...
|
...
|
@@ -232,11 +232,11 @@ static blob *getHrefs(message *m, tag_arguments_t *hrefs);
|
232
|
232
|
static void hrefs_done(blob *b, tag_arguments_t *hrefs);
|
233
|
233
|
static void checkURLs(message *m, mbox_ctx *mctx, mbox_status *rc, int is_html);
|
234
|
234
|
|
235
|
|
-static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx);
|
236
|
|
-static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx);
|
237
|
|
-static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx);
|
238
|
|
-static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx);
|
239
|
|
-static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx);
|
|
235
|
+static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc);
|
|
236
|
+static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound);
|
|
237
|
+static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound);
|
|
238
|
+static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound);
|
|
239
|
+static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound);
|
240
|
240
|
|
241
|
241
|
/* Maximum line length according to RFC2821 */
|
242
|
242
|
#define RFC2821LENGTH 1000
|
...
|
...
|
@@ -769,7 +769,7 @@ doContinueMultipleEmptyOptions(const char *const line, bool *lastWasOnlySemi)
|
769
|
769
|
}
|
770
|
770
|
|
771
|
771
|
static bool
|
772
|
|
-hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
|
|
772
|
+hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound)
|
773
|
773
|
{
|
774
|
774
|
|
775
|
775
|
if (line) {
|
...
|
...
|
@@ -782,6 +782,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
|
782
|
782
|
if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
|
783
|
783
|
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
784
|
784
|
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
|
|
785
|
+ *heuristicFound = TRUE;
|
785
|
786
|
}
|
786
|
787
|
|
787
|
788
|
return TRUE;
|
...
|
...
|
@@ -791,12 +792,13 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
|
791
|
791
|
}
|
792
|
792
|
|
793
|
793
|
static bool
|
794
|
|
-haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
|
|
794
|
+haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound)
|
795
|
795
|
{
|
796
|
796
|
|
797
|
797
|
if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
|
798
|
798
|
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
799
|
799
|
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
|
|
800
|
+ *heuristicFound = TRUE;
|
800
|
801
|
}
|
801
|
802
|
|
802
|
803
|
return TRUE;
|
...
|
...
|
@@ -805,12 +807,13 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
|
805
|
805
|
}
|
806
|
806
|
|
807
|
807
|
static bool
|
808
|
|
-haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
|
|
808
|
+haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound)
|
809
|
809
|
{
|
810
|
810
|
|
811
|
811
|
if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
|
812
|
812
|
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
813
|
813
|
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
|
|
814
|
+ *heuristicFound = TRUE;
|
814
|
815
|
}
|
815
|
816
|
|
816
|
817
|
return TRUE;
|
...
|
...
|
@@ -819,12 +822,13 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
|
819
|
819
|
}
|
820
|
820
|
|
821
|
821
|
static bool
|
822
|
|
-haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
|
|
822
|
+haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc)
|
823
|
823
|
{
|
824
|
824
|
|
825
|
825
|
if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
|
826
|
826
|
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
827
|
827
|
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
|
|
828
|
+ *rc = VIRUS;
|
828
|
829
|
}
|
829
|
830
|
|
830
|
831
|
return TRUE;
|
...
|
...
|
@@ -833,12 +837,13 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
|
833
|
833
|
}
|
834
|
834
|
|
835
|
835
|
static bool
|
836
|
|
-haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx)
|
|
836
|
+haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound)
|
837
|
837
|
{
|
838
|
838
|
|
839
|
839
|
if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
|
840
|
840
|
if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
|
841
|
841
|
cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
|
|
842
|
+ *heuristicFound = TRUE;
|
842
|
843
|
}
|
843
|
844
|
|
844
|
845
|
return TRUE;
|
...
|
...
|
@@ -899,8 +904,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
|
899
|
899
|
continue;
|
900
|
900
|
}
|
901
|
901
|
|
902
|
|
- if (hitLineFoldCnt(line, &lineFoldCnt, ctx)) {
|
903
|
|
- *heuristicFound = TRUE;
|
|
902
|
+ if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound )) {
|
904
|
903
|
break;
|
905
|
904
|
}
|
906
|
905
|
|
...
|
...
|
@@ -947,8 +951,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
|
947
|
947
|
DO_VERIFY_POINTER(header);
|
948
|
948
|
|
949
|
949
|
totalHeaderCnt++;
|
950
|
|
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
|
951
|
|
- *heuristicFound = TRUE;
|
|
950
|
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
|
952
|
951
|
break;
|
953
|
952
|
}
|
954
|
953
|
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
|
...
|
...
|
@@ -1037,8 +1040,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
|
1037
|
1037
|
|
1038
|
1038
|
if (lineAdded) {
|
1039
|
1039
|
totalHeaderBytes += strlen(line);
|
1040
|
|
- if (haveTooManyHeaderBytes(totalHeaderBytes, ctx)) {
|
1041
|
|
- *heuristicFound = TRUE;
|
|
1040
|
+ if (haveTooManyHeaderBytes(totalHeaderBytes, ctx, heuristicFound)) {
|
1042
|
1041
|
break;
|
1043
|
1042
|
}
|
1044
|
1043
|
}
|
...
|
...
|
@@ -1069,8 +1071,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
|
1069
|
1069
|
|
1070
|
1070
|
if (0 == needContinue) {
|
1071
|
1071
|
totalHeaderCnt++;
|
1072
|
|
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
|
1073
|
|
- *heuristicFound = TRUE;
|
|
1072
|
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
|
1074
|
1073
|
break;
|
1075
|
1074
|
}
|
1076
|
1075
|
needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
|
...
|
...
|
@@ -1205,8 +1206,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
|
1205
|
1205
|
continue;
|
1206
|
1206
|
}
|
1207
|
1207
|
|
1208
|
|
- if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx)) {
|
1209
|
|
- *heuristicFound = TRUE;
|
|
1208
|
+ if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx, heuristicFound)) {
|
1210
|
1209
|
break;
|
1211
|
1210
|
}
|
1212
|
1211
|
|
...
|
...
|
@@ -1283,8 +1283,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
|
1283
|
1283
|
}
|
1284
|
1284
|
|
1285
|
1285
|
if (lineAdded) {
|
1286
|
|
- if (haveTooManyHeaderBytes(fulllinelength, m->ctx)) {
|
1287
|
|
- *heuristicFound = TRUE;
|
|
1286
|
+ if (haveTooManyHeaderBytes(fulllinelength, m->ctx, heuristicFound)) {
|
1288
|
1287
|
break;
|
1289
|
1288
|
}
|
1290
|
1289
|
}
|
...
|
...
|
@@ -1306,8 +1305,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
|
1306
|
1306
|
}
|
1307
|
1307
|
|
1308
|
1308
|
totalHeaderCnt++;
|
1309
|
|
- if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx)) {
|
1310
|
|
- *heuristicFound = TRUE;
|
|
1309
|
+ if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx, heuristicFound)) {
|
1311
|
1310
|
break;
|
1312
|
1311
|
}
|
1313
|
1312
|
if (parseEmailHeader(ret, fullline, rfc821, m->ctx, heuristicFound) < 0) {
|
...
|
...
|
@@ -2209,9 +2207,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
|
2209
|
2209
|
|
2210
|
2210
|
free((char *)boundary);
|
2211
|
2211
|
|
2212
|
|
- if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx)) {
|
|
2212
|
+ if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
|
2213
|
2213
|
DO_FREE(messages);
|
2214
|
|
- rc = VIRUS;
|
2215
|
2214
|
break;
|
2216
|
2215
|
}
|
2217
|
2216
|
|
...
|
...
|
@@ -3290,8 +3287,7 @@ parseMimeHeader(message *m, const char *cmd, const table_t *rfc821Table, const c
|
3290
|
3290
|
cli_dbgmsg("mimeArgs = '%s'\n", buf);
|
3291
|
3291
|
|
3292
|
3292
|
argCnt++;
|
3293
|
|
- if (haveTooManyMIMEArguments(argCnt, ctx)) {
|
3294
|
|
- *heuristicFound = TRUE;
|
|
3293
|
+ if (haveTooManyMIMEArguments(argCnt, ctx, heuristicFound )) {
|
3295
|
3294
|
break;
|
3296
|
3295
|
}
|
3297
|
3296
|
messageAddArguments(m, buf);
|