Browse code
Some Worm.Bagle.AC were not being caught
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@1418 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2005/03/22 20:28:42Showing 2 changed files
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Tue Mar 22 11:27:58 GMT 2005 (njh) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav/mbox.c: Not all Worm.Bagle.AC were being caught |
|
| 4 |
+ |
|
| 1 | 5 |
Tue Mar 22 00:23:43 CET 2005 (tk) |
| 2 | 6 |
--------------------------------- |
| 3 | 7 |
* libclamav/matcher.c: add support for SL+n (last section + offset); requested |
| ... | ... |
@@ -15,7 +15,7 @@ |
| 15 | 15 |
* along with this program; if not, write to the Free Software |
| 16 | 16 |
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
| 17 | 17 |
*/ |
| 18 |
-static char const rcsid[] = "$Id: mbox.c,v 1.230 2005/03/20 09:09:25 nigelhorne Exp $"; |
|
| 18 |
+static char const rcsid[] = "$Id: mbox.c,v 1.231 2005/03/22 11:26:33 nigelhorne Exp $"; |
|
| 19 | 19 |
|
| 20 | 20 |
#if HAVE_CONFIG_H |
| 21 | 21 |
#include "clamav-config.h" |
| ... | ... |
@@ -942,10 +942,11 @@ parseEmailFile(FILE *fin, const table_t *rfc821, const char *firstLine) |
| 942 | 942 |
{
|
| 943 | 943 |
bool inHeader = TRUE; |
| 944 | 944 |
bool contMarker = FALSE; |
| 945 |
+ bool lastWasBlank = FALSE; |
|
| 945 | 946 |
message *ret; |
| 946 | 947 |
bool anyHeadersFound = FALSE; |
| 947 | 948 |
int commandNumber = -1; |
| 948 |
- char *fullline = NULL; |
|
| 949 |
+ char *fullline = NULL, *boundary = NULL; |
|
| 949 | 950 |
size_t fulllinelength = 0; |
| 950 | 951 |
char buffer[LINE_LENGTH+1]; |
| 951 | 952 |
|
| ... | ... |
@@ -974,9 +975,51 @@ parseEmailFile(FILE *fin, const table_t *rfc821, const char *firstLine) |
| 974 | 974 |
* Don't blank lines which are only spaces from headers, |
| 975 | 975 |
* otherwise they'll be treated as the end of header marker |
| 976 | 976 |
*/ |
| 977 |
+ if(lastWasBlank) {
|
|
| 978 |
+ lastWasBlank = FALSE; |
|
| 979 |
+ if(boundaryStart(buffer, boundary)) {
|
|
| 980 |
+ cli_dbgmsg("Found a header line with space that should be blank\n");
|
|
| 981 |
+ inHeader = FALSE; |
|
| 982 |
+ } |
|
| 983 |
+ } |
|
| 984 |
+ if(boundary) {
|
|
| 985 |
+ free(boundary); |
|
| 986 |
+ boundary = NULL; |
|
| 987 |
+ } |
|
| 977 | 988 |
if(inHeader) {
|
| 978 |
- cli_dbgmsg("parseEmailFile: check '%s' contMarker %d\n",
|
|
| 979 |
- buffer ? buffer : "", (int)contMarker); |
|
| 989 |
+ cli_dbgmsg("parseEmailFile: check '%s' contMarker %d fullline 0x%p\n",
|
|
| 990 |
+ buffer ? buffer : "", (int)contMarker, fullline); |
|
| 991 |
+ if(start && isspace(start[0])) {
|
|
| 992 |
+ char copy[sizeof(buffer)]; |
|
| 993 |
+ |
|
| 994 |
+ strcpy(copy, buffer); |
|
| 995 |
+ strstrip(copy); |
|
| 996 |
+ if(copy[0] == '\0') {
|
|
| 997 |
+ /* |
|
| 998 |
+ * The header line contains only white space. This |
|
| 999 |
+ * is not the end of the headers according to |
|
| 1000 |
+ * RFC2822, but some MUAs will handle it |
|
| 1001 |
+ * as though it were, and virus writers exploit |
|
| 1002 |
+ * this bug. We can't just break from the |
|
| 1003 |
+ * loop here since that would allow other |
|
| 1004 |
+ * exploits such as inserting a white space |
|
| 1005 |
+ * line before the content-type line. So we |
|
| 1006 |
+ * just have to make a best guess. Sigh. |
|
| 1007 |
+ */ |
|
| 1008 |
+ if(fullline) {
|
|
| 1009 |
+ if(parseEmailHeader(ret, fullline, rfc821) < 0) |
|
| 1010 |
+ continue; |
|
| 1011 |
+ |
|
| 1012 |
+ free(fullline); |
|
| 1013 |
+ fullline = NULL; |
|
| 1014 |
+ } |
|
| 1015 |
+ if((boundary = messageFindArgument(ret, "boundary")) != NULL) {
|
|
| 1016 |
+ lastWasBlank = TRUE; |
|
| 1017 |
+ continue; |
|
| 1018 |
+ } |
|
| 1019 |
+ } |
|
| 1020 |
+ } |
|
| 1021 |
+ lastWasBlank = FALSE; |
|
| 980 | 1022 |
if((start == NULL) && (fullline == NULL)) { /* empty line */
|
| 981 | 1023 |
if(!contMarker) {
|
| 982 | 1024 |
/* |