git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@652 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/07/06 11:27:22... | ... |
@@ -258,7 +258,8 @@ int cli_scanbuff(const char *buffer, unsigned int length, const char **virname, |
258 | 258 |
if(pt->type) { |
259 | 259 |
if(typerec) { |
260 | 260 |
cli_dbgmsg("Matched signature for file type: %s\n", pt->virname); |
261 |
- type = pt->type; |
|
261 |
+ if(pt->type > type) |
|
262 |
+ type = pt->type; |
|
262 | 263 |
} |
263 | 264 |
} else { |
264 | 265 |
if(virname) |
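Review bot: The new `if(pt->type > type)` guard turns the numeric value of the file type constants into a priority ranking, but nothing at the call site says so. A comment above the test, such as `/* keep the highest-ranked type; relies on the numeric order of the file type constants */`, would keep a later renumbering of those constants from silently changing which type match wins. The guard also depends on `type` starting below every valid `pt->type`; that initialisation is outside the hunk and should be confirmed. cli_scanbuff starts and ends outside the hunk.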
... | ... |
@@ -427,29 +427,6 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c |
427 | 427 |
|
428 | 428 |
/* UPX support */ |
429 | 429 |
|
430 |
- /* try to detect UPX code */ |
|
431 |
- |
|
432 |
- if(lseek(desc, ep + 0x78, SEEK_SET) == -1) { |
|
433 |
- cli_dbgmsg("lseek() failed\n"); |
|
434 |
- free(section_hdr); |
|
435 |
- return CL_EIO; |
|
436 |
- } |
|
437 |
- |
|
438 |
- if(read(desc, buff, 13) != 13) { |
|
439 |
- cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78); |
|
440 |
- } else { |
|
441 |
- if(cli_memstr(UPX_NRV2B, 24, buff, 13)) { |
|
442 |
- cli_dbgmsg("UPX: Looks like a NRV2B decompressor\n"); |
|
443 |
- upxfn = upx_inflate2b; |
|
444 |
- } else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) { |
|
445 |
- cli_dbgmsg("UPX: Looks like a NRV2D decompressor\n"); |
|
446 |
- upxfn = upx_inflate2d; |
|
447 |
- } else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) { |
|
448 |
- cli_dbgmsg("UPX: Looks like a NRV2E decompressor\n"); |
|
449 |
- upxfn = upx_inflate2e; |
|
450 |
- } |
|
451 |
- } |
|
452 |
- |
|
453 | 430 |
/* try to find the first section with physical size == 0 */ |
454 | 431 |
found = 0; |
455 | 432 |
for(i = 0; i < nsections - 1; i++) { |
... | ... |
@@ -478,6 +455,11 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c |
478 | 478 |
ssize = EC32(section_hdr[i + 1].SizeOfRawData); |
479 | 479 |
dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize); |
480 | 480 |
|
481 |
+ if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) { |
|
482 |
+ cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize); |
|
483 |
+ return CL_CLEAN; |
|
484 |
+ } |
|
485 |
+ |
|
481 | 486 |
/* FIXME: use file operations in case of big files */ |
482 | 487 |
if((src = (char *) cli_malloc(ssize)) == NULL) { |
483 | 488 |
free(section_hdr); |
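Review bot: The new early `return CL_CLEAN;` in the size check leaves `section_hdr` allocated, whereas the `cli_malloc()` failure path just below frees it before returning; add `free(section_hdr);` ahead of the return so oversized UPX sections do not leak on every scan. The check also runs after `dsize` has been computed as the sum of two `VirtualSize` fields read from the file. If `dsize` is a 32-bit unsigned value (its declaration is outside the hunk), that sum can wrap to a small number and pass the limit; testing each operand against `limits->maxfilesize` before adding would close that. When `limits` is NULL or `maxfilesize` is 0, the file-supplied sizes still reach `cli_malloc()` unbounded. cli_scanpe's body starts and ends outside the hunk.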
... | ... |
@@ -499,6 +481,30 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c |
499 | 499 |
return CL_EIO; |
500 | 500 |
} |
501 | 501 |
|
502 |
+ /* try to detect UPX code */ |
|
503 |
+ |
|
504 |
+ if(lseek(desc, ep + 0x78, SEEK_SET) == -1) { |
|
505 |
+ cli_dbgmsg("lseek() failed\n"); |
|
506 |
+ free(section_hdr); |
|
507 |
+ return CL_EIO; |
|
508 |
+ } |
|
509 |
+ |
|
510 |
+ if(read(desc, buff, 13) != 13) { |
|
511 |
+ cli_dbgmsg("UPX: Can't read 13 bytes at 0x%x (%d)\n", ep + 0x78, ep + 0x78); |
|
512 |
+ return CL_EIO; |
|
513 |
+ } else { |
|
514 |
+ if(cli_memstr(UPX_NRV2B, 24, buff, 13)) { |
|
515 |
+ cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n"); |
|
516 |
+ upxfn = upx_inflate2b; |
|
517 |
+ } else if(cli_memstr(UPX_NRV2D, 24, buff, 13)) { |
|
518 |
+ cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n"); |
|
519 |
+ upxfn = upx_inflate2d; |
|
520 |
+ } else if(cli_memstr(UPX_NRV2E, 24, buff, 13)) { |
|
521 |
+ cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n"); |
|
522 |
+ upxfn = upx_inflate2e; |
|
523 |
+ } |
|
524 |
+ } |
|
525 |
+ |
|
502 | 526 |
if(upxfn) { |
503 | 527 |
if(upxfn(src, ssize, dest, dsize)) { |
504 | 528 |
cli_dbgmsg("UPX: Prefered decompressor failed\n"); |
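Review bot: Both `return CL_EIO;` paths in the relocated detection code leave buffers allocated. `src` and `dest` are live here (they are passed to `upxfn(src, ssize, dest, dsize)` right after), yet the lseek branch frees only `section_hdr` and the short-read branch frees nothing. Each path should release all three before returning, e.g. `free(section_hdr); free(src); free(dest);`. The short read is also newly fatal, where the removed code only logged it, so a file with fewer than 13 readable bytes at `ep + 0x78` now ends the scan with an I/O error; it is worth confirming that callers do not treat that result as a pass. The function body extends outside the hunk.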
... | ... |
@@ -75,7 +75,7 @@ extern short cli_leavetemps_flag; |
75 | 75 |
#define DISABLE_RAR (options & CL_DISABLERAR) |
76 | 76 |
#define DETECT_ENCRYPTED (options & CL_ENCRYPTED) |
77 | 77 |
|
78 |
-#define MAX_MAIL_RECURSION 10 |
|
78 |
+#define MAX_MAIL_RECURSION 15 |
|
79 | 79 |
|
80 | 80 |
|
81 | 81 |
static int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec); |
... | ... |
@@ -967,7 +967,7 @@ static int cli_scanmail(int desc, const char **virname, long int *scanned, const |
967 | 967 |
int ret; |
968 | 968 |
|
969 | 969 |
|
970 |
- cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec); |
|
970 |
+ cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", *mrec, *arec); |
|
971 | 971 |
|
972 | 972 |
if((tmpdir = getenv("TMPDIR")) == NULL) |
973 | 973 |
#ifdef P_tmpdir |