Browse code
more limits and ole2 collision fixup
git-svn-id: file:///var/lib/svn/clamav-devel/branches/newlimits@3608 77e5149b-7576-45b1-b177-96237e5ba77b
aCaB authored on 2008/02/11 22:18:41Showing 5 changed files
- libclamav/nsis/nulsft.c
- libclamav/ole2_extract.c
- libclamav/ole2_extract.h
- libclamav/scanners.c
- libclamav/vba_extract.c
| ... | ... |
@@ -163,7 +163,6 @@ static int nsis_decomp(struct nsis_st *n) {
|
| 163 | 163 |
break; |
| 164 | 164 |
case Z_STREAM_END: |
| 165 | 165 |
ret = CL_BREAK; |
| 166 |
- /* FIXME: regression needed */ |
|
| 167 | 166 |
} |
| 168 | 167 |
n->nsis.avail_in = n->z.avail_in; |
| 169 | 168 |
n->nsis.next_in = n->z.next_in; |
| ... | ... |
@@ -184,10 +183,9 @@ static int nsis_unpack_next(struct nsis_st *n, cli_ctx *ctx) {
|
| 184 | 184 |
cli_dbgmsg("NSIS: extraction complete\n");
|
| 185 | 185 |
return CL_BREAK; |
| 186 | 186 |
} |
| 187 |
- if (ctx->limits && ctx->limits->maxfiles && n->fno >= ctx->limits->maxfiles) {
|
|
| 188 |
- cli_dbgmsg("NSIS: Files limit reached (max: %u)\n", ctx->limits->maxfiles);
|
|
| 189 |
- return CL_EMAXFILES; |
|
| 190 |
- } |
|
| 187 |
+ |
|
| 188 |
+ if ((ret=cli_checklimits("NSIS", ctx 0, 0, 0))!=CL_CLEAN)
|
|
| 189 |
+ return ret; |
|
| 191 | 190 |
|
| 192 | 191 |
if (n->fno) |
| 193 | 192 |
snprintf(n->ofn, 1023, "%s/content.%.3u", n->dir, n->fno); |
| ... | ... |
@@ -225,11 +223,10 @@ static int nsis_unpack_next(struct nsis_st *n, cli_ctx *ctx) {
|
| 225 | 225 |
|
| 226 | 226 |
n->asz -= size+4; |
| 227 | 227 |
|
| 228 |
- if (ctx->limits && ctx->limits->maxfilesize && size > ctx->limits->maxfilesize) {
|
|
| 229 |
- cli_dbgmsg("NSIS: Skipping file due to size limit (%u, max: %lu)\n", size, ctx->limits->maxfilesize);
|
|
| 228 |
+ if ((ret=cli_checklimits("NSIS", ctx, size, 0, 0)!=CL_CLEAN) {
|
|
| 230 | 229 |
close(n->ofd); |
| 231 | 230 |
if (lseek(n->ifd, size, SEEK_CUR)==-1) return CL_EIO; |
| 232 |
- return CL_EMAXSIZE; |
|
| 231 |
+ return ret; |
|
| 233 | 232 |
} |
| 234 | 233 |
if (!(ibuf= (unsigned char *) cli_malloc(size))) {
|
| 235 | 234 |
cli_dbgmsg("NSIS: out of memory"__AT__"\n");
|
| ... | ... |
@@ -274,12 +271,11 @@ static int nsis_unpack_next(struct nsis_st *n, cli_ctx *ctx) {
|
| 274 | 274 |
n->nsis.next_out = obuf; |
| 275 | 275 |
n->nsis.avail_out = BUFSIZ; |
| 276 | 276 |
loops=0; |
| 277 |
- if (ctx->limits && ctx->limits->maxfilesize && size > ctx->limits->maxfilesize) {
|
|
| 278 |
- cli_dbgmsg("NSIS: Skipping file due to size limit (%u, max: %lu)\n", size, ctx->limits->maxfilesize);
|
|
| 277 |
+ if ((ret=cli_checklimits("NSIS", ctx, size, 0, 0))!=CL_CLEAN) {
|
|
| 279 | 278 |
free(ibuf); |
| 280 | 279 |
close(n->ofd); |
| 281 | 280 |
nsis_shutdown(n); |
| 282 |
- return CL_EMAXSIZE; |
|
| 281 |
+ return ret; |
|
| 283 | 282 |
} |
| 284 | 283 |
} else if (++loops > 10) {
|
| 285 | 284 |
cli_dbgmsg("NSIS: xs looping, breaking out"__AT__"\n");
|
| ... | ... |
@@ -367,10 +363,9 @@ static int nsis_unpack_next(struct nsis_st *n, cli_ctx *ctx) {
|
| 367 | 367 |
} |
| 368 | 368 |
|
| 369 | 369 |
size=cli_readint32(obuf); |
| 370 |
- if (ctx->limits && ctx->limits->maxfilesize && size > ctx->limits->maxfilesize) {
|
|
| 371 |
- cli_dbgmsg("NSIS: Breaking out due to filesize limit (%u, max: %lu) in solid archive\n", size, ctx->limits->maxfilesize);
|
|
| 370 |
+ if ((ret=cli_checklimits("NSIS", ctx, size, 0, 0))!=CL_CLEAN) {
|
|
| 372 | 371 |
close(n->ofd); |
| 373 |
- return CL_EFORMAT; |
|
| 372 |
+ return ret; |
|
| 374 | 373 |
} |
| 375 | 374 |
|
| 376 | 375 |
n->nsis.next_out = obuf; |
| ... | ... |
@@ -536,7 +531,7 @@ int cli_scannulsft(int desc, cli_ctx *ctx, off_t offset) {
|
| 536 | 536 |
} |
| 537 | 537 |
} while(ret == CL_SUCCESS); |
| 538 | 538 |
|
| 539 |
- if(ret == CL_BREAK) |
|
| 539 |
+ if(ret == CL_BREAK || ret == CL_EMAXFILES) |
|
| 540 | 540 |
ret = CL_CLEAN; |
| 541 | 541 |
|
| 542 | 542 |
cli_nsis_free(&nsist); |
| ... | ... |
@@ -475,7 +475,9 @@ static void ole2_walk_property_tree(int fd, ole2_header_t *hdr, const char *dir, |
| 475 | 475 |
if ((prop_index < 0) || (prop_index > (int32_t) hdr->max_block_no) || (rec_level > 100) || (*file_count > 100000)) {
|
| 476 | 476 |
return; |
| 477 | 477 |
} |
| 478 |
- /* FIXMELIMITS */ |
|
| 478 |
+ /* FIXMELIMITS |
|
| 479 |
+ * DOES recursion on virtual object make sense ? |
|
| 480 |
+ * WHY no size checking ? */ |
|
| 479 | 481 |
if (limits && limits->maxfiles && (*file_count > limits->maxfiles)) {
|
| 480 | 482 |
cli_dbgmsg("OLE2: File limit reached (max: %d)\n", limits->maxfiles);
|
| 481 | 483 |
return; |
| ... | ... |
@@ -778,7 +780,7 @@ static int ole2_read_header(int fd, ole2_header_t *hdr) |
| 778 | 778 |
} |
| 779 | 779 |
#endif |
| 780 | 780 |
|
| 781 |
-int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits) |
|
| 781 |
+int cli_ole2_extract(int fd, const char *dirname, cli_ctx *ctx) |
|
| 782 | 782 |
{
|
| 783 | 783 |
ole2_header_t hdr; |
| 784 | 784 |
int hdr_size; |
| ... | ... |
@@ -878,7 +880,7 @@ int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits |
| 878 | 878 |
|
| 879 | 879 |
/* OR */ |
| 880 | 880 |
|
| 881 |
- ole2_walk_property_tree(fd, &hdr, dirname, 0, handler_writefile, 0, &file_count, limits); |
|
| 881 |
+ ole2_walk_property_tree(fd, &hdr, dirname, 0, handler_writefile, 0, &file_count, ctx->limits); |
|
| 882 | 882 |
|
| 883 | 883 |
abort: |
| 884 | 884 |
#ifdef HAVE_MMAP |
| ... | ... |
@@ -24,8 +24,8 @@ |
| 24 | 24 |
#ifndef __OLE2_EXTRACT_H |
| 25 | 25 |
#define __OLE2_EXTRACT_H |
| 26 | 26 |
|
| 27 |
-#include "clamav.h" |
|
| 27 |
+#include "others.h" |
|
| 28 | 28 |
|
| 29 |
-int cli_ole2_extract(int fd, const char *dirname, const struct cl_limits *limits); |
|
| 29 |
+int cli_ole2_extract(int fd, const char *dirname, cli_ctx *ctx); |
|
| 30 | 30 |
|
| 31 | 31 |
#endif |
| ... | ... |
@@ -102,9 +102,6 @@ |
| 102 | 102 |
#include <stddef.h> |
| 103 | 103 |
#endif |
| 104 | 104 |
|
| 105 |
-#define MAX_MAIL_RECURSION 15 |
|
| 106 |
- |
|
| 107 |
- |
|
| 108 | 105 |
static int cli_scanfile(const char *filename, cli_ctx *ctx); |
| 109 | 106 |
|
| 110 | 107 |
#ifdef ENABLE_UNRAR |
| ... | ... |
@@ -1077,6 +1074,9 @@ static int cli_scanole2(int desc, cli_ctx *ctx) |
| 1077 | 1077 |
|
| 1078 | 1078 |
cli_dbgmsg("in cli_scanole2()\n");
|
| 1079 | 1079 |
|
| 1080 |
+ if(ctx->limits && ctx->limits->maxreclevel && ctx->recursion >= ctx->limits->maxreclevel) |
|
| 1081 |
+ return CL_EMAXREC; |
|
| 1082 |
+ |
|
| 1080 | 1083 |
/* generate the temporary directory */ |
| 1081 | 1084 |
dir = cli_gentemp(NULL); |
| 1082 | 1085 |
if(mkdir(dir, 0700)) {
|
| ... | ... |
@@ -1085,20 +1085,25 @@ static int cli_scanole2(int desc, cli_ctx *ctx) |
| 1085 | 1085 |
return CL_ETMPDIR; |
| 1086 | 1086 |
} |
| 1087 | 1087 |
|
| 1088 |
- if((ret = cli_ole2_extract(desc, dir, ctx->limits))) {
|
|
| 1088 |
+ if((ret = cli_ole2_extract(desc, dir, ctx))) {
|
|
| 1089 | 1089 |
cli_dbgmsg("OLE2: %s\n", cl_strerror(ret));
|
| 1090 | 1090 |
if(!cli_leavetemps_flag) |
| 1091 | 1091 |
cli_rmdirs(dir); |
| 1092 | 1092 |
free(dir); |
| 1093 |
+ ctx->recursion--; |
|
| 1093 | 1094 |
return ret; |
| 1094 | 1095 |
} |
| 1095 | 1096 |
|
| 1097 |
+ ctx->recursion++; |
|
| 1098 |
+ |
|
| 1096 | 1099 |
if((ret = cli_vba_scandir(dir, ctx)) != CL_VIRUS) {
|
| 1097 | 1100 |
if(cli_scandir(dir, ctx) == CL_VIRUS) {
|
| 1098 | 1101 |
ret = CL_VIRUS; |
| 1099 | 1102 |
} |
| 1100 | 1103 |
} |
| 1101 | 1104 |
|
| 1105 |
+ ctx->recursion--; |
|
| 1106 |
+ |
|
| 1102 | 1107 |
if(!cli_leavetemps_flag) |
| 1103 | 1108 |
cli_rmdirs(dir); |
| 1104 | 1109 |
free(dir); |
| ... | ... |
@@ -1758,7 +1763,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx) |
| 1758 | 1758 |
break; |
| 1759 | 1759 |
|
| 1760 | 1760 |
case CL_TYPE_NULSFT: |
| 1761 |
- if(SCAN_ARCHIVE) |
|
| 1761 |
+ if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_NSIS)) |
|
| 1762 | 1762 |
ret = cli_scannulsft(desc, ctx, 0); |
| 1763 | 1763 |
break; |
| 1764 | 1764 |
|
| ... | ... |
@@ -590,7 +590,7 @@ cli_decode_ole_object(int fd, const char *dir) |
| 590 | 590 |
int ofd; |
| 591 | 591 |
uint32_t object_size; |
| 592 | 592 |
struct stat statbuf; |
| 593 |
- char fullname[NAME_MAX + 1]; |
|
| 593 |
+ char *fullname; |
|
| 594 | 594 |
|
| 595 | 595 |
if(dir == NULL) |
| 596 | 596 |
return -1; |
| ... | ... |
@@ -629,15 +629,19 @@ cli_decode_ole_object(int fd, const char *dir) |
| 629 | 629 |
if(!read_uint32(fd, &object_size, FALSE)) |
| 630 | 630 |
return -1; |
| 631 | 631 |
} |
| 632 |
- snprintf(fullname, sizeof(fullname) - 1, "%s/_clam_ole_object", dir); |
|
| 632 |
+ if(!(fullname = cli_gentemp(dir))) {
|
|
| 633 |
+ return -1; |
|
| 634 |
+ } |
|
| 633 | 635 |
ofd = open(fullname, O_RDWR|O_CREAT|O_TRUNC|O_BINARY|O_EXCL, |
| 634 | 636 |
S_IWUSR|S_IRUSR); |
| 635 | 637 |
if (ofd < 0) {
|
| 636 |
- cli_warnmsg("cli_decode_ole_object: can't create %s\n",
|
|
| 637 |
- fullname); |
|
| 638 |
+ cli_warnmsg("cli_decode_ole_object: can't create %s\n", fullname);
|
|
| 639 |
+ free(fullname); |
|
| 638 | 640 |
return -1; |
| 641 |
+ } else {
|
|
| 642 |
+ cli_dbgmsg("cli_decode_ole_object: decoding to %s\n", fullname);
|
|
| 639 | 643 |
} |
| 640 |
- |
|
| 644 |
+ free(fullname); |
|
| 641 | 645 |
ole_copy_file_data(fd, ofd, object_size); |
| 642 | 646 |
lseek(ofd, 0, SEEK_SET); |
| 643 | 647 |
return ofd; |