b151ef55 |
/* |
d119f7a0 |
* Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm@clamav.net> |
b151ef55 |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
30738099 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
b151ef55 |
*/
|
8b242bb9 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
b151ef55 |
#include <string.h> |
856d9c84 |
#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h> |
59afa53d |
#ifdef HAVE_UNISTD_H |
856d9c84 |
#include <unistd.h> |
59afa53d |
#endif |
b151ef55 |
#include "clamav.h"
#include "others.h" |
f91f55e0 |
#include "matcher-ac.h"
#include "matcher-bm.h"
#include "md5.h" |
2fe19b26 |
#include "filetypes.h" |
df757556 |
#include "matcher.h" |
856d9c84 |
#include "pe.h" |
1ec94c6b |
#include "elf.h"
#include "execs.h" |
958dc41c |
#include "special.h" |
7f9ddaeb |
#include "str.h" |
b151ef55 |
|
f477691c |
static int targettab[CL_TARGET_TABLE_SIZE] = { 0, CL_TYPE_MSEXE, CL_TYPE_MSOLE2, CL_TYPE_HTML, CL_TYPE_MAIL, CL_TYPE_GRAPHICS, CL_TYPE_ELF }; |
df757556 |
|
9bdb71d0 |
extern short cli_debug_flag; |
b151ef55 |
|
7def75f3 |
#ifdef HAVE_NCORE |
d119f7a0 |
#include <sn_sigscan/sn_sigscan.h>
#define HWBUFFSIZE 32768 |
538a6756 |
#endif
|
7f9ddaeb |
|
f477691c |
int cli_scanbuff(const char *buffer, unsigned int length, const char **virname, const struct cl_engine *engine, unsigned short ftype) |
f91f55e0 |
{ |
d119f7a0 |
int ret = CL_CLEAN, i, tid = 0, *partcnt; |
f91f55e0 |
unsigned long int *partoff; |
f477691c |
struct cli_matcher *groot, *troot = NULL; |
7def75f3 |
#ifdef HAVE_NCORE |
d119f7a0 |
void *streamhandle;
void *resulthandle; |
2de1f9b7 |
uint32_t datamask[2] = { 0xffffffff, 0xffffffff }; |
d119f7a0 |
int count, hret;
unsigned long long offset; |
7f9ddaeb |
char *pt; |
d119f7a0 |
#endif |
b151ef55 |
|
f477691c |
if(!engine) {
cli_errmsg("cli_scanbuff: engine == NULL\n");
return CL_ENULLARG;
}
|
7def75f3 |
#ifdef HAVE_NCORE
if(engine->ncore) { |
d119f7a0 |
/* TODO: Setup proper data bitmask (need specs) */
if((hret = sn_sigscan_createstream(engine->hwdb, datamask, 2, &streamhandle)) < 0) {
cli_errmsg("cli_scanbuff: can't create new hardware stream: %d\n", hret);
return CL_EHWIO;
}
if((hret = sn_sigscan_writestream(streamhandle, buffer, length)) < 0) {
cli_errmsg("cli_scanbuff: can't write %u bytes to hardware stream: %d\n", length, hret);
sn_sigscan_closestream(streamhandle, &resulthandle);
return CL_EHWIO;
}
if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) {
cli_errmsg("cli_scanbuff: can't close hardware stream: %d\n", hret);
return CL_EHWIO;
}
count = sn_sigscan_resultcount(resulthandle); |
7f9ddaeb |
for(i = 0; i < count; i++) {
const char *matchname = NULL, *offsetstring = NULL, *optionalsigdata = NULL;
int targettype = 0;
if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(!matchname) {
cli_errmsg("cli_scanbuff: HW Result[%d]: Signature without name\n", i);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(targettype && targettab[targettype] != (int) ftype) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype);
continue;
}
if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(offsetstring) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Offset based signature not supported in buffer mode\n", i, matchname);
continue;
}
if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) {
cli_errmsg("cli_scanbuff: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(optionalsigdata) {
if((pt = cli_strtok(optionalsigdata, 1, ":"))) { /* max version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) < cl_retflevel()) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) > cl_retflevel()) {
cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
}
} else {
if(!isdigit(*optionalsigdata)) {
cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(optionalsigdata) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel());
continue;
}
}
}
*virname = matchname;
ret = CL_VIRUS;
break;
} |
d119f7a0 |
if((hret = sn_sigscan_resultfree(resulthandle)) < 0) {
cli_errmsg("cli_scanbuff: can't free results: %d\n", ret);
return CL_EHWIO;
}
return ret;
} |
7def75f3 |
#endif /* HAVE_NCORE */ |
d119f7a0 |
|
f477691c |
groot = engine->root[0]; /* generic signatures */
if(ftype) {
for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {
if(targettab[i] == ftype) {
tid = i;
break;
}
}
if(tid)
troot = engine->root[tid];
}
if(troot) {
if((partcnt = (int *) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) { |
50c12868 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int)); |
f477691c |
return CL_EMEM;
}
if((partoff = (unsigned long int *) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { |
50c12868 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int)); |
f477691c |
free(partcnt);
return CL_EMEM;
}
|
9f986368 |
if(troot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, troot, 0, ftype, -1)) != CL_VIRUS) |
f477691c |
ret = cli_ac_scanbuff(buffer, length, virname, troot, partcnt, 0, 0, partoff, ftype, -1, NULL);
free(partcnt);
free(partoff);
if(ret == CL_VIRUS)
return ret;
}
if((partcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) { |
50c12868 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int)); |
f91f55e0 |
return CL_EMEM; |
b151ef55 |
}
|
f477691c |
if((partoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { |
50c12868 |
cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int)); |
f91f55e0 |
free(partcnt); |
e8217f5a |
return CL_EMEM; |
9c1c9007 |
} |
b151ef55 |
|
9f986368 |
if(groot->ac_only || (ret = cli_bm_scanbuff(buffer, length, virname, groot, 0, ftype, -1)) != CL_VIRUS) |
f477691c |
ret = cli_ac_scanbuff(buffer, length, virname, groot, partcnt, 0, 0, partoff, ftype, -1, NULL); |
f91f55e0 |
free(partcnt);
free(partoff);
return ret; |
b151ef55 |
}
|
f477691c |
static struct cli_md5_node *cli_vermd5(const unsigned char *md5, const struct cl_engine *engine) |
b151ef55 |
{ |
f91f55e0 |
struct cli_md5_node *pt; |
b151ef55 |
|
f477691c |
if(!(pt = engine->md5_hlist[md5[0] & 0xff])) |
b151ef55 |
return NULL;
|
f91f55e0 |
while(pt) {
if(!memcmp(pt->md5, md5, 16))
return pt; |
b151ef55 |
|
f91f55e0 |
pt = pt->next; |
e8217f5a |
} |
b151ef55 |
|
f91f55e0 |
return NULL; |
b151ef55 |
}
|
1ec94c6b |
static long int cli_caloff(const char *offstr, int fd, unsigned short ftype) |
856d9c84 |
{ |
1ec94c6b |
struct cli_exe_info exeinfo;
int (*einfo)(int, struct cli_exe_info *) = NULL; |
856d9c84 |
long int offset = -1;
int n;
|
1ec94c6b |
if(ftype == CL_TYPE_MSEXE)
einfo = cli_peheader;
else if(ftype == CL_TYPE_ELF)
einfo = cli_elfheader;
|
856d9c84 |
if(isdigit(offstr[0])) {
return atoi(offstr); |
1ec94c6b |
} else if(einfo && (!strncmp(offstr, "EP+", 3) || !strncmp(offstr, "EP-", 3))) { |
856d9c84 |
if((n = lseek(fd, 0, SEEK_CUR)) == -1) {
cli_dbgmsg("Invalid descriptor\n");
return -1;
}
lseek(fd, 0, SEEK_SET); |
1ec94c6b |
if(einfo(fd, &exeinfo)) { |
9bd73bcb |
lseek(fd, n, SEEK_SET); |
856d9c84 |
return -1; |
9bd73bcb |
} |
1ec94c6b |
free(exeinfo.section); |
856d9c84 |
lseek(fd, n, SEEK_SET); |
3af12024 |
if(offstr[2] == '+') |
1ec94c6b |
return exeinfo.ep + atoi(offstr + 3); |
3af12024 |
else |
1ec94c6b |
return exeinfo.ep - atoi(offstr + 3); |
3af12024 |
|
1ec94c6b |
} else if(einfo && offstr[0] == 'S') { |
856d9c84 |
if((n = lseek(fd, 0, SEEK_CUR)) == -1) {
cli_dbgmsg("Invalid descriptor\n");
return -1;
}
lseek(fd, 0, SEEK_SET); |
1ec94c6b |
if(einfo(fd, &exeinfo)) { |
9bd73bcb |
lseek(fd, n, SEEK_SET); |
856d9c84 |
return -1; |
9bd73bcb |
} |
856d9c84 |
lseek(fd, n, SEEK_SET);
|
d19fc3f0 |
if(!strncmp(offstr, "SL", 2)) { |
856d9c84 |
|
d19fc3f0 |
if(sscanf(offstr, "SL+%ld", &offset) != 1) { |
1ec94c6b |
free(exeinfo.section); |
d19fc3f0 |
return -1;
}
|
1ec94c6b |
offset += exeinfo.section[exeinfo.nsections - 1].raw; |
d19fc3f0 |
} else {
if(sscanf(offstr, "S%d+%ld", &n, &offset) != 2) { |
1ec94c6b |
free(exeinfo.section); |
d19fc3f0 |
return -1;
}
|
1ec94c6b |
if(n >= exeinfo.nsections) {
free(exeinfo.section); |
d19fc3f0 |
return -1;
}
|
1ec94c6b |
offset += exeinfo.section[n].raw; |
856d9c84 |
}
|
1ec94c6b |
free(exeinfo.section); |
856d9c84 |
return offset; |
d19fc3f0 |
|
856d9c84 |
} else if(!strncmp(offstr, "EOF-", 4)) {
struct stat sb;
if(fstat(fd, &sb) == -1)
return -1;
return sb.st_size - atoi(offstr + 4);
}
return -1;
}
|
a2c0f775 |
static int cli_checkfp(int fd, const struct cl_engine *engine) |
3f66a5af |
{
struct cli_md5_node *md5_node; |
3c9c82bf |
unsigned char *digest; |
3f66a5af |
|
f477691c |
if(engine->md5_hlist) { |
3f66a5af |
if(!(digest = cli_md5digest(fd))) {
cli_errmsg("cli_checkfp(): Can't generate MD5 checksum\n");
return 0;
}
|
f477691c |
if((md5_node = cli_vermd5(digest, engine)) && md5_node->fp) { |
3f66a5af |
struct stat sb;
if(fstat(fd, &sb))
return CL_EIO;
|
a8b53539 |
if((unsigned int) sb.st_size != md5_node->size) { |
3f66a5af |
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else {
cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname);
free(digest);
return 1;
}
}
free(digest);
}
return 0;
}
|
e2b5770b |
int cli_validatesig(unsigned short ftype, const char *offstr, unsigned long int fileoff, int desc, const char *virname) |
856d9c84 |
{
if(offstr && desc != -1) { |
1ec94c6b |
long int off = cli_caloff(offstr, desc, ftype); |
856d9c84 |
if(off == -1) {
cli_dbgmsg("Bad offset in signature (%s)\n", virname);
return 0;
}
|
a8b53539 |
if(fileoff != (unsigned long int) off) { |
59afa53d |
cli_dbgmsg("Virus offset: %ld, expected: %ld (%s)\n", fileoff, off, virname); |
856d9c84 |
return 0;
}
}
return 1;
}
|
605b8cf0 |
int cli_scandesc(int desc, cli_ctx *ctx, unsigned short otfrec, unsigned short ftype, struct cli_matched_type **ftoffset) |
b151ef55 |
{ |
f91f55e0 |
char *buffer, *buff, *endbl, *pt; |
7f7736bb |
int ret = CL_CLEAN, *gpartcnt = NULL, *tpartcnt = NULL, type = CL_CLEAN, i, tid = 0, bytes; |
3b4ee075 |
unsigned int buffersize, length, maxpatlen, shift = 0; |
7f7736bb |
unsigned long int *gpartoff = NULL, *tpartoff = NULL, offset = 0; |
605b8cf0 |
MD5_CTX md5ctx; |
d2a12ffd |
unsigned char digest[16]; |
f91f55e0 |
struct cli_md5_node *md5_node; |
f477691c |
struct cli_matcher *groot, *troot = NULL; |
7def75f3 |
#ifdef HAVE_NCORE |
d119f7a0 |
void *streamhandle;
void *resulthandle;
unsigned long long hoffset; |
2de1f9b7 |
uint32_t datamask[2] = { 0xffffffff, 0xffffffff }; |
d119f7a0 |
int count, hret; |
7f9ddaeb |
off_t origoff; |
d119f7a0 |
#endif |
2fe19b26 |
|
605b8cf0 |
if(!ctx->engine) { |
f477691c |
cli_errmsg("cli_scandesc: engine == NULL\n"); |
f91f55e0 |
return CL_ENULLARG; |
ff8cb48b |
}
|
7def75f3 |
#ifdef HAVE_NCORE
if(ctx->engine->ncore) { |
d119f7a0 |
/* TODO: Setup proper data bitmask (need specs) */
if((hret = sn_sigscan_createstream(ctx->engine->hwdb, datamask, 2, &streamhandle)) < 0) {
cli_errmsg("cli_scandesc: can't create new hardware stream: %d\n", hret);
return CL_EHWIO;
}
if(!(buffer = (char *) cli_calloc(HWBUFFSIZE, sizeof(char)))) {
cli_dbgmsg("cli_scandesc: unable to cli_calloc(%u)\n", HWBUFFSIZE);
return CL_EMEM;
}
|
7f9ddaeb |
if((origoff = lseek(desc, 0, SEEK_CUR)) == -1) {
cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc);
free(buffer);
return CL_EIO;
}
|
a2c0f775 |
if(ctx->engine->md5_hlist)
MD5_Init(&md5ctx);
|
d119f7a0 |
while((bytes = cli_readn(desc, buffer, HWBUFFSIZE)) > 0) {
if((hret = sn_sigscan_writestream(streamhandle, buffer, bytes)) < 0) {
cli_errmsg("cli_scandesc: can't write to hardware stream: %d\n", hret);
ret = CL_EHWIO;
break;
} else {
if(ctx->scanned)
*ctx->scanned += bytes / CL_COUNT_PRECISION; |
a2c0f775 |
if(ctx->engine->md5_hlist)
MD5_Update(&md5ctx, buffer, bytes); |
d119f7a0 |
}
}
free(buffer);
if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) {
cli_errmsg("cli_scandesc: can't close hardware stream: %d\n", hret);
return CL_EHWIO;
}
count = sn_sigscan_resultcount(resulthandle);
|
7f9ddaeb |
for(i = 0; i < count; i++) {
const char *matchname = NULL, *offsetstring = NULL, *optionalsigdata = NULL;
unsigned long long startoffset = 0;
int targettype = 0;
if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret); |
d119f7a0 |
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
} |
7f9ddaeb |
if(!matchname) {
cli_errmsg("cli_scandesc: HW Result[%d]: Signature without name\n", i);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(targettype && targettab[targettype] != (int) ftype) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype);
continue;
}
if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if((hret = sn_sigscan_resultget_startoffset(resulthandle, i, &startoffset) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_startoffset failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(offsetstring && strcmp(offsetstring, "*")) {
long int off = cli_caloff(offsetstring, desc, ftype);
if(off == -1) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Bad offset in signature\n", i, matchname);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(startoffset != (unsigned long long) off) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Virus offset: %Lu, expected: %ld\n", i, matchname, startoffset, off);
continue;
}
}
if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) {
cli_errmsg("cli_scandesc: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret);
sn_sigscan_resultfree(resulthandle);
return CL_EHWIO;
}
if(optionalsigdata) {
if((pt = cli_strtok(optionalsigdata, 1, ":"))) { /* max version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) < cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version */
if(!isdigit(*pt)) {
free(pt);
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(pt) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel());
free(pt);
continue;
}
free(pt);
}
} else {
if(!isdigit(*optionalsigdata)) {
cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata);
sn_sigscan_resultfree(resulthandle);
return CL_EMALFDB;
}
if(atoi(optionalsigdata) > cl_retflevel()) {
cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel());
continue;
}
}
}
*ctx->virname = matchname;
ret = CL_VIRUS;
break; |
d119f7a0 |
}
if((hret = sn_sigscan_resultfree(resulthandle)) < 0) {
cli_errmsg("cli_scandesc: can't free results: %d\n", ret);
return CL_EHWIO;
}
|
a2c0f775 |
if(ctx->engine->md5_hlist) {
MD5_Final(digest, &md5ctx);
if((md5_node = cli_vermd5(digest, ctx->engine))) {
struct stat sb;
if(fstat(desc, &sb))
return CL_EIO;
if((unsigned int) sb.st_size != md5_node->size) {
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else {
if(md5_node->fp) {
cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname);
ret = CL_CLEAN;
} else {
if(ctx->virname)
*ctx->virname = md5_node->virname;
ret = CL_VIRUS;
}
}
}
}
|
7f9ddaeb |
if(ret == CL_VIRUS || (ftype != CL_TYPE_UNKNOWN_TEXT && ftype != CL_TYPE_UNKNOWN_DATA))
return ret;
if((origoff = lseek(desc, origoff, SEEK_SET)) == -1) {
cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc);
return CL_EIO;
} |
d119f7a0 |
} |
7def75f3 |
#endif /* HAVE_NCORE */ |
d119f7a0 |
|
605b8cf0 |
groot = ctx->engine->root[0]; /* generic signatures */ |
f477691c |
if(ftype) {
for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {
if(targettab[i] == ftype) {
tid = i;
break;
}
}
if(tid) |
605b8cf0 |
troot = ctx->engine->root[tid]; |
f477691c |
}
if(troot)
maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen);
else
maxpatlen = groot->maxpatlen;
|
f91f55e0 |
/* prepare the buffer */ |
cec4e61d |
buffersize = maxpatlen + SCANBUFF;
if(!(buffer = (char *) cli_calloc(buffersize, sizeof(char)))) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d)\n", buffersize); |
f91f55e0 |
return CL_EMEM;
} |
2fe19b26 |
|
f477691c |
if((gpartcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int)); |
f91f55e0 |
free(buffer);
return CL_EMEM;
} |
b151ef55 |
|
f477691c |
if((gpartoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int)); |
f91f55e0 |
free(buffer); |
f477691c |
free(gpartcnt); |
f91f55e0 |
return CL_EMEM;
} |
b151ef55 |
|
f477691c |
if(troot) {
if((tpartcnt = (int *) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int));
free(buffer);
free(gpartcnt);
free(gpartoff);
return CL_EMEM;
}
if((tpartoff = (unsigned long int *) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int));
free(buffer);
free(gpartcnt);
free(gpartoff);
free(tpartcnt);
return CL_EMEM;
}
}
|
605b8cf0 |
if(ctx->engine->md5_hlist)
MD5_Init(&md5ctx); |
b151ef55 |
|
9ce8ad74 |
|
f91f55e0 |
buff = buffer; |
f477691c |
buff += maxpatlen; /* pointer to read data block */
endbl = buff + SCANBUFF - maxpatlen; /* pointer to the last block
* length of maxpatlen |
f91f55e0 |
*/ |
b151ef55 |
|
d2a12ffd |
pt = buff; |
cec4e61d |
while((bytes = cli_readn(desc, buff + shift, SCANBUFF - shift)) > 0) { |
b151ef55 |
|
605b8cf0 |
if(ctx->scanned)
*ctx->scanned += bytes / CL_COUNT_PRECISION; |
b151ef55 |
|
cec4e61d |
length = shift + bytes;
if(pt == buffer)
length += maxpatlen; |
ff8cb48b |
|
f477691c |
if(troot) { |
605b8cf0 |
if(troot->ac_only || (ret = cli_bm_scanbuff(pt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
ret = cli_ac_scanbuff(pt, length, ctx->virname, troot, tpartcnt, otfrec, offset, tpartoff, ftype, desc, ftoffset); |
9f986368 |
if(ret == CL_VIRUS) { |
f477691c |
free(buffer);
free(gpartcnt);
free(gpartoff);
free(tpartcnt);
free(tpartoff);
lseek(desc, 0, SEEK_SET); |
605b8cf0 |
if(cli_checkfp(desc, ctx->engine)) |
f477691c |
return CL_CLEAN;
else
return CL_VIRUS;
}
} |
3f66a5af |
|
605b8cf0 |
if(groot->ac_only || (ret = cli_bm_scanbuff(pt, length, ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS)
ret = cli_ac_scanbuff(pt, length, ctx->virname, groot, gpartcnt, otfrec, offset, gpartoff, ftype, desc, ftoffset); |
9f986368 |
if(ret == CL_VIRUS) { |
f477691c |
free(buffer);
free(gpartcnt);
free(gpartoff);
if(troot) {
free(tpartcnt);
free(tpartoff);
} |
3f66a5af |
lseek(desc, 0, SEEK_SET); |
605b8cf0 |
if(cli_checkfp(desc, ctx->engine)) |
3f66a5af |
return CL_CLEAN;
else
return CL_VIRUS; |
b151ef55 |
|
df757556 |
} else if(otfrec && ret >= CL_TYPENO) { |
f91f55e0 |
if(ret >= type)
type = ret;
} |
b151ef55 |
|
cec4e61d |
if(ctx->engine->md5_hlist)
MD5_Update(&md5ctx, buff + shift, bytes);
if(bytes + shift == SCANBUFF) { |
f477691c |
memmove(buffer, endbl, maxpatlen); |
cec4e61d |
offset += SCANBUFF; |
1f73f3ff |
|
cec4e61d |
if(pt == buff) { |
34dd51a6 |
pt = buffer; |
cec4e61d |
offset -= maxpatlen; |
34dd51a6 |
} |
cec4e61d |
shift = 0;
} else {
shift += bytes; |
34dd51a6 |
} |
d898865b |
|
f91f55e0 |
} |
d898865b |
|
f91f55e0 |
free(buffer); |
f477691c |
free(gpartcnt);
free(gpartoff);
if(troot) {
free(tpartcnt);
free(tpartoff);
} |
1f73f3ff |
|
605b8cf0 |
if(ctx->engine->md5_hlist) {
MD5_Final(digest, &md5ctx); |
1f73f3ff |
|
605b8cf0 |
if((md5_node = cli_vermd5(digest, ctx->engine)) && !md5_node->fp) { |
61f31052 |
struct stat sb;
if(fstat(desc, &sb))
return CL_EIO;
|
a8b53539 |
if((unsigned int) sb.st_size != md5_node->size) { |
61f31052 |
cli_warnmsg("Detected false positive MD5 match. Please report.\n");
} else { |
605b8cf0 |
if(ctx->virname)
*ctx->virname = md5_node->virname; |
61f31052 |
return CL_VIRUS;
} |
f91f55e0 |
} |
1f73f3ff |
}
|
df757556 |
return otfrec ? type : CL_CLEAN; |
1f73f3ff |
} |