
ArchiveMaxCompressionRatio

git-svn: trunk@135

Tomasz Kojm authored on 2003/12/02 07:55:35
Showing 12 changed files
... ...
@@ -1,3 +1,10 @@
1
+Mon Dec  1 23:51:25 CET 2003 (tk)
2
+---------------------------------
3
+  * libclamav: maxratio added to cl_limits
4
+  * clamd: new directive ArchiveMaxCompressionRatio
5
+  * configure: detect the type of setpgrp() (thanks to Eugene Crosser
6
+               <crosser*rol.ru>)
7
+
1 8
 Mon Dec  1 20:26:45 CET 2003 (tk)
2 9
 ---------------------------------
3 10
   * A bunch of patches from Thomas Lamy <Thomas.Lamy*in-online.net>:
... ...
@@ -81,7 +81,7 @@ dnl there is now a CREATE_PREFIX_TARGET_H in this file as a shorthand for
81 81
 dnl PREFIX_CONFIG_H from a target.h file, however w/o the target.h ever created
82 82
 dnl (the prefix is a bit different, since we add an extra -target- and -host-)
83 83
 dnl 
84
-dnl @version: $Id: aclocal.m4,v 1.12 2003/11/09 02:29:23 kojm Exp $
84
+dnl @version: $Id: aclocal.m4,v 1.13 2003/12/01 22:55:35 kojm Exp $
85 85
 dnl @author Guido Draheim <guidod@gmx.de>                 STATUS: used often
86 86
 
87 87
 AC_DEFUN([AC_CREATE_TARGET_H],
... ...
@@ -4041,7 +4041,7 @@ dnl      AC_COMPILE_CHECK_SIZEOF(ptrdiff_t, $headers)
4041 4041
 dnl      AC_COMPILE_CHECK_SIZEOF(off_t, $headers)
4042 4042
 dnl
4043 4043
 dnl @author Kaveh Ghazi <ghazi@caip.rutgers.edu>
4044
-dnl @version $Id: aclocal.m4,v 1.12 2003/11/09 02:29:23 kojm Exp $
4044
+dnl @version $Id: aclocal.m4,v 1.13 2003/12/01 22:55:35 kojm Exp $
4045 4045
 dnl
4046 4046
 AC_DEFUN([AC_COMPILE_CHECK_SIZEOF],
4047 4047
 [changequote(<<, >>)dnl
... ...
@@ -50,6 +50,7 @@ struct cfgstruct *parsecfg(const char *cfgfile)
50 50
 	    {"ArchiveMaxFileSize", OPT_COMPSIZE},
51 51
 	    {"ArchiveMaxRecursion", OPT_NUM},
52 52
 	    {"ArchiveMaxFiles", OPT_NUM},
53
+	    {"ArchiveMaxCompressionRatio", OPT_NUM},
53 54
 	    {"ArchiveLimitMemoryUsage", OPT_NOARG},
54 55
 	    {"DataDirectory", OPT_STR},
55 56
 	    {"TCPAddr", OPT_STR},
... ...
@@ -153,6 +153,16 @@ int acceptloop_proc(int socketd, struct cl_node *root, const struct cfgstruct *c
153 153
 	    logg("^USING HARDCODED LIMIT: Archive: Files limit set to %d.\n", limits.maxfiles);
154 154
 	}
155 155
 
156
+	if((cpt = cfgopt(copt, "ArchiveMaxCompressionRatio"))) {
157
+	    if((limits.maxratio = cpt->numarg))
158
+		logg("Archive: Compression ratio limit set to %d.\n", limits.maxratio);
159
+	    else
160
+		logg("^Archive: Compression ratio limit disabled.\n");
161
+	} else {
162
+	    limits.maxratio = 200;
163
+	    logg("^USING HARDCODED LIMIT: Archive: Compression ratio limit set to %d.\n", limits.maxratio);
164
+	}
165
+
156 166
 	if(cfgopt(copt, "ArchiveLimitMemoryUsage")) {
157 167
 	    limits.archivememlim = 1;
158 168
 	    logg("Archive: Limited memory usage.\n");
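Review bot: A negative `ArchiveMaxCompressionRatio` passes the truthiness test `if((limits.maxratio = cpt->numarg))` at new line 157 and is logged as "Compression ratio limit set to", yet the scanner-side check added in this commit only fires when `limits->maxratio > 0`, so the limit is silently off while the log says it is on. Testing the sign explicitly, `limits.maxratio = cpt->numarg; if(limits.maxratio > 0)`, keeps the log truthful; whether OPT_NUM parsing can produce a negative value is not visible here and should be confirmed in parsecfg. The same block is repeated in acceptloop_th (new lines 449-457), and the fallback `200` is a bare literal in both places, so a shared named constant would keep the two accept loops from drifting apart. Both functions start and end outside their hunks.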
... ...
@@ -446,6 +446,16 @@ int acceptloop_th(int socketd, struct cl_node *root, const struct cfgstruct *cop
446 446
 	    logg("^USING HARDCODED LIMIT: Archive: Files limit set to %d.\n", limits.maxfiles);
447 447
 	}
448 448
 
449
+	if((cpt = cfgopt(copt, "ArchiveMaxCompressionRatio"))) {
450
+	    if((limits.maxratio = cpt->numarg))
451
+		logg("Archive: Compression ratio limit set to %d.\n", limits.maxratio);
452
+	    else
453
+		logg("^Archive: Compression ratio limit disabled.\n");
454
+	} else {
455
+	    limits.maxratio = 200;
456
+	    logg("^USING HARDCODED LIMIT: Archive: Compression ratio limit set to %d.\n", limits.maxratio);
457
+	}
458
+
449 459
 	if(cfgopt(copt, "ArchiveLimitMemoryUsage")) {
450 460
 	    limits.archivememlim = 1;
451 461
 	    logg("Archive: Limited memory usage.\n");
... ...
@@ -8618,6 +8618,149 @@ fi
8618 8618
 
8619 8619
 fi
8620 8620
 
8621
+
8622
+for ac_func in setsid
8623
+do
8624
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
8625
+echo "$as_me:$LINENO: checking for $ac_func" >&5
8626
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
8627
+if eval "test \"\${$as_ac_var+set}\" = set"; then
8628
+  echo $ECHO_N "(cached) $ECHO_C" >&6
8629
+else
8630
+  cat >conftest.$ac_ext <<_ACEOF
8631
+#line $LINENO "configure"
8632
+#include "confdefs.h"
8633
+/* System header to define __stub macros and hopefully few prototypes,
8634
+    which can conflict with char $ac_func (); below.  */
8635
+#include <assert.h>
8636
+/* Override any gcc2 internal prototype to avoid an error.  */
8637
+#ifdef __cplusplus
8638
+extern "C"
8639
+#endif
8640
+/* We use char because int might match the return type of a gcc2
8641
+   builtin and then its argument prototype would still apply.  */
8642
+char $ac_func ();
8643
+char (*f) ();
8644
+
8645
+#ifdef F77_DUMMY_MAIN
8646
+#  ifdef __cplusplus
8647
+     extern "C"
8648
+#  endif
8649
+   int F77_DUMMY_MAIN() { return 1; }
8650
+#endif
8651
+int
8652
+main ()
8653
+{
8654
+/* The GNU C library defines this for functions which it implements
8655
+    to always fail with ENOSYS.  Some functions are actually named
8656
+    something starting with __ and the normal name is an alias.  */
8657
+#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
8658
+choke me
8659
+#else
8660
+f = $ac_func;
8661
+#endif
8662
+
8663
+  ;
8664
+  return 0;
8665
+}
8666
+_ACEOF
8667
+rm -f conftest.$ac_objext conftest$ac_exeext
8668
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
8669
+  (eval $ac_link) 2>&5
8670
+  ac_status=$?
8671
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
8672
+  (exit $ac_status); } &&
8673
+         { ac_try='test -s conftest$ac_exeext'
8674
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
8675
+  (eval $ac_try) 2>&5
8676
+  ac_status=$?
8677
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
8678
+  (exit $ac_status); }; }; then
8679
+  eval "$as_ac_var=yes"
8680
+else
8681
+  echo "$as_me: failed program was:" >&5
8682
+cat conftest.$ac_ext >&5
8683
+eval "$as_ac_var=no"
8684
+fi
8685
+rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
8686
+fi
8687
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
8688
+echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
8689
+if test `eval echo '${'$as_ac_var'}'` = yes; then
8690
+  cat >>confdefs.h <<_ACEOF
8691
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
8692
+_ACEOF
8693
+
8694
+fi
8695
+done
8696
+
8697
+echo "$as_me:$LINENO: checking whether setpgrp takes no argument" >&5
8698
+echo $ECHO_N "checking whether setpgrp takes no argument... $ECHO_C" >&6
8699
+if test "${ac_cv_func_setpgrp_void+set}" = set; then
8700
+  echo $ECHO_N "(cached) $ECHO_C" >&6
8701
+else
8702
+  if test "$cross_compiling" = yes; then
8703
+  { { echo "$as_me:$LINENO: error: cannot check setpgrp when cross compiling" >&5
8704
+echo "$as_me: error: cannot check setpgrp when cross compiling" >&2;}
8705
+   { (exit 1); exit 1; }; }
8706
+else
8707
+  cat >conftest.$ac_ext <<_ACEOF
8708
+#line $LINENO "configure"
8709
+#include "confdefs.h"
8710
+#if HAVE_UNISTD_H
8711
+# include <unistd.h>
8712
+#endif
8713
+
8714
+#ifdef F77_DUMMY_MAIN
8715
+#  ifdef __cplusplus
8716
+     extern "C"
8717
+#  endif
8718
+   int F77_DUMMY_MAIN() { return 1; }
8719
+#endif
8720
+int
8721
+main ()
8722
+{
8723
+/* If this system has a BSD-style setpgrp which takes arguments,
8724
+  setpgrp(1, 1) will fail with ESRCH and return -1, in that case
8725
+  exit successfully. */
8726
+  exit (setpgrp (1,1) == -1 ? 0 : 1);
8727
+  ;
8728
+  return 0;
8729
+}
8730
+_ACEOF
8731
+rm -f conftest$ac_exeext
8732
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
8733
+  (eval $ac_link) 2>&5
8734
+  ac_status=$?
8735
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
8736
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
8737
+  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
8738
+  (eval $ac_try) 2>&5
8739
+  ac_status=$?
8740
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
8741
+  (exit $ac_status); }; }; then
8742
+  ac_cv_func_setpgrp_void=no
8743
+else
8744
+  echo "$as_me: program exited with status $ac_status" >&5
8745
+echo "$as_me: failed program was:" >&5
8746
+cat conftest.$ac_ext >&5
8747
+( exit $ac_status )
8748
+ac_cv_func_setpgrp_void=yes
8749
+fi
8750
+rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
8751
+fi
8752
+fi
8753
+echo "$as_me:$LINENO: result: $ac_cv_func_setpgrp_void" >&5
8754
+echo "${ECHO_T}$ac_cv_func_setpgrp_void" >&6
8755
+if test $ac_cv_func_setpgrp_void = yes; then
8756
+
8757
+cat >>confdefs.h <<\_ACEOF
8758
+#define SETPGRP_VOID 1
8759
+_ACEOF
8760
+
8761
+fi
8762
+
8763
+
8621 8764
 have_milter="no"
8622 8765
 if test "${ac_cv_header_libmilter_mfapi_h+set}" = set; then
8623 8766
   echo "$as_me:$LINENO: checking for libmilter/mfapi.h" >&5
... ...
@@ -74,6 +74,9 @@ then
74 74
     AC_CHECK_LIB(bz2, bzReadOpen, AC_DEFINE(NOBZ2PREFIX),)
75 75
 fi
76 76
 
77
+AC_CHECK_FUNCS(setsid)
78
+AC_FUNC_SETPGRP
79
+
77 80
 have_milter="no"
78 81
 AC_CHECK_HEADER(libmilter/mfapi.h,have_milter="yes",)
79 82
 
... ...
@@ -167,6 +167,9 @@ ArchiveMaxRecursion 5
167 167
 # Value of 0 disables the limit.
168 168
 ArchiveMaxFiles 1000
169 169
 
170
+# Mark potential archive bombs as viruses (0 disables the limit)
171
+ArchiveMaxCompressionRatio 200
172
+
170 173
 # Use slower decompression algorithm which uses less memory. This option 
171 174
 # affects bzip2 decompressor only.
172 175
 #ArchiveLimitMemoryUsage
... ...
@@ -60,6 +60,7 @@ int main(int argc, char **argv)
60 60
     }
61 61
 
62 62
     /* set up archive limits */
63
+    memset(&limits, 0, sizeof(struct cl_limits));
63 64
     limits.maxfiles = 1000; /* max files */
64 65
     limits.maxfilesize = 10 * 1048576; /* maximal archived file size == 10 Mb */
65 66
     limits.maxreclevel = 8; /* maximal recursion level */
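Review bot: After the added `memset`, `limits.maxratio` stays 0 in the lines shown, and the scanner change in this commit only applies the ratio check when `maxratio > 0`, so this example would run without the compression-ratio limit unless the field is set further down, outside the hunk. Adding `limits.maxratio = 200; /* max compression ratio, 0 disables */` next to the other fields would make the example match the clamd default. Writing `sizeof(limits)` instead of `sizeof(struct cl_limits)` would keep the call correct if the variable's type ever changes.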
... ...
@@ -89,6 +89,7 @@ struct cl_node {
89 89
 struct cl_limits {
90 90
     int maxreclevel;
91 91
     int maxfiles;
92
+    int maxratio;
92 93
     short archivememlim;
93 94
     long int maxfilesize;
94 95
 };
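Review bot: `maxratio` is inserted between `maxfiles` and `archivememlim`, which shifts the offsets of the two fields after it in a struct that callers fill in themselves (the example program and clamd both do so in this commit). Appending it after `maxfilesize` would leave the existing offsets alone, although the struct size still changes and already-built callers need a rebuild. A caller that sets fields one by one without zeroing the struct first now hands the library an indeterminate `maxratio`, which the new check in cli_scanzip reads. The field should carry a comment giving its meaning, e.g. `int maxratio; /* max uncompressed/compressed size ratio; 0 disables */`, and the header should tell callers to zero-initialise the struct before filling it.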
... ...
@@ -82,7 +82,7 @@ void cli_enqueue(struct nodelist **bfs, struct cl_node *n)
82 82
     new = (struct nodelist *) cli_calloc(1, sizeof(struct nodelist));
83 83
     if (new == NULL) {
84 84
 	cli_dbgmsg("Unable to allocate node list (%d)\n", sizeof(struct nodelist));
85
-	return CL_EMEM;
85
+	return; /* FIXME: should return CL_EMEM */
86 86
     }
87 87
 
88 88
     new->next = *bfs;
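Review bot: On allocation failure the function now returns silently, so the node `n` is never queued and the caller cannot notice; the only trace is a debug message. If this queue drives construction of the matcher's tree, as the names suggest, an out-of-memory condition would leave the signature structures partly built and scanning would continue with reduced coverage instead of failing. Rather than leaving the FIXME, change the signature to `int cli_enqueue(struct nodelist **bfs, struct cl_node *n)`, restore `return CL_EMEM;` here, return a success code at the end, and have the callers propagate the error. The context line above also passes a `sizeof` result to `%d`, which needs a cast such as `(int) sizeof(struct nodelist)`. The function body continues past the hunk.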
... ...
@@ -61,8 +61,6 @@ int cli_scanrar_inuse = 0;
61 61
 #define DELIVERED_MAGIC_STR "Delivered-To: "
62 62
 #define BZIP_MAGIC_STR "BZh"
63 63
 
64
-#define ZIPOSDET 50 /* FIXME: Make it user definable */
65
-
66 64
 int cli_magic_scandesc(int desc, char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev);
67 65
 
68 66
 int cli_scandesc(int desc, char **virname, long int *scanned, const struct 
... ...
@@ -274,7 +272,7 @@ int cli_scanzip(int desc, char **virname, long int *scanned, const struct cl_nod
274 274
 
275 275
 	cli_dbgmsg("Zip -> %s, compressed: %d, normal: %d.\n", zdirent.d_name, zdirent.d_csize, zdirent.st_size);
276 276
 
277
-	if(source.st_size && (zdirent.st_size / source.st_size) >= ZIPOSDET) {
277
+	if(limits && limits->maxratio > 0 && source.st_size && (zdirent.st_size / source.st_size) >= limits->maxratio) {
278 278
 	    *virname = "Oversized.Zip";
279 279
 	    ret = CL_VIRUS;
280 280
 	    break;
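Review bot: The new condition skips the ratio check entirely when `limits` is NULL or `maxratio` is 0, whereas the removed code always applied the built-in threshold of 50 (ZIPOSDET), so callers that pass no limits lose this protection without any message. If that is intended it should be documented on the API; otherwise fall back to a built-in default when `limits` is NULL. The ratio is also taken against `source.st_size`, which appears to be the size of the whole archive rather than the entry's own compressed size (`zdirent.d_csize`, printed two lines above), and the integer division truncates, so the per-entry ratio may be underestimated. Comparing `zdirent.st_size >= maxratio * zdirent.d_csize` in a wide unsigned type would address both, once the definition of `source` outside this hunk is confirmed. The loop this check sits in starts and ends outside the hunk.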