Browse code
fix infinite loop in cl_free(); check file size
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@699 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/07/28 08:22:44Showing 5 changed files
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Wed Jul 28 01:10:46 CEST 2004 (tk) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav: md5: fix possible infinite loop in cl_free(); check file |
|
| 4 |
+ size to eliminate potential false positive alerts |
|
| 5 |
+ |
|
| 1 | 6 |
Mon Jul 26 14:24:24 BST 2004 (njh) |
| 2 | 7 |
---------------------------------- |
| 3 | 8 |
* clamav-milter: %v in the template file handling is now replaced |
| ... | ... |
@@ -178,9 +178,19 @@ int cli_scandesc(int desc, const char **virname, long int *scanned, const struct |
| 178 | 178 |
md5_finish_ctx(&ctx, &md5buff); |
| 179 | 179 |
|
| 180 | 180 |
if((md5_node = cli_vermd5(md5buff, root))) {
|
| 181 |
- if(virname) |
|
| 182 |
- *virname = md5_node->virname; |
|
| 183 |
- return CL_VIRUS; |
|
| 181 |
+ struct stat sb; |
|
| 182 |
+ |
|
| 183 |
+ if(fstat(desc, &sb)) |
|
| 184 |
+ return CL_EIO; |
|
| 185 |
+ |
|
| 186 |
+ if(sb.st_size != md5_node->size) {
|
|
| 187 |
+ cli_warnmsg("Detected false positive MD5 match. Please report.\n");
|
|
| 188 |
+ } else {
|
|
| 189 |
+ if(virname) |
|
| 190 |
+ *virname = md5_node->virname; |
|
| 191 |
+ |
|
| 192 |
+ return CL_VIRUS; |
|
| 193 |
+ } |
|
| 184 | 194 |
} |
| 185 | 195 |
} |
| 186 | 196 |
|
| ... | ... |
@@ -208,7 +218,8 @@ void cl_free(struct cl_node *root) |
| 208 | 208 |
|
| 209 | 209 |
if(root->md5_hlist) {
|
| 210 | 210 |
for(i = 0; i < 256; i++) {
|
| 211 |
- while((pt = root->md5_hlist[i])) {
|
|
| 211 |
+ pt = root->md5_hlist[i]; |
|
| 212 |
+ while(pt) {
|
|
| 212 | 213 |
h = pt; |
| 213 | 214 |
pt = pt->next; |
| 214 | 215 |
free(h); |
| ... | ... |
@@ -484,14 +484,23 @@ static int cli_loadhdb(FILE *fd, struct cl_node **root, int *virnum) |
| 484 | 484 |
} |
| 485 | 485 |
free(pt); |
| 486 | 486 |
|
| 487 |
- if(!(new->virname = cli_strtok(buffer, 1, ":"))) {
|
|
| 487 |
+ if(!(pt = cli_strtok(buffer, 1, ":"))) {
|
|
| 488 |
+ free(new->md5); |
|
| 489 |
+ free(new); |
|
| 490 |
+ ret = CL_EMALFDB; |
|
| 491 |
+ break; |
|
| 492 |
+ } |
|
| 493 |
+ new->size = atoi(pt); |
|
| 494 |
+ free(pt); |
|
| 495 |
+ |
|
| 496 |
+ if(!(new->virname = cli_strtok(buffer, 2, ":"))) {
|
|
| 488 | 497 |
free(new->md5); |
| 489 | 498 |
free(new); |
| 490 | 499 |
ret = CL_EMALFDB; |
| 491 | 500 |
break; |
| 492 | 501 |
} |
| 493 | 502 |
|
| 494 |
- new->viralias = cli_strtok(buffer, 1, ":"); /* aliases are optional */ |
|
| 503 |
+ new->viralias = cli_strtok(buffer, 3, ":"); /* aliases are optional */ |
|
| 495 | 504 |
|
| 496 | 505 |
if(!(*root)->md5_hlist) {
|
| 497 | 506 |
cli_dbgmsg("Initializing md5 list structure\n");
|
| ... | ... |
@@ -661,9 +661,6 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const |
| 661 | 661 |
|
| 662 | 662 |
#ifdef HAVE_MMAP |
| 663 | 663 |
membuff = mmap(NULL, statbuf.st_size, PROT_READ, MAP_PRIVATE, desc, 0); |
| 664 |
-#else /* FIXME */ |
|
| 665 |
- return CL_CLEAN; |
|
| 666 |
-#endif |
|
| 667 | 664 |
|
| 668 | 665 |
/* TODO: do file operations if mmap fails */ |
| 669 | 666 |
if(membuff == MAP_FAILED) {
|
| ... | ... |
@@ -690,6 +687,9 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const |
| 690 | 690 |
|
| 691 | 691 |
free(newbuff); |
| 692 | 692 |
return ret; |
| 693 |
+#else /* FIXME */ |
|
| 694 |
+ return CL_CLEAN; |
|
| 695 |
+#endif |
|
| 693 | 696 |
} |
| 694 | 697 |
|
| 695 | 698 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |