
Modified mbox.c to only mark files as infected with heuristic alerts if heuristic alerts are enabled.

Andy Ragusa authored on 2019/11/20 08:55:47
Showing 1 changed files
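--- a/mbox.c
+++ b/mbox.c
@@ -232,11 +232,11 @@ static blob *getHrefs(message *m, tag_arguments_t *hrefs);
 static void hrefs_done(blob *b, tag_arguments_t *hrefs);
 static void checkURLs(message *m, mbox_ctx *mctx, mbox_status *rc, int is_html);
 
-static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx);
-static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx);
-static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx);
-static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx);
-static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx);
+static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status  * rc);
+static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound);
 
 /* Maximum line length according to RFC2821 */
 #define RFC2821LENGTH 1000
@@ -769,7 +769,7 @@ doContinueMultipleEmptyOptions(const char *const line, bool *lastWasOnlySemi)
 }
 
 static bool
-hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
+hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 
     if (line) {
@@ -782,6 +782,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
         if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
             if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
                 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
+                *heuristicFound = TRUE;
             }
 
             return TRUE;
@@ -791,12 +792,13 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
 }
 
 static bool
-haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
+haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound)
 {
 
     if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
         if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
             cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
+            *heuristicFound = TRUE;
         }
 
         return TRUE;
@@ -805,12 +807,13 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
 }
 
 static bool
-haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
+haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 
     if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
         if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
             cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
+            *heuristicFound = TRUE;
         }
 
         return TRUE;
@@ -819,12 +822,13 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
 }
 
 static bool
-haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
+haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status  * rc)
 {
 
     if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
         if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
             cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
+            *rc = VIRUS;
         }
 
         return TRUE;
@@ -833,12 +837,13 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
 }
 
 static bool
-haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx)
+haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 
     if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
         if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
             cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
+            *heuristicFound = TRUE;
         }
 
         return TRUE;
@@ -899,8 +904,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
             continue;
         }
 
-        if (hitLineFoldCnt(line, &lineFoldCnt, ctx)) {
-            *heuristicFound = TRUE;
+        if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound )) {
             break;
         }
 
@@ -947,8 +951,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
                         DO_VERIFY_POINTER(header);
 
                         totalHeaderCnt++;
-                        if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
-                            *heuristicFound = TRUE;
+                        if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
                             break;
                         }
                         needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
@@ -1037,8 +1040,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 
                 if (lineAdded) {
                     totalHeaderBytes += strlen(line);
-                    if (haveTooManyHeaderBytes(totalHeaderBytes, ctx)) {
-                        *heuristicFound = TRUE;
+                    if (haveTooManyHeaderBytes(totalHeaderBytes, ctx, heuristicFound)) {
                         break;
                     }
                 }
@@ -1069,8 +1071,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 
                     if (0 == needContinue) {
                         totalHeaderCnt++;
-                        if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
-                            *heuristicFound = TRUE;
+                        if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
                             break;
                         }
                         needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
@@ -1205,8 +1206,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
             continue;
         }
 
-        if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx)) {
-            *heuristicFound = TRUE;
+        if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx, heuristicFound)) {
             break;
         }
 
@@ -1283,8 +1283,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
                 }
 
                 if (lineAdded) {
-                    if (haveTooManyHeaderBytes(fulllinelength, m->ctx)) {
-                        *heuristicFound = TRUE;
+                    if (haveTooManyHeaderBytes(fulllinelength, m->ctx, heuristicFound)) {
                         break;
                     }
                 }
@@ -1306,8 +1305,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
                 }
 
                 totalHeaderCnt++;
-                if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx)) {
-                    *heuristicFound = TRUE;
+                if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx, heuristicFound)) {
                     break;
                 }
                 if (parseEmailHeader(ret, fullline, rfc821, m->ctx, heuristicFound) < 0) {
@@ -2209,9 +2207,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
 
                 free((char *)boundary);
 
-                if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx)) {
+                if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
                     DO_FREE(messages);
-                    rc = VIRUS;
                     break;
                 }
 
@@ -3290,8 +3287,7 @@ parseMimeHeader(message *m, const char *cmd, const table_t *rfc821Table, const c
                     cli_dbgmsg("mimeArgs = '%s'\n", buf);
 
                     argCnt++;
-                    if (haveTooManyMIMEArguments(argCnt, ctx)) {
-                        *heuristicFound = TRUE;
+                    if (haveTooManyMIMEArguments(argCnt, ctx, heuristicFound )) {
                         break;
                     }
                     messageAddArguments(m, buf);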
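Review bot: With heuristic alerts disabled, `hitLineFoldCnt` and the four `haveTooMany*` helpers still return TRUE, so every caller still hits `break` and stops parsing, but nothing now records that the message was cut short. There is no alert, `*heuristicFound` stays unset, and in `parseEmailBody` `rc` keeps whatever value it had before the check (its earlier assignments are outside the hunk). A message that exceeds one of these limits is then only partly examined and leaves no trace for later triage. I would add a debug line on the non-alerting path in each helper, for example `cli_dbgmsg("hitLineFoldCnt: line fold limit reached, parsing stops here\n");` just before `return TRUE;`. Each helper also deserves a short comment saying that the return value means "limit reached, stop parsing" while the out-parameter is written only when an alert was actually raised.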