| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  *  Support for matcher using PCRE | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  Copyright (C) 2007-2013 Sourcefire, Inc. | 
					
						
							|  |  |  |  *  Copyright (C) 2014 Cisco Systems, Inc. | 
					
						
							|  |  |  |  *  All Rights Reserved. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  Authors: Kevin Lin | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  This program is free software; you can redistribute it and/or modify | 
					
						
							|  |  |  |  *  it under the terms of the GNU General Public License version 2 as | 
					
						
							|  |  |  |  *  published by the Free Software Foundation. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  This program is distributed in the hope that it will be useful, | 
					
						
							|  |  |  |  *  but WITHOUT ANY WARRANTY; without even the implied warranty of | 
					
						
							|  |  |  |  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | 
					
						
							|  |  |  |  *  GNU General Public License for more details. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  *  You should have received a copy of the GNU General Public License | 
					
						
							|  |  |  |  *  along with this program; if not, write to the Free Software | 
					
						
							|  |  |  |  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, | 
					
						
							|  |  |  |  *  MA 02110-1301, USA. | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #if HAVE_CONFIG_H
 | 
					
						
							|  |  |  | #include "clamav-config.h"
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #include "clamav.h"
 | 
					
						
							|  |  |  | #include "cltypes.h"
 | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  | #include "dconf.h"
 | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  | #include "events.h"
 | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | #include "others.h"
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  | #include "matcher.h"
 | 
					
						
							| 
									
										
										
										
											2014-09-23 13:31:47 -04:00
										 |  |  | #include "matcher-ac.h"
 | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | #include "matcher-pcre.h"
 | 
					
						
							|  |  |  | #include "mpool.h"
 | 
					
						
							|  |  |  | #include "regex_pcre.h"
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-18 14:10:12 -04:00
										 |  |  | #if HAVE_PCRE
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  | /* DEBUGGING */ | 
					
						
							|  |  |  | //#define MATCHER_PCRE_DEBUG
 | 
					
						
							|  |  |  | #ifdef MATCHER_PCRE_DEBUG
 | 
					
						
							|  |  |  | #  define pm_dbgmsg(...) cli_dbgmsg( __VA_ARGS__)
 | 
					
						
							|  |  |  | #else
 | 
					
						
							|  |  |  | #  define pm_dbgmsg(...)
 | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | #undef MATCHER_PCRE_DEBUG
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  | /* PERFORMANCE MACROS AND FUNCTIONS */ | 
					
						
							|  |  |  | #define MAX_TRACKED_PCRE 64
 | 
					
						
							|  |  |  | #define PCRE_EVENTS_PER_SIG 2
 | 
					
						
							|  |  |  | #define MAX_PCRE_SIGEVENT_ID MAX_TRACKED_PCRE*PCRE_EVENTS_PER_SIG
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  | cli_events_t *p_sigevents = NULL; | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  | unsigned int p_sigid = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | static void pcre_perf_events_init(struct cli_pcre_meta *pm) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     int ret; | 
					
						
							|  |  |  |     char *pcre_name = NULL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (!p_sigevents) { | 
					
						
							|  |  |  |         p_sigevents = cli_events_new(MAX_PCRE_SIGEVENT_ID); | 
					
						
							|  |  |  |         if (!p_sigevents) { | 
					
						
							|  |  |  |             cli_errmsg("pcre_perf: no memory for events table\n"); | 
					
						
							|  |  |  |             return; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (p_sigid > MAX_PCRE_SIGEVENT_ID - PCRE_EVENTS_PER_SIG - 1) { | 
					
						
							|  |  |  |         cli_errmsg("pcre_perf: events table full. Increase MAX_TRACKED_PCRE\n"); | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     /* set the name */ | 
					
						
							|  |  |  |     pcre_name = pm->pdata.expression; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |     pm_dbgmsg("pcre_perf: adding sig ids starting %u for %s\n", p_sigid, pcre_name); | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |     /* register time event */ | 
					
						
							|  |  |  |     pm->sigtime_id = p_sigid; | 
					
						
							|  |  |  |     ret = cli_event_define(p_sigevents, p_sigid++, pcre_name, ev_time, multiple_sum); | 
					
						
							|  |  |  |     if (ret) { | 
					
						
							|  |  |  |         cli_errmsg("pcre_perf: cli_event_define() error for time event id %d\n", pm->sigtime_id); | 
					
						
							|  |  |  |         pm->sigtime_id = MAX_PCRE_SIGEVENT_ID+1; | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     /* register match count */ | 
					
						
							|  |  |  |     pm->sigmatch_id = p_sigid; | 
					
						
							|  |  |  |     ret = cli_event_define(p_sigevents, p_sigid++, pcre_name, ev_int, multiple_sum); | 
					
						
							|  |  |  |     if (ret) { | 
					
						
							|  |  |  |         cli_errmsg("pcre_perf: cli_event_define() error for matches event id %d\n", pm->sigmatch_id); | 
					
						
							|  |  |  |         pm->sigmatch_id = MAX_PCRE_SIGEVENT_ID+1; | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | struct sigperf_elem { | 
					
						
							|  |  |  |     const char * name; | 
					
						
							|  |  |  |     uint64_t usecs; | 
					
						
							|  |  |  |     unsigned long run_count; | 
					
						
							|  |  |  |     unsigned long match_count; | 
					
						
							|  |  |  | }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | static int sigelem_comp(const void * a, const void * b) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     const struct sigperf_elem *ela = a; | 
					
						
							|  |  |  |     const struct sigperf_elem *elb = b; | 
					
						
							|  |  |  |     return elb->usecs/elb->run_count - ela->usecs/ela->run_count; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void cli_pcre_perf_print() | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     struct sigperf_elem stats[MAX_TRACKED_PCRE], *elem = stats; | 
					
						
							|  |  |  |     int i, elems = 0, max_name_len = 0, name_len; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (!p_sigid || !p_sigevents) { | 
					
						
							|  |  |  |         cli_warnmsg("cli_pcre_perf_print: statistics requested but no PCREs were loaded!\n"); | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     memset(stats, 0, sizeof(stats)); | 
					
						
							|  |  |  |     for (i=0;i<MAX_TRACKED_PCRE;i++) { | 
					
						
							|  |  |  |         union ev_val val; | 
					
						
							|  |  |  |         uint32_t count; | 
					
						
							|  |  |  |         const char * name = cli_event_get_name(p_sigevents, i*PCRE_EVENTS_PER_SIG); | 
					
						
							|  |  |  |         cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG, &val, &count); | 
					
						
							|  |  |  |         if (!count) { | 
					
						
							|  |  |  |             if (name) | 
					
						
							|  |  |  |                 cli_dbgmsg("No event triggered for %s\n", name); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         if (name) | 
					
						
							|  |  |  |             name_len = strlen(name); | 
					
						
							|  |  |  |         else | 
					
						
							|  |  |  |             name_len = 0; | 
					
						
							|  |  |  |         if (name_len > max_name_len) | 
					
						
							|  |  |  |             max_name_len = name_len; | 
					
						
							|  |  |  |         elem->name = name?name:"\"noname\""; | 
					
						
							|  |  |  |         elem->usecs = val.v_int; | 
					
						
							|  |  |  |         elem->run_count = count; | 
					
						
							|  |  |  |         cli_event_get(p_sigevents, i*PCRE_EVENTS_PER_SIG+1, &val, &count); | 
					
						
							|  |  |  |         elem->match_count = count; | 
					
						
							|  |  |  |         elem++; | 
					
						
							|  |  |  |         elems++; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-10-22 17:56:49 -04:00
										 |  |  |     if (max_name_len < strlen("PCRE Expression")) | 
					
						
							|  |  |  |         max_name_len = strlen("PCRE Expression"); | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |     cli_qsort(stats, elems, sizeof(struct sigperf_elem), sigelem_comp); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     elem = stats; | 
					
						
							|  |  |  |     /* name runs matches microsecs avg */ | 
					
						
							|  |  |  |     cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "PCRE Expression", | 
					
						
							|  |  |  |                  8, "#runs", 8, "#matches", 12, "usecs total", 9, "usecs avg"); | 
					
						
							|  |  |  |     cli_infomsg (NULL, "%-*s %*s %*s %*s %*s\n", max_name_len, "===============", | 
					
						
							|  |  |  |                  8, "=====", 8, "========", 12, "===========", 9, "========="); | 
					
						
							|  |  |  |     while (elem->run_count) { | 
					
						
							|  |  |  |         cli_infomsg (NULL, "%-*s %*lu %*lu %*llu %*.2f\n", max_name_len, elem->name, | 
					
						
							|  |  |  |                      8, elem->run_count, 8, elem->match_count, | 
					
						
							|  |  |  |                      12, elem->usecs, 9, (double)elem->usecs/elem->run_count); | 
					
						
							|  |  |  |         elem++; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void cli_pcre_perf_events_destroy() | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     cli_events_free(p_sigevents); | 
					
						
							|  |  |  |     p_sigid = 0; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /* PCRE MATCHER FUNCTIONS */ | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  | int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *trigger, const char *pattern, const char *cflags, const char *offset, const uint32_t *lsigid, unsigned int options) | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | { | 
					
						
							|  |  |  |     struct cli_pcre_meta **newmetatable = NULL, *pm = NULL; | 
					
						
							|  |  |  |     uint32_t pcre_count; | 
					
						
							| 
									
										
										
										
											2014-09-02 17:22:22 -04:00
										 |  |  |     const char *opt; | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |     int ret = CL_SUCCESS, rssigs; | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     if (!root || !trigger || !pattern || !offset) { | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         cli_errmsg("cli_pcre_addpatt: NULL root or NULL trigger or NULL pattern or NULL offset\n"); | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |         return CL_ENULLARG; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-18 13:54:57 -04:00
										 |  |  |     /* TODO: trigger and regex checking (backreference limitations?) (control pattern limitations?) */ | 
					
						
							| 
									
										
										
										
											2014-09-17 11:37:13 -04:00
										 |  |  |     /* cli_ac_chklsig will fail a empty trigger; empty patterns can cause an infinite loop */ | 
					
						
							|  |  |  |     if (*trigger == '\0' || *pattern == '\0') { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: trigger or pattern cannot be an empty string\n"); | 
					
						
							|  |  |  |         return CL_EMALFDB; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-09-17 16:37:14 -04:00
										 |  |  |     if (cflags && *cflags == '\0') { | 
					
						
							|  |  |  |         cflags = NULL; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-09-17 11:37:13 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |     if (lsigid) | 
					
						
							| 
									
										
										
										
											2014-09-18 21:03:09 -04:00
										 |  |  |         pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) as subsig %d for lsigid %d\n",  | 
					
						
							|  |  |  |                   pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger, lsigid[1], lsigid[0]); | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |     else | 
					
						
							|  |  |  |         pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) [no lsigid]\n", | 
					
						
							| 
									
										
										
										
											2014-09-18 21:03:09 -04:00
										 |  |  |                   pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger); | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-09 11:58:16 -04:00
										 |  |  | #ifdef PCRE_BYPASS
 | 
					
						
							|  |  |  |     /* check for trigger bypass */ | 
					
						
							|  |  |  |     if (strcmp(trigger, PCRE_BYPASS)) { | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  |         /* validate the lsig trigger */ | 
					
						
							|  |  |  |         rssigs = cli_ac_chklsig(trigger, trigger + strlen(trigger), NULL, NULL, NULL, 1); | 
					
						
							|  |  |  |         if(rssigs == -1) { | 
					
						
							|  |  |  |             cli_errmsg("cli_pcre_addpatt: regex subsig /%s/ is missing a valid logical trigger\n", pattern); | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |             return CL_EMALFDB; | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-10-09 11:58:16 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |         if (lsigid) { | 
					
						
							|  |  |  |             if (rssigs > lsigid[1]) { | 
					
						
							|  |  |  |                 cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger refers to subsequent subsig %d\n", lsigid[1], rssigs); | 
					
						
							|  |  |  |                 return CL_EMALFDB; | 
					
						
							|  |  |  |             } | 
					
						
							|  |  |  |             if (rssigs == lsigid[1]) { | 
					
						
							|  |  |  |                 cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger is self-referential\n", lsigid[1]); | 
					
						
							|  |  |  |                 return CL_EMALFDB; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-10-09 11:58:16 -04:00
										 |  |  |         else { | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_addpatt: regex subsig is missing lsigid data\n"); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | #ifdef PCRE_BYPASS
 | 
					
						
							| 
									
										
										
										
											2014-09-03 16:17:41 -04:00
										 |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-10-09 11:58:16 -04:00
										 |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |     /* allocating entries */ | 
					
						
							|  |  |  |     pm = (struct cli_pcre_meta *)mpool_calloc(root->mempool, 1, sizeof(*pm)); | 
					
						
							|  |  |  |     if (!pm) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta\n"); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     pm->trigger = strdup(trigger); | 
					
						
							|  |  |  |     if (!pm->trigger) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for trigger string\n"); | 
					
						
							|  |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  |     pm->virname = (char *)cli_virname(virname, options & CL_DB_OFFICIAL); | 
					
						
							|  |  |  |     if(!pm->virname) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for virname or NULL virname\n"); | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |     if (lsigid) { | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  |         root->ac_lsigtable[lsigid[0]]->virname = pm->virname; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |         pm->lsigid[0] = 1; | 
					
						
							|  |  |  |         pm->lsigid[1] = lsigid[0]; | 
					
						
							|  |  |  |         pm->lsigid[2] = lsigid[1]; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     else { | 
					
						
							|  |  |  |         /* sigtool */ | 
					
						
							|  |  |  |         pm->lsigid[0] = 0; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  |     pm->pdata.expression = strdup(pattern); | 
					
						
							|  |  |  |     if (!pm->pdata.expression) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for expression\n"); | 
					
						
							|  |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     /* offset parsing and usage, similar to cli_ac_addsig */ | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |     /* relative and type-specific offsets handled during scan */ | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     ret = cli_caloff(offset, NULL, root->type, pm->offdata, &(pm->offset_min), &(pm->offset_max)); | 
					
						
							|  |  |  |     if (ret != CL_SUCCESS) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: cannot calculate offset data: %s for pattern: %s\n", offset, pattern); | 
					
						
							|  |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |         return ret; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     if(pm->offdata[0] != CLI_OFF_ANY) { | 
					
						
							|  |  |  |         if(pm->offdata[0] == CLI_OFF_ABSOLUTE) | 
					
						
							|  |  |  |             root->pcre_absoff_num++; | 
					
						
							|  |  |  |         else | 
					
						
							|  |  |  |             root->pcre_reloff_num++; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-02 17:22:22 -04:00
										 |  |  |     /* parse and add options, also totally not from snort */ | 
					
						
							|  |  |  |     if (cflags) { | 
					
						
							|  |  |  |         opt = cflags; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         /* cli_pcre_addoptions handles pcre specific options */ | 
					
						
							|  |  |  |         while (cli_pcre_addoptions(&(pm->pdata), &opt, 0) != CL_SUCCESS) { | 
					
						
							|  |  |  |             /* handle matcher specific options here */ | 
					
						
							|  |  |  |             switch (*opt) { | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |             case 'g':  pm->flags |= CLI_PCRE_GLOBAL;            break; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |             case 'e':  pm->flags |= CLI_PCRE_ENCOMPASS;         break; | 
					
						
							| 
									
										
										
										
											2014-09-02 17:22:22 -04:00
										 |  |  |             default: | 
					
						
							|  |  |  |                 cli_errmsg("cli_pcre_addpatt: unknown/extra pcre option encountered %c\n", *opt); | 
					
						
							|  |  |  |                 cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |                 mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |                 return CL_EMALFDB; | 
					
						
							|  |  |  |             } | 
					
						
							|  |  |  |             opt++; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         if (pm->flags) { | 
					
						
							|  |  |  |             pm_dbgmsg("Matcher:  %s%s\n", | 
					
						
							|  |  |  |                       pm->flags & CLI_PCRE_GLOBAL ? "CLAMAV_PCRE_GLOBAL " : "", | 
					
						
							|  |  |  |                       pm->flags & CLI_PCRE_ENCOMPASS ? "CLAMAV_ENCOMPASS " : ""); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         else | 
					
						
							|  |  |  |             pm_dbgmsg("Matcher:  NONE\n"); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if (pm->pdata.options) { | 
					
						
							|  |  |  |             pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_CASELESS ? "PCRE_CASELESS " : "", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_DOTALL ? "PCRE_DOTALL " : "", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_MULTILINE ? "PCRE_MULTILINE " : "", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_EXTENDED ? "PCRE_EXTENDED " : "", | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_ANCHORED ? "PCRE_ANCHORED " : "", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_DOLLAR_ENDONLY ? "PCRE_DOLLAR_ENDONLY " : "", | 
					
						
							|  |  |  |                       pm->pdata.options & PCRE_UNGREEDY ? "PCRE_UNGREEDY " : ""); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         else | 
					
						
							|  |  |  |             pm_dbgmsg("Compiler: NONE\n"); | 
					
						
							| 
									
										
										
										
											2014-09-02 17:22:22 -04:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |     /* add metadata to the performance tracker */ | 
					
						
							|  |  |  |     if (options & CL_DB_PCRE_STATS) | 
					
						
							|  |  |  |         pcre_perf_events_init(pm); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-02 17:22:22 -04:00
										 |  |  |     /* add pcre data to root after reallocation */ | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     pcre_count = root->pcre_metas+1; | 
					
						
							|  |  |  |     newmetatable = (struct cli_pcre_meta **)mpool_realloc(root->mempool, root->pcre_metatable, | 
					
						
							|  |  |  |                                          pcre_count * sizeof(struct cli_pcre_meta *)); | 
					
						
							|  |  |  |     if (!newmetatable) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta table\n"); | 
					
						
							|  |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     newmetatable[pcre_count-1] = pm; | 
					
						
							|  |  |  |     root->pcre_metatable = newmetatable; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     root->pcre_metas = pcre_count; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-23 13:43:55 -04:00
										 |  |  | int cli_pcre_build(struct cli_matcher *root, long long unsigned match_limit, long long unsigned recmatch_limit, const struct cli_dconf *dconf) | 
					
						
							| 
									
										
										
										
											2014-08-25 19:11:12 -04:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     unsigned int i; | 
					
						
							|  |  |  |     int ret; | 
					
						
							|  |  |  |     struct cli_pcre_meta *pm = NULL; | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |     int disable_all = 0; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-22 16:08:36 -04:00
										 |  |  |     if (dconf && !(dconf->pcre & PCRE_CONF_SUPPORT)) | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |         disable_all = 1; | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |     for (i = 0; i < root->pcre_metas; ++i) { | 
					
						
							|  |  |  |         pm = root->pcre_metatable[i]; | 
					
						
							| 
									
										
										
										
											2014-10-09 11:18:19 -04:00
										 |  |  |         if (!pm) { | 
					
						
							|  |  |  |             cli_errmsg("cli_pcre_build: metadata for pcre %d is missing\n", i); | 
					
						
							|  |  |  |             return CL_ENULLARG; | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  |         /* for safety, disable all pcre */ | 
					
						
							|  |  |  |         if (disable_all) { | 
					
						
							|  |  |  |             pm->flags |= CLI_PCRE_DISABLED; | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if (pm->flags & CLI_PCRE_DISABLED) { | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_build: Skip compiling regex: %s (disabled)\n", pm->pdata.expression); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 11:20:39 -04:00
										 |  |  |         /* disable global */ | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |         if (dconf && !(dconf->pcre & PCRE_CONF_GLOBAL)) { | 
					
						
							| 
									
										
										
										
											2014-09-16 11:20:39 -04:00
										 |  |  |             cli_dbgmsg("cli_pcre_build: disabling global option for regex /%s/\n", pm->pdata.expression); | 
					
						
							|  |  |  |             pm->flags &= ~(CLI_PCRE_GLOBAL); | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-09-12 13:35:19 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |         /* options override through metadata manipulation */ | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  | #ifdef PCRE_NEVER_UTF
 | 
					
						
							|  |  |  |         pm->pdata.options |= PCRE_NEVER_UTF; /* implemented in 8.33, disables (?UTF*) potential security vuln */ | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2014-09-12 13:35:19 -04:00
										 |  |  |         //pm->pdata.options |= PCRE_UCP;/* implemented in 8.20 */
 | 
					
						
							|  |  |  |         //pm->pdata.options |= PCRE_AUTO_CALLOUT; /* used with CALLOUT(-BACK) function */
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |         if (dconf && (dconf->pcre & PCRE_CONF_OPTIONS)) { | 
					
						
							| 
									
										
										
										
											2014-09-16 11:20:39 -04:00
										 |  |  |             /* compile the regex, no options override *wink* */ | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |             pm_dbgmsg("cli_pcre_build: Compiling regex: /%s/\n", pm->pdata.expression); | 
					
						
							| 
									
										
										
										
											2014-09-16 11:20:39 -04:00
										 |  |  |             ret = cli_pcre_compile(&(pm->pdata), match_limit, recmatch_limit, 0, 0); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         else { | 
					
						
							|  |  |  |             /* compile the regex, options overrided and disabled */ | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |             pm_dbgmsg("cli_pcre_build: Compiling regex: /%s/ (without options)\n", pm->pdata.expression); | 
					
						
							| 
									
										
										
										
											2014-09-16 11:20:39 -04:00
										 |  |  |             ret = cli_pcre_compile(&(pm->pdata), match_limit, recmatch_limit, 0, 1); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         if (ret != CL_SUCCESS) { | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  |             cli_errmsg("cli_pcre_build: failed to build pcre regex\n"); | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |             pm->flags |= CLI_PCRE_DISABLED; /* disable the pcre, currently will terminate execution */ | 
					
						
							| 
									
										
										
										
											2014-08-25 19:11:12 -04:00
										 |  |  |             return ret; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  | int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx) | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2014-09-11 12:43:04 -04:00
										 |  |  |     /* TANGENT: maintain relative offset data in cli_ac_data? */ | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     int ret; | 
					
						
							|  |  |  |     unsigned int i; | 
					
						
							|  |  |  |     struct cli_pcre_meta *pm; | 
					
						
							|  |  |  |     uint32_t endoff; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:27:17 -04:00
										 |  |  |     if (!data) { | 
					
						
							|  |  |  |         return CL_ENULLARG; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |     if (!root || !root->pcre_metatable || !info || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) { | 
					
						
							| 
									
										
										
										
											2014-09-09 17:27:17 -04:00
										 |  |  |         data->shift = NULL; | 
					
						
							|  |  |  |         data->offset = NULL; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         return CL_SUCCESS; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     /* allocate data structures */ | 
					
						
							|  |  |  |     data->shift = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t)); | 
					
						
							|  |  |  |     if (!data->shift) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->shift\n"); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     data->offset = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t)); | 
					
						
							|  |  |  |     if (!data->offset) { | 
					
						
							|  |  |  |         cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->offset\n"); | 
					
						
							|  |  |  |         free(data->shift); | 
					
						
							|  |  |  |         return CL_EMEM; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |     pm_dbgmsg("CLI_OFF_NONE: %u\n", CLI_OFF_NONE); | 
					
						
							|  |  |  |     pm_dbgmsg("CLI_OFF_ANY: %u\n", CLI_OFF_ANY); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     /* iterate across all pcre metadata and recalc offsets */ | 
					
						
							|  |  |  |     for (i = 0; i < root->pcre_metas; ++i) { | 
					
						
							|  |  |  |         pm = root->pcre_metatable[i]; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         /* skip broken pcres, not getting executed anyways */ | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  |         if (pm->flags & CLI_PCRE_DISABLED) { | 
					
						
							|  |  |  |             data->offset[i] = CLI_OFF_NONE; | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |             data->shift[i] = 0; | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         if (pm->offdata[0] == CLI_OFF_ANY) { | 
					
						
							|  |  |  |             data->offset[i] = 0; | 
					
						
							|  |  |  |             data->shift[i] = 0; | 
					
						
							|  |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |         else if (pm->offdata[0] == CLI_OFF_NONE) { | 
					
						
							|  |  |  |             data->offset[i] = CLI_OFF_NONE; | 
					
						
							|  |  |  |             data->shift[i] = 0; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |         else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) { | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |             data->offset[i] = pm->offdata[1]; | 
					
						
							|  |  |  |             data->shift[i] = pm->offdata[2]; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         else { | 
					
						
							|  |  |  |             ret = cli_caloff(NULL, info, root->type, pm->offdata, &data->offset[i], &endoff); | 
					
						
							|  |  |  |             if (ret != CL_SUCCESS) { | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |                 cli_errmsg("cli_pcre_recaloff: cannot recalculate relative offset for signature\n"); | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |                 free(data->shift); | 
					
						
							|  |  |  |                 free(data->offset); | 
					
						
							|  |  |  |                 return ret; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |             /* CLI_OFF_NONE gets passed down, CLI_OFF_ANY gets reinterpreted */ | 
					
						
							|  |  |  |             /* TODO - CLI_OFF_VERSION is interpreted as CLI_OFF_ANY(?) */ | 
					
						
							|  |  |  |             if (data->offset[i] == CLI_OFF_ANY) { | 
					
						
							|  |  |  |                 data->offset[i] = 0; | 
					
						
							|  |  |  |                 data->shift[i] = 0; | 
					
						
							|  |  |  |             } else { | 
					
						
							|  |  |  |                 data->shift[i] = endoff-(data->offset[i]); | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |         pm_dbgmsg("%u: %u %u->%u(+%u)\n", i, pm->offdata[0], data->offset[i], | 
					
						
							|  |  |  |                   data->offset[i]+data->shift[i], data->shift[i]); | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void cli_pcre_freeoff(struct cli_pcre_off *data) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2014-09-09 17:27:17 -04:00
										 |  |  |     if (data) { | 
					
						
							|  |  |  |         free(data->offset); | 
					
						
							|  |  |  |         data->offset = NULL; | 
					
						
							|  |  |  |         free(data->shift); | 
					
						
							|  |  |  |         data->shift = NULL; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  | int cli_pcre_qoff(struct cli_pcre_meta *pm, uint32_t length, uint32_t *adjbuffer, uint32_t *adjshift) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     if (!pm) | 
					
						
							|  |  |  |         return CL_ENULLARG; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     /* default to scanning whole buffer but try to use existing offdata */ | 
					
						
							|  |  |  |     if (pm->offdata[0] == CLI_OFF_NONE) { | 
					
						
							|  |  |  |         return CL_BREAK; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) { | 
					
						
							|  |  |  |         *adjbuffer = pm->offdata[1]; | 
					
						
							|  |  |  |         *adjshift = pm->offdata[2]; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     else if (pm->offdata[0] == CLI_OFF_EOF_MINUS) { | 
					
						
							|  |  |  |         *adjbuffer = length - pm->offdata[1]; | 
					
						
							|  |  |  |         *adjshift = pm->offdata[2]; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     else { | 
					
						
							|  |  |  |         /* CLI_OFF_ANY and all relative offsets; TODO - check if relative offsets apply for normal hex substrs */ | 
					
						
							|  |  |  |         *adjbuffer = 0; | 
					
						
							|  |  |  |         *adjshift = 0; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  | int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const struct cli_matcher *root, struct cli_ac_data *mdata, struct cli_ac_result **res, const struct cli_pcre_off *data, cli_ctx *ctx) | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     struct cli_pcre_meta **metatable = root->pcre_metatable, *pm = NULL; | 
					
						
							|  |  |  |     struct cli_pcre_data *pd; | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |     struct cli_ac_result *newres; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     uint32_t adjbuffer, adjshift, adjlength; | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     unsigned int i, evalcnt; | 
					
						
							| 
									
										
										
										
											2014-09-19 02:39:52 -04:00
										 |  |  |     uint64_t evalids, maxfilesize; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |     uint32_t global, encompass; | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |     int rc, offset, ovector[OVECCOUNT]; | 
					
						
							| 
									
										
										
										
											2014-08-22 17:29:40 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-10 11:11:28 -04:00
										 |  |  |     if ((!root->pcre_metatable) || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) { | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         return CL_SUCCESS; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-16 10:27:38 -04:00
										 |  |  |     /* NOTE: moved pcre maxfilesize limit check to caller [matcher_run] */ | 
					
						
							| 
									
										
										
										
											2014-09-19 02:39:52 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     for (i = 0; i < root->pcre_metas; ++i) { | 
					
						
							|  |  |  |         pm = root->pcre_metatable[i]; | 
					
						
							| 
									
										
										
										
											2014-08-29 15:56:53 -04:00
										 |  |  |         pd = &(pm->pdata); | 
					
						
							| 
									
										
										
										
											2014-08-22 17:29:40 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-15 18:10:11 -04:00
										 |  |  |         /* skip checking and running disabled pcres */ | 
					
						
							|  |  |  |         if (pm->flags & CLI_PCRE_DISABLED) { | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_scanbuf: skipping disabled regex /%s/\n", pd->expression); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |         /* skip checking and running CLI_OFF_NONE pcres */ | 
					
						
							|  |  |  |         if (data && data->offset[i] == CLI_OFF_NONE) { | 
					
						
							|  |  |  |             pm_dbgmsg("cli_pcre_scanbuf: skipping CLI_OFF_NONE regex /%s/\n", pd->expression); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         /* evaluate trigger */ | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |         if (pm->lsigid[0]) { | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_scanbuf: checking %s; running regex /%s/\n", pm->trigger, pd->expression); | 
					
						
							| 
									
										
										
										
											2014-10-09 11:58:16 -04:00
										 |  |  | #ifdef PCRE_BYPASS
 | 
					
						
							|  |  |  |             if (strcmp(pm->trigger, PCRE_BYPASS)) | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  |                 if (cli_ac_chklsig(pm->trigger, pm->trigger + strlen(pm->trigger), mdata->lsigcnt[pm->lsigid[1]], &evalcnt, &evalids, 0) != 1) | 
					
						
							|  |  |  |                     continue; | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |         } | 
					
						
							|  |  |  |         else { | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_scanbuf: skipping %s check due to unintialized lsigid\n", pm->trigger); | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |             /* fall-through to unconditional execution - sigtool-only */ | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |         } | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         global = (pm->flags & CLI_PCRE_GLOBAL);       /* search for all matches */ | 
					
						
							|  |  |  |         encompass = (pm->flags & CLI_PCRE_ENCOMPASS); /* encompass search to offset->offset+maxshift */ | 
					
						
							|  |  |  |         offset = pd->search_offset;                   /* this is usually 0 */ | 
					
						
							| 
									
										
										
										
											2014-08-22 17:29:40 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |         cli_dbgmsg("cli_pcre_scanbuf: triggered %s; running regex /%s/%s\n", pm->trigger, pd->expression, global ? " (global)":""); | 
					
						
							| 
									
										
										
										
											2014-08-22 17:29:40 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         /* adjust the buffer sent to cli_pcre_match for offset and maxshift */ | 
					
						
							|  |  |  |         if (!data) { | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |             if (cli_pcre_qoff(pm, length, &adjbuffer, &adjshift) != CL_SUCCESS) | 
					
						
							|  |  |  |                 continue; | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         } | 
					
						
							|  |  |  |         else { | 
					
						
							|  |  |  |             adjbuffer = data->offset[i]; | 
					
						
							|  |  |  |             adjshift = data->shift[i]; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         /* check the offset bounds */ | 
					
						
							|  |  |  |         if (adjbuffer < length) { | 
					
						
							|  |  |  |             /* handle encompass flag */ | 
					
						
							|  |  |  |             if (encompass && adjshift != 0 && adjshift != CLI_OFF_NONE) { | 
					
						
							|  |  |  |                     if (adjbuffer+adjshift > length) | 
					
						
							|  |  |  |                         adjlength = length - adjbuffer; | 
					
						
							|  |  |  |                     else | 
					
						
							|  |  |  |                         adjlength = adjshift; | 
					
						
							|  |  |  |             } | 
					
						
							|  |  |  |             else { | 
					
						
							| 
									
										
										
										
											2014-10-27 11:35:21 -04:00
										 |  |  |                 /* NOTE - if using non-encompass method 2, alter shift universally */ | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |                 adjlength = length - adjbuffer; | 
					
						
							|  |  |  |             } | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |         else { | 
					
						
							|  |  |  |             /* starting offset is outside bounds of file, skip pcre execution */ | 
					
						
							|  |  |  |             cli_dbgmsg("cli_pcre_scanbuf: starting offset is outside bounds of file %u >= %u\n", adjbuffer, length); | 
					
						
							|  |  |  |             continue; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         pm_dbgmsg("cli_pcre_scanbuf: passed buffer adjusted to %u +%u(%u)[%u]%s\n", adjbuffer, adjlength, adjbuffer+adjlength, adjshift, encompass ? " (encompass)":""); | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-23 13:31:47 -04:00
										 |  |  |         /* if the global flag is set, loop through the scanning */ | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |         do { | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |             /* performance metrics */ | 
					
						
							|  |  |  |             cli_event_time_start(p_sigevents, pm->sigtime_id); | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |             rc = cli_pcre_match(pd, buffer+adjbuffer, adjlength, offset, 0, ovector, OVECCOUNT); | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |             cli_event_time_stop(p_sigevents, pm->sigtime_id); | 
					
						
							| 
									
										
										
										
											2014-09-16 12:33:50 -04:00
										 |  |  |             /* if debug, generate a match report */ | 
					
						
							|  |  |  |             if (cli_debug_flag) | 
					
						
							|  |  |  |                 cli_pcre_report(pd, buffer+adjbuffer, adjlength, rc, ovector, OVECCOUNT); | 
					
						
							| 
									
										
										
										
											2014-08-28 13:13:05 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |             /* matched, rc shouldn't be >0 unless a full match occurs */ | 
					
						
							|  |  |  |             if (rc > 0) { | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |                 /* check if we've gone over offset+shift */ | 
					
						
							|  |  |  |                 if (!encompass && adjshift) { | 
					
						
							|  |  |  |                     if (ovector[0] > adjshift) { | 
					
						
							|  |  |  |                         /* ignore matched offset (outside of maxshift) */ | 
					
						
							|  |  |  |                         cli_dbgmsg("cli_pcre_scanbuf: match found outside of maxshift @%u\n", adjbuffer+ovector[0]); | 
					
						
							|  |  |  |                         break; | 
					
						
							|  |  |  |                     } | 
					
						
							|  |  |  |                 } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  |                 /* track the detection count */ | 
					
						
							|  |  |  |                 cli_event_count(p_sigevents, pm->sigmatch_id); | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |                 /* for logical signature evaluation */ | 
					
						
							|  |  |  |                 if (pm->lsigid[0]) { | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |                     pm_dbgmsg("cli_pcre_scanbuf: assigning lsigcnt[%d][%d], located @ %d\n", | 
					
						
							|  |  |  |                               pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0]); | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |                     lsig_sub_matched(root, mdata, pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0], 0); | 
					
						
							|  |  |  |                 } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |                 cli_dbgmsg("cli_pcre_scanbuf: located regex match @ %d\n", adjbuffer+ovector[0]); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                 /* for raw match data - sigtool only */ | 
					
						
							| 
									
										
										
										
											2014-09-11 12:27:52 -04:00
										 |  |  |                 if(res) { | 
					
						
							|  |  |  |                     newres = (struct cli_ac_result *) malloc(sizeof(struct cli_ac_result)); | 
					
						
							|  |  |  |                     if(!newres) { | 
					
						
							|  |  |  |                         cli_errmsg("cli_pcre_scanbuff: Can't allocate memory for newres %u\n", sizeof(struct cli_ac_result)); | 
					
						
							|  |  |  |                         return CL_EMEM; | 
					
						
							|  |  |  |                     } | 
					
						
							|  |  |  |                     newres->virname = NULL;    /* get value? */ | 
					
						
							|  |  |  |                     newres->customdata = NULL; /* get value? */ | 
					
						
							|  |  |  |                     newres->next = *res; | 
					
						
							|  |  |  |                     newres->offset = adjbuffer+ovector[0]; | 
					
						
							|  |  |  |                     *res = newres; | 
					
						
							|  |  |  |                 } | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |             } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |             /* move off to the end of the match for next match; offset is relative to adjbuffer
 | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |              * NOTE: misses matches starting within the last match; TODO: start from start of last match? */ | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  |             offset = ovector[1]; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |             /* clear the ovector results (they fall through the pcre_match) */ | 
					
						
							|  |  |  |             memset(ovector, 0, sizeof(ovector)); | 
					
						
							| 
									
										
										
										
											2014-09-09 17:14:12 -04:00
										 |  |  |         } while (global && rc > 0 && offset < adjlength); | 
					
						
							| 
									
										
										
										
											2014-09-03 00:27:15 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |         /* handle error codes */ | 
					
						
							|  |  |  |         if (rc < 0 && rc != PCRE_ERROR_NOMATCH) { | 
					
						
							| 
									
										
										
										
											2014-09-11 12:43:04 -04:00
										 |  |  |             switch (rc) { | 
					
						
							|  |  |  |             case PCRE_ERROR_CALLOUT: | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             case PCRE_ERROR_NOMEMORY: | 
					
						
							|  |  |  |                 cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: out of memory\n"); | 
					
						
							|  |  |  |                 return CL_EMEM; | 
					
						
							|  |  |  |             case PCRE_ERROR_MATCHLIMIT: | 
					
						
							|  |  |  |                 cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: match limit exceeded\n"); | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             case PCRE_ERROR_RECURSIONLIMIT: | 
					
						
							|  |  |  |                 cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: recursive limit exceeded\n"); | 
					
						
							|  |  |  |                 break; | 
					
						
							|  |  |  |             default: | 
					
						
							|  |  |  |                 cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: returned error %d\n", rc); | 
					
						
							|  |  |  |                 return CL_BREAK; | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2014-08-22 17:29:40 -04:00
										 |  |  |         } | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | void cli_pcre_freemeta(struct cli_pcre_meta *pm) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     if (!pm) | 
					
						
							|  |  |  |         return; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  |     if (pm->trigger) { | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |         free(pm->trigger); | 
					
						
							| 
									
										
										
										
											2014-10-09 13:23:29 -04:00
										 |  |  |         pm->trigger = NULL; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     if (pm->virname) { | 
					
						
							|  |  |  |         free(pm->virname); | 
					
						
							|  |  |  |         pm->virname = NULL; | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  | 
 | 
					
						
							|  |  |  |     cli_pcre_free_single(&(pm->pdata)); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void cli_pcre_freetable(struct cli_matcher *root) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     uint32_t i; | 
					
						
							|  |  |  |     struct cli_pcre_meta *pm = NULL; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     for (i = 0; i < root->pcre_metas; ++i) { | 
					
						
							| 
									
										
										
										
											2014-09-16 17:54:58 -04:00
										 |  |  |         /* free pcre meta */ | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |         pm = root->pcre_metatable[i]; | 
					
						
							|  |  |  |         cli_pcre_freemeta(pm); | 
					
						
							|  |  |  |         mpool_free(root->mempool, pm); | 
					
						
							|  |  |  |     } | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-29 14:57:09 -04:00
										 |  |  |     /* free holding structures and set count to zero */ | 
					
						
							|  |  |  |     mpool_free(root->mempool, root->pcre_metatable); | 
					
						
							|  |  |  |     root->pcre_metatable = NULL; | 
					
						
							|  |  |  |     root->pcre_metas = 0; | 
					
						
							| 
									
										
										
										
											2014-08-22 14:39:17 -04:00
										 |  |  | } | 
					
						
							| 
									
										
										
										
											2014-09-16 15:56:56 -04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-09-18 14:10:12 -04:00
										 |  |  | #else
 | 
					
						
							|  |  |  | /* NO-PCRE FUNCTIONS */ | 
					
						
							|  |  |  | int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     UNUSEDPARAM(root); | 
					
						
							|  |  |  |     UNUSEDPARAM(info); | 
					
						
							|  |  |  |     UNUSEDPARAM(ctx); | 
					
						
							|  |  |  |     if (data) { | 
					
						
							|  |  |  |         data->offset = NULL; | 
					
						
							|  |  |  |         data->shift = NULL; | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  |     return CL_SUCCESS; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void cli_pcre_freeoff(struct cli_pcre_off *data) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     UNUSEDPARAM(data); | 
					
						
							|  |  |  |     return; | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-25 15:07:30 -04:00
										 |  |  | #endif /* HAVE_PCRE */
 |