/*
* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2007-2013 Sourcefire, Inc.
*
* Authors: Nigel Horne
*
* Summary: Extract files compressed with TAR compression format.
*
* Acknowledgements: ClamAV untar code is based on a public domain minitar utility
* by Charles G. Waldman.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include <stdio.h>
#include <errno.h>
#include <string.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <sys/stat.h>
#include <fcntl.h>
#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h> /* for NAME_MAX */
#endif
#include "clamav.h"
#include "others.h"
#include "untar.h"
#include "mbox.h"
#include "blob.h"
#include "scanners.h"
#include "matcher.h"
#define TARHEADERSIZE 512
/* BLOCKSIZE must be >= TARHEADERSIZE */
#define BLOCKSIZE TARHEADERSIZE
#define TARSIZEOFFSET 124
#define TARSIZELEN 12
#define TARCHECKSUMOFFSET 148
#define TARCHECKSUMLEN 8
#define TARFILETYPEOFFSET 156
static int
octal(const char *str)
{
int ret;
if (sscanf(str, "%o", (unsigned int *)&ret) != 1)
return -1;
return ret;
}
/**
* Retrieve checksum values from a tar header block.
* @param header Header data block, padded with zeroes to reach BLOCKSIZE
* @return int value of checksum, -1 (from octal()) if bad value
*/
static int
getchecksum(const char *header)
{
char ochecksum[TARCHECKSUMLEN + 1];
int checksum = -1;
strncpy(ochecksum, header + TARCHECKSUMOFFSET, TARCHECKSUMLEN);
ochecksum[TARCHECKSUMLEN] = '\0';
checksum = octal(ochecksum);
return checksum;
}
/**
* Calculate checksum values for tar header blocks.
* @param header Header data block, padded with zeroes to reach BLOCKSIZE
* @param targetsum Check value to match (as int not octal!)
* @return 0 if checksum matches target, -1 if not
*/
static int
testchecksum(const char *header, int targetsum)
{
const unsigned char *posix;
const signed char *legacy;
int posix_sum = 0, legacy_sum = 0;
int i;
// targetsum -1 represents an error from octal()
if (targetsum == -1) {
return -1;
}
/* Build checksums. POSIX is unsigned; some legacy tars use signed. */
posix = (unsigned char *)header;
legacy = (signed char *)header;
for (i = 0; i < BLOCKSIZE; i++) {
if ((i >= TARCHECKSUMOFFSET) && (i < TARCHECKSUMOFFSET + TARCHECKSUMLEN)) {
/* Use ascii value of space in place of checksum value */
posix_sum += 32;
legacy_sum += 32;
} else {
posix_sum += posix[i];
legacy_sum += legacy[i];
}
}
if ((targetsum == posix_sum) || (targetsum == legacy_sum)) {
return 0;
}
return -1;
}
cl_error_t cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
{
cl_error_t ret;
size_t size = 0;
int size_int = 0;
int fout = -1;
int in_block = 0;
int last_header_bad = 0;
int limitnear = 0;
unsigned int files = 0;
char fullname[NAME_MAX + 1];
size_t pos = 0;
size_t currsize = 0;
char zero[BLOCKSIZE];
unsigned int num_viruses = 0;
cli_dbgmsg("In untar(%s)\n", dir);
memset(zero, 0, sizeof(zero));
for (;;) {
const char *block;
size_t nread;
block = fmap_need_off_once_len(*ctx->fmap, pos, BLOCKSIZE, &nread);
cli_dbgmsg("cli_untar: pos = %lu\n", (unsigned long)pos);
if (!in_block && !nread)
break;
if (!nread)
block = zero;
if (!block) {
if (fout >= 0)
close(fout);
cli_errmsg("cli_untar: block read error\n");
return CL_EREAD;
}
pos += nread;
if (!in_block) {
char type;
int directory, skipEntry = 0;
int checksum = -1;
char magic[7], name[101], osize[TARSIZELEN + 1];
currsize = 0;
if (fout >= 0) {
lseek(fout, 0, SEEK_SET);
ret = cli_magic_scandesc(fout, fullname, ctx);
close(fout);
if (!ctx->engine->keeptmp)
if (cli_unlink(fullname)) return CL_EUNLINK;
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return CL_VIRUS;
else
num_viruses++;
}
fout = -1;
}
if (block[0] == '\0') /* We're done */
break;
if ((ret = cli_checklimits("cli_untar", ctx, 0, 0, 0)) != CL_CLEAN)
return ret;
if (nread < TARHEADERSIZE) {
return CL_CLEAN;
}
checksum = getchecksum(block);
cli_dbgmsg("cli_untar: Candidate checksum = %d, [%o in octal]\n", checksum, checksum);
if (testchecksum(block, checksum) != 0) {
// If checksum is bad, dump and look for next header block
cli_dbgmsg("cli_untar: Invalid checksum in tar header. Skip to next...\n");
if (last_header_bad == 0) {
last_header_bad++;
cli_dbgmsg("cli_untar: Invalid checksum found inside archive!\n");
}
continue;
} else {
last_header_bad = 0;
cli_dbgmsg("cli_untar: Checksum %d is valid.\n", checksum);
}
if (posix) {
strncpy(magic, block + 257, 5);
magic[5] = '\0';
if (strcmp(magic, "ustar") != 0) {
cli_dbgmsg("cli_untar: Incorrect magic string '%s' in tar header\n", magic);
return CL_EFORMAT;
}
}
type = block[TARFILETYPEOFFSET];
switch (type) {
default:
cli_dbgmsg("cli_untar: unknown type flag %c\n", type);
case '0': /* plain file */
case '\0': /* plain file */
case '7': /* contiguous file */
case 'M': /* continuation of a file from another volume; might as well scan it. */
files++;
directory = 0;
break;
case '1': /* Link to already archived file */
case '5': /* directory */
case '2': /* sym link */
case '3': /* char device */
case '4': /* block device */
case '6': /* fifo special */
case 'V': /* Volume header */
directory = 1;
break;
case 'K':
case 'L':
/* GNU extension - ././@LongLink
* Discard the blocks with the extended filename,
* the last header will contain parts of it anyway
*/
case 'N': /* Old GNU format way of storing long filenames. */
case 'A': /* Solaris ACL */
case 'E': /* Solaris Extended attribute s*/
case 'I': /* Inode only */
case 'g': /* Global extended header */
case 'x': /* Extended attributes */
case 'X': /* Extended attributes (POSIX) */
directory = 0;
skipEntry = 1;
break;
}
if (directory) {
in_block = 0;
continue;
}
strncpy(osize, block + TARSIZEOFFSET, TARSIZELEN);
osize[TARSIZELEN] = '\0';
size_int = octal(osize);
if (size_int < 0) {
cli_dbgmsg("cli_untar: Invalid size in tar header\n");
skipEntry++;
} else {
size = (size_t)size_int;
cli_dbgmsg("cli_untar: size = %zu\n", size);
ret = cli_checklimits("cli_untar", ctx, size, 0, 0);
switch (ret) {
case CL_EMAXFILES: // Scan no more files
skipEntry++;
limitnear = 0;
break;
case CL_EMAXSIZE: // Either single file limit or total byte limit would be exceeded
cli_dbgmsg("cli_untar: would exceed limit, will try up to max");
limitnear = 1;
break;
default: // Ok based on reported content size
limitnear = 0;
break;
}
}
if (skipEntry) {
const int nskip = (size % BLOCKSIZE || !size) ? size + BLOCKSIZE - (size % BLOCKSIZE) : size;
if (nskip < 0) {
cli_dbgmsg("cli_untar: got negative skip size, giving up\n");
return CL_CLEAN;
}
cli_dbgmsg("cli_untar: skipping entry\n");
pos += nskip;
continue;
}
strncpy(name, block, 100);
name[100] = '\0';
if (cli_matchmeta(ctx, name, size, size, 0, files, 0, NULL) == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return CL_VIRUS;
else
num_viruses++;
}
snprintf(fullname, sizeof(fullname) - 1, "%s" PATHSEP "tar%02u", dir, files);
fullname[sizeof(fullname) - 1] = '\0';
fout = open(fullname, O_RDWR | O_CREAT | O_EXCL | O_TRUNC | O_BINARY, 0600);
if (fout < 0) {
char err[128];
cli_errmsg("cli_untar: Can't create temporary file %s: %s\n", fullname, cli_strerror(errno, err, sizeof(err)));
return CL_ETMPFILE;
}
cli_dbgmsg("cli_untar: extracting to %s\n", fullname);
in_block = 1;
} else { /* write or continue writing file contents */
size_t nbytes, nwritten;
int skipwrite = 0;
char err[128];
nbytes = (size > 512) ? 512 : size;
if (nread && (nread < nbytes))
nbytes = nread;
if (limitnear > 0) {
currsize += nbytes;
cli_dbgmsg("cli_untar: Approaching limit...\n");
if (cli_checklimits("cli_untar", ctx, (unsigned long)currsize, 0, 0) != CL_SUCCESS) {
// Limit would be exceeded by this file, suppress writing beyond limit
// Need to keep reading to get to end of file chunk
skipwrite++;
}
}
if (skipwrite == 0) {
nwritten = cli_writen(fout, block, nbytes);
if (nwritten != nbytes) {
cli_errmsg("cli_untar: only wrote %zu bytes to file %s (out of disc space?): %s\n",
nwritten, fullname, cli_strerror(errno, err, sizeof(err)));
close(fout);
return CL_EWRITE;
}
}
if (nbytes > size) {
cli_warnmsg("cli_untar: More bytes written than requested!\n");
size = 0;
} else {
size -= nbytes;
}
if ((size != 0) && (nread == 0)) {
// Truncated tar file, so end file content like tar behavior
cli_dbgmsg("cli_untar: No bytes read! Forcing end of file content.\n");
size = 0;
}
}
if (size == 0)
in_block = 0;
}
if (fout >= 0) {
lseek(fout, 0, SEEK_SET);
ret = cli_magic_scandesc(fout, fullname, ctx);
close(fout);
if (!ctx->engine->keeptmp)
if (cli_unlink(fullname)) return CL_EUNLINK;
if (ret == CL_VIRUS)
return CL_VIRUS;
}
if (num_viruses)
return CL_VIRUS;
return CL_CLEAN;
}