From 482fcd413b07e9fd3ef9850e6d01a45f4e187108 Mon Sep 17 00:00:00 2001
From: Andy Ragusa
Date: Tue, 19 Nov 2019 15:55:47 -0800
Subject: [PATCH] Modified mbox.c only mark files as infected with heuristic alerts if heuristic alerts are enabled.
---
 libclamav/mbox.c | 52 ++++++++++++++++++++++--------------------------
 1 file changed, 24 insertions(+), 28 deletions(-)
diff --git a/libclamav/mbox.c b/libclamav/mbox.c
index 684f0d7e34..fc63245255 100644
--- a/libclamav/mbox.c
+++ b/libclamav/mbox.c
@@ -232,11 +232,11 @@ static blob *getHrefs(message *m, tag_arguments_t *hrefs);
 static void hrefs_done(blob *b, tag_arguments_t *hrefs);
 static void checkURLs(message *m, mbox_ctx *mctx, mbox_status *rc, int is_html);
-static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx);
-static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx);
-static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx);
-static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx);
-static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx);
+static bool haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc);
+static bool hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound);
+static bool haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound);
 /* Maximum line length according to RFC2821 */
 #define RFC2821LENGTH 1000
@@ -769,7 +769,7 @@ doContinueMultipleEmptyOptions(const char *const line, bool *lastWasOnlySemi)
 }
 static bool
-hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
+hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 if (line) {
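Review bot: The five prototypes changed at -232 gain an out-parameter, but nothing states its contract, and its type differs between helpers (`mbox_status * rc` for haveTooManyMIMEPartsPerMessage, `bool * heuristicFound` for the other four). A short comment above the block would settle it, for example `/* Return TRUE when the limit is exceeded; the out-parameter is written only if CL_SCAN_GENERAL_HEURISTICS is set. */`. The spacing `bool * heuristicFound` also departs from the `cli_ctx *ctx` form used on the same lines.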
@@ -782,6 +782,7 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
 if ((*lineFoldCnt) >= HEURISTIC_EMAIL_MAX_LINE_FOLDS_PER_HEADER) {
 if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxLineFoldCnt");
+ *heuristicFound = TRUE;
 }
 return TRUE;
@@ -791,12 +792,13 @@ hitLineFoldCnt(const char *const line, size_t *lineFoldCnt, cli_ctx *ctx)
 }
 static bool
-haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
+haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx, bool * heuristicFound)
 {
 if (totalLen > HEURISTIC_EMAIL_MAX_HEADER_BYTES) {
 if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxHeaderBytes");
+ *heuristicFound = TRUE;
 }
 return TRUE;
@@ -805,12 +807,13 @@ haveTooManyHeaderBytes(size_t totalLen, cli_ctx *ctx)
 }
 static bool
-haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
+haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 if (totalHeaderCnt > HEURISTIC_EMAIL_MAX_HEADERS) {
 if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxEmailHeaders");
+ *heuristicFound = TRUE;
 }
 return TRUE;
@@ -819,12 +822,13 @@ haveTooManyEmailHeaders(size_t totalHeaderCnt, cli_ctx *ctx)
 }
 static bool
-haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
+haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx, mbox_status * rc)
 {
 if (mimePartCnt >= HEURISTIC_EMAIL_MAX_MIME_PARTS_PER_MESSAGE) {
 if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage");
+ *rc = VIRUS;
 }
 return TRUE;
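Review bot: In hitLineFoldCnt (hunk at -782) the `return TRUE;` after the inner `if` is still unconditional, so with CL_SCAN_GENERAL_HEURISTICS cleared the callers in the later hunks still `break` out of header parsing while `*heuristicFound` stays unset and no alert is appended. The message is then cut short with nothing in the scan result to show it; an `else` branch with `cli_dbgmsg("hitLineFoldCnt: line fold limit exceeded, heuristic alerts disabled\n");` would at least make the truncation visible. The same shape is in haveTooManyHeaderBytes, haveTooManyEmailHeaders, haveTooManyMIMEPartsPerMessage and haveTooManyMIMEArguments in the following hunks. Whether the truncated message is still scanned afterwards depends on caller code outside these hunks, and hitLineFoldCnt itself starts and ends outside this one.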
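Review bot: `*rc = VIRUS;` in haveTooManyMIMEPartsPerMessage (hunk at -819) is assigned without looking at what `cli_append_virus()` returned. If that call can decline to record the alert (not visible from here, so this needs confirming against its definition), the status is still forced to VIRUS; `if (cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEPartsPerMessage") == CL_VIRUS) { *rc = VIRUS; }` keeps the two in step. The `*heuristicFound = TRUE;` lines in the sibling helpers have the same shape. The end of this function lies outside the hunk.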
@@ -833,12 +837,13 @@ haveTooManyMIMEPartsPerMessage(size_t mimePartCnt, cli_ctx *ctx)
 }
 static bool
-haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx)
+haveTooManyMIMEArguments(size_t argCnt, cli_ctx *ctx, bool * heuristicFound)
 {
 if (argCnt >= HEURISTIC_EMAIL_MAX_ARGUMENTS_PER_HEADER) {
 if (ctx->options->general & CL_SCAN_GENERAL_HEURISTICS) {
 cli_append_virus(ctx, "Heuristics.Email.ExceedsMaxMIMEArguments");
+ *heuristicFound = TRUE;
 }
 return TRUE;
@@ -899,8 +904,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 continue;
 }
- if (hitLineFoldCnt(line, &lineFoldCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound )) {
 break;
 }
@@ -947,8 +951,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 DO_VERIFY_POINTER(header);
 totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
 break;
 }
 needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
@@ -1037,8 +1040,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 if (lineAdded) {
 totalHeaderBytes += strlen(line);
- if (haveTooManyHeaderBytes(totalHeaderBytes, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyHeaderBytes(totalHeaderBytes, ctx, heuristicFound)) {
 break;
 }
 }
@@ -1069,8 +1071,7 @@ parseEmailFile(fmap_t *map, size_t *at, const table_t *rfc821, const char *first
 if (0 == needContinue) {
 totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, ctx, heuristicFound)) {
 break;
 }
 needContinue = (parseEmailHeader(ret, header, rfc821, ctx, heuristicFound) < 0);
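Review bot: The rewritten call at -899, `hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound ))`, has a stray space before the closing parentheses, and the haveTooManyMIMEArguments call at -3290 repeats it; the other rewritten call sites do not. Writing it as `if (hitLineFoldCnt(line, &lineFoldCnt, ctx, heuristicFound)) {` keeps these lines consistent with the rest of the file. parseEmailFile begins and ends outside this hunk.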
@@ -1205,8 +1206,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
 continue;
 }
- if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx)) {
- *heuristicFound = TRUE;
+ if (hitLineFoldCnt(line, &lineFoldCnt, m->ctx, heuristicFound)) {
 break;
 }
@@ -1283,8 +1283,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
 }
 if (lineAdded) {
- if (haveTooManyHeaderBytes(fulllinelength, m->ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyHeaderBytes(fulllinelength, m->ctx, heuristicFound)) {
 break;
 }
 }
@@ -1306,8 +1305,7 @@ parseEmailHeaders(message *m, const table_t *rfc821, bool *heuristicFound)
 }
 totalHeaderCnt++;
- if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyEmailHeaders(totalHeaderCnt, m->ctx, heuristicFound)) {
 break;
 }
 if (parseEmailHeader(ret, fullline, rfc821, m->ctx, heuristicFound) < 0) {
@@ -2209,9 +2207,8 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
 free((char *)boundary);
- if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx)) {
+ if (haveTooManyMIMEPartsPerMessage(multiparts, mctx->ctx, &rc)) {
 DO_FREE(messages);
- rc = VIRUS;
 break;
 }
@@ -3290,8 +3287,7 @@ parseMimeHeader(message *m, const char *cmd, const table_t *rfc821Table, const c
 cli_dbgmsg("mimeArgs = '%s'\n", buf);
 argCnt++;
- if (haveTooManyMIMEArguments(argCnt, ctx)) {
- *heuristicFound = TRUE;
+ if (haveTooManyMIMEArguments(argCnt, ctx, heuristicFound )) {
 break;
 }
 messageAddArguments(m, buf);
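Review bot: In parseEmailBody (hunk at -2209) the `rc = VIRUS;` that used to follow `DO_FREE(messages);` is gone, so with heuristic alerts disabled a message over the MIME-part limit now frees its collected parts and breaks with `rc` left at its earlier value. From the hunk alone it looks as if those parts are then never scanned and the caller gets no sign of it, which leaves a detection gap for deployments that run without heuristic alerts. A comment at the `break` stating that this is intended, plus `cli_dbgmsg("parseEmailBody: MIME part limit exceeded, parts dropped\n");` before it, would make the behaviour explicit. The surrounding loop and the final use of `rc` are outside the hunk.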