@@ -48,6 +48,21 @@ changes.

     release for offline viewing in the `docs/html` directory.

   - The new home for the documentation markdown is in our

     [ClamAV FAQ Github repository](https://github.com/Cisco-Talos/clamav-faq)

+- To remediate future denial of service conditions caused by excessive scan times,

+  we introduced a scan time limit.

+  The default value is 2 minutes (120000 milliseconds).

+

+  To customize the time limit:

+

+  - use the `clamscan` `--max-scantime` option

+  - use the `clamd` `MaxScanTime` config option

+

+  Libclamav users may customize the time limit using the `cl_engine_set_num`

+  function. For example:

+

+  ```c

+      cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)

+  ```

 ### Other improvements

@@ -750,6 +750,19 @@ int recvloop_th(int *socketds, unsigned nsockets, struct cl_engine *engine, unsi

     memset(&options, 0, sizeof(struct cl_scan_options));

     /* set up limits */

+    if ((opt = optget(opts, "MaxScanTime"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+            cl_engine_free(engine);

+            return 1;

+        }

+    }

+    val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCANTIME, NULL);

+    if (val)

+        logg("Limits: Global time limit set to %llu milliseconds.\n", val);

+    else

+        logg("^Limits: Global time limit protection disabled.\n");

+

     if ((opt = optget(opts, "MaxScanSize"))->active) {

         if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {

             logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));

@@ -273,6 +273,7 @@ void help(void)

     mprintf("    --nocerts                            Disable authenticode certificate chain verification in PE files\n");

     mprintf("    --dumpcerts                          Dump authenticode certificate chain in PE files\n");

     mprintf("\n");

+    mprintf("    --max-scantime=#n                    Scan time longer than this will be skipped and assumed clean\n");

     mprintf("    --max-filesize=#n                    Files larger than this will be skipped and assumed clean\n");

     mprintf("    --max-scansize=#n                    The maximum amount of data to scan for each container file (**)\n");

     mprintf("    --max-files=#n                       The maximum number of files to scan for each container file (**)\n");

@@ -867,6 +867,24 @@ int scanmanager(const struct optstruct *opts)

     /* set limits */

+    /* TODO: Remove deprecated option in a future feature release */

+    if ((opt = optget(opts, "timelimit"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+    if ((opt = optget(opts, "max-scantime"))->active) {

+        if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) {

+            logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret));

+

+            cl_engine_free(engine);

+            return 2;

+        }

+    }

+

     if ((opt = optget(opts, "max-scansize"))->active) {

         if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) {

             logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret));

@@ -988,15 +1006,6 @@ int scanmanager(const struct optstruct *opts)

         }

     }

-    if ((opt = optget(opts, "timelimit"))->active) {

-        if ((ret = cl_engine_set_num(engine, CL_ENGINE_TIME_LIMIT, opt->numarg))) {

-            logg("!cli_engine_set_num(CL_ENGINE_TIME_LIMIT) failed: %s\n", cl_strerror(ret));

-

-            cl_engine_free(engine);

-            return 2;

-        }

-    }

-

     if ((opt = optget(opts, "pcre-max-filesize"))->active) {

         if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) {

             logg("!cli_engine_set_num(CL_ENGINE_PCRE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret));

@@ -85,7 +85,7 @@ Example

 # Default: no

 #OfficialDatabaseOnly no

-# The daemon can work in local mode, network mode or both. 

+# The daemon can work in local mode, network mode or both.

 # Due to security reasons we recommend the local mode.

 # Path to a local socket file the daemon will listen on.

@@ -231,7 +231,7 @@ Example

 #DetectPUA yes

 # Exclude a specific PUA category. This directive can be used multiple times.

-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 

+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for

 # the complete list of PUA categories.

 # Default: Load all categories (if DetectPUA is activated)

 #ExcludePUA NetTool

@@ -271,9 +271,9 @@ Example

 # the end of a scan. If an archive contains both a heuristically detected

 # virus/phish, and a real malware, the real malware will be reported

 #

-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses

 # differently from "real" malware.

-# If a non-heuristically-detected virus (signature-based) is found first, 

+# If a non-heuristically-detected virus (signature-based) is found first,

 # the scan is interrupted immediately, regardless of this config option.

 #

 # Default: no

@@ -475,6 +475,16 @@ Example

 # The options below protect your system against Denial of Service attacks

 # using archive bombs.

+# This option sets the maximum amount of time to a scan may take.

+# In this version, this field only affects the scan time of ZIP archives.

+# Value of 0 disables the limit

+# Note: disabling this limit or setting it too high may result allow scanning

+# of certain files to lock up the scanning process/threads resulting in a Denial

+# of Service.

+# Time is in milliseconds.

+# Default: 120000

+#MaxScanTime 300000

+

 # This option sets the maximum amount of data to be scanned for each input

 # file.

 # Archives and other containers are recursively extracted and scanned up to

@@ -619,13 +629,13 @@ Example

 #OnAccessMaxFileSize 10M

 # Max number of scanning threads to allocate to the OnAccess thread pool at startup.

-# These threads are the ones responsible for creating a connection with the daemon 

-# and kicking off scanning after an event has been processed. To prevent clamonacc 

+# These threads are the ones responsible for creating a connection with the daemon

+# and kicking off scanning after an event has been processed. To prevent clamonacc

 # from consuming all clamd's resources keep this lower than clamd's max threads.

 # Default: 5

 #OnAccessMaxThreads 10

-# Max amount of time (in milliseconds) that the OnAccess client should spend for every 

+# Max amount of time (in milliseconds) that the OnAccess client should spend for every

 # connect, send, and recieve attempt when communicating with clamd via curl.

 # Default: 5000 (5 seconds)

 # OnAccessCurlTimeout 10000

@@ -652,9 +662,9 @@ Example

 # Default: no

 #OnAccessPrevention yes

-# When using prevention, if this option is turned on, any errors that occur during 

-# scanning will result in the event attempt being denied. This could potentially 

-# lead to unwanted system behaviour with certain configurations, so the client defaults 

+# When using prevention, if this option is turned on, any errors that occur during

+# scanning will result in the event attempt being denied. This could potentially

+# lead to unwanted system behaviour with certain configurations, so the client defaults

 # this to off and prefers allowing access events in case of scan or connection error.

 # Default: no

 #OnAccessDenyOnError yes

@@ -667,9 +677,9 @@ Example

 # Set the  mount point to be scanned. The mount point specified, or the mount

 # point containing the specified directory will be watched. If any directories

-# are specified, this option will preempt (disable and ignore all options related to) 

+# are specified, this option will preempt (disable and ignore all options related to)

 # the DDD system. This option will result in verdicts only.

-# Note that prevention is explicitly disallowed to prevent common, fatal misconfigurations. (e.g. 

+# Note that prevention is explicitly disallowed to prevent common, fatal misconfigurations. (e.g.

 # watching "/" with prevention on and no exclusions made on vital system directories)

 # It can be used multiple times.

 # Default: disabled

@@ -702,14 +712,14 @@ Example

 # Default: disabled

 #OnAccessExcludeUID -1

-# This option allows exclusions via user names when using the on-access 

+# This option allows exclusions via user names when using the on-access

 # scanning client. It can be used multiple times.

 # It has the same potential race condition limitations of the OnAccessExcludeUID option.

 # Default: disabled

 #OnAccessExcludeUname clamav

-# Number of times the OnAccess client will retry a failed scan due to connection problems 

-# (or other issues). 

+# Number of times the OnAccess client will retry a failed scan due to connection problems

+# (or other issues).

 # Default: 0

 #OnAccessRetryAttempts 3

@@ -717,7 +727,7 @@ Example

 ## Bytecode

 ##

-# With this option enabled ClamAV will load bytecode from the database. 

+# With this option enabled ClamAV will load bytecode from the database.

 # It is highly recommended you keep this option on, otherwise you'll miss

 # detections for many new viruses.

 # Default: yes

@@ -741,7 +751,7 @@ Example

 #BytecodeSecurity TrustSigned

 # Set bytecode timeout in milliseconds.

-# 

+#

 # Default: 5000

 # BytecodeTimeout 1000

@@ -300,12 +300,12 @@ enum cl_engine_field {

     CL_ENGINE_MAX_PARTITIONS,      /* uint32_t */

     CL_ENGINE_MAX_ICONSPE,         /* uint32_t */

     CL_ENGINE_MAX_RECHWP3,         /* uint32_t */

-    CL_ENGINE_TIME_LIMIT,          /* uint32_t */

+    CL_ENGINE_MAX_SCANTIME,        /* uint32_t */

     CL_ENGINE_PCRE_MATCH_LIMIT,    /* uint64_t */

     CL_ENGINE_PCRE_RECMATCH_LIMIT, /* uint64_t */

     CL_ENGINE_PCRE_MAX_FILESIZE,   /* uint64_t */

     CL_ENGINE_DISABLE_PE_CERTS,    /* uint32_t */

-    CL_ENGINE_PE_DUMPCERTS         /* uint32_t */

+    CL_ENGINE_PE_DUMPCERTS,        /* uint32_t */

 };

 enum bytecode_security {

@@ -33,6 +33,7 @@

 #define CLI_DEFAULT_BM_OFFMODE_FSIZE 262144

+#define CLI_DEFAULT_TIMELIMIT     120000

 #define CLI_DEFAULT_MAXSCANSIZE   104857600

 #define CLI_DEFAULT_MAXFILESIZE   26214400

 #define CLI_DEFAULT_MAXRECLEVEL   16

@@ -679,6 +679,12 @@ cl_error_t cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const

         /* if the global flag is set, loop through the scanning */

         do {

+            if (cli_checktimelimit(ctx) != CL_SUCCESS) {

+                cli_dbgmsg("cli_unzip: Time limit reached (max: %u)\n", ctx->engine->maxscantime);

+                ret = CL_ETIMEOUT;

+                break;

+            }

+

             /* reset the match results */

             if ((ret = cli_pcre_results_reset(&p_res, pd)) != CL_SUCCESS)

                 break;

@@ -257,7 +257,7 @@ const char *cl_strerror(int clerror)

         case CL_EMEM:

             return "Can't allocate memory";

         case CL_ETIMEOUT:

-            return "Time limit reached";

+            return "CL_ETIMEOUT: Time limit reached";

         /* internal (needed for debug messages) */

         case CL_EMAXREC:

             return "CL_EMAXREC";

@@ -321,6 +321,7 @@ struct cl_engine *cl_engine_new(void)

     }

     /* Setup default limits */

+    new->maxscantime   = CLI_DEFAULT_TIMELIMIT;

     new->maxscansize   = CLI_DEFAULT_MAXSCANSIZE;

     new->maxfilesize   = CLI_DEFAULT_MAXFILESIZE;

     new->maxreclevel   = CLI_DEFAULT_MAXRECLEVEL;

@@ -613,8 +614,8 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long

         case CL_ENGINE_MAX_RECHWP3:

             engine->maxrechwp3 = (uint32_t)num;

             break;

-        case CL_ENGINE_TIME_LIMIT:

-            engine->time_limit = (uint32_t)num;

+        case CL_ENGINE_MAX_SCANTIME:

+            engine->maxscantime = (uint32_t)num;

             break;

         case CL_ENGINE_PCRE_MATCH_LIMIT:

             engine->pcre_match_limit = (uint64_t)num;

@@ -714,8 +715,8 @@ long long cl_engine_get_num(const struct cl_engine *engine, enum cl_engine_field

             return engine->maxiconspe;

         case CL_ENGINE_MAX_RECHWP3:

             return engine->maxrechwp3;

-        case CL_ENGINE_TIME_LIMIT:

-            return engine->time_limit;

+        case CL_ENGINE_MAX_SCANTIME:

+            return engine->maxscantime;

         case CL_ENGINE_PCRE_MATCH_LIMIT:

             return engine->pcre_match_limit;

         case CL_ENGINE_PCRE_RECMATCH_LIMIT:

@@ -795,6 +796,7 @@ struct cl_settings *cl_engine_settings_copy(const struct cl_engine *engine)

     settings->ac_maxdepth        = engine->ac_maxdepth;

     settings->tmpdir             = engine->tmpdir ? strdup(engine->tmpdir) : NULL;

     settings->keeptmp            = engine->keeptmp;

+    settings->maxscantime        = engine->maxscantime;

     settings->maxscansize        = engine->maxscansize;

     settings->maxfilesize        = engine->maxfilesize;

     settings->maxreclevel        = engine->maxreclevel;

@@ -849,6 +851,7 @@ int cl_engine_settings_apply(struct cl_engine *engine, const struct cl_settings

     engine->ac_mindepth        = settings->ac_mindepth;

     engine->ac_maxdepth        = settings->ac_maxdepth;

     engine->keeptmp            = settings->keeptmp;

+    engine->maxscantime        = settings->maxscantime;

     engine->maxscansize        = settings->maxscansize;

     engine->maxfilesize        = settings->maxfilesize;

     engine->maxreclevel        = settings->maxreclevel;

@@ -937,9 +940,9 @@ void cli_check_blockmax(cli_ctx *ctx, int rc)

     }

 }

-int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned long need2, unsigned long need3)

+cl_error_t cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned long need2, unsigned long need3)

 {

-    int ret = CL_SUCCESS;

+    cl_error_t ret = CL_SUCCESS;

     unsigned long needed;

     /* if called without limits, go on, unpack, scan */

@@ -948,6 +951,9 @@ int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned

     needed = (need1 > need2) ? need1 : need2;

     needed = (needed > need3) ? needed : need3;

+    /* Enforce timelimit */

+    ret = cli_checktimelimit(ctx);

+

     /* if we have global scan limits */

     if (needed && ctx->engine->maxscansize) {

         /* if the remaining scansize is too small... */

@@ -976,9 +982,9 @@ int cli_checklimits(const char *who, cli_ctx *ctx, unsigned long need1, unsigned

     return ret;

 }

-int cli_updatelimits(cli_ctx *ctx, unsigned long needed)

+cl_error_t cli_updatelimits(cli_ctx *ctx, unsigned long needed)

 {

-    int ret = cli_checklimits("cli_updatelimits", ctx, needed, 0, 0);

+    cl_error_t ret = cli_checklimits("cli_updatelimits", ctx, needed, 0, 0);

     if (ret != CL_CLEAN) return ret;

     ctx->scannedfiles++;

@@ -988,18 +994,33 @@ int cli_updatelimits(cli_ctx *ctx, unsigned long needed)

     return CL_CLEAN;

 }

-int cli_checktimelimit(cli_ctx *ctx)

+/**

+ * @brief Check if we've exceeded the time limit.

+ * If ctx is NULL, there can be no timelimit so just return success.

+ *

+ * @param ctx         The scanning context.

+ * @return cl_error_t CL_SUCCESS if has not exceeded, CL_ETIMEOUT if has exceeded.

+ */

+cl_error_t cli_checktimelimit(cli_ctx *ctx)

 {

+    cl_error_t ret = CL_SUCCESS;

+

+    if (NULL == ctx) {

+        goto done;

+    }

+

     if (ctx->time_limit.tv_sec != 0) {

         struct timeval now;

         if (gettimeofday(&now, NULL) == 0) {

-            if (now.tv_sec < ctx->time_limit.tv_sec)

-                return CL_SUCCESS;

-            if (now.tv_sec > ctx->time_limit.tv_sec || now.tv_usec > ctx->time_limit.tv_usec)

-                return CL_ETIMEOUT;

+            if (now.tv_sec > ctx->time_limit.tv_sec)

+                ret = CL_ETIMEOUT;

+            else if (now.tv_sec == ctx->time_limit.tv_sec && now.tv_usec > ctx->time_limit.tv_usec)

+                ret = CL_ETIMEOUT;

         }

     }

-    return CL_SUCCESS;

+

+done:

+    return ret;

 }

 /*

@@ -1103,7 +1124,7 @@ void cli_virus_found_cb(cli_ctx *ctx)

         ctx->engine->cb_virus_found(fmap_fd(*ctx->fmap), (const char *)*ctx->virname, ctx->cb_ctx);

 }

-int cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname)

+cl_error_t cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname)

 {

     if (SCAN_ALLMATCHES)

         return cli_append_virus(ctx, virname);

@@ -285,16 +285,17 @@ struct cl_engine {

     uint64_t engine_options;

     /* Limits */

+    uint32_t maxscantime; /* Time limit (in milliseconds) */

     uint64_t maxscansize; /* during the scanning of archives this size

-				     * will never be exceeded

-				     */

+				           * will never be exceeded

+				           */

     uint64_t maxfilesize; /* compressed files will only be decompressed

-				     * and scanned up to this size

-				     */

+				           * and scanned up to this size

+				           */

     uint32_t maxreclevel; /* maximum recursion level for archives */

     uint32_t maxfiles;    /* maximum number of files to be scanned

-				     * within a single archive

-				     */

+				           * within a single archive

+				           */

     /* This is for structured data detection.  You can set the minimum

      * number of occurrences of an CC# or SSN before the system will

      * generate a notification.

@@ -403,9 +404,6 @@ struct cl_engine {

     uint32_t maxiconspe; /* max number of icons to scan for PE */

     uint32_t maxrechwp3; /* max recursive calls for HWP3 parsing */

-    /* millisecond time limit for preclassification scanning */

-    uint32_t time_limit;

-

     /* PCRE matching limitations */

     uint64_t pcre_match_limit;

     uint64_t pcre_recmatch_limit;

@@ -427,6 +425,7 @@ struct cl_settings {

     uint32_t ac_maxdepth;

     char *tmpdir;

     uint32_t keeptmp;

+    uint32_t maxscantime;

     uint64_t maxscansize;

     uint64_t maxfilesize;

     uint32_t maxreclevel;

@@ -815,21 +814,20 @@ cl_error_t cli_gentempfd_with_prefix(const char *dir, char *prefix, char **name,

 unsigned int cli_rndnum(unsigned int max);

 int cli_filecopy(const char *src, const char *dest);

-int cli_mapscan(fmap_t *map, off_t offset, size_t size, cli_ctx *ctx, cli_file_t type);

 bitset_t *cli_bitset_init(void);

 void cli_bitset_free(bitset_t *bs);

 int cli_bitset_set(bitset_t *bs, unsigned long bit_offset);

 int cli_bitset_test(bitset_t *bs, unsigned long bit_offset);

 const char *cli_ctime(const time_t *timep, char *buf, const size_t bufsize);

 void cli_check_blockmax(cli_ctx *, int);

-int cli_checklimits(const char *, cli_ctx *, unsigned long, unsigned long, unsigned long);

-int cli_updatelimits(cli_ctx *, unsigned long);

+cl_error_t cli_checklimits(const char *, cli_ctx *, unsigned long, unsigned long, unsigned long);

+cl_error_t cli_updatelimits(cli_ctx *, unsigned long);

 unsigned long cli_getsizelimit(cli_ctx *, unsigned long);

 int cli_matchregex(const char *str, const char *regex);

 void cli_qsort(void *a, size_t n, size_t es, int (*cmp)(const void *, const void *));

 void cli_qsort_r(void *a, size_t n, size_t es, int (*cmp)(const void *, const void *, const void *), void *arg);

-int cli_checktimelimit(cli_ctx *ctx);

-int cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname);

+cl_error_t cli_checktimelimit(cli_ctx *ctx);

+cl_error_t cli_append_possibly_unwanted(cli_ctx *ctx, const char *virname);

 /* symlink behaviour */

 #define CLI_FTW_FOLLOW_FILE_SYMLINK 0x01

@@ -601,7 +601,7 @@ done:

 static cl_error_t cli_scanegg(cli_ctx *ctx, size_t sfx_offset)

 {

-    cl_error_t status      = CL_EPARSE;

+    cl_error_t status  = CL_EPARSE;

     cl_error_t egg_ret = CL_EPARSE;

     char *buffer      = NULL;

@@ -616,7 +616,7 @@ static cl_error_t cli_scanegg(cli_ctx *ctx, size_t sfx_offset)

     void *hArchive = NULL;

-    char **comments     = NULL;

+    char **comments    = NULL;

     uint32_t nComments = 0;

     cl_egg_metadata metadata;

@@ -680,9 +680,9 @@ static cl_error_t cli_scanegg(cli_ctx *ctx, size_t sfx_offset)

             * Drop the comment to a temp file, if requested

             */

             if (ctx->engine->keeptmp) {

-                int comment_fd = -1;

+                int comment_fd   = -1;

                 size_t prefixLen = strlen("comments_") + 5;

-                char * prefix = (char*)malloc(prefixLen + 1);

+                char *prefix     = (char *)malloc(prefixLen + 1);

                 snprintf(prefix, prefixLen, "comments_%u", i);

                 prefix[prefixLen] = '\0';

@@ -2448,7 +2448,7 @@ static int cli_scanmail(cli_ctx *ctx)

 static int cli_scan_structured(cli_ctx *ctx)

 {

     char buf[8192];

-    size_t result             = 0;

+    size_t result          = 0;

     unsigned int cc_count  = 0;

     unsigned int ssn_count = 0;

     int done               = 0;

@@ -3244,7 +3244,7 @@ static int dispatch_prescan(clcb_pre_scan cb, cli_ctx *ctx, const char *filetype

 static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

 {

-    int ret            = CL_CLEAN;

+    cl_error_t ret     = CL_CLEAN;

     cli_file_t dettype = 0;

     uint8_t typercg    = 1;

     size_t hashed_size;

@@ -3567,11 +3567,11 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                         break;

                     } else if (ret != CL_SUCCESS) {

                         /*

-             * non-critical return => allow for the CL_TYPE_ZIP scan to occur

-             * cli_process_ooxml other possible returns:

-             *   CL_ETIMEOUT, CL_EMAXSIZE, CL_EMAXFILES, CL_EPARSE,

-             *   CL_EFORMAT, CL_BREAK, CL_ESTAT

-             */

+                         * non-critical return => allow for the CL_TYPE_ZIP scan to occur

+                         * cli_process_ooxml other possible returns:

+                         *   CL_ETIMEOUT, CL_EMAXSIZE, CL_EMAXFILES, CL_EPARSE,

+                         *   CL_EFORMAT, CL_BREAK, CL_ESTAT

+                         */

                         ret = CL_SUCCESS;

                     }

                 }

@@ -3804,8 +3804,8 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

         case CL_TYPE_TEXT_ASCII:

             if (SCAN_HEURISTIC_STRUCTURED && (DCONF_OTHER & OTHER_CONF_DLP))

                 /* TODO: consider calling this from cli_scanscript() for

-         * a normalised text

-         */

+                 * a normalised text

+                 */

                 ret = cli_scan_structured(ctx);

             break;

@@ -3845,7 +3845,6 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                 case CL_ETMPFILE:

                 case CL_ETMPDIR:

                 case CL_EMEM:

-                case CL_ETIMEOUT:

                     cli_dbgmsg("Descriptor[%d]: cli_scanraw error %s\n", fmap_fd(*ctx->fmap), cl_strerror(res));

                     cli_bitset_free(ctx->hook_lsig_matches);

                     ctx->hook_lsig_matches = old_hook_lsig_matches;

@@ -3866,7 +3865,15 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                     cli_bitset_free(ctx->hook_lsig_matches);

                     ctx->hook_lsig_matches = old_hook_lsig_matches;

                     return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, ret, parent_property);

-                /* "MAX" conditions should still fully scan the current file */

+                /* The CL_ETIMEOUT "MAX" condition should set exceeds max flag and exit out quietly. */

+                case CL_ETIMEOUT:

+                    cli_check_blockmax(ctx, ret);

+                    cli_bitset_free(ctx->hook_lsig_matches);

+                    ctx->hook_lsig_matches = old_hook_lsig_matches;

+                    cli_dbgmsg("Descriptor[%d]: Stopping after cli_scanraw reached %s\n",

+                               fmap_fd(*ctx->fmap), cl_strerror(res));

+                    return magic_scandesc_cleanup(ctx, type, hash, hashed_size, cache_clean, CL_CLEAN, parent_property);

+                /* All other "MAX" conditions should still fully scan the current file */

                 case CL_EMAXREC:

                 case CL_EMAXSIZE:

                 case CL_EMAXFILES:

@@ -3875,9 +3882,9 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

                                fmap_fd(*ctx->fmap), cl_strerror(res));

                     break;

                 /* Other errors must not block further scans below

-         * This specifically includes CL_EFORMAT & CL_EREAD & CL_EUNPACK

-         * Malformed/truncated files could report as any of these three.

-         */

+                 * This specifically includes CL_EFORMAT & CL_EREAD & CL_EUNPACK

+                 * Malformed/truncated files could report as any of these three.

+                 */

                 default:

                     ret = res;

                     cli_dbgmsg("Descriptor[%d]: Continuing after cli_scanraw error %s\n",

@@ -3889,7 +3896,7 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

     ctx->recursion++;

     switch (type) {

         /* bytecode hooks triggered by a lsig must be a hook

-     * called from one of the functions here */

+         * called from one of the functions here */

         case CL_TYPE_TEXT_ASCII:

         case CL_TYPE_TEXT_UTF16BE:

         case CL_TYPE_TEXT_UTF16LE:

@@ -3903,8 +3910,8 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

             perf_nested_stop(ctx, PERFT_SCRIPT, PERFT_SCAN);

             break;

         /* Due to performance reasons all executables were first scanned

-     * in raw mode. Now we will try to unpack them

-     */

+         * in raw mode. Now we will try to unpack them

+         */

         case CL_TYPE_MSEXE:

             perf_nested_start(ctx, PERFT_PE, PERFT_SCAN);

             if (SCAN_PARSE_PE && ctx->dconf->pe) {

@@ -3937,14 +3944,16 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)

     ctx->hook_lsig_matches = old_hook_lsig_matches;

     switch (ret) {

-        /* Malformed file cases */

-        case CL_EFORMAT:

-        case CL_EREAD:

-        case CL_EUNPACK:

         /* Limits exceeded */

+        case CL_ETIMEOUT:

         case CL_EMAXREC:

         case CL_EMAXSIZE:

         case CL_EMAXFILES:

+            cli_check_blockmax(ctx, ret);

+        /* Malformed file cases */

+        case CL_EFORMAT:

+        case CL_EREAD:

+        case CL_EUNPACK:

             cli_dbgmsg("Descriptor[%d]: %s\n", fmap_fd(*ctx->fmap), cl_strerror(ret));

 #if HAVE_JSON

             ctx->wrkproperty = parent_property;

@@ -4233,10 +4242,10 @@ static cl_error_t scan_common(int desc, cl_fmap_t *map, const char *filepath, co

     }

     perf_init(&ctx);

-    if (ctx.options->general & CL_SCAN_GENERAL_COLLECT_METADATA && ctx.engine->time_limit != 0) {

+    if (ctx.engine->maxscantime != 0) {

         if (gettimeofday(&ctx.time_limit, NULL) == 0) {

-            uint32_t secs  = ctx.engine->time_limit / 1000;

-            uint32_t usecs = (ctx.engine->time_limit % 1000) * 1000;

+            uint32_t secs  = ctx.engine->maxscantime / 1000;

+            uint32_t usecs = (ctx.engine->maxscantime % 1000) * 1000;

             ctx.time_limit.tv_sec += secs;

             ctx.time_limit.tv_usec += usecs;

             if (ctx.time_limit.tv_usec >= 1000000) {

@@ -4245,7 +4254,7 @@ static cl_error_t scan_common(int desc, cl_fmap_t *map, const char *filepath, co

             }

         } else {

             char buf[64];

-            cli_dbgmsg("scan_common; gettimeofday error: %s\n", cli_strerror(errno, buf, 64));

+            cli_dbgmsg("scan_common: gettimeofday error: %s\n", cli_strerror(errno, buf, 64));

         }

     }

@@ -4403,14 +4412,14 @@ int cli_found_possibly_unwanted(cli_ctx *ctx)

         cli_dbgmsg("found Possibly Unwanted: %s\n", cli_get_last_virus(ctx));

         if (SCAN_HEURISTIC_PRECEDENCE) {

             /* we found a heuristic match, don't scan further,

-         * but consider it a virus. */

+             * but consider it a virus. */

             cli_dbgmsg("cli_found_possibly_unwanted: CL_VIRUS\n");

             return CL_VIRUS;

         }

         /* heuristic scan isn't taking precedence, keep scanning.

-     * If this is part of an archive, and

-     * we find a real malware we report that instead of the

-     * heuristic match */

+         * If this is part of an archive, and

+         * we find a real malware we report that instead of the

+         * heuristic match */

         ctx->found_possibly_unwanted = 1;

     } else {

         cli_warnmsg("cli_found_possibly_unwanted called, but virname is not set\n");

@@ -930,6 +930,11 @@ cl_error_t cli_unzip(cli_ctx *ctx)

                 ret = CL_EMAXFILES;

             }

+            if (cli_checktimelimit(ctx) != CL_SUCCESS) {

+                cli_dbgmsg("cli_unzip: Time limit reached (max: %u)\n", ctx->engine->maxscantime);

+                ret = CL_ETIMEOUT;

+            }

+

             /*

              * Detect overlapping files and zip bombs.

              */

@@ -366,6 +366,8 @@ const struct clam_option __clam_options[] = {

     {"ForceToDisk", "force-to-disk", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option causes memory or nested map scans to dump the content to disk.\nIf you turn on this option, more data is written to disk and is available\nwhen the leave-temps option is enabled at the cost of more disk writes.", "no"},

+    {"MaxScanTime", "max-scantime", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum amount of time a scan may take to complete.\nIn this version, this field only affects the scan time of ZIP archives.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result allow scanning\nof certain files to lock up the scanning process/threads resulting in a Denial of Service.\nThe value is in milliseconds.", "120000"},

+

     {"MaxScanSize", "max-scansize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXSCANSIZE, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum amount of data to be scanned for each input file.\nArchives and other containers are recursively extracted and scanned up to this\nvalue.\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage.", "100M"},

     {"MaxFileSize", "max-filesize", 0, CLOPT_TYPE_SIZE, MATCH_SIZE, CLI_DEFAULT_MAXFILESIZE, NULL, 0, OPT_CLAMD | OPT_MILTER | OPT_CLAMSCAN, "Files/messages larger than this limit won't be scanned. Affects the input\nfile itself as well as files contained inside it (when the input file is\nan archive, a document or some other kind of container).\nThe value of 0 disables the limit.\nWARNING: disabling this limit or setting it too high may result in severe\ndamage to the system.", "25M"},

@@ -391,8 +393,6 @@ const struct clam_option __clam_options[] = {

     {"MaxRecHWP3", "max-rechwp3", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_MAXRECHWP3, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum recursive calls to HWP3 parsing function.\nHWP3 files using more than this limit will be terminated and alert the user.\nScans will be unable to scan any HWP3 attachments if the recursive limit is reached.\nNegative values are not allowed.\nWARNING: setting this limit too high may result in severe damage or impact performance.", "16"},

-    {"TimeLimit", "timelimit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMSCAN, "This clamscan option is currently for testing only. It sets the engine parameter CL_ENGINE_TIME_LIMIT. The value is in milliseconds.", "0"},

-

     {"PCREMatchLimit", "pcre-match-limit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_PCRE_MATCH_LIMIT, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum calls to the PCRE match function during an instance of regex matching.\nInstances using more than this limit will be terminated and alert the user but the scan will continue.\nFor more information on match_limit, see the PCRE documentation.\nNegative values are not allowed.\nWARNING: setting this limit too high may severely impact performance.", "100000"},

     {"PCRERecMatchLimit", "pcre-recmatch-limit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, CLI_DEFAULT_PCRE_RECMATCH_LIMIT, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.\nInstances using more than this limit will be terminated and alert the user but the scan will continue.\nFor more information on match_limit_recursion, see the PCRE documentation.\nNegative values are not allowed and values > PCREMatchLimit are superfluous.\nWARNING: setting this limit too high may severely impact performance.", "5000"},

@@ -506,6 +506,7 @@ const struct clam_option __clam_options[] = {

     /* Deprecated options */

+    {"TimeLimit", "timelimit", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 0, NULL, 0, OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to set the max-scantime.\nThe value is in milliseconds.", "120000"},

     {"DetectBrokenExecutables", "detect-broken", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "Deprecated option to alert on broken PE and ELF executable files.", "no"},

     {"AlgorithmicDetection", "algorithmic-detection", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Deprecated option to enable heuristic alerts (e.g. \"Heuristics.<sig name>\")", "no"},

     {"BlockMax", "block-max", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "", ""},

@@ -76,8 +76,8 @@ Example

 # Default: no

 #OfficialDatabaseOnly no

-# The daemon on Windows only supports unsecured TCP sockets. 

-# Due to security reasons make sure that your IP & port is not 

+# The daemon on Windows only supports unsecured TCP sockets.

+# Due to security reasons make sure that your IP & port is not

 # exposed to the open internet.

 # TCP port address.

@@ -203,7 +203,7 @@ TCPAddr 127.0.0.1

 #DetectPUA yes

 # Exclude a specific PUA category. This directive can be used multiple times.

-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 

+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for

 # the complete list of PUA categories.

 # Default: Load all categories (if DetectPUA is activated)

 #ExcludePUA NetTool

@@ -243,9 +243,9 @@ TCPAddr 127.0.0.1

 # the end of a scan. If an archive contains both a heuristically detected

 # virus/phish, and a real malware, the real malware will be reported

 #

-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 

+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses

 # differently from "real" malware.

-# If a non-heuristically-detected virus (signature-based) is found first, 

+# If a non-heuristically-detected virus (signature-based) is found first,

 # the scan is interrupted immediately, regardless of this config option.

 #

 # Default: no

@@ -446,6 +446,16 @@ TCPAddr 127.0.0.1

 # The options below protect your system against Denial of Service attacks

 # using archive bombs.

+# This option sets the maximum amount of time to a scan may take.

+# In this version, this field only affects the scan time of ZIP archives.

+# Value of 0 disables the limit

+# Note: disabling this limit or setting it too high may result allow scanning

+# of certain files to lock up the scanning process/threads resulting in a Denial

+# of Service.

+# Time is in milliseconds.

+# Default: 120000

+#MaxScanTime 300000

+

 # This option sets the maximum amount of data to be scanned for each input file.

 # Archives and other containers are recursively extracted and scanned up to this

 # value.

@@ -584,7 +594,7 @@ TCPAddr 127.0.0.1

 ## Bytecode

 ##

-# With this option enabled ClamAV will load bytecode from the database. 

+# With this option enabled ClamAV will load bytecode from the database.

 # It is highly recommended you keep this option on, otherwise you'll miss

 # detections for many new viruses.

 # Default: yes

@@ -608,7 +618,7 @@ TCPAddr 127.0.0.1

 #BytecodeSecurity TrustSigned

 # Set bytecode timeout in milliseconds.

-# 

+#

 # Default: 5000

 # BytecodeTimeout 1000