b151ef55 |
/* |
5918723d |
* Copyright (C) 2002 - 2005 Tomasz Kojm <tkojm@clamav.net> |
b151ef55 |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
30738099 |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
b151ef55 |
*/
|
8b242bb9 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
b151ef55 |
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h> |
59afa53d |
#ifdef HAVE_UNISTD_H |
255e314c |
#include <unistd.h> |
59afa53d |
#endif
#ifdef HAVE_SYS_PARAM_H |
771e8818 |
#include <sys/param.h> |
59afa53d |
#endif |
b151ef55 |
#include <fcntl.h> |
59afa53d |
#ifndef C_WINDOWS |
b151ef55 |
#include <dirent.h> |
2148d690 |
#include <netinet/in.h> |
59afa53d |
#endif |
b151ef55 |
|
2fe19b26 |
#if HAVE_MMAP
#if HAVE_SYS_MMAN_H
#include <sys/mman.h>
#else /* HAVE_SYS_MMAN_H */
#undef HAVE_MMAP
#endif
#endif
|
59afa53d |
#ifndef O_BINARY
#define O_BINARY 0
#endif
|
1ed6a845 |
extern short cli_leavetemps_flag;
|
4a30feab |
#define DCONF_ARCH ctx->dconf->archive
#define DCONF_DOC ctx->dconf->doc
#define DCONF_MAIL ctx->dconf->mail
#define DCONF_OTHER ctx->dconf->other
|
b151ef55 |
#include "clamav.h"
#include "others.h" |
4a30feab |
#include "dconf.h" |
5ede41fa |
#include "scanners.h" |
f91f55e0 |
#include "matcher-ac.h"
#include "matcher-bm.h" |
b151ef55 |
#include "matcher.h" |
2250cf42 |
#include "unrar.h" |
c561d2a3 |
#include "ole2_extract.h"
#include "vba_extract.h" |
e2dc6ace |
#include "msexpand.h" |
7f7736bb |
#include "mbox.h" |
4ad876ad |
#include "chmunpack.h" |
c2484690 |
#include "pe.h" |
7f7736bb |
#include "elf.h" |
2fe19b26 |
#include "filetypes.h"
#include "htmlnorm.h" |
26c6ace2 |
#include "untar.h" |
958dc41c |
#include "special.h" |
f58ad3be |
#include "binhex.h" |
7f7736bb |
/* #include "uuencode.h" */ |
236b30a3 |
#include "tnef.h" |
7f7736bb |
#include "pst.h" |
5afe9ae6 |
#include "sis.h" |
f3e0aea0 |
#include "pdf.h" |
1e7a21fb |
#include "str.h" |
9d675ddb |
#include "mspack.h"
#include "cab.h" |
f9d258e2 |
#include "rtf.h"
|
b151ef55 |
#ifdef HAVE_ZLIB_H
#include <zlib.h> |
0968c257 |
#include "unzip.h" |
b151ef55 |
#endif
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
a45ec9cc |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)
#include <limits.h> |
8c7e16b8 |
#include <stddef.h> |
a45ec9cc |
#endif
|
771e8818 |
/* Maximum filenames under various systems - njh */
#ifndef NAME_MAX /* e.g. Linux */
# ifdef MAXNAMELEN /* e.g. Solaris */
# define NAME_MAX MAXNAMELEN
# else
# ifdef FILENAME_MAX /* e.g. SCO */
# define NAME_MAX FILENAME_MAX |
8425b1a6 |
# else
# define NAME_MAX 256 |
771e8818 |
# endif
# endif
#endif |
a45ec9cc |
|
5115a5eb |
#define MAX_MAIL_RECURSION 15 |
b151ef55 |
|
605b8cf0 |
static int cli_scanfile(const char *filename, cli_ctx *ctx); |
ff8cb48b |
|
b5ef15ba |
static int cli_unrar_scanmetadata(int desc, rar_metadata_t *metadata, cli_ctx *ctx, unsigned int files, uint32_t* sfx_check) |
b151ef55 |
{ |
b5ef15ba |
int ret = CL_SUCCESS;
struct cli_meta_node* mdata; |
26c6ace2 |
|
b151ef55 |
|
b5ef15ba |
if(files == 1 && sfx_check) {
if(*sfx_check == metadata->crc)
return CL_BREAK;/* break extract loop */
else
*sfx_check = metadata->crc; |
b151ef55 |
}
|
b5ef15ba |
cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n",
metadata->filename, metadata->crc, metadata->encrypted, metadata->pack_size,
metadata->unpack_size, metadata->method,
metadata->pack_size ? ((unsigned int) metadata->unpack_size / (unsigned int) metadata->pack_size) : 0, ctx->limits ? ctx->limits->maxratio : 0); |
92152740 |
|
b5ef15ba |
/* Scan metadata */
mdata = ctx->engine->rar_mlist;
if(mdata) do {
if(mdata->encrypted != metadata->encrypted)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->crc32 && (unsigned int) mdata->crc32 != metadata->crc)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->csize > 0 && (unsigned int) mdata->csize != metadata->pack_size)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->size >= 0 && (unsigned int) mdata->size != metadata->unpack_size)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->method >= 0 && mdata->method != metadata->method)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->fileno && mdata->fileno != files)
continue; |
92152740 |
|
b5ef15ba |
if(mdata->maxdepth && ctx->arec > mdata->maxdepth)
continue; |
92152740 |
|
b5ef15ba |
/* TODO add support for regex */
/*if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/
if(mdata->filename && strcmp((char *) metadata->filename, mdata->filename))
continue; |
92152740 |
|
b5ef15ba |
break; /* matched */ |
92152740 |
|
b5ef15ba |
} while((mdata = mdata->next)); |
92152740 |
|
b5ef15ba |
if(mdata) {
*ctx->virname = mdata->virname;
return CL_VIRUS;
} |
92152740 |
|
b5ef15ba |
if(DETECT_ENCRYPTED && metadata->encrypted) {
cli_dbgmsg("RAR: Encrypted files found in archive.\n");
lseek(desc, 0, SEEK_SET);
ret = cli_scandesc(desc, ctx, 0, 0, 0, NULL);
if(ret != CL_VIRUS) {
*ctx->virname = "Encrypted.RAR";
return CL_VIRUS; |
92152740 |
} |
b5ef15ba |
} |
92152740 |
|
b5ef15ba |
/*
TROG - TODO: multi-volume files
if((rarlist->item.Flags & 0x03) != 0) {
cli_dbgmsg("RAR: Skipping %s (split)\n", rarlist->item.Name);
rarlist = rarlist->next;
continue;
}
*/ |
9bc506de |
return ret;
}
static int cli_unrar_checklimits(const cli_ctx *ctx, const rar_metadata_t *metadata, unsigned int files)
{ |
b5ef15ba |
if(ctx->limits) {
if(ctx->limits->maxratio && metadata->unpack_size && metadata->pack_size) { |
e6b96705 |
if(metadata->unpack_size / metadata->pack_size >= ctx->limits->maxratio) {
cli_dbgmsg("RAR: Max ratio reached (normal: %Lu, compressed: %Lu, max: %u)\n", metadata->unpack_size, metadata->pack_size, ctx->limits->maxratio); |
9bc506de |
if(BLOCKMAX) {
*ctx->virname = "Oversized.RAR";
return CL_VIRUS;
}
return CL_EMAXSIZE; |
a5db7190 |
} |
96a39a27 |
} |
b151ef55 |
|
b5ef15ba |
if(ctx->limits->maxfilesize && (metadata->unpack_size > ctx->limits->maxfilesize)) { |
e6b96705 |
cli_dbgmsg("RAR: %s: Size exceeded (%Lu, max: %lu)\n", metadata->filename, metadata->unpack_size, ctx->limits->maxfilesize); |
b5ef15ba |
if(BLOCKMAX) {
*ctx->virname = "RAR.ExceededFileSize";
return CL_VIRUS; |
728f8802 |
} |
9bc506de |
return CL_EMAXSIZE; |
b5ef15ba |
} |
728f8802 |
|
b5ef15ba |
if(ctx->limits->maxfiles && (files > ctx->limits->maxfiles)) { |
e6b96705 |
cli_dbgmsg("RAR: Files limit reached (max: %u)\n", ctx->limits->maxfiles); |
b5ef15ba |
if(BLOCKMAX) {
*ctx->virname = "RAR.ExceededFilesLimit";
return CL_VIRUS; |
b151ef55 |
} |
9bc506de |
return CL_EMAXFILES; |
b5ef15ba |
}
}
|
9bc506de |
return CL_SUCCESS; |
b5ef15ba |
}
static int cli_scanrar(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_check)
{
int ret = CL_CLEAN;
rar_metadata_t *metadata, *metadata_tmp;
char *dir;
rar_state_t rar_state; |
b151ef55 |
|
b5ef15ba |
cli_dbgmsg("in scanrar()\n");
/* generate the temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("RAR: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
if(sfx_offset)
lseek(desc, sfx_offset, SEEK_SET);
if((ret = cli_unrar_open(desc, dir, &rar_state)) != CL_SUCCESS) {
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
cli_dbgmsg("RAR: Error: %s\n", cl_strerror(ret));
return ret;
}
do {
int rc;
rar_state.unpack_data->ofd = -1; |
9bc506de |
ret = cli_unrar_extract_next_prepare(&rar_state,dir);
if(ret != CL_SUCCESS)
break;
ret = cli_unrar_checklimits(ctx, rar_state.metadata_tail, rar_state.file_count);
if(ret && ret != CL_VIRUS) {
ret = CL_CLEAN;
continue;
} else if(ret == CL_VIRUS) {
break;
} |
b5ef15ba |
ret = cli_unrar_extract_next(&rar_state,dir);
if(rar_state.unpack_data->ofd > 0) {
lseek(rar_state.unpack_data->ofd,0,SEEK_SET);
rc = cli_magic_scandesc(rar_state.unpack_data->ofd,ctx);
close(rar_state.unpack_data->ofd);
if(!cli_leavetemps_flag)
unlink(rar_state.filename);
if(rc == CL_VIRUS ) {
cli_dbgmsg("RAR: infected with %s\n",*ctx->virname);
ret = CL_VIRUS; |
b151ef55 |
break;
}
}
|
b5ef15ba |
if(ret == CL_SUCCESS)
ret = cli_unrar_scanmetadata(desc,rar_state.metadata, ctx, rar_state.file_count, sfx_check);
} while(ret == CL_SUCCESS);
if(ret == CL_BREAK)
ret = CL_CLEAN;
metadata = metadata_tmp = rar_state.metadata;
if(cli_scandir(rar_state.comment_dir, ctx) == CL_VIRUS)
ret = CL_VIRUS; |
b151ef55 |
|
a8763912 |
cli_unrar_close(&rar_state);
|
2250cf42 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
b151ef55 |
|
2250cf42 |
free(dir); |
b5ef15ba |
|
2250cf42 |
metadata = metadata_tmp;
while (metadata) {
metadata_tmp = metadata->next;
free(metadata->filename);
free(metadata);
metadata = metadata_tmp; |
b151ef55 |
} |
26c6ace2 |
cli_dbgmsg("RAR: Exit code: %d\n", ret); |
2c7d6b9a |
|
b151ef55 |
return ret;
}
#ifdef HAVE_ZLIB_H |
d53647d5 |
static int cli_scanzip(int desc, cli_ctx *ctx, off_t sfx_offset, uint32_t *sfx_check) |
b151ef55 |
{ |
0968c257 |
zip_dir *zdir;
zip_dirent zdirent;
zip_file *zfp; |
97de3c9d |
FILE *tmp = NULL; |
7f7736bb |
char *tmpname = NULL, *buff; |
a8b53539 |
int fd, bytes, ret = CL_CLEAN; |
03324793 |
unsigned long int size = 0; |
6219456d |
unsigned int files = 0, encrypted, bfcnt; |
97de3c9d |
struct stat source; |
92152740 |
struct cli_meta_node *mdata; |
0968c257 |
int err; |
6219456d |
uint8_t swarning = 0, fail, success; |
b151ef55 |
|
26c6ace2 |
cli_dbgmsg("in scanzip()\n"); |
b151ef55 |
|
0968c257 |
if((zdir = zip_dir_open(desc, sfx_offset, &err)) == NULL) {
cli_dbgmsg("Zip: zip_dir_open() return code: %d\n", err); |
10971328 |
/* no return with CL_EZIP due to password protected zips */
return CL_CLEAN; |
b151ef55 |
}
|
97de3c9d |
fstat(desc, &source);
|
f5cd5991 |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
26c6ace2 |
cli_dbgmsg("Zip: unable to malloc(%d)\n", FILEBUFF); |
0968c257 |
zip_dir_close(zdir); |
f5cd5991 |
return CL_EMEM;
}
|
0968c257 |
while(zip_dir_read(zdir, &zdirent)) { |
eceef468 |
files++; |
97de3c9d |
|
d53647d5 |
if(files == 1 && sfx_check) {
if(*sfx_check == zdirent.d_crc32)
break;
else
*sfx_check = zdirent.d_crc32;
}
|
0968c257 |
if(!zdirent.d_name) { |
b79c993a |
cli_dbgmsg("Zip: zdirent.d_name == NULL\n"); |
605b8cf0 |
*ctx->virname = "Suspect.Zip"; |
97de3c9d |
ret = CL_VIRUS;
break;
}
|
a02f38dd |
/* Bit 0: file is encrypted
* Bit 6: Strong encryption was used
* Bit 13: Encrypted central directory
*/ |
236b30a3 |
encrypted = ((zdirent.d_flags & 0x2041) != 0); |
34e96745 |
|
605b8cf0 |
cli_dbgmsg("Zip: %s, crc32: 0x%x, offset: %d, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n", zdirent.d_name, zdirent.d_crc32, zdirent.d_off, encrypted, zdirent.d_csize, zdirent.st_size, zdirent.d_compr, zdirent.d_csize ? (zdirent.st_size / zdirent.d_csize) : 0, ctx->limits ? ctx->limits->maxratio : 0); |
97de3c9d |
|
9bdb71d0 |
if(!zdirent.st_size) { |
70567086 |
if(zdirent.d_crc32) {
cli_dbgmsg("Zip: Broken file or modified information in local header part of archive\n"); |
605b8cf0 |
*ctx->virname = "Exploit.Zip.ModifiedHeaders"; |
70567086 |
ret = CL_VIRUS;
break;
} |
b151ef55 |
continue;
}
|
34e96745 |
/* Scan metadata */ |
605b8cf0 |
mdata = ctx->engine->zip_mlist; |
54f56eaf |
if(mdata) do { |
34e96745 |
if(mdata->encrypted != encrypted)
continue;
|
e2b5770b |
if(mdata->crc32 && mdata->crc32 != zdirent.d_crc32) |
34e96745 |
continue;
|
e2b5770b |
if(mdata->csize > 0 && (uint32_t) mdata->csize != zdirent.d_csize) |
34e96745 |
continue;
|
e2b5770b |
if(mdata->size >= 0 && (uint32_t) mdata->size != zdirent.st_size) |
34e96745 |
continue;
|
e2b5770b |
if(mdata->method >= 0 && (uint16_t) mdata->method != zdirent.d_compr) |
34e96745 |
continue;
|
eceef468 |
if(mdata->fileno && mdata->fileno != files)
continue;
|
605b8cf0 |
if(mdata->maxdepth && ctx->arec > mdata->maxdepth) |
eceef468 |
continue;
/* TODO add support for regex */ |
34e96745 |
/*if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/
if(mdata->filename && strcmp(zdirent.d_name, mdata->filename))
continue;
break; /* matched */
} while((mdata = mdata->next));
if(mdata) { |
605b8cf0 |
*ctx->virname = mdata->virname; |
34e96745 |
ret = CL_VIRUS;
break;
}
|
66ae09c6 |
/*
* Workaround for archives created with ICEOWS.
* ZZIP_DIRENT does not contain information on file type
* so we try to determine a directory via a filename
*/
if(zdirent.d_name[strlen(zdirent.d_name) - 1] == '/') {
cli_dbgmsg("Zip: Directory entry with st_size != 0\n");
continue;
}
|
e2b5770b |
if(!zdirent.d_csize) {
cli_dbgmsg("Zip: Malformed file (d_csize == 0 but st_size != 0)\n"); |
605b8cf0 |
*ctx->virname = "Suspect.Zip"; |
97de3c9d |
ret = CL_VIRUS; |
b151ef55 |
break;
}
|
605b8cf0 |
if(ctx->limits && ctx->limits->maxratio > 0 && ((unsigned) zdirent.st_size / (unsigned) zdirent.d_csize) >= ctx->limits->maxratio) {
*ctx->virname = "Oversized.Zip"; |
b44f4315 |
ret = CL_VIRUS;
break;
}
|
34e96745 |
if(DETECT_ENCRYPTED && encrypted) { |
26c6ace2 |
cli_dbgmsg("Zip: Encrypted files found in archive.\n"); |
3cb43aaa |
lseek(desc, 0, SEEK_SET); |
674f4b3c |
ret = cli_scandesc(desc, ctx, 0, 0, 0, NULL); |
a5db7190 |
if(ret < 0) {
break;
} else if(ret != CL_VIRUS) { |
605b8cf0 |
*ctx->virname = "Encrypted.Zip"; |
a5db7190 |
ret = CL_VIRUS;
} |
510c466b |
break;
}
|
605b8cf0 |
if(ctx->limits) {
if(ctx->limits->maxfilesize && ((unsigned int) zdirent.st_size > ctx->limits->maxfilesize)) {
cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, ctx->limits->maxfilesize); |
ae1f747c |
/* ret = CL_EMAXSIZE; */ |
728f8802 |
if(BLOCKMAX) { |
605b8cf0 |
*ctx->virname = "Zip.ExceededFileSize"; |
728f8802 |
ret = CL_VIRUS;
break;
}
continue; /* continue scanning */ |
b151ef55 |
}
|
605b8cf0 |
if(ctx->limits->maxfiles && (files > ctx->limits->maxfiles)) {
cli_dbgmsg("Zip: Files limit reached (max: %d)\n", ctx->limits->maxfiles); |
728f8802 |
if(BLOCKMAX) { |
605b8cf0 |
*ctx->virname = "Zip.ExceededFilesLimit"; |
728f8802 |
ret = CL_VIRUS;
break;
} |
b151ef55 |
break;
}
}
|
0968c257 |
if((zfp = zip_file_open(zdir, zdirent.d_name, zdirent.d_off)) == NULL) {
if(zdir->errcode == CL_ESUPPORT) {
ret = CL_ESUPPORT;
if(!swarning) {
cli_warnmsg("Not supported compression method in one or more files\n");
swarning = 1;
} |
7c6380b0 |
continue; |
0968c257 |
} else {
cli_dbgmsg("Zip: Can't open file %s\n", zdirent.d_name);
ret = CL_EZIP;
break;
} |
e4819192 |
}
|
6219456d |
bfcnt = 0;
success = 0;
while(1) {
fail = 0;
/* generate temporary file and get its descriptor */
if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) {
cli_dbgmsg("Zip: Can't generate tmpfile().\n");
ret = CL_ETMPFILE;
break;
}
size = 0;
while((bytes = zip_file_read(zfp, buff, FILEBUFF)) > 0) {
size += bytes;
if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) {
cli_dbgmsg("Zip: Can't write to file.\n");
ret = CL_EIO;
break;
}
}
if(!encrypted) {
if(size != zdirent.st_size) {
cli_dbgmsg("Zip: Incorrectly decompressed (%d != %d)\n", size, zdirent.st_size);
if(zfp->bf[0] == -1) {
ret = CL_EZIP;
break;
} else {
fail = 1;
}
} else {
cli_dbgmsg("Zip: File decompressed to %s\n", tmpname);
success = 1;
}
}
if(!fail) {
if(fflush(tmp) != 0) {
cli_dbgmsg("Zip: fflush() failed\n");
ret = CL_EFSYNC;
break;
}
fd = fileno(tmp);
lseek(fd, 0, SEEK_SET);
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
cli_dbgmsg("Zip: Infected with %s\n", *ctx->virname);
ret = CL_VIRUS;
break;
}
} |
b151ef55 |
|
6219456d |
if(tmp) { |
f5cd5991 |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
6219456d |
tmp = NULL; |
b151ef55 |
}
|
6219456d |
if(zfp->bf[bfcnt] == -1) |
396e7ad9 |
break;
|
6219456d |
zfp->method = (uint16_t) zfp->bf[bfcnt];
cli_dbgmsg("Zip: Brute force mode - checking compression method %u\n", zfp->method);
bfcnt++; |
03324793 |
} |
6219456d |
zip_file_close(zfp); |
03324793 |
|
a2c0d76b |
if(!ret && !encrypted && !success) { /* brute-force decompression failed */ |
6219456d |
cli_dbgmsg("Zip: All attempts to decompress file failed\n");
ret = CL_EZIP; |
b151ef55 |
}
|
6219456d |
if(ret) |
b151ef55 |
break;
}
|
0968c257 |
zip_dir_close(zdir);
if(tmp) { |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
d3d2fb1e |
tmp = NULL;
} |
f5cd5991 |
free(buff); |
b151ef55 |
return ret;
}
|
605b8cf0 |
static int cli_scangzip(int desc, cli_ctx *ctx) |
b151ef55 |
{
int fd, bytes, ret = CL_CLEAN; |
a8b53539 |
unsigned long int size = 0; |
7b7b3ca5 |
char *buff; |
97de3c9d |
FILE *tmp = NULL; |
73c21438 |
char *tmpname; |
b151ef55 |
gzFile gd;
|
97de3c9d |
cli_dbgmsg("in cli_scangzip()\n");
|
b151ef55 |
if((gd = gzdopen(dup(desc), "rb")) == NULL) { |
26c6ace2 |
cli_dbgmsg("GZip: Can't open descriptor %d\n", desc); |
b151ef55 |
return CL_EGZIP;
}
|
73c21438 |
if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) { |
26c6ace2 |
cli_dbgmsg("GZip: Can't generate temporary file.\n"); |
b151ef55 |
gzclose(gd);
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
97de3c9d |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
26c6ace2 |
cli_dbgmsg("GZip: Unable to malloc %d bytes.\n", FILEBUFF); |
97de3c9d |
gzclose(gd); |
73c21438 |
fclose(tmp);
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
7b7b3ca5 |
return CL_EMEM; |
97de3c9d |
} |
7b7b3ca5 |
|
97de3c9d |
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) { |
b151ef55 |
size += bytes;
|
605b8cf0 |
if(ctx->limits)
if(ctx->limits->maxfilesize && (size + FILEBUFF > ctx->limits->maxfilesize)) {
cli_dbgmsg("GZip: Size exceeded (stopped at %ld, max: %ld)\n", size, ctx->limits->maxfilesize); |
9ee9c31b |
if(BLOCKMAX) { |
605b8cf0 |
*ctx->virname = "GZip.ExceededFileSize"; |
9ee9c31b |
ret = CL_VIRUS;
} |
b151ef55 |
break;
}
|
3fc8c606 |
if(cli_writen(fd, buff, bytes) != bytes) { |
26c6ace2 |
cli_dbgmsg("GZip: Can't write to file.\n"); |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
b151ef55 |
gzclose(gd); |
7b7b3ca5 |
free(buff); |
b151ef55 |
return CL_EGZIP;
}
}
|
7b7b3ca5 |
free(buff); |
b151ef55 |
gzclose(gd); |
9ee9c31b |
if(ret == CL_VIRUS) {
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
9ee9c31b |
return ret;
}
|
b151ef55 |
if(fsync(fd) == -1) { |
26c6ace2 |
cli_dbgmsg("GZip: Can't synchronise descriptor %d\n", fd); |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
b151ef55 |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
605b8cf0 |
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
cli_dbgmsg("GZip: Infected with %s\n", *ctx->virname); |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
b151ef55 |
return CL_VIRUS;
} |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
b151ef55 |
return ret;
}
#endif
#ifdef HAVE_BZLIB_H
#ifdef NOBZ2PREFIX
#define BZ2_bzReadOpen bzReadOpen
#define BZ2_bzReadClose bzReadClose
#define BZ2_bzRead bzRead
#endif
|
605b8cf0 |
static int cli_scanbzip(int desc, cli_ctx *ctx) |
b151ef55 |
{
int fd, bytes, ret = CL_CLEAN, bzerror = 0;
short memlim = 0; |
a8b53539 |
unsigned long int size = 0; |
7b7b3ca5 |
char *buff; |
97de3c9d |
FILE *fs, *tmp = NULL; |
73c21438 |
char *tmpname; |
b151ef55 |
BZFILE *bfd;
|
9c1c9007 |
if((fs = fdopen(dup(desc), "rb")) == NULL) { |
26c6ace2 |
cli_dbgmsg("Bzip: Can't open descriptor %d.\n", desc); |
b151ef55 |
return CL_EBZIP;
}
|
605b8cf0 |
if(ctx->limits)
if(ctx->limits->archivememlim) |
b151ef55 |
memlim = 1;
|
61ff3bda |
if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) { |
26c6ace2 |
cli_dbgmsg("Bzip: Can't initialize bzip2 library (descriptor: %d).\n", desc); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EBZIP;
}
|
73c21438 |
if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) { |
26c6ace2 |
cli_dbgmsg("Bzip: Can't generate temporary file.\n"); |
b151ef55 |
BZ2_bzReadClose(&bzerror, bfd); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
9c1c9007 |
if(!(buff = (char *) malloc(FILEBUFF))) { |
26c6ace2 |
cli_dbgmsg("Bzip: Unable to malloc %d bytes.\n", FILEBUFF); |
9c1c9007 |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
9c1c9007 |
fclose(fs);
BZ2_bzReadClose(&bzerror, bfd); |
7b7b3ca5 |
return CL_EMEM; |
9c1c9007 |
} |
7b7b3ca5 |
|
97de3c9d |
while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) { |
b151ef55 |
size += bytes;
|
605b8cf0 |
if(ctx->limits)
if(ctx->limits->maxfilesize && (size + FILEBUFF > ctx->limits->maxfilesize)) {
cli_dbgmsg("Bzip: Size exceeded (stopped at %ld, max: %ld)\n", size, ctx->limits->maxfilesize); |
9ee9c31b |
if(BLOCKMAX) { |
605b8cf0 |
*ctx->virname = "BZip.ExceededFileSize"; |
9ee9c31b |
ret = CL_VIRUS;
} |
b151ef55 |
break;
}
|
3fc8c606 |
if(cli_writen(fd, buff, bytes) != bytes) { |
26c6ace2 |
cli_dbgmsg("Bzip: Can't write to file.\n"); |
b151ef55 |
BZ2_bzReadClose(&bzerror, bfd); |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
7b7b3ca5 |
free(buff); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EGZIP;
}
}
|
7b7b3ca5 |
free(buff); |
b151ef55 |
BZ2_bzReadClose(&bzerror, bfd); |
9ee9c31b |
if(ret == CL_VIRUS) {
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
9ee9c31b |
fclose(fs);
return ret;
}
|
b151ef55 |
if(fsync(fd) == -1) { |
26c6ace2 |
cli_dbgmsg("Bzip: Synchronisation failed for descriptor %d\n", fd); |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
605b8cf0 |
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS ) {
cli_dbgmsg("Bzip: Infected with %s\n", *ctx->virname); |
b151ef55 |
} |
d3d2fb1e |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
9c1c9007 |
fclose(fs); |
b151ef55 |
return ret;
}
#endif
|
605b8cf0 |
static int cli_scanszdd(int desc, cli_ctx *ctx) |
e2dc6ace |
{ |
8d182af9 |
int fd, ret = CL_CLEAN, dcpy; |
e2dc6ace |
FILE *tmp = NULL, *in; |
73c21438 |
char *tmpname; |
e2dc6ace |
|
26c6ace2 |
|
8d182af9 |
cli_dbgmsg("in cli_scanszdd()\n");
if((dcpy = dup(desc)) == -1) {
cli_dbgmsg("SZDD: Can't duplicate descriptor %d\n", desc);
return CL_EIO;
} |
e2dc6ace |
|
8d182af9 |
if((in = fdopen(dcpy, "rb")) == NULL) { |
26c6ace2 |
cli_dbgmsg("SZDD: Can't open descriptor %d\n", desc); |
8d182af9 |
close(dcpy); |
e2dc6ace |
return CL_EMSCOMP;
}
|
73c21438 |
if((tmpname = cli_gentempstream(NULL, &tmp)) == NULL) { |
26c6ace2 |
cli_dbgmsg("SZDD: Can't generate temporary file.\n"); |
e2dc6ace |
fclose(in);
return CL_ETMPFILE;
}
if(cli_msexpand(in, tmp) == -1) { |
26c6ace2 |
cli_dbgmsg("SZDD: msexpand failed.\n"); |
73c21438 |
fclose(in);
fclose(tmp);
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
e2dc6ace |
return CL_EMSCOMP;
}
fclose(in);
if(fflush(tmp)) { |
26c6ace2 |
cli_dbgmsg("SZDD: fflush() failed.\n"); |
e2dc6ace |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
e2dc6ace |
return CL_EFSYNC;
}
fd = fileno(tmp);
lseek(fd, 0, SEEK_SET); |
605b8cf0 |
if((ret = cli_magic_scandesc(fd, ctx)) == CL_VIRUS) {
cli_dbgmsg("SZDD: Infected with %s\n", *ctx->virname); |
e2dc6ace |
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
e2dc6ace |
return CL_VIRUS;
}
fclose(tmp); |
73c21438 |
if(!cli_leavetemps_flag)
unlink(tmpname);
free(tmpname); |
e2dc6ace |
return ret;
}
|
b408821a |
static int cli_scanmscab(int desc, cli_ctx *ctx, off_t sfx_offset) |
1ed6a845 |
{
char *tempname; |
9d675ddb |
int ret;
unsigned int files = 0;
struct cab_archive cab;
struct cab_file *file; |
1ed6a845 |
cli_dbgmsg("in cli_scanmscab()\n");
|
9d675ddb |
if((ret = cab_open(desc, sfx_offset, &cab)))
return ret; |
1ed6a845 |
|
9d675ddb |
for(file = cab.files; file; file = file->next) {
files++; |
421d947f |
|
9d675ddb |
if(ctx->limits && ctx->limits->maxfilesize && (file->length > ctx->limits->maxfilesize)) {
cli_dbgmsg("CAB: %s: Size exceeded (%u, max: %u)\n", file->name, file->length, ctx->limits->maxfilesize);
if(BLOCKMAX) {
*ctx->virname = "CAB.ExceededFileSize";
cab_free(&cab);
return CL_VIRUS; |
421d947f |
} |
9d675ddb |
continue;
} |
421d947f |
|
9d675ddb |
if(ctx->limits && ctx->limits->maxfiles && (files > ctx->limits->maxfiles)) {
cli_dbgmsg("CAB: Files limit reached (max: %u)\n", ctx->limits->maxfiles);
cab_free(&cab);
if(BLOCKMAX) {
*ctx->virname = "CAB.ExceededFilesLimit";
return CL_VIRUS; |
1ed6a845 |
} |
9d675ddb |
return CL_CLEAN; |
1ed6a845 |
} |
9d675ddb |
tempname = cli_gentemp(NULL); |
db2f0e4d |
cli_dbgmsg("CAB: Extracting file %s to %s, size %u\n", file->name, tempname, file->length);
if((ret = cab_extract(file, tempname))) |
9d675ddb |
cli_dbgmsg("CAB: Failed to extract file: %s\n", cl_strerror(ret));
else
ret = cli_scanfile(tempname, ctx);
if(!cli_leavetemps_flag)
unlink(tempname);
free(tempname); |
1ed6a845 |
if(ret == CL_VIRUS)
break;
}
|
9d675ddb |
cab_free(&cab); |
1ed6a845 |
return ret;
}
|
605b8cf0 |
int cli_scandir(const char *dirname, cli_ctx *ctx) |
c561d2a3 |
{ |
a19f21b6 |
DIR *dd;
struct dirent *dent; |
ec748835 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
8c7e16b8 |
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result; |
a45ec9cc |
#endif |
a19f21b6 |
struct stat statbuf;
char *fname; |
c561d2a3 |
|
a19f21b6 |
if((dd = opendir(dirname)) != NULL) { |
ec748835 |
#ifdef HAVE_READDIR_R_3 |
8c7e16b8 |
while(!readdir_r(dd, &result.d, &dent) && dent) { |
ec748835 |
#elif defined(HAVE_READDIR_R_2) |
8c7e16b8 |
while((dent = (struct dirent *) readdir_r(dd, &result.d))) { |
ec748835 |
#else |
a19f21b6 |
while((dent = readdir(dd))) { |
ec748835 |
#endif |
59afa53d |
#if (!defined(C_CYGWIN)) && (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) |
618a038b |
if(dent->d_ino)
#endif
{ |
a19f21b6 |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name); |
c561d2a3 |
|
a19f21b6 |
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) { |
605b8cf0 |
if (cli_scandir(fname, ctx) == CL_VIRUS) { |
a19f21b6 |
free(fname);
closedir(dd);
return CL_VIRUS;
}
} else
if(S_ISREG(statbuf.st_mode)) |
605b8cf0 |
if(cli_scanfile(fname, ctx) == CL_VIRUS) { |
a19f21b6 |
free(fname);
closedir(dd);
return CL_VIRUS;
} |
c561d2a3 |
|
3ccd73ad |
} |
a19f21b6 |
free(fname); |
c561d2a3 |
}
}
} |
a19f21b6 |
} else { |
26c6ace2 |
cli_dbgmsg("ScanDir: Can't open directory %s.\n", dirname); |
a19f21b6 |
return CL_EOPEN;
} |
c561d2a3 |
|
a19f21b6 |
closedir(dd);
return 0; |
c561d2a3 |
} |
a19f21b6 |
|
605b8cf0 |
static int cli_vba_scandir(const char *dirname, cli_ctx *ctx) |
b151ef55 |
{ |
7f81c1a7 |
int ret = CL_CLEAN, i, fd, ofd, data_len; |
a19f21b6 |
vba_project_t *vba_project; |
b151ef55 |
DIR *dd;
struct dirent *dent; |
ec748835 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
8c7e16b8 |
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result; |
a45ec9cc |
#endif |
b151ef55 |
struct stat statbuf; |
941f3ab8 |
char *fname, *fullname; |
a19f21b6 |
unsigned char *data;
|
26c6ace2 |
cli_dbgmsg("VBADir: %s\n", dirname); |
a19f21b6 |
if((vba_project = (vba_project_t *) vba56_dir_read(dirname))) { |
b151ef55 |
|
a19f21b6 |
for(i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
a19f21b6 |
if(fd == -1) { |
26c6ace2 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
a19f21b6 |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
26c6ace2 |
cli_dbgmsg("VBADir: Decompress VBA project '%s'\n", vba_project->name[i]); |
a19f21b6 |
data = (unsigned char *) vba_decompress(fd, vba_project->offset[i], &data_len);
close(fd);
if(!data) { |
26c6ace2 |
cli_dbgmsg("VBADir: WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]); |
a19f21b6 |
} else { |
605b8cf0 |
if(ctx->scanned)
*ctx->scanned += data_len / CL_COUNT_PRECISION; |
24dcd10b |
|
d4405156 |
if(cli_scanbuff(data, data_len, ctx->virname, ctx->engine, CL_TYPE_MSOLE2) == CL_VIRUS) { |
a19f21b6 |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project); |
dc413343 |
} else if ((fullname = ppt_vba_read(dirname))) { |
605b8cf0 |
if(cli_scandir(fullname, ctx) == CL_VIRUS) { |
dc413343 |
ret = CL_VIRUS;
} |
599f27c8 |
if(!cli_leavetemps_flag)
cli_rmdirs(fullname); |
dc413343 |
free(fullname); |
943fc7fe |
} else if ((vba_project = (vba_project_t *) wm_dir_read(dirname))) {
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
943fc7fe |
if(fd == -1) { |
26c6ace2 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
943fc7fe |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
04078685 |
cli_dbgmsg("VBADir: Decompress WM project '%s' macro:%d key:%d length:%d\n", vba_project->name[i], i, vba_project->key[i], vba_project->length[i]);
if(vba_project->length[i])
data = (unsigned char *) wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]);
else
data = NULL; |
943fc7fe |
close(fd);
if(!data) { |
26c6ace2 |
cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i); |
943fc7fe |
} else { |
605b8cf0 |
if(ctx->scanned)
*ctx->scanned += vba_project->length[i] / CL_COUNT_PRECISION; |
d4405156 |
if(cli_scanbuff(data, vba_project->length[i], ctx->virname, ctx->engine, CL_TYPE_MSOLE2) == CL_VIRUS) { |
943fc7fe |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->key);
free(vba_project->length);
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project); |
a19f21b6 |
} |
943fc7fe |
|
a19f21b6 |
if(ret != CL_CLEAN)
return ret; |
b151ef55 |
|
7f81c1a7 |
/* Check directory for embedded OLE objects */
fullname = (char *) cli_malloc(strlen(dirname) + 16);
sprintf(fullname, "%s/_1_Ole10Native", dirname); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
7f81c1a7 |
free(fullname);
if (fd >= 0) {
ofd = cli_decode_ole_object(fd, dirname);
if (ofd >= 0) { |
674f4b3c |
ret = cli_scandesc(ofd, ctx, 0, 0, 0, NULL); |
7f81c1a7 |
close(ofd);
}
close(fd);
if(ret != CL_CLEAN)
return ret;
}
|
b151ef55 |
if((dd = opendir(dirname)) != NULL) { |
ec748835 |
#ifdef HAVE_READDIR_R_3 |
8c7e16b8 |
while(!readdir_r(dd, &result.d, &dent) && dent) { |
ec748835 |
#elif defined(HAVE_READDIR_R_2) |
8c7e16b8 |
while((dent = (struct dirent *) readdir_r(dd, &result.d))) { |
ec748835 |
#else |
b151ef55 |
while((dent = readdir(dd))) { |
ec748835 |
#endif |
59afa53d |
#if (!defined(C_CYGWIN)) && (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) |
618a038b |
if(dent->d_ino)
#endif
{ |
b151ef55 |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
605b8cf0 |
if (cli_vba_scandir(fname, ctx) == CL_VIRUS) { |
a19f21b6 |
ret = CL_VIRUS;
free(fname);
break;
} |
b151ef55 |
}
free(fname);
}
}
}
} else { |
26c6ace2 |
cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname); |
b151ef55 |
return CL_EOPEN;
}
closedir(dd); |
a19f21b6 |
return ret;
}
|
605b8cf0 |
static int cli_scanhtml(int desc, cli_ctx *ctx) |
0842e139 |
{
char *tempname, fullname[1024];
int ret=CL_CLEAN, fd; |
5e31d55a |
struct stat sb; |
0842e139 |
cli_dbgmsg("in cli_scanhtml()\n");
|
5e31d55a |
if(fstat(desc, &sb) == -1) {
cli_errmsg("cli_scanhtml: fstat() failed for descriptor %d\n", desc);
return CL_EIO;
}
/* Because HTML detection is FP-prone and html_normalise_fd() needs to
* mmap the file don't normalise files larger than 10 MB.
*/
if(sb.st_size > 10485760) {
cli_dbgmsg("cli_scanhtml: exiting (file larger than 10 MB)\n");
return CL_CLEAN;
}
|
0842e139 |
tempname = cli_gentemp(NULL);
if(mkdir(tempname, 0700)) { |
5e31d55a |
cli_errmsg("cli_scanhtml: Can't create temporary directory %s\n", tempname); |
af5f3346 |
free(tempname); |
0842e139 |
return CL_ETMPDIR;
}
html_normalise_fd(desc, tempname, NULL);
snprintf(fullname, 1024, "%s/comment.html", tempname); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
0842e139 |
if (fd >= 0) { |
674f4b3c |
ret = cli_scandesc(fd, ctx, 0, CL_TYPE_HTML, 0, NULL); |
0842e139 |
close(fd);
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/nocomment.html", tempname); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
0842e139 |
if (fd >= 0) { |
674f4b3c |
ret = cli_scandesc(fd, ctx, 0, CL_TYPE_HTML, 0, NULL); |
0842e139 |
close(fd);
}
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/script.html", tempname); |
59afa53d |
fd = open(fullname, O_RDONLY|O_BINARY); |
0842e139 |
if (fd >= 0) { |
674f4b3c |
ret = cli_scandesc(fd, ctx, 0, CL_TYPE_HTML, 0, NULL); |
0842e139 |
close(fd);
}
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/rfc2397", tempname); |
605b8cf0 |
ret = cli_scandir(fullname, ctx); |
0842e139 |
}
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
1e7a21fb |
static int cli_scanhtml_utf16(int desc, cli_ctx *ctx)
{
char *tempname, buff[512], *decoded;
int ret = CL_CLEAN, fd, bytes;
cli_dbgmsg("in cli_scanhtml_utf16()\n");
tempname = cli_gentemp(NULL);
if((fd = open(tempname, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) {
cli_errmsg("cli_scanhtml_utf16: Can't create file %s\n", tempname);
free(tempname);
return CL_EIO;
}
while((bytes = read(desc, buff, sizeof(buff))) > 0) {
decoded = cli_utf16toascii(buff, bytes);
if(decoded) {
if(write(fd, decoded, strlen(decoded)) == -1) {
cli_errmsg("cli_scanhtml_utf16: Can't write to file %s\n", tempname);
free(decoded);
unlink(tempname);
free(tempname);
close(fd);
return CL_EIO;
}
free(decoded);
}
}
fsync(fd);
lseek(fd, 0, SEEK_SET);
ret = cli_scanhtml(fd, ctx);
close(fd);
if(!cli_leavetemps_flag)
unlink(tempname);
else
cli_dbgmsg("cli_scanhtml_utf16: Decoded HTML data saved in %s\n", tempname);
free(tempname);
return ret;
}
|
605b8cf0 |
static int cli_scanole2(int desc, cli_ctx *ctx) |
a19f21b6 |
{ |
941f3ab8 |
char *dir;
int ret = CL_CLEAN; |
a19f21b6 |
|
26c6ace2 |
|
a19f21b6 |
cli_dbgmsg("in cli_scanole2()\n");
/* generate the temporary directory */ |
e5fa5bab |
dir = cli_gentemp(NULL); |
a19f21b6 |
if(mkdir(dir, 0700)) { |
26c6ace2 |
cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir); |
af5f3346 |
free(dir); |
a19f21b6 |
return CL_ETMPDIR;
}
|
605b8cf0 |
if((ret = cli_ole2_extract(desc, dir, ctx->limits))) { |
26c6ace2 |
cli_dbgmsg("OLE2: %s\n", cl_strerror(ret)); |
599f27c8 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
a19f21b6 |
free(dir);
return ret;
}
|
605b8cf0 |
if((ret = cli_vba_scandir(dir, ctx)) != CL_VIRUS) {
if(cli_scandir(dir, ctx) == CL_VIRUS) { |
941f3ab8 |
ret = CL_VIRUS; |
a19f21b6 |
}
}
|
599f27c8 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
a19f21b6 |
free(dir);
return ret; |
b151ef55 |
}
|
605b8cf0 |
static int cli_scantar(int desc, cli_ctx *ctx, unsigned int posix) |
26c6ace2 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scantar()\n");
/* generate temporary directory */ |
e5fa5bab |
dir = cli_gentemp(NULL); |
26c6ace2 |
if(mkdir(dir, 0700)) {
cli_errmsg("Tar: Can't create temporary directory %s\n", dir); |
af5f3346 |
free(dir); |
26c6ace2 |
return CL_ETMPDIR;
}
|
f16bb0d6 |
if((ret = cli_untar(dir, desc, posix, ctx->limits))) |
26c6ace2 |
cli_dbgmsg("Tar: %s\n", cl_strerror(ret));
else |
605b8cf0 |
ret = cli_scandir(dir, ctx); |
26c6ace2 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
605b8cf0 |
static int cli_scanbinhex(int desc, cli_ctx *ctx) |
c85a3e42 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanbinhex()\n");
/* generate temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_errmsg("Binhex: Can't create temporary directory %s\n", dir); |
af5f3346 |
free(dir); |
c85a3e42 |
return CL_ETMPDIR;
}
if((ret = cli_binhex(dir, desc)))
cli_dbgmsg("Binhex: %s\n", cl_strerror(ret));
else |
605b8cf0 |
ret = cli_scandir(dir, ctx); |
c85a3e42 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
605b8cf0 |
static int cli_scanmschm(int desc, cli_ctx *ctx) |
4ad876ad |
{
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanmschm()\n");
|
e5fa5bab |
tempname = cli_gentemp(NULL); |
4ad876ad |
if(mkdir(tempname, 0700)) { |
26c6ace2 |
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); |
af5f3346 |
free(tempname); |
4ad876ad |
return CL_ETMPDIR;
}
if(chm_unpack(desc, tempname)) |
605b8cf0 |
ret = cli_scandir(tempname, ctx); |
4ad876ad |
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
605b8cf0 |
static int cli_scanscrenc(int desc, cli_ctx *ctx) |
a6f7215c |
{
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanscrenc()\n");
|
e5fa5bab |
tempname = cli_gentemp(NULL); |
a6f7215c |
if(mkdir(tempname, 0700)) {
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); |
af5f3346 |
free(tempname); |
a6f7215c |
return CL_ETMPDIR;
}
if (html_screnc_decode(desc, tempname)) |
605b8cf0 |
ret = cli_scandir(tempname, ctx); |
a6f7215c |
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
} |
9bd73bcb |
|
a8b53539 |
static int cli_scanriff(int desc, const char **virname) |
ed5307d9 |
{
int ret = CL_CLEAN;
if(cli_check_riff_exploit(desc) == 2) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS05-002";
}
return ret;
}
|
14ae9b9f |
static int cli_scanjpeg(int desc, const char **virname)
{
int ret = CL_CLEAN;
if(cli_check_jpeg_exploit(desc) == 1) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS04-028";
}
return ret;
}
|
605b8cf0 |
static int cli_scancryptff(int desc, cli_ctx *ctx) |
e2cf58ed |
{ |
e2b5770b |
int ret = CL_CLEAN, ndesc;
unsigned int length, i; |
e2cf58ed |
unsigned char *src = NULL, *dest = NULL;
char *tempfile;
struct stat sb;
if(fstat(desc, &sb) == -1) { |
34a86306 |
cli_errmsg("CryptFF: Can't fstat descriptor %d\n", desc); |
e2cf58ed |
return CL_EIO;
}
/* Skip the CryptFF file header */
if(lseek(desc, 0x10, SEEK_SET) < 0) { |
34a86306 |
cli_errmsg("CryptFF: Can't lseek descriptor %d\n", desc); |
e2cf58ed |
return ret;
}
length = sb.st_size - 0x10;
|
fc81deb5 |
if((dest = (unsigned char *) cli_malloc(length)) == NULL) { |
e2cf58ed |
cli_dbgmsg("CryptFF: Can't allocate memory\n");
return CL_EMEM;
}
|
fc81deb5 |
if((src = (unsigned char *) cli_malloc(length)) == NULL) { |
e2cf58ed |
cli_dbgmsg("CryptFF: Can't allocate memory\n");
free(dest);
return CL_EMEM;
}
if((unsigned int) read(desc, src, length) != length) {
cli_dbgmsg("CryptFF: Can't read from descriptor %d\n", desc);
free(dest);
free(src);
return CL_EIO;
}
for(i = 0; i < length; i++)
dest[i] = src[i] ^ (unsigned char) 0xff;
free(src);
tempfile = cli_gentemp(NULL); |
59afa53d |
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) { |
e2cf58ed |
cli_errmsg("CryptFF: Can't create file %s\n", tempfile);
free(dest);
free(tempfile);
return CL_EIO;
}
if(write(ndesc, dest, length) == -1) {
cli_dbgmsg("CryptFF: Can't write to descriptor %d\n", ndesc);
free(dest);
close(ndesc);
free(tempfile);
return CL_EIO;
}
free(dest);
if(fsync(ndesc) == -1) {
cli_errmsg("CryptFF: Can't fsync descriptor %d\n", ndesc);
close(ndesc);
free(tempfile);
return CL_EIO;
}
lseek(ndesc, 0, SEEK_SET);
cli_dbgmsg("CryptFF: Scanning decrypted data\n");
|
605b8cf0 |
if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS)
cli_dbgmsg("CryptFF: Infected with %s\n", *ctx->virname); |
e2cf58ed |
close(ndesc);
if(cli_leavetemps_flag)
cli_dbgmsg("CryptFF: Decompressed data saved in %s\n", tempfile);
else
unlink(tempfile);
free(tempfile);
return ret;
}
|
605b8cf0 |
static int cli_scanpdf(int desc, cli_ctx *ctx) |
327e0c3c |
{
int ret;
char *dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for PDF file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
|
f3e0aea0 |
ret = cli_pdf(dir, desc, ctx); |
327e0c3c |
if(ret == CL_CLEAN) |
605b8cf0 |
ret = cli_scandir(dir, ctx); |
327e0c3c |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
605b8cf0 |
static int cli_scantnef(int desc, cli_ctx *ctx) |
af5f3346 |
{
int ret;
char *dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_tnef(dir, desc);
if(ret == CL_CLEAN) |
605b8cf0 |
ret = cli_scandir(dir, ctx); |
af5f3346 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
605b8cf0 |
static int cli_scanuuencoded(int desc, cli_ctx *ctx) |
165d8543 |
{
int ret;
char *dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for uuencoded file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_uuencode(dir, desc);
if(ret == CL_CLEAN) |
605b8cf0 |
ret = cli_scandir(dir, ctx); |
165d8543 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
36fbf46f |
/* Outlook PST file */
static int cli_scanpst(int desc, cli_ctx *ctx)
{
int ret;
char *dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for PST file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_pst(dir, desc);
if(ret == CL_SUCCESS)
ret = cli_scandir(dir, ctx);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
605b8cf0 |
static int cli_scanmail(int desc, cli_ctx *ctx) |
b151ef55 |
{
char *dir;
int ret;
|
605b8cf0 |
cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", ctx->mrec, ctx->arec); |
b151ef55 |
|
e5fa5bab |
/* generate the temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR;
} |
b151ef55 |
|
e5fa5bab |
/*
* Extract the attachments into the temporary directory
*/ |
5c86c162 |
if((ret = cli_mbox(dir, desc, ctx))) { |
599f27c8 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
b151ef55 |
free(dir);
return ret; |
e5fa5bab |
}
|
605b8cf0 |
ret = cli_scandir(dir, ctx); |
e5fa5bab |
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret; |
b151ef55 |
}
|
605b8cf0 |
static int cli_scanraw(int desc, cli_ctx *ctx, cli_file_t type) |
66acd7a9 |
{ |
ad94e1cd |
int ret = CL_CLEAN, nret = CL_CLEAN; |
66acd7a9 |
unsigned short ftrec;
struct cli_matched_type *ftoffset = NULL, *fpt; |
d53647d5 |
uint32_t lastzip, lastrar; |
66acd7a9 |
switch(type) {
case CL_TYPE_UNKNOWN_TEXT:
case CL_TYPE_MSEXE:
ftrec = 1;
break;
default:
ftrec = 0;
}
if(lseek(desc, 0, SEEK_SET) < 0) {
cli_errmsg("cli_scanraw: lseek() failed\n");
return CL_EIO;
}
|
674f4b3c |
if((ret = cli_scandesc(desc, ctx, ftrec, type, 0, &ftoffset)) == CL_VIRUS) { |
605b8cf0 |
cli_dbgmsg("%s found in descriptor %d.\n", *ctx->virname, desc); |
66acd7a9 |
return CL_VIRUS;
} else if(ret < 0) {
return ret;
} else if(ret >= CL_TYPENO) {
lseek(desc, 0, SEEK_SET);
|
674f4b3c |
if((nret = cli_scandesc(desc, ctx, 0, ret, 1, NULL)) == CL_VIRUS) {
cli_dbgmsg("%s found in descriptor %d when scanning file type %u\n", *ctx->virname, desc, ret);
return CL_VIRUS;
}
|
605b8cf0 |
ret == CL_TYPE_MAIL ? ctx->mrec++ : ctx->arec++; |
66acd7a9 |
switch(ret) {
case CL_TYPE_HTML: |
4a30feab |
if(SCAN_HTML && type == CL_TYPE_UNKNOWN_TEXT && (DCONF_DOC & DOC_CONF_HTML)) |
ad94e1cd |
if((nret = cli_scanhtml(desc, ctx)) == CL_VIRUS) |
66acd7a9 |
return CL_VIRUS;
break;
case CL_TYPE_MAIL: |
4a30feab |
if(SCAN_MAIL && type == CL_TYPE_UNKNOWN_TEXT && (DCONF_MAIL & MAIL_CONF_MBOX)) |
ad94e1cd |
if((nret = cli_scanmail(desc, ctx)) == CL_VIRUS) |
66acd7a9 |
return CL_VIRUS;
break;
case CL_TYPE_RARSFX:
case CL_TYPE_ZIPSFX: |
b408821a |
case CL_TYPE_CABSFX: |
66acd7a9 |
if(type == CL_TYPE_MSEXE) {
if(SCAN_ARCHIVE) { |
d53647d5 |
lastzip = lastrar = 0xdeadbeef; |
66acd7a9 |
fpt = ftoffset;
while(fpt) { |
4a30feab |
if(fpt->type == CL_TYPE_RARSFX && (DCONF_ARCH & ARCH_CONF_RAR)) { |
66acd7a9 |
cli_dbgmsg("RAR-SFX signature found at %d\n", fpt->offset); |
ad94e1cd |
if((nret = cli_scanrar(desc, ctx, fpt->offset, &lastrar)) == CL_VIRUS) |
66acd7a9 |
break; |
4a30feab |
} else if(fpt->type == CL_TYPE_ZIPSFX && (DCONF_ARCH & ARCH_CONF_ZIP)) { |
66acd7a9 |
cli_dbgmsg("ZIP-SFX signature found at %d\n", fpt->offset); |
ad94e1cd |
if((nret = cli_scanzip(desc, ctx, fpt->offset, &lastzip)) == CL_VIRUS) |
66acd7a9 |
break; |
4a30feab |
} else if(fpt->type == CL_TYPE_CABSFX && (DCONF_ARCH & ARCH_CONF_CAB)) { |
b408821a |
cli_dbgmsg("CAB-SFX signature found at %d\n", fpt->offset);
if((nret = cli_scanmscab(desc, ctx, fpt->offset)) == CL_VIRUS)
break; |
66acd7a9 |
} |
b408821a |
|
66acd7a9 |
fpt = fpt->next;
}
}
while(ftoffset) {
fpt = ftoffset;
ftoffset = ftoffset->next;
free(fpt);
}
|
ad94e1cd |
if(nret == CL_VIRUS)
return nret; |
66acd7a9 |
}
break;
default:
break;
} |
605b8cf0 |
ret == CL_TYPE_MAIL ? ctx->mrec-- : ctx->arec--; |
ad94e1cd |
ret = nret; |
66acd7a9 |
}
return ret;
}
|
605b8cf0 |
int cli_magic_scandesc(int desc, cli_ctx *ctx) |
b151ef55 |
{ |
236b30a3 |
int ret = CL_CLEAN; |
0d01fcb2 |
cli_file_t type; |
255e314c |
struct stat sb;
if(fstat(desc, &sb) == -1) { |
34a86306 |
cli_errmsg("Can't fstat descriptor %d\n", desc); |
255e314c |
return CL_EIO;
} |
b151ef55 |
|
255e314c |
if(sb.st_size <= 5) {
cli_dbgmsg("Small data (%d bytes)\n", sb.st_size);
return CL_CLEAN;
} |
b151ef55 |
|
605b8cf0 |
if(!ctx->engine) { |
f477691c |
cli_errmsg("CRITICAL: engine == NULL\n"); |
bd75bc84 |
return CL_EMALFDB; |
b151ef55 |
}
|
605b8cf0 |
if(!ctx->options) { /* raw mode (stdin, etc.) */ |
df757556 |
cli_dbgmsg("Raw mode: No support for special files\n"); |
674f4b3c |
if((ret = cli_scandesc(desc, ctx, 0, 0, 0, NULL)) == CL_VIRUS) |
605b8cf0 |
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc); |
a13ed400 |
return ret;
}
|
605b8cf0 |
if(SCAN_ARCHIVE && ctx->limits && ctx->limits->maxreclevel)
if(ctx->arec > ctx->limits->maxreclevel) {
cli_dbgmsg("Archive recursion limit exceeded (arec == %d).\n", ctx->arec); |
78afb537 |
if(BLOCKMAX) { |
605b8cf0 |
*ctx->virname = "Archive.ExceededRecursionLimit"; |
78afb537 |
return CL_VIRUS;
} |
a19f21b6 |
return CL_CLEAN; |
0da7859b |
} |
b151ef55 |
|
0da7859b |
if(SCAN_MAIL) |
605b8cf0 |
if(ctx->mrec > MAX_MAIL_RECURSION) {
cli_dbgmsg("Mail recursion level exceeded (mrec == %d).\n", ctx->mrec); |
0da7859b |
/* return CL_EMAXREC; */
return CL_CLEAN;
} |
b151ef55 |
|
a19f21b6 |
lseek(desc, 0, SEEK_SET); |
1e7a21fb |
type = cli_filetype2(desc, ctx->engine); |
26c6ace2 |
lseek(desc, 0, SEEK_SET); |
8b242bb9 |
|
605b8cf0 |
if(type != CL_TYPE_DATA && ctx->engine->sdb) { |
c1df8240 |
if((ret = cli_scanraw(desc, ctx, type)) == CL_VIRUS) |
66acd7a9 |
return CL_VIRUS;
lseek(desc, 0, SEEK_SET);
}
|
605b8cf0 |
type == CL_TYPE_MAIL ? ctx->mrec++ : ctx->arec++; |
2fe19b26 |
|
a19f21b6 |
switch(type) { |
06d4e856 |
case CL_TYPE_RAR: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) |
d53647d5 |
ret = cli_scanrar(desc, ctx, 0, NULL); |
a19f21b6 |
break; |
8b242bb9 |
|
06d4e856 |
case CL_TYPE_ZIP: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) |
d53647d5 |
ret = cli_scanzip(desc, ctx, 0, NULL); |
a19f21b6 |
break; |
8b242bb9 |
|
06d4e856 |
case CL_TYPE_GZ: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_GZ)) |
605b8cf0 |
ret = cli_scangzip(desc, ctx); |
a19f21b6 |
break; |
8b242bb9 |
|
06d4e856 |
case CL_TYPE_BZ: |
41b894c7 |
#ifdef HAVE_BZLIB_H |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BZ)) |
605b8cf0 |
ret = cli_scanbzip(desc, ctx); |
b151ef55 |
#endif |
a19f21b6 |
break; |
8b242bb9 |
|
06d4e856 |
case CL_TYPE_MSSZDD: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD)) |
605b8cf0 |
ret = cli_scanszdd(desc, ctx); |
e2dc6ace |
break;
|
06d4e856 |
case CL_TYPE_MSCAB: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CAB)) |
b408821a |
ret = cli_scanmscab(desc, ctx, 0); |
1ed6a845 |
break;
|
1e7a21fb |
case CL_TYPE_HTML: |
4a30feab |
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML)) |
1e7a21fb |
ret = cli_scanhtml(desc, ctx);
break;
case CL_TYPE_HTML_UTF16: |
4a30feab |
if(SCAN_HTML && (DCONF_DOC & DOC_CONF_HTML)) |
1e7a21fb |
ret = cli_scanhtml_utf16(desc, ctx);
break;
|
f9d258e2 |
case CL_TYPE_RTF: |
4a30feab |
if(DCONF_DOC & DOC_CONF_RTF)
ret = cli_scanrtf(desc, ctx); |
f9d258e2 |
break;
|
06d4e856 |
case CL_TYPE_MAIL: |
4a30feab |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_MBOX)) |
605b8cf0 |
ret = cli_scanmail(desc, ctx); |
a19f21b6 |
break; |
8b242bb9 |
|
c5a962df |
case CL_TYPE_TNEF: |
4a30feab |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_TNEF)) |
605b8cf0 |
ret = cli_scantnef(desc, ctx); |
c5a962df |
break;
|
165d8543 |
case CL_TYPE_UUENCODED: |
4a30feab |
if(DCONF_OTHER & OTHER_CONF_UUENC) |
605b8cf0 |
ret = cli_scanuuencoded(desc, ctx); |
165d8543 |
break;
|
36fbf46f |
case CL_TYPE_PST: |
4a30feab |
if(SCAN_MAIL && (DCONF_MAIL & MAIL_CONF_PST)) |
36fbf46f |
ret = cli_scanpst(desc, ctx);
break;
|
06d4e856 |
case CL_TYPE_MSCHM: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_CHM)) |
605b8cf0 |
ret = cli_scanmschm(desc, ctx); |
4ad876ad |
break;
|
06d4e856 |
case CL_TYPE_MSOLE2: |
4a30feab |
if(SCAN_OLE2 && (DCONF_ARCH & ARCH_CONF_OLE2)) |
605b8cf0 |
ret = cli_scanole2(desc, ctx); |
a19f21b6 |
break; |
8b242bb9 |
|
255e314c |
case CL_TYPE_POSIX_TAR: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR)) |
605b8cf0 |
ret = cli_scantar(desc, ctx, 1); |
255e314c |
break;
case CL_TYPE_OLD_TAR: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_TAR)) |
605b8cf0 |
ret = cli_scantar(desc, ctx, 0); |
c85a3e42 |
break;
case CL_TYPE_BINHEX: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_BINHEX)) |
605b8cf0 |
ret = cli_scanbinhex(desc, ctx); |
26c6ace2 |
break;
|
06d4e856 |
case CL_TYPE_SCRENC: |
4a30feab |
if(DCONF_OTHER & OTHER_CONF_SCRENC)
ret = cli_scanscrenc(desc, ctx); |
ed5307d9 |
break;
case CL_TYPE_RIFF: |
4a30feab |
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_RIFF)) |
605b8cf0 |
ret = cli_scanriff(desc, ctx->virname); |
a6f7215c |
break;
|
14ae9b9f |
case CL_TYPE_GRAPHICS: |
4a30feab |
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG)) |
605b8cf0 |
ret = cli_scanjpeg(desc, ctx->virname); |
14ae9b9f |
break;
|
327e0c3c |
case CL_TYPE_PDF: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_DOC & DOC_CONF_PDF)) /* you may wish to change this line */ |
605b8cf0 |
ret = cli_scanpdf(desc, ctx); |
327e0c3c |
break;
|
e2cf58ed |
case CL_TYPE_CRYPTFF: |
4a30feab |
if(DCONF_OTHER & OTHER_CONF_CRYPTFF)
ret = cli_scancryptff(desc, ctx); |
e2cf58ed |
break;
|
600fad76 |
case CL_TYPE_ELF: |
4a30feab |
if(SCAN_ELF && ctx->dconf->elf) |
605b8cf0 |
ret = cli_scanelf(desc, ctx); |
0c27bce8 |
break;
|
5afe9ae6 |
case CL_TYPE_SIS: |
4a30feab |
if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SIS)) |
605b8cf0 |
ret = cli_scansis(desc, ctx); |
5afe9ae6 |
break;
|
06d4e856 |
case CL_TYPE_DATA: |
a19f21b6 |
/* it could be a false positive and a standard DOS .COM file */
{
struct stat s;
if(fstat(desc, &s) == 0 && S_ISREG(s.st_mode) && s.st_size < 65536) |
06d4e856 |
type = CL_TYPE_UNKNOWN_DATA; |
a19f21b6 |
}
|
06d4e856 |
case CL_TYPE_UNKNOWN_DATA: |
605b8cf0 |
ret = cli_check_mydoom_log(desc, ctx->virname); |
a19f21b6 |
break; |
2869a454 |
default:
break; |
b151ef55 |
}
|
605b8cf0 |
type == CL_TYPE_MAIL ? ctx->mrec-- : ctx->arec--; |
a19f21b6 |
|
605b8cf0 |
if(type != CL_TYPE_DATA && ret != CL_VIRUS && !ctx->engine->sdb) { |
0f8ab293 |
if(cli_scanraw(desc, ctx, type) == CL_VIRUS) |
b151ef55 |
return CL_VIRUS; |
5aad47ca |
} |
b151ef55 |
|
605b8cf0 |
ctx->arec++; |
28652280 |
lseek(desc, 0, SEEK_SET);
switch(type) {
/* Due to performance reasons all executables were first scanned
* in raw mode. Now we will try to unpack them
*/ |
06d4e856 |
case CL_TYPE_MSEXE: |
1c3ec922 |
if(SCAN_PE && ctx->dconf->pe) |
605b8cf0 |
ret = cli_scanpe(desc, ctx); |
28652280 |
break; |
f91f55e0 |
default:
break; |
28652280 |
} |
605b8cf0 |
ctx->arec--; |
28652280 |
|
bd75bc84 |
if(ret == CL_EFORMAT) { |
83b4c1f1 |
cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(CL_EFORMAT)); |
bd75bc84 |
return CL_CLEAN;
} else {
return ret;
} |
b151ef55 |
}
|
f477691c |
int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options) |
b151ef55 |
{ |
605b8cf0 |
cli_ctx ctx;
memset(&ctx, '\0', sizeof(cli_ctx));
ctx.engine = engine;
ctx.virname = virname;
ctx.limits = limits;
ctx.scanned = scanned;
ctx.options = options; |
4a30feab |
ctx.dconf = (struct cli_dconf *) engine->dconf; |
605b8cf0 |
return cli_magic_scandesc(desc, &ctx); |
b151ef55 |
}
|
605b8cf0 |
static int cli_scanfile(const char *filename, cli_ctx *ctx) |
ad640f0b |
{
int fd, ret;
|
0da7859b |
/* internal version of cl_scanfile with arec/mrec preserved */ |
59afa53d |
if((fd = open(filename, O_RDONLY|O_BINARY)) == -1) |
ad640f0b |
return CL_EOPEN;
|
605b8cf0 |
ret = cli_magic_scandesc(fd, ctx); |
ad640f0b |
close(fd);
return ret;
}
|
f477691c |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, const struct cl_limits *limits, unsigned int options) |
b151ef55 |
{
int fd, ret;
|
12565a07 |
|
59afa53d |
if((fd = open(filename, O_RDONLY|O_BINARY)) == -1) |
b151ef55 |
return CL_EOPEN;
|
f477691c |
ret = cl_scandesc(fd, virname, scanned, engine, limits, options); |
b151ef55 |
close(fd);
return ret;
} |