... | ... |
@@ -2763,23 +2763,29 @@ static int cli_loadopenioc(FILE *fs, const char *dbname, struct cl_engine *engin |
2763 | 2763 |
#define cli_yaramsg(...) |
2764 | 2764 |
#endif |
2765 | 2765 |
|
2766 |
-static char *parse_yara_hex_string(YR_STRING *string); |
|
2766 |
+static char *parse_yara_hex_string(YR_STRING *string, int *ret); |
|
2767 | 2767 |
|
2768 |
-static char *parse_yara_hex_string(YR_STRING *string) |
|
2768 |
+static char *parse_yara_hex_string(YR_STRING *string, int *ret) |
|
2769 | 2769 |
{ |
2770 | 2770 |
char *res, *str; |
2771 | 2771 |
size_t slen, reslen=0, i, j; |
2772 | 2772 |
|
2773 |
- if (!(string) || !(string->string)) |
|
2773 |
+ if (!(string) || !(string->string)) { |
|
2774 |
+ if (ret) *ret = CL_ENULLARG; |
|
2774 | 2775 |
return NULL; |
2776 |
+ } |
|
2775 | 2777 |
|
2776 |
- if (!STRING_IS_HEX(string)) |
|
2778 |
+ if (!STRING_IS_HEX(string)) { |
|
2779 |
+ if (ret) *ret = CL_EARG; |
|
2777 | 2780 |
return NULL; |
2781 |
+ } |
|
2778 | 2782 |
|
2779 | 2783 |
str = (char *)(string->string); |
2780 | 2784 |
|
2781 |
- if ((slen = strlen(str)) == 0) |
|
2785 |
+ if ((slen = strlen(str)) == 0) { |
|
2786 |
+ if (ret) *ret = CL_EARG; |
|
2782 | 2787 |
return NULL; |
2788 |
+ } |
|
2783 | 2789 |
|
2784 | 2790 |
str = strchr(str, '{')+1; |
2785 | 2791 |
|
... | ... |
@@ -2792,8 +2798,10 @@ static char *parse_yara_hex_string(YR_STRING *string) |
2792 | 2792 |
break; |
2793 | 2793 |
case '[': |
2794 | 2794 |
/* ClamAV's Aho-Corasic algorithm requires at least two known bytes before {n,m} wildcard */ |
2795 |
- if (reslen < 4) |
|
2795 |
+ if (reslen < 4) { |
|
2796 |
+ if (ret) *ret = CL_EMALFDB; |
|
2796 | 2797 |
return NULL; |
2798 |
+ } |
|
2797 | 2799 |
reslen += 2; |
2798 | 2800 |
break; |
2799 | 2801 |
default: |
... | ... |
@@ -2804,8 +2812,10 @@ static char *parse_yara_hex_string(YR_STRING *string) |
2804 | 2804 |
|
2805 | 2805 |
reslen++; |
2806 | 2806 |
res = cli_calloc(reslen, 1); |
2807 |
- if (!(res)) |
|
2807 |
+ if (!(res)) { |
|
2808 |
+ if (ret) *ret = CL_EMEM; |
|
2808 | 2809 |
return NULL; |
2810 |
+ } |
|
2809 | 2811 |
|
2810 | 2812 |
for (i=0, j=0; i < slen-1 && j < reslen; i++) { |
2811 | 2813 |
switch (str[i]) { |
... | ... |
@@ -2829,6 +2839,8 @@ static char *parse_yara_hex_string(YR_STRING *string) |
2829 | 2829 |
} |
2830 | 2830 |
} |
2831 | 2831 |
|
2832 |
+ if (ret) |
|
2833 |
+ *ret = CL_SUCCESS; |
|
2832 | 2834 |
return res; |
2833 | 2835 |
} |
2834 | 2836 |
|
... | ... |
@@ -3050,7 +3062,7 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
3050 | 3050 |
/*** verification step - can clamav load it? ***/ |
3051 | 3051 |
/*** initial population pass for the strings table ***/ |
3052 | 3052 |
STAILQ_FOREACH(string, &rule->strings, link) { |
3053 |
- char *substr; |
|
3053 |
+ char *substr = NULL; |
|
3054 | 3054 |
|
3055 | 3055 |
/* string type handler */ |
3056 | 3056 |
if (STRING_IS_NULL(string)) { |
... | ... |
@@ -3058,20 +3070,26 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
3058 | 3058 |
//str_error++; /* kill the insertion? */ |
3059 | 3059 |
continue; |
3060 | 3060 |
} else if (STRING_IS_HEX(string)) { |
3061 |
- substr = parse_yara_hex_string(string); |
|
3062 |
- cli_yaramsg("load_oneyara: hex string: [%s] => [%s]\n", string->string, substr); |
|
3063 |
- |
|
3064 |
- if (substr) { |
|
3065 |
- if (strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH) { |
|
3066 |
- cli_warnmsg("load_oneyara: string is too short %s\n", string->id); |
|
3067 |
- str_error++; |
|
3068 |
- } |
|
3061 |
+ substr = parse_yara_hex_string(string, &ret); |
|
3062 |
+ if (ret != CL_SUCCESS) { |
|
3063 |
+ cli_errmsg("load_oneyara: error in parsing yara hex string\n"); |
|
3064 |
+ str_error++; |
|
3065 |
+ break; |
|
3066 |
+ } |
|
3069 | 3067 |
|
3070 |
- ytable_add_string(&ytable, substr); |
|
3071 |
- free(substr); |
|
3068 |
+ if (strlen(substr)/2 <= CLI_DEFAULT_AC_MINDEPTH) { |
|
3069 |
+ cli_warnmsg("load_oneyara: string is too short %s\n", string->id); |
|
3070 |
+ str_error++; |
|
3072 | 3071 |
} |
3072 |
+ |
|
3073 |
+ cli_yaramsg("load_oneyara: hex string: [%s] => [%s]\n", string->string, substr); |
|
3074 |
+ |
|
3075 |
+ ytable_add_string(&ytable, substr); |
|
3076 |
+ free(substr); |
|
3073 | 3077 |
} else if (STRING_IS_LITERAL(string)) { |
3078 |
+ cli_yaramsg("load_oneyara: literal string: [%s] => [%s]\n", string->string, substr); |
|
3074 | 3079 |
} else if (STRING_IS_REGEXP(string)) { |
3080 |
+ cli_yaramsg("load_oneyara: regex string: [%s] => [%s]\n", string->string, substr); |
|
3075 | 3081 |
} else { |
3076 | 3082 |
/* TODO - extract the string length to handle NULL hex-escaped characters |
3077 | 3083 |
* For now, we'll just use the strlen we get which crudely finds the length |
... | ... |
@@ -3079,8 +3097,6 @@ static int load_oneyara(YR_RULE *rule, struct cl_engine *engine, unsigned int op |
3079 | 3079 |
size_t length = strlen(string->string); |
3080 | 3080 |
size_t totsize = 2*length+1; |
3081 | 3081 |
|
3082 |
- cli_yaramsg("load_oneyara: generic string: %d\n", string->length); |
|
3083 |
- |
|
3084 | 3082 |
if (length <= CLI_DEFAULT_AC_MINDEPTH) { |
3085 | 3083 |
cli_warnmsg("load_oneyara: string is too short %s\n", string->id); |
3086 | 3084 |
str_error++; |
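Review bot: In parse_yara_hex_string the unchanged line `str = strchr(str, '{')+1;` (new line 2790) is still unchecked, so a hex string with no opening brace yields NULL+1 and the later `switch (str[i])` reads through it, even though this commit gives every other failure path an error code. Since the text comes from a rule file being loaded, I would write `str = strchr(str, '{');` `if (!str) { if (ret) *ret = CL_EMALFDB; return NULL; }` `str++;`. Separately, in load_oneyara the new `literal string` and `regex string` cli_yaramsg calls pass `substr` to `%s` while it is still NULL in those branches, which is undefined behaviour whenever cli_yaramsg is not the empty macro; log only `string->string` there. Both functions continue outside the visible hunks, so whether the YARA parser already guarantees the brace cannot be confirmed from here.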