... | ... |
@@ -46,7 +46,7 @@ int cli_pcre_addpatt(struct cli_matcher *root, const char *trigger, const char * |
46 | 46 |
return CL_ENULLARG; |
47 | 47 |
} |
48 | 48 |
|
49 |
- /* TODO: trigger and regex checking (string length limitations) */ |
|
49 |
+ /* TODO: trigger and regex checking (string length limitations, no self referencal or other pcre referential) */ |
|
50 | 50 |
|
51 | 51 |
/* allocating entries */ |
52 | 52 |
pm = (struct cli_pcre_meta *)mpool_calloc(root->mempool, 1, sizeof(*pm)); |
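Review bot: The reworded TODO at new line 49 is hard to read and misspells "referential", and it is the only record that trigger and regex reach the allocation below it unchecked. A clearer form would be `/* TODO: validate trigger and regex (length limits; reject triggers that reference this or any other PCRE subsig) */`. The hunk shows only part of cli_pcre_addpatt, so whether any of this is checked later in the function cannot be seen here.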
... | ... |
@@ -170,7 +170,7 @@ int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hex |
170 | 170 |
|
171 | 171 |
/* check for trigger */ |
172 | 172 |
if (!tlen) { |
173 |
- cli_dbgmsg("cli_parseadd(): cannot add pcre without logical trigger\n"); |
|
173 |
+ cli_errmsg("cli_parseadd(): cannot add pcre without logical trigger\n"); |
|
174 | 174 |
return CL_EMALFDB; |
175 | 175 |
} |
176 | 176 |
|
... | ... |
@@ -216,27 +216,8 @@ int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hex |
216 | 216 |
|
217 | 217 |
cli_dbgmsg("trigger %s; regex %s; cflags %s\n", trigger, regex, cflags); |
218 | 218 |
|
219 |
- /* TODO: allow subsigs to be validated during the subsig counting phase; validation of trigger occurs in cli_pcre_addpatt */ |
|
219 |
+ /* TODO: validation of trigger occurs in cli_pcre_addpatt */ |
|
220 | 220 |
|
221 |
- /* if trigger is PCRE_BYPASS, add to unconditionally run pcres (move to cli_pcre_addpatt) */ |
|
222 |
- /* if (!strncmp(trigger, PCRE_BYPASS, tlen)) { |
|
223 |
- cli_dbgmsg("unconditional pcre regex detected: %s\n", wild); |
|
224 |
- free(trigger); |
|
225 |
- |
|
226 |
- regex = cli_calloc(rlen+1, sizeof(char)); |
|
227 |
- if (!regex) { |
|
228 |
- cli_errmsg("cli_parseadd(): cannot allocate memory\n"); |
|
229 |
- return CL_EMEM; |
|
230 |
- } |
|
231 |
- strncpy(regex, hexsig+tlen+1, rlen); |
|
232 |
- regex[rlen] = '\0'; |
|
233 |
- |
|
234 |
- ret = cli_pcre_adducondpatt(root, regex, lsigid); |
|
235 |
- free(regex); |
|
236 |
- |
|
237 |
- return ret; |
|
238 |
- } |
|
239 |
- */ |
|
240 | 221 |
/* normal trigger */ |
241 | 222 |
cli_dbgmsg("pcre regex detected: %s on trigger: %s with cflags: %s\n", regex, trigger, cflags); |
242 | 223 |
ret = cli_pcre_addpatt(root, trigger, regex, cflags, lsigid); |
... | ... |
@@ -1363,10 +1344,58 @@ static int load_oneldb(char *buffer, int chkpua, struct cl_engine *engine, unsig |
1363 | 1363 |
return CL_EMALFDB; |
1364 | 1364 |
} |
1365 | 1365 |
subsigs++; |
1366 |
- if(subsigs > 64) { |
|
1367 |
- cli_errmsg("cli_loadldb: Broken logical expression or too many subsignatures\n"); |
|
1368 |
- return CL_EMALFDB; |
|
1366 |
+ |
|
1367 |
+#if HAVE_PCRE |
|
1368 |
+ /* Regex LSig Check */ |
|
1369 |
+ for (i = 0; i < tokens_count-3; ++i) { |
|
1370 |
+ char *wild; |
|
1371 |
+ int rssigs; |
|
1372 |
+ |
|
1373 |
+ if ((wild = strchr(tokens[i+3], '/'))) { |
|
1374 |
+ char *trigger; |
|
1375 |
+ size_t tlen = wild-tokens[i+3]; |
|
1376 |
+ |
|
1377 |
+ /* check for trigger */ |
|
1378 |
+ if (!tlen) { |
|
1379 |
+ cli_errmsg("cli_loadldb: cannot add pcre without logical trigger\n"); |
|
1380 |
+ return CL_EMALFDB; |
|
1381 |
+ } |
|
1382 |
+ |
|
1383 |
+ /* get the trigger statement */ |
|
1384 |
+ trigger = cli_calloc(tlen+1, sizeof(char)); |
|
1385 |
+ if (!trigger) { |
|
1386 |
+ cli_errmsg("cli_loadldb: cannot allocate memory for trigger string\n"); |
|
1387 |
+ return CL_EMEM; |
|
1388 |
+ } |
|
1389 |
+ strncpy(trigger, tokens[i+3], tlen); |
|
1390 |
+ trigger[tlen] = '\0'; |
|
1391 |
+ |
|
1392 |
+ /* validate the lsig */ |
|
1393 |
+ rssigs = cli_ac_chklsig(trigger, trigger + strlen(trigger), NULL, NULL, NULL, 1); |
|
1394 |
+ if((strcmp(trigger, PCRE_BYPASS)) && (rssigs == -1)) { |
|
1395 |
+ cli_errmsg("cli_loadldb: regex subsig %d is missing a valid logical trigger\n", i); |
|
1396 |
+ return CL_EMALFDB; |
|
1397 |
+ } |
|
1398 |
+ |
|
1399 |
+ /* overwrite the global subsig count if the local one is greater */ |
|
1400 |
+ if (rssigs+1 > subsigs) |
|
1401 |
+ subsigs = rssigs+1; /* +1 is from the 'subsigs++;' above */ |
|
1402 |
+ |
|
1403 |
+ cli_dbgmsg("cli_loadldb: regex subsig %d uses %d(%d) highest ID\n", i, rssigs, rssigs+1); |
|
1404 |
+ free(trigger); |
|
1405 |
+ } |
|
1369 | 1406 |
} |
1407 |
+#else |
|
1408 |
+ /* Regex Usage and Support Check */ |
|
1409 |
+ for (i = 0; i < subsigs; ++i) { |
|
1410 |
+ if (strchr(tokens[i+3], '/')) { |
|
1411 |
+ cli_dbgmsg("cli_loadldb: logical signature for %s uses PCREs but support is disabled, skipping\n", virname); |
|
1412 |
+ (*sigs)--; |
|
1413 |
+ return CL_SUCCESS; |
|
1414 |
+ } |
|
1415 |
+ } |
|
1416 |
+#endif |
|
1417 |
+ |
|
1370 | 1418 |
if (!line) { |
1371 | 1419 |
/* This is a logical signature from the bytecode, we need all |
1372 | 1420 |
* subsignatures, even if not referenced from the logical expression */ |
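Review bot: The added PCRE check leaks `trigger` on its error path: the buffer from `cli_calloc` at new line 1384 is released only at 1404, so the `return CL_EMALFDB;` at 1396 skips it; add `free(trigger);` just before that return. Separately, the `#else` loop at 1409 now reads `tokens[i+3]` for every `i < subsigs` ahead of the checks it used to follow (the old copy, removed in the next hunk, sat after a `return CL_EMALFDB;` context line). If those checks are what tie `subsigs` to the token count, a malformed signature could push that read past the array in builds without PCRE, so confirm the bound or move the loop back below them. load_oneldb begins and ends outside this hunk.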
... | ... |
@@ -1381,16 +1410,11 @@ static int load_oneldb(char *buffer, int chkpua, struct cl_engine *engine, unsig |
1381 | 1381 |
return CL_EMALFDB; |
1382 | 1382 |
} |
1383 | 1383 |
|
1384 |
- /* Regex Usage and Support Check */ |
|
1385 |
-#if !HAVE_PCRE |
|
1386 |
- for (i = 0; i < subsigs; ++i) { |
|
1387 |
- if (strchr(tokens[i+3], '/')) { |
|
1388 |
- cli_dbgmsg("cli_loadldb: logical signature for %s uses PCREs but support is disabled, skipping\n", virname); |
|
1389 |
- (*sigs)--; |
|
1390 |
- return CL_SUCCESS; |
|
1391 |
- } |
|
1384 |
+ /* enforce 64 subsig cap */ |
|
1385 |
+ if(subsigs > 64) { |
|
1386 |
+ cli_errmsg("cli_loadldb: Broken logical expression or too many subsignatures\n"); |
|
1387 |
+ return CL_EMALFDB; |
|
1392 | 1388 |
} |
1393 |
-#endif |
|
1394 | 1389 |
|
1395 | 1390 |
/* TDB */ |
1396 | 1391 |
memset(&tdb, 0, sizeof(tdb)); |
... | ... |
@@ -183,8 +183,10 @@ static void named_substr_print(struct cli_pcre_data *pd, const unsigned char *bu |
183 | 183 |
|
184 | 184 |
cli_dbgmsg("named_substr: (%d) %*s: %s%s\n", n, name_entry_size - 3, tabptr + 2, |
185 | 185 |
outstr, trunc ? " (trunc)":""); |
186 |
- /*cli_dbgmsg("named_substr: (%d) %*s: %.*s%s\n", n, name_entry_size - 3, tabptr + 2, |
|
187 |
- ovector[2*n+1] - ovector[2*n], subject + ovector[2*n], trunc ? " (trunc)":"");*/ |
|
186 |
+ /* |
|
187 |
+ cli_dbgmsg("named_substr: (%d) %*s: %.*s%s\n", n, name_entry_size - 3, tabptr + 2, |
|
188 |
+ length, start, trunc ? " (trunc)":""); |
|
189 |
+ */ |
|
188 | 190 |
tabptr += name_entry_size; |
189 | 191 |
} |
190 | 192 |
} |
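Review bot: The block comment at new lines 186-189 keeps a disabled `cli_dbgmsg` call in the source, now rewritten to use `length` and `start`, which the compiler never checks against the function's actual locals. Commented-out code like this drifts silently; either delete it or replace it with a one-line comment saying why the `%.*s` form was dropped in favour of printing `outstr`. named_substr_print starts outside this hunk, so the declarations of those names are not visible here.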