cfe |
while (!isdigit(*buf_start)) {
switch (*buf_start) {
case 'h': |
| 7a0314d2 |
/* hex, decimal, auto, and binary options are mutually exclusive parameters */
if (bcomp->options & CLI_BCOMP_DEC || bcomp->options & CLI_BCOMP_BIN || bcomp->options & CLI_BCOMP_AUTO) { |
| 55a39cfe |
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_HEX; |
| 288057e9 |
}
break; |
| 7a0314d2 |
|
| 55a39cfe |
case 'd': |
| 7a0314d2 |
/* hex, decimal, auto, and binary options are mutually exclusive parameters */ |
| ff8953f5 |
/* decimal may not be used with little-endian. big-endian is implied. */
if (bcomp->options & CLI_BCOMP_HEX || bcomp->options & CLI_BCOMP_BIN || bcomp->options & CLI_BCOMP_AUTO || bcomp->options & CLI_BCOMP_LE) { |
| 55a39cfe |
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_DEC; |
| ff8953f5 |
bcomp->options |= CLI_BCOMP_BE; |
| 288057e9 |
}
break; |
| 7a0314d2 |
|
| 55a39cfe |
case 'i': |
| 7a0314d2 |
/* hex, decimal, auto, and binary options are mutually exclusive parameters */
if (bcomp->options & CLI_BCOMP_HEX || bcomp->options & CLI_BCOMP_DEC || bcomp->options & CLI_BCOMP_AUTO) { |
| 55a39cfe |
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_BIN; |
| 288057e9 |
}
break; |
| 7a0314d2 |
case 'a':
/* for automatic hex or decimal run-time detection */
/* hex, decimal, auto, and binary options are mutually exclusive parameters */
if (bcomp->options & CLI_BCOMP_HEX || bcomp->options & CLI_BCOMP_DEC || bcomp->options & CLI_BCOMP_BIN) {
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_AUTO; |
| 288057e9 |
}
break; |
| 7a0314d2 |
|
| 55a39cfe |
case 'l':
/* little and big endian options are mutually exclusive parameters */ |
| ff8953f5 |
/* decimal may not be used with little-endian */
if (bcomp->options & CLI_BCOMP_BE || bcomp->options & CLI_BCOMP_DEC) { |
| 55a39cfe |
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_LE; |
| 288057e9 |
}
break; |
| 7a0314d2 |
|
| 55a39cfe |
case 'b':
/* little and big endian options are mutually exclusive parameters */
if (bcomp->options & CLI_BCOMP_LE) {
ret = CL_EMALFDB;
} else {
bcomp->options |= CLI_BCOMP_BE; |
| 288057e9 |
}
break; |
| 7a0314d2 |
|
| 55a39cfe |
case 'e':
/* for exact byte length matches */
bcomp->options |= CLI_BCOMP_EXACT;
break; |
| 9cb3e8eb |
|
| 55a39cfe |
default:
ret = CL_EMALFDB;
break;
} |
| 9cb3e8eb |
|
| 55a39cfe |
if (CL_EMALFDB == ret) {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), option parameter was found invalid\n", tokens[0], tokens[1], tokens[2]); |
| 9cb3e8eb |
free(buf);
cli_bcomp_freemeta(root, bcomp); |
| 55a39cfe |
return ret;
}
buf_start++; |
| 9cb3e8eb |
}
/* parse out the byte length parameter */ |
| 288057e9 |
buf_end = NULL;
byte_length = strtol(buf_start, (char **)&buf_end, 0);
if (buf_end && buf_end + 1 != tokens[2]) { |
| c989fcb2 |
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte length parameter included invalid characters\n", tokens[0], tokens[1], tokens[2]); |
| 9cb3e8eb |
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
|
| c989fcb2 |
if (bcomp->options & CLI_BCOMP_BIN && (byte_length > CLI_BCOMP_MAX_BIN_BLEN || CLI_BCOMP_MAX_BIN_BLEN % byte_length)) {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte length was either too long or not a valid number of bytes\n", tokens[0], tokens[1], tokens[2]); |
| 55a39cfe |
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
|
| 7a0314d2 |
/* same deal with hex byte lengths */
if (bcomp->options & CLI_BCOMP_HEX && (byte_length > CLI_BCOMP_MAX_HEX_BLEN)) {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte length was too long\n", tokens[0], tokens[1], tokens[2]);
free(buf);
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
|
| 9cb3e8eb |
bcomp->byte_len = byte_length;
|
| 731d44f2 |
/* we can have up to two comparison eval statements, each sperated by a comma, let's parse them in a separate string */
comp_buf = cli_strdup(tokens[2]);
if (!comp_buf) {
cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for comparison buffer\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMEM;
}
/* use different buffer start and end markers so we can keep track of what we need to free later */ |
| 288057e9 |
buf_start = comp_buf; |
| 731d44f2 |
comp_start = strchr(comp_buf, ','); |
| 288057e9 |
comp_end = strrchr(comp_buf, ','); |
| 9cb3e8eb |
|
| 731d44f2 |
/* check to see if we have exactly one comma, then set our count and tokenize our string apropriately */
if (comp_start && comp_end) {
if (comp_end == comp_start) { |
| 288057e9 |
comp_start[0] = '\0'; |
| 731d44f2 |
bcomp->comp_count = 2;
} else {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), too many commas found in comparison string\n", tokens[0], tokens[1], tokens[2]); |
| 9cb3e8eb |
cli_bcomp_freemeta(root, bcomp); |
| 731d44f2 |
free(buf); |
| 288057e9 |
free((void *)buf_start); |
| 731d44f2 |
return CL_EPARSE;
}
} else { |
| 288057e9 |
comp_start = comp_buf; |
| 731d44f2 |
bcomp->comp_count = 1; |
| 9cb3e8eb |
}
|
| 731d44f2 |
/* allocate comp struct list space with the root structure's mempool instance */ |
| 544fa973 |
bcomp->comps = (struct cli_bcomp_comp **)MPOOL_CALLOC(root->mempool, bcomp->comp_count, sizeof(struct cli_bcomp_comp *)); |
| 288057e9 |
if (!bcomp->comps) { |
| 731d44f2 |
cli_errmsg("cli_bcomp_addpatt: unable to allocate memory for comp struct pointers\n"); |
| 9cb3e8eb |
free(buf); |
| 288057e9 |
free((void *)buf_start); |
| 9cb3e8eb |
cli_bcomp_freemeta(root, bcomp); |
| 731d44f2 |
return CL_EMEM; |
| 9cb3e8eb |
}
|
| 731d44f2 |
/* loop through our new list, allocate, and parse out the needed comparison evaluation bits for this subsig */
for (i = 0; i < bcomp->comp_count; i++) {
|
| 544fa973 |
bcomp->comps[i] = (struct cli_bcomp_comp *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_bcomp_comp)); |
| 288057e9 |
if (!bcomp->virname) { |
| 731d44f2 |
cli_errmsg("cli_bcomp_addpatt: unable to allocate memory for comp struct\n");
free(buf); |
| 288057e9 |
free((void *)buf_start); |
| 731d44f2 |
cli_bcomp_freemeta(root, bcomp);
return CL_EMEM;
}
/* currently only >, <, and = are supported comparison symbols--this makes parsing very simple */
switch (*comp_buf) {
case '<':
case '>':
case '=': |
| 288057e9 |
bcomp->comps[i]->comp_symbol = *comp_buf;
break; |
| 731d44f2 |
default:
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), byte comparison symbol was invalid (>, <, = are supported operators) %s\n", tokens[0], tokens[1], tokens[2], comp_buf);
free(buf); |
| 288057e9 |
free((void *)buf_start); |
| 731d44f2 |
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
/* grab the comparison value itself */
comp_end = NULL;
comp_buf++; |
| 288057e9 |
comp_val = strtoll(comp_buf, (char **)&comp_end, 0); |
| 731d44f2 |
if (*comp_end) {
cli_errmsg("cli_bcomp_addpatt: while parsing (%s#%s#%s), comparison value contained invalid input\n", tokens[0], tokens[1], tokens[2]);
free(buf); |
| 288057e9 |
free((void *)buf_start); |
| 731d44f2 |
cli_bcomp_freemeta(root, bcomp);
return CL_EMALFDB;
}
bcomp->comps[i]->comp_value = comp_val;
/* a bit of tricksy pointer stuffs which handles all count cases, taking advantage of where strtoll drops endptr */
if (comp_end == comp_start) {
comp_buf = comp_start;
comp_buf++;
} |
| 9cb3e8eb |
|
| 731d44f2 |
/* manually verify successful pattern parsing */
bcm_dbgmsg("Matcher Byte Compare: (%s%ld#%c%c%s%zu#%c%ld)\n", |
| 288057e9 |
bcomp->offset == 0 ? "" : (bcomp->offset < 0 ? "<<" : ">>"),
bcomp->offset,
bcomp->options & CLI_BCOMP_HEX ? 'h' : (bcomp->options & CLI_BCOMP_DEC ? 'd' : 'i'),
bcomp->options & CLI_BCOMP_LE ? 'l' : 'b',
bcomp->options & CLI_BCOMP_EXACT ? "e" : "",
bcomp->byte_len,
bcomp->comps[i]->comp_symbol,
bcomp->comps[i]->comp_value); |
| 731d44f2 |
} |
| 9cb3e8eb |
|
| 288057e9 |
free((void *)buf_start); |
| 731d44f2 |
buf_start = NULL; |
| 9cb3e8eb |
/* add byte compare info to the root after reallocation */ |
| 288057e9 |
bcomp_count = root->bcomp_metas + 1; |
| 9cb3e8eb |
/* allocate space for new meta table to store in root structure and increment number of byte compare patterns added */ |
| 544fa973 |
newmetatable = (struct cli_bcomp_meta **)MPOOL_REALLOC(root->mempool, root->bcomp_metatable, bcomp_count * sizeof(struct cli_bcomp_meta *)); |
| 288057e9 |
if (!newmetatable) { |
| 9cb3e8eb |
cli_errmsg("cli_bcomp_addpatt: Unable to allocate memory for new bcomp meta table\n");
cli_bcomp_freemeta(root, bcomp);
return CL_EMEM;
}
|
| 288057e9 |
newmetatable[bcomp_count - 1] = bcomp;
root->bcomp_metatable = newmetatable; |
| 9cb3e8eb |
root->bcomp_metas = bcomp_count;
/* if everything went well bcomp has been totally populated, which means we can cleanup and exit */
free(buf);
return CL_SUCCESS;
}
/**
* @brief function to perform all byte compare matching on the file buffer
*
* @param map the file map to perform logical byte comparison upon
* @param res the result structure, primarily used by sigtool
* @param root the root structure in which all byte compare lsig and subsig information is stored
* @param mdata the ac data struct which contains offset information from recent subsig matches
* @param ctx the clamav context struct
*
*/ |
| 288057e9 |
cl_error_t cli_bcomp_scanbuf(const unsigned char *buffer, size_t buffer_length, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, cli_ctx *ctx)
{ |
| 9cb3e8eb |
|
| 102cd430 |
int64_t i = 0, ret = CL_SUCCESS; |
| 9cb3e8eb |
uint32_t lsigid, ref_subsigid; |
| 288057e9 |
uint32_t offset = 0;
uint8_t viruses_found = 0; |
| 9cb3e8eb |
struct cli_bcomp_meta *bcomp = NULL; |
| 39b1609d |
struct cli_ac_result *newres = NULL; |
| 9cb3e8eb |
|
| 5a4fb454 |
uint32_t evalcnt = 0;
uint64_t evalids = 0; |
| 288057e9 |
char *subsigid = NULL; |
| 5a4fb454 |
|
| 9cb3e8eb |
if (!(root) || !(root->bcomp_metas) || !(root->bcomp_metatable) || !(mdata) || !(mdata->offmatrix) || !(ctx)) {
return CL_SUCCESS;
}
|
| 288057e9 |
for (i = 0; i < root->bcomp_metas; i++) { |
| 9cb3e8eb |
|
| 288057e9 |
bcomp = root->bcomp_metatable[i];
lsigid = bcomp->lsigid[1]; |
| 9cb3e8eb |
ref_subsigid = bcomp->ref_subsigid;
|
| 39b1609d |
/* check to see if we are being run in sigtool or not */
if (bcomp->lsigid[0]) { |
| 5a4fb454 |
subsigid = cli_calloc(3, sizeof(char));
sprintf(subsigid, "%hu", bcomp->ref_subsigid);
/* verify the ref_subsigid */
if (cli_ac_chklsig(subsigid, subsigid + strlen(subsigid), |
| 288057e9 |
mdata->lsigcnt[bcomp->lsigid[1]], &evalcnt, &evalids, 0) != 1) { |
| 5a4fb454 |
bcm_dbgmsg("cli_bcomp_scanbuf: could not verify a match for lsig reference subsigid (%s)\n", subsigid);
continue;
}
|
| 39b1609d |
/* ensures the referenced subsig matches as expected, and also ensures mdata has the needed offset */ |
| 288057e9 |
if ((ret = lsig_sub_matched(root, mdata, lsigid, ref_subsigid, CLI_OFF_NONE, 0))) { |
| 5a4fb454 |
break; |
| 39b1609d |
} |
| 9cb3e8eb |
|
| 39b1609d |
/* grab the needed offset using from the last matched subsig offset matrix, i.e. the match performed above */
if (mdata->lsigsuboff_last[lsigid]) {
offset = mdata->lsigsuboff_last[lsigid][ref_subsigid];
} else {
ret = CL_SUCCESS;
continue;
} |
| 9cb3e8eb |
} else { |
| 5a4fb454 |
/* can't run lsig_sub_matched in sigtool, and mdata isn't populated so run the raw matcher stuffs */ |
| 288057e9 |
if (res) { |
| 39b1609d |
newres = (struct cli_ac_result *)cli_calloc(1, sizeof(struct cli_ac_result)); |
| 288057e9 |
if (!newres) { |
| 5a4fb454 |
cli_errmsg("cli_bcomp_scanbuf: can't allocate memory for new result\n"); |
| 39b1609d |
ret = CL_EMEM;
break;
} |
| 288057e9 |
newres->virname = bcomp->virname; |
| 39b1609d |
newres->customdata = NULL; |
| 288057e9 |
newres->next = *res;
*res = newres; |
| 39b1609d |
} |
| 9cb3e8eb |
}
|
| a42ec8d5 |
/* no offset available, make a best effort */
if (offset == CLI_OFF_NONE) {
offset = 0;
}
|
| 9cb3e8eb |
/* now we have all the pieces of the puzzle, so lets do our byte compare check */ |
| 464d801b |
ret = cli_bcomp_compare_check(buffer, buffer_length, offset, bcomp); |
| 9cb3e8eb |
/* set and append our lsig's virus name if the comparison came back positive */
if (CL_VIRUS == ret) {
viruses_found = 1;
if (virname) {
*virname = bcomp->virname;
}
/* if we aren't scanning all, let's just exit here */ |
| faa20835 |
if (!SCAN_ALLMATCHES) { |
| 9cb3e8eb |
break;
} else {
ret = cli_append_virus(ctx, (const char *)bcomp->virname);
}
}
}
if (ret == CL_SUCCESS && viruses_found) {
return CL_VIRUS;
}
return ret;
}
/**
* @brief does a numerical, logical byte comparison on a particular offset given a filemapping and the offset
*
* @param map the file buffer we'll be accessing to do our comparison check
* @param offset the offset of the referenced subsig match from the start of the file buffer
* @param bm the byte comparison meta data struct, contains all the other info needed to do the comparison
*
*/ |
| 288057e9 |
cl_error_t cli_bcomp_compare_check(const unsigned char *f_buffer, size_t buffer_length, int offset, struct cli_bcomp_meta *bm) |
| 9cb3e8eb |
{
|
| 288057e9 |
uint32_t byte_len = 0;
uint32_t pad_len = 0;
uint32_t norm_len = 0;
uint32_t length = 0;
uint32_t i = 0;
cl_error_t ret = 0;
uint16_t opt = 0;
uint16_t opt_val = 0;
int64_t value = 0; |
| 0efcd558 |
int64_t bin_value = 0; |
| 288057e9 |
int16_t compare_check = 0;
unsigned char *end_buf = NULL;
unsigned char *buffer = NULL;
unsigned char *tmp_buffer = NULL; |
| 9cb3e8eb |
|
| ca400eec |
if (!f_buffer || !bm) { |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: a param is null\n"); |
| 1d859d1c |
return CL_ENULLARG;
}
byte_len = bm->byte_len; |
| 288057e9 |
length = buffer_length;
opt = bm->options; |
| 1d859d1c |
|
| 9cb3e8eb |
/* ensure we won't run off the end of the file buffer */ |
| 6c5805e4 |
if (!(offset + bm->offset + byte_len <= length)) {
bcm_dbgmsg("cli_bcomp_compare_check: %u bytes requested at offset %zu would go past file buffer of %u\n", byte_len, (offset + bm->offset), length);
return CL_CLEAN;
}
if (!(offset + bm->offset > 0)) {
bcm_dbgmsg("cli_bcomp_compare_check: negative offset would underflow buffer\n");
return CL_CLEAN; |
| 9cb3e8eb |
}
/* jump to byte compare offset, then store off specified bytes into a null terminated buffer */
offset += bm->offset; |
| ca400eec |
f_buffer += offset; |
| 464d801b |
|
| ca400eec |
bcm_dbgmsg("cli_bcomp_compare_check: literal extracted bytes before comparison %.*s\n", byte_len, f_buffer);
/* normalize buffer for whitespace */
opt_val = opt & 0x000F; |
| 288057e9 |
if (!(opt_val & CLI_BCOMP_BIN)) { |
| ca400eec |
buffer = cli_bcomp_normalize_buffer(f_buffer, byte_len, &pad_len, opt, 1);
if (NULL == buffer) {
cli_errmsg("cli_bcomp_compare_check: unable to whitespace normalize temp buffer, allocation failed\n");
return CL_EMEM;
}
/* adjust byte_len accordingly */
byte_len -= pad_len;
} |
| 18d57d73 |
/* normalize buffer for little endian vals */
opt_val = opt & 0x00F0;
if (opt_val == CLI_BCOMP_LE) {
opt_val = opt & 0x000F; |
| 288057e9 |
if (!(opt_val & CLI_BCOMP_BIN)) { |
| 2ffb4f32 |
tmp_buffer = cli_bcomp_normalize_buffer(buffer, byte_len, NULL, opt, 0); |
| 18d57d73 |
if (NULL == tmp_buffer) { |
| ca400eec |
cli_errmsg("cli_bcomp_compare_check: unable to normalize temp, allocation failed\n"); |
| 18d57d73 |
return CL_EMEM; |
| 7a0314d2 |
} |
| 18d57d73 |
}
} |
| 7a0314d2 |
|
| 18d57d73 |
opt_val = opt;
if (opt_val & CLI_BCOMP_AUTO) { |
| 2ffb4f32 |
opt = cli_bcomp_chk_hex(buffer, opt_val, byte_len, 0); |
| 18d57d73 |
} |
| 7a0314d2 |
|
| 18d57d73 |
/* grab the first byte to handle byte length options to convert the string appropriately */ |
| 288057e9 |
switch (opt & 0x00FF) { |
| 9cb3e8eb |
/*hl*/
case CLI_BCOMP_HEX | CLI_BCOMP_LE: |
| e0295a9f |
if (byte_len != 1) {
norm_len = (byte_len % 2) == 0 ? byte_len : byte_len + 1;
} else {
norm_len = 1;
} |
| 55a39cfe |
errno = 0; |
| 288057e9 |
value = cli_strntol((char *)tmp_buffer, norm_len, (char **)&end_buf, 16); |
| 55a39cfe |
if ((((value == LONG_MAX) || (value == LONG_MIN)) && errno == ERANGE) || NULL == end_buf) {
|
| 18d57d73 |
free(tmp_buffer); |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: little endian hex conversion unsuccessful\n"); |
| 9cb3e8eb |
return CL_CLEAN;
} |
| 55a39cfe |
/*hle*/
if (opt & CLI_BCOMP_EXACT) { |
| 288057e9 |
if (tmp_buffer + byte_len != end_buf || pad_len != 0) { |
| 55a39cfe |
|
| 18d57d73 |
free(tmp_buffer); |
| 2ffb4f32 |
free(buffer); |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: couldn't extract the exact number of requested bytes\n"); |
| 55a39cfe |
return CL_CLEAN;
}
} |
| 9cb3e8eb |
break;
|
| 288057e9 |
/*hb*/ |
| 9cb3e8eb |
case CLI_BCOMP_HEX | CLI_BCOMP_BE: |
| 288057e9 |
value = cli_strntol((char *)buffer, byte_len, (char **)&end_buf, 16); |
| 55a39cfe |
if ((((value == LONG_MAX) || (value == LONG_MIN)) && errno == ERANGE) || NULL == end_buf) { |
| 9cb3e8eb |
|
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: big endian hex conversion unsuccessful\n"); |
| 9cb3e8eb |
return CL_CLEAN;
} |
| 55a39cfe |
/*hbe*/
if (opt & CLI_BCOMP_EXACT) { |
| 288057e9 |
if (buffer + byte_len != end_buf || pad_len != 0) { |
| 9cb3e8eb |
|
| 2ffb4f32 |
free(buffer); |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: couldn't extract the exact number of requested bytes\n"); |
| 55a39cfe |
return CL_CLEAN;
}
}
|
| 9cb3e8eb |
break;
/*dl*/
case CLI_BCOMP_DEC | CLI_BCOMP_LE: |
| ff8953f5 |
/* it may be possible for the auto option to proc this */ |
| 2ffb4f32 |
if (buffer) {
free(buffer);
} |
| ff8953f5 |
bcm_dbgmsg("cli_bcomp_compare_check: auto detection found ascii decimal for specified little endian byte extraction, which is unsupported\n");
return CL_CLEAN; |
| 9cb3e8eb |
break;
/*db*/
case CLI_BCOMP_DEC | CLI_BCOMP_BE: |
| 288057e9 |
value = cli_strntol((char *)buffer, byte_len, (char **)&end_buf, 10); |
| 55a39cfe |
if ((((value == LONG_MAX) || (value == LONG_MIN)) && errno == ERANGE) || NULL == end_buf) { |
| 9cb3e8eb |
|
| 2ffb4f32 |
free(buffer); |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: big endian decimal conversion unsuccessful\n"); |
| 9cb3e8eb |
return CL_CLEAN;
} |
| 55a39cfe |
/*dbe*/
if (opt & CLI_BCOMP_EXACT) { |
| 288057e9 |
if (buffer + byte_len != end_buf || pad_len != 0) { |
| 55a39cfe |
|
| 2ffb4f32 |
free(buffer); |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: couldn't extract the exact number of requested bytes\n"); |
| 55a39cfe |
return CL_CLEAN;
}
} |
| 9cb3e8eb |
break; |
| 5a4fb454 |
|
| c989fcb2 |
/*il*/ |
| 55a39cfe |
case CLI_BCOMP_BIN | CLI_BCOMP_LE: |
| c989fcb2 |
/* exact byte_length option is implied for binary extraction */
switch (byte_len) { |
| 288057e9 |
case 1: |
| 0efcd558 |
bin_value = (int64_t)(*(uint8_t *)f_buffer); |
| 288057e9 |
break;
case 2: |
| 0efcd558 |
bin_value = (int64_t)le16_to_host(*(uint16_t *)f_buffer); |
| 288057e9 |
break;
case 4: |
| 0efcd558 |
bin_value = (int64_t)le32_to_host(*(uint32_t *)f_buffer); |
| 288057e9 |
break;
case 8: |
| 0efcd558 |
bin_value = (int64_t)le64_to_host(*(uint64_t *)f_buffer); |
| 288057e9 |
break; |
| c989fcb2 |
default: |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: invalid byte size for binary integer field (%u)\n", byte_len); |
| 2ffb4f32 |
free(buffer); |
| c989fcb2 |
return CL_EARG;
} |
| 55a39cfe |
break; |
| 5a4fb454 |
|
| c989fcb2 |
/*ib*/ |
| 55a39cfe |
case CLI_BCOMP_BIN | CLI_BCOMP_BE: |
| c989fcb2 |
/* exact byte_length option is implied for binary extraction */
switch (byte_len) { |
| 288057e9 |
case 1: |
| 0efcd558 |
bin_value = (int64_t)(*(uint8_t *)f_buffer); |
| 288057e9 |
break;
case 2: |
| 0efcd558 |
bin_value = (int64_t)be16_to_host(*(uint16_t *)f_buffer); |
| 288057e9 |
break;
case 4: |
| 0efcd558 |
bin_value = (int64_t)be32_to_host(*(uint32_t *)f_buffer); |
| 288057e9 |
break;
case 8: |
| 0efcd558 |
bin_value = (int64_t)be64_to_host(*(uint64_t *)f_buffer); |
| 288057e9 |
break; |
| c989fcb2 |
default: |
| a47b151c |
bcm_dbgmsg("cli_bcomp_compare_check: invalid byte size for binary integer field (%u)\n", byte_len); |
| 2ffb4f32 |
free(buffer); |
| c989fcb2 |
return CL_EARG;
} |
| 55a39cfe |
break; |
| 5a4fb454 |
|
| 9cb3e8eb |
default: |
| 18d57d73 |
bcm_dbgmsg("cli_bcomp_compare_check: options were found invalid\n");
if (tmp_buffer) {
free(tmp_buffer);
} |
| 2ffb4f32 |
|
| 288057e9 |
if (buffer) { |
| 2ffb4f32 |
free(buffer);
} |
| 9cb3e8eb |
return CL_ENULLARG;
}
|
| 18d57d73 |
if (tmp_buffer) {
free(tmp_buffer);
}
|
| 2ffb4f32 |
if (buffer) {
free(buffer);
}
|
| 9cb3e8eb |
/* do the actual comparison */ |
| 731d44f2 |
ret = CL_CLEAN;
for (i = 0; i < bm->comp_count; i++) {
if (bm->comps && bm->comps[i]) {
switch (bm->comps[i]->comp_symbol) {
case '>': |
| 9703d971 |
if (opt & CLI_BCOMP_BIN) {
compare_check = (bin_value > bm->comps[i]->comp_value);
} else {
compare_check = (value > bm->comps[i]->comp_value);
}
if (compare_check) {
bcm_dbgmsg("cli_bcomp_compare_check: extracted value (%ld) greater than comparison value (%ld)\n", (opt & CLI_BCOMP_BIN) ? bin_value : value, bm->comps[i]->comp_value); |
| 731d44f2 |
ret = CL_VIRUS;
} else {
ret = CL_CLEAN;
}
break; |
| 9cb3e8eb |
|
| 731d44f2 |
case '<': |
| 9703d971 |
if (opt & CLI_BCOMP_BIN) {
compare_check = (bin_value < bm->comps[i]->comp_value);
} else {
compare_check = (value < bm->comps[i]->comp_value);
}
if (compare_check) {
bcm_dbgmsg("cli_bcomp_compare_check: extracted value (%ld) less than comparison value (%ld)\n", (opt & CLI_BCOMP_BIN) ? bin_value : value, bm->comps[i]->comp_value); |
| 731d44f2 |
ret = CL_VIRUS;
} else {
ret = CL_CLEAN;
}
break; |
| 9cb3e8eb |
|
| 731d44f2 |
case '=': |
| 9703d971 |
if (opt & CLI_BCOMP_BIN) {
compare_check = (bin_value == bm->comps[i]->comp_value);
} else {
compare_check = (value == bm->comps[i]->comp_value);
}
if (compare_check) {
bcm_dbgmsg("cli_bcomp_compare_check: extracted value (%ld) equal to comparison value (%ld)\n", (opt & CLI_BCOMP_BIN) ? bin_value : value, bm->comps[i]->comp_value); |
| 731d44f2 |
ret = CL_VIRUS;
} else {
ret = CL_CLEAN;
}
break; |
| 9cb3e8eb |
|
| 731d44f2 |
default:
bcm_dbgmsg("cli_bcomp_compare_check: comparison symbol (%c) invalid\n", bm->comps[i]->comp_symbol);
return CL_ENULLARG; |
| 9cb3e8eb |
}
|
| 731d44f2 |
if (CL_CLEAN == ret) {
/* comparison was not successful */ |
| 9703d971 |
bcm_dbgmsg("cli_bcomp_compare_check: extracted value (%ld) was not %c %ld\n", (opt & CLI_BCOMP_BIN) ? bin_value : value, bm->comps[i]->comp_symbol, bm->comps[i]->comp_value); |
| 731d44f2 |
return CL_CLEAN;
}
} |
| 9cb3e8eb |
} |
| 9703d971 |
|
| 731d44f2 |
return ret; |
| 9cb3e8eb |
}
/** |
| ca400eec |
* @brief checks to see if an ascii buffer should be considered hex or not
*
* @param buffer is the buffer to evaluate
* @param opts the bcomp opts bitfield to set/evaluate during the check
* @param len the length of the buffer, must be larger than 3 bytes
* @param check_only specifies whether to return true/false or the modified opt value
*
* @return if check only is set, it will return true or false, otherwise it returns a modifiied byte compare bitfield
*/ |
| 288057e9 |
uint16_t cli_bcomp_chk_hex(const unsigned char *buffer, uint16_t opt, uint32_t len, uint32_t check_only)
{ |
| ca400eec |
uint16_t check = 0;
if (!buffer || len < 3) { |
| 26b75b35 |
if (buffer && len < 3) {
if ((opt & 0x00F0) & CLI_BCOMP_AUTO) {
opt |= CLI_BCOMP_DEC;
opt ^= CLI_BCOMP_AUTO;
}
} |
| ca400eec |
return check_only ? check : opt;
}
|
| 288057e9 |
if (!strncmp((char *)buffer, "0x", 2) || !strncmp((char *)buffer, "0X", 2)) { |
| ca400eec |
opt |= CLI_BCOMP_HEX;
check = 1;
} else {
opt |= CLI_BCOMP_DEC;
check = 0;
}
opt ^= CLI_BCOMP_AUTO;
return check_only ? check : opt;
}
/**
* @brief multipurpose buffer normalization support function for bytcompare
*
* Currently can be used to normalize a little endian hex buffer to big endian.
* Can also be used to trim whitespace from the front of the buffer.
*
* @param buffer is the ascii bytes which are to be normalized
* @param byte_len is the length of these bytes
* @param pad_len if the address passed is non-null function will store the amount of whitespace found in bytes
* @param opt the byte compare option bitfield
* @param whitespace_only if true will only do whitespace normalization, will not perform whitespace
* normalization if set to no
*
* @return returns an allocated, normalized buffer or NULL if an allocation error has occurred
*/ |
| 288057e9 |
unsigned char *cli_bcomp_normalize_buffer(const unsigned char *buffer, uint32_t byte_len, uint32_t *pad_len, uint16_t opt, uint16_t whitespace_only)
{
uint32_t norm_len = 0;
uint32_t pad = 0;
uint32_t i = 0;
uint16_t opt_val = 0;
uint16_t hex = 0;
unsigned char *tmp_buffer = NULL;
unsigned char *hex_buffer = NULL; |
| ca400eec |
if (!buffer) {
cli_errmsg("cli_bcomp_compare_check: unable to normalize temp buffer, params null\n");
return NULL;
}
if (whitespace_only) { |
| 288057e9 |
for (i = 0; i < byte_len; i++) { |
| ca400eec |
if (isspace(buffer[i])) {
bcm_dbgmsg("cli_bcomp_compare_check: buffer has whitespace \n");
pad++;
} else {
/* break on first non-padding whitespace */
break;
}
}
/* keep in mind byte_len is a stack variable so this won't change byte_len in our calling functioning */ |
| 288057e9 |
byte_len = byte_len - pad;
tmp_buffer = cli_calloc(byte_len + 1, sizeof(char)); |
| ca400eec |
if (NULL == tmp_buffer) {
cli_errmsg("cli_bcomp_compare_check: unable to allocate memory for whitespace normalized temp buffer\n");
return NULL;
} |
| 288057e9 |
memset(tmp_buffer, '0', byte_len + 1);
memcpy(tmp_buffer, buffer + pad, byte_len); |
| ca400eec |
tmp_buffer[byte_len] = '\0';
if (pad_len) {
*pad_len = pad;
}
return tmp_buffer;
}
opt_val = opt & 0x000F;
if (opt_val & CLI_BCOMP_HEX || opt_val & CLI_BCOMP_AUTO) { |
| 288057e9 |
norm_len = (byte_len % 2) == 0 ? byte_len : byte_len + 1;
tmp_buffer = cli_calloc(norm_len + 1, sizeof(char)); |
| ca400eec |
if (NULL == tmp_buffer) {
cli_errmsg("cli_bcomp_compare_check: unable to allocate memory for normalized temp buffer\n");
return NULL;
}
|
| 288057e9 |
hex_buffer = cli_calloc(norm_len + 1, sizeof(char));
if (NULL == hex_buffer) { |
| ca400eec |
free(tmp_buffer);
cli_errmsg("cli_bcomp_compare_check: unable to reallocate memory for hex buffer\n");
return NULL;
}
|
| 288057e9 |
memset(tmp_buffer, '0', norm_len + 1);
memset(hex_buffer, '0', norm_len + 1); |
| ca400eec |
if (byte_len == 1) {
tmp_buffer[0] = buffer[0];
} else {
if (norm_len == byte_len + 1) {
opt_val = opt;
if (cli_bcomp_chk_hex(buffer, opt_val, byte_len, 1)) { |
| 288057e9 |
memcpy(hex_buffer + 3, buffer + 2, byte_len - 2); |
| ca400eec |
hex_buffer[0] = 'x';
} else { |
| 288057e9 |
memcpy(hex_buffer + 1, buffer, byte_len); |
| ca400eec |
}
} else {
opt_val = opt;
memcpy(hex_buffer, buffer, byte_len);
if (cli_bcomp_chk_hex(buffer, opt_val, byte_len, 1)) {
hex_buffer[0] = 'x';
}
}
|
| 288057e9 |
for (i = 0; i < norm_len; i = i + 2) {
if (((int32_t)norm_len - (int32_t)i) - 2 >= 0) { |
| ca400eec |
/* 0000BA -> B0000A */ |
| 288057e9 |
if (isxdigit(hex_buffer[norm_len - i - 2]) || toupper(hex_buffer[norm_len - i - 2]) == 'X') {
if (isxdigit(hex_buffer[norm_len - i - 2])) { |
| ca400eec |
hex = 1;
} |
| 288057e9 |
tmp_buffer[i] = hex_buffer[norm_len - i - 2]; |
| ca400eec |
} else {
/* non-hex detected, our current buffer is invalid so zero it out and continue */ |
| 288057e9 |
memset(tmp_buffer, '0', norm_len + 1); |
| ca400eec |
hex = 0; |
| 26b75b35 |
/* nibbles after this are non-good, so skip them */
continue; |
| ca400eec |
}
}
/* 0000BA -> 0A00B0 */ |
| 288057e9 |
if (isxdigit(hex_buffer[norm_len - i - 1]) || toupper(hex_buffer[norm_len - i - 1]) == 'X') {
if (isxdigit(hex_buffer[norm_len - i - 2])) {
hex = 1;
}
tmp_buffer[i + 1] = hex_buffer[norm_len - i - 1]; |
| ca400eec |
} else {
/* non-hex detected, our current buffer is invalid so zero it out and continue */ |
| 288057e9 |
memset(tmp_buffer, '0', norm_len + 1); |
| ca400eec |
hex = 0;
}
}
} |
| 77ecb701 |
tmp_buffer[norm_len] = '\0'; |
| e0295a9f |
bcm_dbgmsg("cli_bcomp_compare_check: normalized extracted bytes before comparison %.*s\n", norm_len, tmp_buffer); |
| ca400eec |
}
return tmp_buffer;
}
/** |
| 9cb3e8eb |
* @brief cleans up the byte compare data struct
*
* @param root the root matcher struct whose mempool instance the bcomp struct has been allocated with
* @param bm the bcomp struct to be freed
*
*/ |
| 288057e9 |
void cli_bcomp_freemeta(struct cli_matcher *root, struct cli_bcomp_meta *bm)
{ |
| 9cb3e8eb |
|
| 731d44f2 |
int i = 0;
|
| 288057e9 |
if (!root || !bm) { |
| 9cb3e8eb |
return;
} |
| 288057e9 |
|
| 9cb3e8eb |
if (bm->virname) { |
| 544fa973 |
MPOOL_FREE(root->mempool, bm->virname); |
| 9cb3e8eb |
bm->virname = NULL;
} |
| 731d44f2 |
/* can never have more than 2 */
if (bm->comps) {
for (i = 0; i < 2; i++) {
if (bm->comps[i]) { |
| 544fa973 |
MPOOL_FREE(root->mempool, bm->comps[i]); |
| 731d44f2 |
bm->comps[i] = NULL;
}
}
|
| 544fa973 |
MPOOL_FREE(root->mempool, bm->comps); |
| 731d44f2 |
bm->comps = NULL;
}
|
| 544fa973 |
MPOOL_FREE(root->mempool, bm); |
| 9cb3e8eb |
bm = NULL;
return;
} |