Browse code
capped the number of yara strings to MAX_LDB_SUBSIGS
Kevin Lin authored on 2015/02/14 06:37:38Showing 1 changed files
| ... | ... |
@@ -3260,17 +3260,23 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
| 3260 | 3260 |
} |
| 3261 | 3261 |
|
| 3262 | 3262 |
if (str_error > 0) {
|
| 3263 |
- cli_warnmsg("load_oneyara: clamav cannot support %d input strings, skipping\n", str_error);
|
|
| 3263 |
+ cli_warnmsg("load_oneyara: clamav cannot support %d input strings, skipping %s\n", str_error, rule->id);
|
|
| 3264 | 3264 |
yara_malform++; |
| 3265 | 3265 |
ytable_delete(&ytable); |
| 3266 | 3266 |
(*sigs)--; |
| 3267 |
- return ret; /* kill determined by ret */ |
|
| 3267 |
+ return ret; |
|
| 3268 | 3268 |
} else if (ytable.tbl_cnt == 0) {
|
| 3269 |
- cli_warnmsg("load_oneyara: yara contains no supported strings, skipping\n");
|
|
| 3269 |
+ cli_warnmsg("load_oneyara: yara rule contains no supported strings, skipping %s\n", rule->id);
|
|
| 3270 | 3270 |
yara_malform++; |
| 3271 | 3271 |
ytable_delete(&ytable); |
| 3272 | 3272 |
(*sigs)--; |
| 3273 | 3273 |
return CL_SUCCESS; /* TODO - kill signature instead? */ |
| 3274 |
+ } else if (ytable.tbl_cnt > MAX_LDB_SUBSIGS) {
|
|
| 3275 |
+ cli_warnmsg("load_oneyara: yara rule contains too many subsigs (%d, max: %d), skipping %s\n", ytable.tbl_cnt, MAX_LDB_SUBSIGS, rule->id);
|
|
| 3276 |
+ yara_malform++; |
|
| 3277 |
+ ytable_delete(&ytable); |
|
| 3278 |
+ (*sigs)--; |
|
| 3279 |
+ return CL_SUCCESS; |
|
| 3274 | 3280 |
} |
| 3275 | 3281 |
|
| 3276 | 3282 |
/*** conditional verification step (ex. do we define too many strings versus used?) ***/ |
| ... | ... |
@@ -3424,7 +3430,7 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
| 3424 | 3424 |
/* TODO - PUA and engine->ignored */ |
| 3425 | 3425 |
rc = load_oneyara(rule, engine, options, &sigs); |
| 3426 | 3426 |
if (rc != CL_SUCCESS) {
|
| 3427 |
- cli_errmsg("cli_loadyara: problem parsing yara rule %s\n", rule->id);
|
|
| 3427 |
+ cli_warnmsg("cli_loadyara: problem parsing yara rule %s\n", rule->id);
|
|
| 3428 | 3428 |
#ifdef YARA_FINISHED |
| 3429 | 3429 |
free_yararule(rule); |
| 3430 | 3430 |
break; |
| ... | ... |
@@ -3441,15 +3447,18 @@ static int cli_loadyara(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
| 3441 | 3441 |
free_yararule(rule); |
| 3442 | 3442 |
} |
| 3443 | 3443 |
|
| 3444 |
+#ifdef YARA_FINISHED |
|
| 3444 | 3445 |
if(rc) |
| 3445 | 3446 |
return rc; |
| 3446 | 3447 |
|
| 3447 |
-#ifdef YARA_FINISHED |
|
| 3448 | 3448 |
if(!rules) {
|
| 3449 | 3449 |
cli_errmsg("cli_loadyara: empty database file\n");
|
| 3450 | 3450 |
return CL_EMALFDB; |
| 3451 | 3451 |
} |
| 3452 | 3452 |
#else |
| 3453 |
+ if(rc) |
|
| 3454 |
+ return CL_SUCCESS; |
|
| 3455 |
+ |
|
| 3453 | 3456 |
if(!rules) {
|
| 3454 | 3457 |
cli_warnmsg("cli_loadyara: empty database file\n");
|
| 3455 | 3458 |
yara_empty++; |