Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 10:23:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
clamav/libclamav/matcher-ac.c

3137 lines
114 KiB
C
Raw Normal View History

Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
/*
Bump copyright dates for 2024
2024-01-12 17:03:59 -05:00
* Copyright (C) 2013-2024 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Updating and cleaning up copyright notices.
2019-01-25 10:15:50 -05:00
* Copyright (C) 2007-2013 Sourcefire, Inc.
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
*
update copyrights and stick more files to GPLv2; move and add more credits to the AUTHORS file; add COPYING.BSD git-svn: trunk@3749
2008-04-02 15:24:51 +00:00
* Authors: Tomasz Kojm
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
*
* This program is free software; you can redistribute it and/or modify
update some copyrights and stick to GPL v2 git-svn: trunk@3003
2007-03-31 20:31:04 +00:00
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
update GPL headers with new address for FSF git-svn: trunk@1901
2006-04-09 19:59:28 +00:00
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
#include <ctype.h>
libclamav/matcher-ac.c: improve handling of signature offsets
2009-08-26 23:39:35 +02:00
#include <sys/stat.h>
fix unit tests when mpool is activated git-svn: trunk@4323
2008-11-03 19:26:57 +00:00
#include <assert.h>
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
#ifdef HAVE_UNISTD_H
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
#include <unistd.h>
apply w32 patches from NJH git-svn: trunk@2359
2006-10-09 15:23:50 +00:00
#endif
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
#include "clamav.h"
#include "others.h"
initial support for new signature format git-svn: trunk@860
2004-09-14 01:33:32 +00:00
#include "matcher.h"
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
#include "matcher-ac.h"
#include "filetypes.h"
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
#include "str.h"
libclamav: add ".UNOFFICIAL" suffix to 3rd party signatures (bb#1061) git-svn: trunk@3903
2008-07-03 11:19:21 +00:00
#include "readdb.h"
libclamav: add default.h git-svn: trunk@4578
2008-12-29 17:55:30 +00:00
#include "default.h"
Add the rest of the prefiltering glue code. This is still disabled for now (see the & 0).
2010-02-10 11:39:47 +02:00
#include "filtering.h"
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
HIGLY EXPERIMENTAL memory pool for libclamav The goal is to put an end to memory wasted due to stupid allocators and fragmentation In the long run mpool libraries will be replaced with better code. For now there just good enough. This branch is currently under development and totally broken. If it will ever compile, it'll probably result in random crashes or at least (slightly) higher load times. The code is also terrible, just don't look. Do not use except for testing. git-svn-id: file:///var/lib/svn/clamav-devel/branches/mpool@4266 77e5149b-7576-45b1-b177-96237e5ba77b
2008-10-17 17:00:13 +00:00
#include "mpool.h"
Added .clang-format style rules, clam-format script to automate formatting of ClamAV code, and preparing select files so that clang-format does not alter carefully formatted sections.
2018-12-03 12:37:58 -05:00
// clang-format off
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
#define AC_SPECIAL_ALT_CHAR 1
#define AC_SPECIAL_ALT_STR_FIXED 2
#define AC_SPECIAL_ALT_STR 3
#define AC_SPECIAL_LINE_MARKER 4
#define AC_SPECIAL_BOUNDARY 5
#define AC_SPECIAL_WORD_MARKER 6
#define AC_BOUNDARY_LEFT 0x0001
#define AC_BOUNDARY_LEFT_NEGATIVE 0x0002
#define AC_BOUNDARY_RIGHT 0x0004
#define AC_BOUNDARY_RIGHT_NEGATIVE 0x0008
#define AC_LINE_MARKER_LEFT 0x0010
#define AC_LINE_MARKER_LEFT_NEGATIVE 0x0020
#define AC_LINE_MARKER_RIGHT 0x0040
#define AC_LINE_MARKER_RIGHT_NEGATIVE 0x0080
#define AC_WORD_MARKER_LEFT 0x0100
#define AC_WORD_MARKER_LEFT_NEGATIVE 0x0200
#define AC_WORD_MARKER_RIGHT 0x0400
#define AC_WORD_MARKER_RIGHT_NEGATIVE 0x0800
libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
2009-09-17 22:49:45 +02:00
static char boundary[256] = {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 2, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
3, 0, 2, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 3, 1, 3,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 2, 2, 0,
1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
2009-09-17 22:49:45 +02:00
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
Added .clang-format style rules, clam-format script to automate formatting of ClamAV code, and preparing select files so that clang-format does not alter carefully formatted sections.
2018-12-03 12:37:58 -05:00
// clang-format on
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
static inline int insert_list(struct cli_matcher *root, struct cli_ac_patt *pattern, struct cli_ac_node *pt)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Fix assorted warnings Add missing ping_clamd() declaration in client.h Fix check for ping option to first check if ping option is NULL before strdup'ing and checking if the alloc failed. Fix format string for uint64_t print. Correctly assign name pointer to stack buffer in cpio parser. Remove vestigial variables from insert_list() function matcher-ac.c, left over from before the load-time optimizations completely restructured everything. Silence warnings about unused parameters in progress bar callback function.
2020-07-31 16:04:38 -07:00
struct cli_ac_list *new;
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
struct cli_ac_list **newtable;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
new = (struct cli_ac_list *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_ac_list));
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
if (!new) {
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
cli_errmsg("cli_ac_addpatt: Can't allocate memory for list node\n");
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMEM;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
new->me = pattern;
new->node = pt;
various speed optimisations git-svn: trunk@3218
2007-09-13 18:14:20 +00:00
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
root->ac_lists++;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
newtable = MPOOL_REALLOC(root->mempool, root->ac_listtable, root->ac_lists * sizeof(struct cli_ac_list *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!newtable) {
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
root->ac_lists--;
cli_errmsg("cli_ac_addpatt: Can't realloc ac_listtable\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
root->ac_listtable = newtable;
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
root->ac_listtable[root->ac_lists - 1] = new;
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
return CL_SUCCESS;
}
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
#define RETURN_RES_IF_NE(uia, uib) \
do { \
if (uia < uib) return -1; \
if (uia > uib) return +1; \
} while (0)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
static int patt_cmp_fn(const struct cli_ac_patt *a, const struct cli_ac_patt *b)
{
unsigned int i;
int res;
RETURN_RES_IF_NE(a->length[0], b->length[0]);
RETURN_RES_IF_NE(a->prefix_length[0], b->prefix_length[0]);
RETURN_RES_IF_NE(a->ch[0], b->ch[0]);
RETURN_RES_IF_NE(a->ch[1], b->ch[1]);
RETURN_RES_IF_NE(a->boundary, b->boundary);
Fix integer overflow/undefined behavior in NSIS parser Fix integer overflow in the NSIS parser Cast int32_t to uint32_t for comparison with uint32_t, to prevent integer overflow, as well as signed/unsigned compare warning. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44493 Also address some other undefined behavior warnings: * mpool.c: Fixed pointer overflow errors uncovered by UndefinedBehaviorSanitizer. * matcher-ac.c: Test length to avoid passing NULLs to memcmp.
2022-06-01 16:46:36 -04:00
/*
* If the first two arguments to memcmp are NULL, clangs
* UndefinedBehaviorSanitizer will complain. It is legal if the length
* is zero, so don't call memcmp if the length is zero.
*/
if (a->length[0] > 0) {
res = memcmp(a->pattern, b->pattern, a->length[0] * sizeof(uint16_t));
if (res) {
return res;
}
}
if (a->prefix_length[0] > 0) {
res = memcmp(a->prefix, b->prefix, a->prefix_length[0] * sizeof(uint16_t));
if (res) {
return res;
}
}
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
RETURN_RES_IF_NE(a->special, b->special);
if (!a->special && !b->special)
return 0;
for (i = 0; i < a->special; i++) {
struct cli_ac_special *spcl_a = a->special_table[i], *spcl_b = b->special_table[i];
RETURN_RES_IF_NE(spcl_a->num, spcl_b->num);
RETURN_RES_IF_NE(spcl_a->negative, spcl_b->negative);
RETURN_RES_IF_NE(spcl_a->type, spcl_b->type);
if (spcl_a->type == AC_SPECIAL_ALT_CHAR) {
res = memcmp((spcl_a->alt).byte, (spcl_b->alt).byte, spcl_a->num);
if (res) return res;
} else if (spcl_a->type == AC_SPECIAL_ALT_STR_FIXED) {
unsigned int j;
RETURN_RES_IF_NE(spcl_a->len[0], spcl_b->len[0]);
for (j = 0; j < spcl_a->num; j++) {
res = memcmp((spcl_a->alt).f_str[j], (spcl_b->alt).f_str[j], spcl_a->len[0]);
if (res) return res;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
} else if (spcl_a->type == AC_SPECIAL_ALT_STR) {
struct cli_alt_node *alt_a = (spcl_a->alt).v_str, *alt_b = (spcl_b->alt).v_str;
while (alt_a && alt_b) {
RETURN_RES_IF_NE(alt_a->len, alt_b->len);
res = memcmp(alt_a->str, alt_b->str, alt_a->len);
if (res) return res;
alt_a = alt_a->next;
alt_b = alt_b->next;
}
RETURN_RES_IF_NE(alt_a, alt_b);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
}
return 0;
}
static int sort_list_fn(const void *a, const void *b)
{
const struct cli_ac_node *node_a = (*(const struct cli_ac_list **)a)->node;
const struct cli_ac_node *node_b = (*(const struct cli_ac_list **)b)->node;
const struct cli_ac_patt *patt_a = (*(const struct cli_ac_list **)a)->me;
const struct cli_ac_patt *patt_b = (*(const struct cli_ac_list **)b)->me;
int res;
/* 1. Group by owning node
* (this is for assigning entries to nodes) */
RETURN_RES_IF_NE(node_a, node_b);
/* 2. Group together equal pattern in a node
* (this is for building the next_same list) */
res = patt_cmp_fn(patt_a, patt_b);
if (res)
return res;
/* 3. Sort equal patterns in a node by partno in ascending order
* (this is required by the matcher) */
RETURN_RES_IF_NE(patt_a->partno, patt_b->partno);
/* 4. Keep close patterns close
Fix typos (no functional changes)
2024-01-19 09:08:36 -08:00
* (this is for performance) */
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
RETURN_RES_IF_NE(patt_a, patt_b);
return 0;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
static int sort_heads_by_partno_fn(const void *a, const void *b)
{
const struct cli_ac_list *list_a = *(const struct cli_ac_list **)a;
const struct cli_ac_list *list_b = *(const struct cli_ac_list **)b;
const struct cli_ac_patt *patt_a = list_a->me;
const struct cli_ac_patt *patt_b = list_b->me;
/* 1. Sort heads by partno
* (this is required by the matcher) */
RETURN_RES_IF_NE(patt_a->partno, patt_b->partno);
/* 2. Place longer lists earlier
* (this is for performance) */
while (1) {
if (!list_a->next_same) {
if (!list_b->next_same)
break;
return +1;
}
if (!list_b->next_same)
return -1;
list_a = list_a->next_same;
list_b = list_b->next_same;
various speed optimisations git-svn: trunk@3218
2007-09-13 18:14:20 +00:00
}
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
/* 3. Keep close patterns close
Fix typos (no functional changes)
2024-01-19 09:08:36 -08:00
* (this is for performance) */
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
RETURN_RES_IF_NE(patt_a, patt_b);
return 0;
}
static inline void link_node_lists(struct cli_ac_list **listtable, unsigned int nentries)
{
struct cli_ac_list *prev = listtable[0];
struct cli_ac_node *node = prev->node;
unsigned int i, nheads = 1;
/* Link equal patterns in the next_same list (entries are already sorted by partno asc) */
for (i = 1; i < nentries; i++) {
int ret = patt_cmp_fn(prev->me, listtable[i]->me);
if (ret) {
/* This is a new head of a next_same chain */
prev = listtable[i];
if (i != nheads) {
/* Move heads towards the beginning of the table */
listtable[i] = listtable[nheads];
listtable[nheads] = prev;
}
nheads++;
} else {
prev->next_same = listtable[i];
prev->next = NULL;
prev = listtable[i];
}
libclamav/matcher-ac.c: optimize handling of multi-part signatures (bb#2322)
2010-12-02 18:50:53 +01:00
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
cli_qsort(listtable, nheads, sizeof(listtable[0]), sort_heads_by_partno_fn);
/* Link heads in the next list */
node->list = listtable[0];
for (i = 1; i < nheads; i++)
listtable[i - 1]->next = listtable[i];
listtable[nheads - 1]->next = NULL;
}
static void link_lists(struct cli_matcher *root)
{
struct cli_ac_node *curnode;
unsigned int i, grouplen;
if (!root->ac_lists)
return;
/* Group the list by owning node, pattern equality and sort by partno */
cli_qsort(root->ac_listtable, root->ac_lists, sizeof(root->ac_listtable[0]), sort_list_fn);
curnode = root->ac_listtable[0]->node;
for (i = 1, grouplen = 1; i <= root->ac_lists; i++, grouplen++) {
if (i == root->ac_lists || root->ac_listtable[i]->node != curnode) {
link_node_lists(&root->ac_listtable[i - grouplen], grouplen);
if (i < root->ac_lists) {
grouplen = 0;
curnode = root->ac_listtable[i]->node;
}
}
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
/**
* @brief Inserts newly malloced trans node in the array of nodes to be freed on
* cleanup. There is no verification that the added node is not already in the
* list, so that is up to the caller.
*
* @param root The matcher root.
* @param trans The trans node to be tracked.
* @return bool
*/
Corrected types to remove warnings.
2022-10-18 09:54:50 -07:00
static bool store_trans_node(struct cli_matcher *root, struct cli_ac_node **trans)
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
{
bool bRet = false;
if (root->trans_cnt + 1 > root->trans_capacity) {
Corrected types to remove warnings.
2022-10-18 09:54:50 -07:00
size_t newCapacity = root->trans_capacity + 1024;
struct cli_ac_node ***ret = MPOOL_REALLOC(root->mempool, root->trans_array, newCapacity * sizeof(struct cli_ac_node **));
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
if (NULL == ret) {
cli_errmsg("cli_ac_addpatt: Can't allocate memory for cleanup storage of trans\n");
goto done;
}
root->trans_capacity = newCapacity;
root->trans_array = ret;
}
root->trans_array[root->trans_cnt++] = trans;
bRet = true;
done:
return bRet;
}
/**
* @brief Frees all trans nodes for cleanup.
* cleanup.
*
* @param root The matcher root.
*/
static void free_trans_nodes(struct cli_matcher *root)
{
uint32_t i = 0;
for (i = 0; i < root->trans_cnt; i++) {
MPOOL_FREE(root->mempool, root->trans_array[i]);
}
MPOOL_FREE(root->mempool, root->trans_array);
root->trans_array = NULL;
root->trans_cnt = 0;
root->trans_capacity = 0;
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
static inline struct cli_ac_node *add_new_node(struct cli_matcher *root, uint16_t i, uint16_t len)
{
struct cli_ac_node *new;
struct cli_ac_node **newtable;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
new = (struct cli_ac_node *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_ac_node));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!new) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
cli_errmsg("cli_ac_addpatt: Can't allocate memory for AC node\n");
return NULL;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (i != len - 1) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
new->trans = (struct cli_ac_node **)MPOOL_CALLOC(root->mempool, 256, sizeof(struct cli_ac_node *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!new->trans) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
cli_errmsg("cli_ac_addpatt: Can't allocate memory for new->trans\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
return NULL;
}
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
if (!store_trans_node(root, new->trans)) {
/* Error printed in store_trans_node */
MPOOL_FREE(root->mempool, new);
return NULL;
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
}
root->ac_nodes++;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
newtable = MPOOL_REALLOC(root->mempool, root->ac_nodetable, root->ac_nodes * sizeof(struct cli_ac_node *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!newtable) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
root->ac_nodes--;
cli_errmsg("cli_ac_addpatt: Can't realloc ac_nodetable\n");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (new->trans)
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new->trans);
MPOOL_FREE(root->mempool, new);
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
return NULL;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
root->ac_nodetable = newtable;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
root->ac_nodetable[root->ac_nodes - 1] = new;
return new;
}
static int cli_ac_addpatt_recursive(struct cli_matcher *root, struct cli_ac_patt *pattern, struct cli_ac_node *pt, uint16_t i, uint16_t len)
{
struct cli_ac_node *next;
int ret;
/* last node, insert pattern here (base case)*/
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (i >= len) {
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
return insert_list(root, pattern, pt);
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
}
/* if current node has no trans table, generate one */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!pt->trans) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
pt->trans = (struct cli_ac_node **)MPOOL_CALLOC(root->mempool, 256, sizeof(struct cli_ac_node *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!pt->trans) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
cli_errmsg("cli_ac_addpatt: Can't allocate memory for pt->trans\n");
return CL_EMEM;
}
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
if (!store_trans_node(root, pt->trans)) {
/* Error printed in store_trans_node */
return CL_EMEM;
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
}
/* if pattern is nocase, we need to enumerate all the combinations if applicable
* it's why this function was re-written to be recursive
*/
Add check for signature pattern bytes < 0x80 When locale is UTF-8, check that signature pattern bytes are < 0x80 before using the isalpha() and toupper() functions since that can lead to segfaults and/or unintended matches. For example take a LDB signature with a case-insensitive subsignature containing byte 0xb5. The uint16_t value of pattern->pattern[i] is 0x10b5 since 0xb5 is OR'd with the CLI_MATCH_NOCASE (0x1000) flag. Locale: C isalpha((unsigned char) (0x10b5 & 0xff)): 0 toupper((unsigned char) (0x10b5 & 0xff)): b5 Locale: en_US.UTF-8 isalpha((unsigned char) (0x10b5 & 0xff)): 1 toupper((unsigned char) (0x10b5 & 0xff)): 39c U+00B5 is the Micro Sign (also known as Mu) U+03BC is the Greek Small Letter Mu U+039C is the Greek Capital Letter Mu
2021-08-31 16:55:39 +02:00
if ((pattern->sigopts & ACPATT_OPTION_NOCASE) && (pattern->pattern[i] & 0xff) < 0x80 && isalpha((unsigned char)(pattern->pattern[i] & 0xff))) {
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
next = pt->trans[CLI_NOCASEI((unsigned char)(pattern->pattern[i] & 0xff))];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!next)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
next = add_new_node(root, i, len);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!next)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
return CL_EMEM;
else
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
pt->trans[CLI_NOCASEI((unsigned char)(pattern->pattern[i] & 0xff))] = next;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = cli_ac_addpatt_recursive(root, pattern, next, i + 1, len)) != CL_SUCCESS)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
return ret;
}
/* normal transition, also enumerates the 'normal' nocase */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
next = pt->trans[(unsigned char)(pattern->pattern[i] & 0xff)];
if (!next)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
next = add_new_node(root, i, len);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!next)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
return CL_EMEM;
else
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
pt->trans[(unsigned char)(pattern->pattern[i] & 0xff)] = next;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
return cli_ac_addpatt_recursive(root, pattern, next, i + 1, len);
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
}
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern)
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
{
struct cli_ac_patt **newtable;
matcher-ac: converted length fields to arrays
2015-07-02 14:41:37 -04:00
uint16_t len = MIN(root->ac_maxdepth, pattern->length[0]);
bb12221: Fix for subtle type-mismatch that could result in an infinite loop with a large number of sigs.
2018-11-16 11:50:48 -08:00
uint16_t i;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < len; i++) {
if (pattern->pattern[i] & CLI_MATCH_WILDCARD) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
len = i;
break;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (len < root->ac_mindepth) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
/* cli_errmsg("cli_ac_addpatt: Signature for %s is too short\n", pattern->virname); */
return CL_EMALFDB;
}
/* pattern added to master list */
root->ac_patterns++;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
newtable = MPOOL_REALLOC(root->mempool, root->ac_pattable, root->ac_patterns * sizeof(struct cli_ac_patt *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!newtable) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
root->ac_patterns--;
cli_errmsg("cli_ac_addpatt: Can't realloc ac_pattable\n");
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
root->ac_pattable = newtable;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
root->ac_pattable[root->ac_patterns - 1] = pattern;
pattern->depth = len;
return cli_ac_addpatt_recursive(root, pattern, root->ac_root, 0, len);
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
struct bfs_list {
struct cli_ac_node *node;
struct bfs_list *next;
};
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
static int bfs_enqueue(struct bfs_list **bfs, struct bfs_list **last, struct cli_ac_node *n)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct bfs_list *new;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
Optimization: replace limited allocation calls There are a large number of allocations for fix sized buffers using the `cli_malloc` and `cli_calloc` calls that check if the requested size is larger than our allocation threshold for allocations based on untrusted input. These allocations will *always* be higher than the threshold, so the extra stack frame and check for these calls is a waste of CPU. This commit replaces needless calls with A -> B: - cli_malloc -> malloc - cli_calloc -> calloc - CLI_MALLOC -> MALLOC - CLI_CALLOC -> CALLOC I also noticed that our MPOOL_MALLOC / MPOOL_CALLOC are not limited by the max-allocation threshold, when MMAP is found/enabled. But the alternative was set to cli_malloc / cli_calloc when disabled. I changed those as well. I didn't change the cli_realloc/2 calls because our version of realloc not only implements a threshold but also stabilizes the undefined behavior in realloc to protect against accidental double-free's. It may be worth implementing a cli_realloc that doesn't have the threshold built-in, however, so as to allow reallocaitons for things like buffers for loading signatures, which aren't subject to the same concern as allocations for scanning possible malware. There was one case in mbox.c where I changed MALLOC -> CLI_MALLOC, because it appears to be allocating based on untrusted input.
2022-05-08 14:59:09 -07:00
new = (struct bfs_list *)malloc(sizeof(struct bfs_list));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!new) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("bfs_enqueue: Can't allocate memory for bfs_list\n");
return CL_EMEM;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
new->next = NULL;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
new->node = n;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (*last) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
(*last)->next = new;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*last = new;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
} else {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*bfs = *last = new;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
minor code cleanup git-svn: trunk@1981
2006-05-18 11:29:24 +00:00
return CL_SUCCESS;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
fix handling of bfs_last (bb#713) git-svn: trunk@3381
2007-12-06 15:24:03 +00:00
static struct cli_ac_node *bfs_dequeue(struct bfs_list **bfs, struct bfs_list **last)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct bfs_list *lpt;
struct cli_ac_node *pt;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(lpt = *bfs)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return NULL;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
} else {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*bfs = (*bfs)->next;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
pt = lpt->node;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (lpt == *last)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*last = NULL;
free(lpt);
return pt;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
static int ac_maketrans(struct cli_matcher *root)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct bfs_list *bfs = NULL, *bfs_last = NULL;
struct cli_ac_node *ac_root = root->ac_root, *child, *node, *fail;
int i, ret;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 256; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
node = ac_root->trans[i];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!node) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
ac_root->trans[i] = ac_root;
} else {
node->fail = ac_root;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = bfs_enqueue(&bfs, &bfs_last, node)))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return ret;
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while ((node = bfs_dequeue(&bfs, &bfs_last))) {
if (IS_LEAF(node)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct cli_ac_node *failtarget = node->fail;
while (NULL != failtarget && (IS_LEAF(failtarget) || !IS_FINAL(failtarget)))
failtarget = failtarget->fail;
bb#9659 correction to construction of Aho-Corasick trie fail links.
2014-01-02 17:19:05 -05:00
if (NULL != failtarget)
node->fail = failtarget;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 256; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
child = node->trans[i];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (child) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
fail = node->fail;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while (IS_LEAF(fail) || !fail->trans[i])
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
fail = fail->fail;
child->fail = fail->trans[i];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = bfs_enqueue(&bfs, &bfs_last, child)) != 0)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return ret;
}
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
libclamav/matcher-ac.c: micro-optimization (bb#843), thanks to Edwin git-svn: trunk@4334
2008-11-04 19:23:35 +00:00
bfs = bfs_last = NULL;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 256; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
node = ac_root->trans[i];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (node != ac_root) {
if ((ret = bfs_enqueue(&bfs, &bfs_last, node)))
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
libclamav/matcher-ac.c: micro-optimization (bb#843), thanks to Edwin git-svn: trunk@4334
2008-11-04 19:23:35 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while ((node = bfs_dequeue(&bfs, &bfs_last))) {
if (IS_LEAF(node))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 256; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
child = node->trans[i];
if (!child || (!IS_FINAL(child) && IS_LEAF(child))) {
struct cli_ac_node *failtarget = node->fail;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while (IS_LEAF(failtarget) || !failtarget->trans[i])
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
failtarget = failtarget->fail;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
failtarget = failtarget->trans[i];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
node->trans[i] = failtarget;
} else if (IS_FINAL(child) && IS_LEAF(child)) {
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
struct cli_ac_list *list;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
list = child->list;
if (list) {
while (list->next)
list = list->next;
list->next = child->fail->list;
} else {
child->list = child->fail->list;
}
child->trans = child->fail->trans;
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = bfs_enqueue(&bfs, &bfs_last, child)) != 0)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return ret;
}
}
libclamav/matcher-ac.c: micro-optimization (bb#843), thanks to Edwin git-svn: trunk@4334
2008-11-04 19:23:35 +00:00
}
minor code cleanup git-svn: trunk@1981
2006-05-18 11:29:24 +00:00
return CL_SUCCESS;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_buildtrie(struct cli_matcher *root)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMALFDB;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(root->ac_root)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_dbgmsg("cli_ac_buildtrie: AC pattern matcher is not initialised\n");
return CL_SUCCESS;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
fix prefiltering build.
2010-02-10 16:58:13 +02:00
if (root->filter)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_dbgmsg("Using filter for trie %d\n", root->type);
bb12389 - fast AC sig load - courtesy of Alberto Wu This commit addresses the signature load time issue in the following steps: 1. Loaded list items are allocated but left unattached; only a node reference is set on them for further processing. This is done with no increase of memory usage. See changes in insert_list and matcher-ac.h 2. Before the tries are built, the whole list of entries is sorted by node, then by pattern, then by partno. This requires O(N log(N)) time. 3. The list is processed linearly, one node at a time and the `next_same` chain is built. Each next_same chain head is also extracted. This requires O(N) time. 4. The list of heads is sorted by partno. This requires O(M log(M)) time on average with M<=N. 5. The list of heads is processed linearly and the `next` chain is built. This has O(M) complexity. And improves scantime performance, by adding checks to: 1. Place longer lists earlier in the trie. 2. Keep close patterns close, rather than scattering them further apart. This reduced memory cache faults to improve load and scan time performance.
2019-11-08 14:05:08 -08:00
link_lists(root);
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
return ac_maketrans(root);
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
fix unit tests when mpool is activated git-svn: trunk@4323
2008-11-03 19:26:57 +00:00
#ifdef USE_MPOOL
assert(root->mempool && "mempool must be initialized");
#endif
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
root->ac_root = (struct cli_ac_node *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_ac_node));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root->ac_root) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_init: Can't allocate memory for ac_root\n");
return CL_EMEM;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
root->ac_root->trans = (struct cli_ac_node **)MPOOL_CALLOC(root->mempool, 256, sizeof(struct cli_ac_node *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root->ac_root->trans) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_init: Can't allocate memory for ac_root->trans\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_root);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMEM;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
root->ac_mindepth = mindepth;
root->ac_maxdepth = maxdepth;
enable prefiltering, and add to dconf. Also downgrade some warnings to debug messages.
2010-02-15 15:01:37 +02:00
if (cli_mtargets[root->type].enable_prefiltering && dconf_prefiltering) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
root->filter = MPOOL_MALLOC(root->mempool, sizeof(*root->filter));
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
if (!root->filter) {
cli_errmsg("cli_ac_init: Can't allocate memory for ac_root->filter\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_root->trans);
MPOOL_FREE(root->mempool, root->ac_root);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMEM;
}
filter_init(root->filter);
Add the rest of the prefiltering glue code. This is still disabled for now (see the & 0).
2010-02-10 11:39:47 +02:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
return CL_SUCCESS;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
HIGLY EXPERIMENTAL memory pool for libclamav The goal is to put an end to memory wasted due to stupid allocators and fragmentation In the long run mpool libraries will be replaced with better code. For now there just good enough. This branch is currently under development and totally broken. If it will ever compile, it'll probably result in random crashes or at least (slightly) higher load times. The code is also terrible, just don't look. Do not use except for testing. git-svn-id: file:///var/lib/svn/clamav-devel/branches/mpool@4266 77e5149b-7576-45b1-b177-96237e5ba77b
2008-10-17 17:00:13 +00:00
#ifdef USE_MPOOL
libclamav/matcher-ac.c: initial limited support for word boundary (bb#1631)
2009-09-11 16:05:50 +02:00
#define mpool_ac_free_special(a, b) ac_free_special(a, b)
static void ac_free_special(mpool_t *mempool, struct cli_ac_patt *p)
HIGLY EXPERIMENTAL memory pool for libclamav The goal is to put an end to memory wasted due to stupid allocators and fragmentation In the long run mpool libraries will be replaced with better code. For now there just good enough. This branch is currently under development and totally broken. If it will ever compile, it'll probably result in random crashes or at least (slightly) higher load times. The code is also terrible, just don't look. Do not use except for testing. git-svn-id: file:///var/lib/svn/clamav-devel/branches/mpool@4266 77e5149b-7576-45b1-b177-96237e5ba77b
2008-10-17 17:00:13 +00:00
#else
libclamav/matcher-ac.c: initial limited support for word boundary (bb#1631)
2009-09-11 16:05:50 +02:00
#define mpool_ac_free_special(a, b) ac_free_special(b)
static void ac_free_special(struct cli_ac_patt *p)
HIGLY EXPERIMENTAL memory pool for libclamav The goal is to put an end to memory wasted due to stupid allocators and fragmentation In the long run mpool libraries will be replaced with better code. For now there just good enough. This branch is currently under development and totally broken. If it will ever compile, it'll probably result in random crashes or at least (slightly) higher load times. The code is also terrible, just don't look. Do not use except for testing. git-svn-id: file:///var/lib/svn/clamav-devel/branches/mpool@4266 77e5149b-7576-45b1-b177-96237e5ba77b
2008-10-17 17:00:13 +00:00
#endif
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
{
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
unsigned int i, j;
struct cli_ac_special *a1;
struct cli_alt_node *b1, *b2;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!p->special)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < p->special; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
a1 = p->special_table[i];
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (a1->type == AC_SPECIAL_ALT_CHAR) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(mempool, (a1->alt).byte);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
} else if (a1->type == AC_SPECIAL_ALT_STR_FIXED) {
for (j = 0; j < a1->num; j++)
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(mempool, (a1->alt).f_str[j]);
MPOOL_FREE(mempool, (a1->alt).f_str);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
} else if (a1->type == AC_SPECIAL_ALT_STR) {
b1 = (a1->alt).v_str;
while (b1) {
b2 = b1->next;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(mempool, b1->str);
MPOOL_FREE(mempool, b1);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
b1 = b2;
}
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(mempool, a1);
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(mempool, p->special_table);
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
}
add support for cl_engine and cli_matcher git-svn: trunk@1726
2005-09-23 02:23:36 +00:00
void cli_ac_free(struct cli_matcher *root)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
uint32_t i = 0;
struct cli_ac_patt *patt = NULL;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < root->ac_patterns; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
patt = root->ac_pattable[i];
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, patt->prefix ? patt->prefix : patt->pattern);
Image fuzzy hash: new logical sub-signature feature Add a new logical signature subsignature type for matching on images with image fuzzy hashes. Image fuzzy hash subsigantures follow this format: fuzzy_img#<hash>#<dist> In this initial implementation, the hamming distance (dist) is ignored and only exact fuzzy hash matches will alert. Fuzzy hash matching is only performed for supported image types. Also: removed some excessive debug log messages on start-up. Fixed an issue where the signature name (virname) is being allocated and stored for every subsignature or even ever sub-pattern in an AC-pattern (i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard. This fix is only for LDB subsigs though. NDB signatures are still allocaing one virname per sub-pattern. This fix was required because I needed a place to store the virname with fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig metadatathe way AC-pattern, PCRE, and BComp subsigs were doing it wouldn't work because it would cross the C-Rust FFI boundary and giving pointers to Rust allocated stuff is dicey. Not to mention native Rust strings are different thatn C strings. Anyways, the correct thing to do was to store the virname with the actual logical signature. TODO: Keep track of NDB signatures in the same way and store the virname for NDB sigs there instead of in AC-patterns so that we can get rid of the virname field in the AC-pattern struct.
2021-04-21 16:24:24 -07:00
if (!(patt->lsigid[0] == 1)) {
/* Don't free the virname for patterns lsigs (normal or yara).
For lsigs, we store the virname in lsig->virname, not in each ac-pattern.
TODO: never store the virname in the ac pattern and only store it per-signature, not per-pattern. */
MPOOL_FREE(root->mempool, patt->virname);
}
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (patt->special) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
mpool_ac_free_special(root->mempool, patt);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, patt);
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (root->ac_pattable) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_pattable);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (root->ac_reloff) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_reloff);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
libclamav: improve handling of signature offsets
2009-08-14 14:38:13 +02:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
for (i = 0; i < root->ac_lists; i++) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_listtable[i]);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (root->ac_listtable) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_listtable);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
fix to yara integration with nocase patterns
2015-02-10 07:08:15 -08:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
for (i = 0; i < root->ac_nodes; i++) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_nodetable[i]);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (root->ac_nodetable) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_nodetable);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (root->ac_root) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->ac_root->trans);
MPOOL_FREE(root->mempool, root->ac_root);
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
if (root->filter) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->filter);
Fixed heap buffer overflow while loading signatures There is a possible overflow read when loading PDB and WDB phishing signatures. This issue is not a vulnerability. Changed const char pointers to uint8_t pointers when they are to be used with data, as well as removing asserts and adding additional error checking. Thank you Michał Dardas for reporting this issue. This fix also resolves: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43845 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43812 - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43866 This commit also fixes a minor leak of pattern matching trans nodes that was observed when testing with the MPOOL module disabled.
2022-05-16 21:29:25 -04:00
}
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
free_trans_nodes(root);
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
/*
* In parse_only mode this function returns -1 on error or the max subsig id
*/
libclamav: lsigs: handle extended block modifiers (bb#896) git-svn: trunk@3998
2008-07-26 15:48:08 +00:00
int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigned int *cnt, uint64_t *ids, unsigned int parse_only)
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
unsigned int i, len = end - expr, pth = 0, opoff = 0, op1off = 0, val;
unsigned int blkend = 0, id, modval1, modval2 = 0, lcnt = 0, rcnt = 0, tcnt, modoff = 0;
uint64_t lids = 0, rids = 0, tids;
int ret, lval, rval;
char op = 0, op1 = 0, mod = 0, blkmod = 0;
const char *lstart = expr, *lend = NULL, *rstart = NULL, *rend = end, *pt;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < len; i++) {
switch (expr[i]) {
case '(':
pth++;
break;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case ')':
if (!pth) {
cli_errmsg("cli_ac_chklsig: Syntax error: Missing opening parenthesis\n");
return -1;
}
pth--;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
/* fall-through */
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case '>':
case '<':
case '=':
mod = expr[i];
modoff = i;
break;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
default:
if (strchr("&|", expr[i])) {
if (!pth) {
op = expr[i];
opoff = i;
} else if (pth == 1) {
op1 = expr[i];
op1off = i;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (op)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
break;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (op1 && !pth) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
blkend = i;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (expr[i + 1] == '>' || expr[i + 1] == '<' || expr[i + 1] == '=') {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
blkmod = expr[i + 1];
ret = sscanf(&expr[i + 2], "%u,%u", &modval1, &modval2);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != 2)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
ret = sscanf(&expr[i + 2], "%u", &modval1);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!ret || ret == EOF) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("chklexpr: Syntax error: Missing number after '%c'\n", expr[i + 1]);
return -1;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i += 2; i + 1 < len && (isdigit(expr[i + 1]) || expr[i + 1] == ','); i++)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (&expr[i + 1] == rend)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
break;
else
blkmod = 0;
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pth) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Syntax error: Missing closing parenthesis\n");
return -1;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!op && !op1) {
if (expr[0] == '(')
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return cli_ac_chklsig(++expr, --end, lsigcnt, cnt, ids, parse_only);
ret = sscanf(expr, "%u", &id);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!ret || ret == EOF) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Can't parse %s\n", expr);
return -1;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (parse_only)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
val = id;
else
val = lsigcnt[id];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (mod) {
pt = expr + modoff + 1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
ret = sscanf(pt, "%u", &modval1);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!ret || ret == EOF) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("chklexpr: Syntax error: Missing number after '%c'\n", mod);
return -1;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!parse_only) {
switch (mod) {
case '=':
if (val != modval1)
return 0;
break;
case '<':
if (val >= modval1)
return 0;
break;
case '>':
if (val <= modval1)
return 0;
break;
default:
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
}
*cnt += val;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*ids |= (uint64_t)1 << id;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 1;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (parse_only) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return val;
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (val) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*cnt += val;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*ids |= (uint64_t)1 << id;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 1;
} else {
return 0;
}
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!op) {
op = op1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
opoff = op1off;
lstart++;
rend = &expr[blkend];
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!opoff) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Syntax error: Missing left argument\n");
return -1;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
lend = &expr[opoff];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (opoff + 1 == len) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Syntax error: Missing right argument\n");
return -1;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
rstart = &expr[opoff + 1];
libclamav: lsigs: handle extended block modifiers (bb#896) git-svn: trunk@3998
2008-07-26 15:48:08 +00:00
lval = cli_ac_chklsig(lstart, lend, lsigcnt, &lcnt, &lids, parse_only);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (lval == -1) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Calculation of lval failed\n");
return -1;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
libclamav: lsigs: handle extended block modifiers (bb#896) git-svn: trunk@3998
2008-07-26 15:48:08 +00:00
rval = cli_ac_chklsig(rstart, rend, lsigcnt, &rcnt, &rids, parse_only);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (rval == -1) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_chklsig: Calculation of rval failed\n");
return -1;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (parse_only) {
switch (op) {
case '&':
case '|':
return MAX(lval, rval);
default:
cli_errmsg("cli_ac_chklsig: Incorrect operator type\n");
return -1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
switch (op) {
case '&':
ret = lval && rval;
break;
case '|':
ret = lval || rval;
break;
default:
cli_errmsg("cli_ac_chklsig: Incorrect operator type\n");
return -1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!blkmod) {
if (ret) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*cnt += lcnt + rcnt;
*ids |= lids | rids;
}
return ret;
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
tcnt = lcnt + rcnt;
tids = lids | rids;
} else {
tcnt = 0;
tids = 0;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
switch (blkmod) {
case '=':
if (tcnt != modval1)
return 0;
break;
case '<':
if (tcnt >= modval1)
return 0;
break;
case '>':
if (tcnt <= modval1)
return 0;
break;
default:
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (modval2) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
val = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while (tids) {
val += tids & (uint64_t)1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
tids >>= 1;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (val < modval2)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
}
*cnt += tcnt;
return 1;
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
inline static int ac_findmatch_special(const unsigned char *buffer, uint32_t offset, uint32_t bp, uint32_t fileoffset, uint32_t length,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end, int rev);
static int ac_backward_match_branch(const unsigned char *buffer, uint32_t bp, uint32_t offset, uint32_t length, uint32_t fileoffset,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end);
static int ac_forward_match_branch(const unsigned char *buffer, uint32_t bp, uint32_t offset, uint32_t length, uint32_t fileoffset,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end);
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
/* call only by ac_findmatch_special! Does not handle recursive specials */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
#define AC_MATCH_CHAR2(p, b) \
switch (wc = p & CLI_MATCH_METADATA) { \
case CLI_MATCH_CHAR: \
if ((unsigned char)p != b) \
match = 0; \
break; \
\
case CLI_MATCH_NOCASE: \
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
if ((unsigned char)(p & 0xff) != CLI_NOCASE(b)) \
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
match = 0; \
break; \
\
case CLI_MATCH_IGNORE: \
break; \
\
case CLI_MATCH_NIBBLE_HIGH: \
if ((unsigned char)(p & 0x00f0) != (b & 0xf0)) \
match = 0; \
break; \
\
case CLI_MATCH_NIBBLE_LOW: \
if ((unsigned char)(p & 0x000f) != (b & 0x0f)) \
match = 0; \
break; \
\
default: \
cli_errmsg("ac_findmatch: Unknown metatype 0x%x\n", wc); \
match = 0; \
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* call only by ac_XX_match_branch! */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
#define AC_MATCH_CHAR(p, b, rev) \
switch (wc = p & CLI_MATCH_METADATA) { \
case CLI_MATCH_CHAR: \
if ((unsigned char)p != b) \
match = 0; \
break; \
\
case CLI_MATCH_NOCASE: \
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
if ((unsigned char)(p & 0xff) != CLI_NOCASE(b)) \
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
match = 0; \
break; \
\
case CLI_MATCH_IGNORE: \
break; \
\
case CLI_MATCH_SPECIAL: \
/* >1 = movement, 0 = fail, <1 = resolved in branch */ \
if ((match = ac_findmatch_special(buffer, offset, bp, fileoffset, length, \
pattern, i, specialcnt, start, end, rev)) <= 0) \
return match; \
\
if (!rev) { \
bp += (match - 1); /* -1 is for bp++ in parent loop */ \
specialcnt++; \
} else { \
bp = bp + 1 - match; /* +1 is for bp-- in parent loop */ \
specialcnt--; \
} \
\
break; \
\
case CLI_MATCH_NIBBLE_HIGH: \
if ((unsigned char)(p & 0x00f0) != (b & 0xf0)) \
match = 0; \
break; \
\
case CLI_MATCH_NIBBLE_LOW: \
if ((unsigned char)(p & 0x000f) != (b & 0x0f)) \
match = 0; \
break; \
\
default: \
cli_errmsg("ac_findmatch: Unknown metatype 0x%x\n", wc); \
match = 0; \
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
}
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
/* special handler */
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
inline static int ac_findmatch_special(const unsigned char *buffer, uint32_t offset, uint32_t bp, uint32_t fileoffset, uint32_t length,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end, int rev)
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
{
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
int match, cmp;
ac_fincmatch_special: fixed issue regarding boundaries and prefix checking
2015-05-22 16:18:36 -04:00
uint16_t j, b = buffer[bp];
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
uint16_t wc;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
uint32_t subbp;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
struct cli_ac_special *special = pattern->special_table[specialcnt];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
struct cli_alt_node *alt = NULL;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
match = special->negative;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
switch (special->type) {
case AC_SPECIAL_ALT_CHAR: /* single-byte */
for (j = 0; j < special->num; j++) {
cmp = b - (special->alt).byte[j];
if (cmp == 0) {
match = !special->negative;
break;
} else if (cmp < 0)
break;
}
break;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case AC_SPECIAL_ALT_STR_FIXED: /* fixed length multi-byte */
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
if (!rev) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (bp + special->len[0] > length)
break;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
subbp = bp;
} else {
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (bp < (uint32_t)(special->len[0] - 1))
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
break;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
subbp = bp - (uint32_t)(special->len[0] - 1);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
match *= special->len[0];
for (j = 0; j < special->num; j++) {
cmp = memcmp(&buffer[subbp], (special->alt).f_str[j], special->len[0]);
if (cmp == 0) {
match = (!special->negative) * special->len[0];
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
break;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (cmp < 0)
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
break;
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
break;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case AC_SPECIAL_ALT_STR: /* generic */
alt = (special->alt).v_str;
while (alt) {
if (!rev) {
if (bp + alt->len > length) {
alt = alt->next;
continue;
}
subbp = bp;
} else {
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (bp < (uint32_t)(alt->len - 1)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
alt = alt->next;
continue;
}
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
subbp = bp - (uint32_t)(alt->len - 1);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
/* note that generic alternates CANNOT be negated */
match = 1;
for (j = 0; j < alt->len; j++) {
AC_MATCH_CHAR2(alt->str[j], buffer[subbp + j]);
if (!match)
break;
}
if (match) {
/* if match is unique (has no derivatives), we can pass it directly back */
if (alt->unique) {
match = alt->len;
break;
}
/* branch for backtracking */
if (!rev)
match = ac_forward_match_branch(buffer, subbp + alt->len, offset, fileoffset, length, pattern, pp + 1, specialcnt + 1, start, end);
else
match = ac_backward_match_branch(buffer, subbp - 1, offset, fileoffset, length, pattern, pp - 1, specialcnt - 1, start, end);
if (match)
return -1; /* alerts caller that match has been resolved in child callee */
}
alt = alt->next;
}
break;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case AC_SPECIAL_LINE_MARKER:
if (b == '\n')
match = !special->negative;
else if (b == '\r' && (bp + 1 < length && buffer[bp + 1] == '\n'))
match = (!special->negative) * 2;
break;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case AC_SPECIAL_BOUNDARY:
if (boundary[b])
match = !special->negative;
break;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case AC_SPECIAL_WORD_MARKER:
if (!isalnum(b))
match = !special->negative;
break;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
default:
cli_errmsg("ac_findmatch: Unknown special\n");
match = 0;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
}
return match;
}
/* state should reset on call, recursion depth = number of alternate specials */
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* each loop iteration starts on the NEXT sequence to be validated */
static int ac_backward_match_branch(const unsigned char *buffer, uint32_t bp, uint32_t offset, uint32_t fileoffset, uint32_t length,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end)
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
{
bb11992: cleaning up some variable initialization.
2017-12-20 08:27:21 -05:00
int match = 0;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
uint16_t wc, i;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
uint32_t filestart;
fix boundary error (bb#491) git-svn: trunk@3049
2007-05-02 09:17:46 +00:00
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* backwards (prefix) validation, determines start */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->prefix && pattern->prefix_length[0]) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = 1;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
for (i = pp; 1; i--) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
AC_MATCH_CHAR(pattern->prefix[i], buffer[bp], 1);
if (!match)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
return 0;
/* needs to perform check before decrement due to unsignedness */
if (i == 0 || bp == 0)
break;
bp--;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*start = bp;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
filestart = fileoffset - offset + bp;
} else {
/* bp is set to buffer offset */
*start = bp = offset;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
filestart = fileoffset;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* left-side special checks, bp = start */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_BOUNDARY_LEFT) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
match = !!(pattern->boundary & AC_BOUNDARY_LEFT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!filestart || (bp && (boundary[buffer[bp - 1]] == 1 || boundary[buffer[bp - 1]] == 3)))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
2009-09-17 22:49:45 +02:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_LINE_MARKER_LEFT) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !!(pattern->boundary & AC_LINE_MARKER_LEFT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!filestart || (bp && (buffer[bp - 1] == '\n')))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
libclamav/matcher-ac.c: implement word delimiter (B) as requested in bb#1631
2009-09-17 22:49:45 +02:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_WORD_MARKER_LEFT) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !!(pattern->boundary & AC_WORD_MARKER_LEFT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!filestart)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
else if (pattern->sigopts & ACPATT_OPTION_WIDE) {
if (filestart - 1 == 0)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (bp - 1 && bp && !(isalnum(buffer[bp - 2]) && buffer[bp - 1] == '\0'))
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (bp && !isalnum(buffer[bp - 1]))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
libclamav/matcher-ac.c: add support for line marker (L) (matches CR, CRLF and boundaries)
2009-09-25 10:38:10 +02:00
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* bp is shifted for left anchor check, thus invalidated as pattern start */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(pattern->ch[0] & CLI_MATCH_IGNORE)) {
if (pattern->ch_mindist[0] + (uint32_t)1 > bp)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
return 0;
bp -= pattern->ch_mindist[0] + 1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = pattern->ch_mindist[0]; i <= pattern->ch_maxdist[0]; i++) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = 1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
AC_MATCH_CHAR(pattern->ch[0], buffer[bp], 1);
if (match)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
break;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!bp)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
return 0;
else
bp--;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
libclamav/matcher-ac.c: add support for line marker (L) (matches CR, CRLF and boundaries)
2009-09-25 10:38:10 +02:00
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
return 1;
}
/* state should reset on call, recursion depth = number of alternate specials */
/* each loop iteration starts on the NEXT sequence to validate */
static int ac_forward_match_branch(const unsigned char *buffer, uint32_t bp, uint32_t offset, uint32_t fileoffset, uint32_t length,
const struct cli_ac_patt *pattern, uint32_t pp, uint16_t specialcnt, uint32_t *start, uint32_t *end)
{
int match;
uint16_t wc, i;
match = 1;
/* forward (pattern) validation; determines end */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = pp; i < pattern->length[0] && bp < length; i++) {
AC_MATCH_CHAR(pattern->pattern[i], buffer[bp], 0);
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
if (!match)
return 0;
bp++;
}
*end = bp;
/* right-side special checks, bp = end */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_BOUNDARY_RIGHT) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !!(pattern->boundary & AC_BOUNDARY_RIGHT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((length <= SCANBUFF) && (bp == length || boundary[buffer[bp]] >= 2))
added wide support for word marker char class reason: differs from what is expected in yara TODO: handle this case for all character classes/cases
2015-02-26 11:21:34 -05:00
match = !match;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
return 0;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_LINE_MARKER_RIGHT) {
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
match = !!(pattern->boundary & AC_LINE_MARKER_RIGHT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((length <= SCANBUFF) && (bp == length || buffer[bp] == '\n' || (buffer[bp] == '\r' && bp + 1 < length && buffer[bp + 1] == '\n')))
added '(W)' special character to match fullword (non-alnum)
2015-02-20 15:40:36 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
added '(W)' special character to match fullword (non-alnum)
2015-02-20 15:40:36 -05:00
return 0;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pattern->boundary & AC_WORD_MARKER_RIGHT) {
added '(W)' special character to match fullword (non-alnum)
2015-02-20 15:40:36 -05:00
match = !!(pattern->boundary & AC_WORD_MARKER_RIGHT_NEGATIVE);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (length <= SCANBUFF) {
if (bp == length)
added wide support for word marker char class reason: differs from what is expected in yara TODO: handle this case for all character classes/cases
2015-02-26 11:21:34 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
else if ((pattern->sigopts & ACPATT_OPTION_WIDE) && (bp + 1 < length)) {
if (!(isalnum(buffer[bp]) && buffer[bp + 1] == '\0'))
added wide support for word marker char class reason: differs from what is expected in yara TODO: handle this case for all character classes/cases
2015-02-26 11:21:34 -05:00
match = !match;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (!isalnum(buffer[bp]))
added wide support for word marker char class reason: differs from what is expected in yara TODO: handle this case for all character classes/cases
2015-02-26 11:21:34 -05:00
match = !match;
}
added '(W)' special character to match fullword (non-alnum)
2015-02-20 15:40:36 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
added '(W)' special character to match fullword (non-alnum)
2015-02-20 15:40:36 -05:00
return 0;
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* bp is shifted for right anchor check, thus invalidated as pattern right-side */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(pattern->ch[1] & CLI_MATCH_IGNORE)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
bp += pattern->ch_mindist[1];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = pattern->ch_mindist[1]; i <= pattern->ch_maxdist[1]; i++) {
if (bp >= length)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
match = 1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
AC_MATCH_CHAR(pattern->ch[1], buffer[bp], 0);
if (match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
break;
bp++;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!match)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return 0;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
return ac_backward_match_branch(buffer, offset - 1, offset, fileoffset, length, pattern, pattern->prefix_length[0] - 1, pattern->special_pattern - 1, start, end);
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uint32_t fileoffset, uint32_t length, const struct cli_ac_patt *pattern, uint32_t *start, uint32_t *end)
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
{
int match;
uint16_t specialcnt = pattern->special_pattern;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
/* minimal check as the maximum variable length may exceed the buffer */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((offset + pattern->length[1] > length) || (pattern->prefix_length[1] > offset))
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
return 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
match = ac_forward_match_branch(buffer, offset + pattern->depth, offset, fileoffset, length, pattern, pattern->depth, specialcnt, start, end);
if (match)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return 1;
ac_findmatch branching variant for alternating strings
2015-05-06 13:34:15 -04:00
return 0;
}
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, uint32_t reloffsigs, uint8_t tracklen)
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
unsigned int i, j;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
Silence a bunch of compiler warnings in libclamav
2014-07-10 18:11:49 -04:00
UNUSEDPARAM(tracklen);
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_init: data == NULL\n");
return CL_ENULLARG;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
}
bb#9595 fix for sigs targeted for ascii files containing offsets of the form EOF-n.
2013-12-05 15:09:19 -08:00
memset((void *)data, 0, sizeof(struct cli_ac_data));
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
data->reloffsigs = reloffsigs;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->offset = (uint32_t *)malloc(reloffsigs * 2 * sizeof(uint32_t));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->offset) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_init: Can't allocate memory for data->offset\n");
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < reloffsigs * 2; i += 2)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->offset[i] = CLI_OFF_NONE;
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
}
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
data->partsigs = partsigs;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->offmatrix = (uint32_t ***)calloc(partsigs, sizeof(uint32_t **));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->offmatrix) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_init: Can't allocate memory for data->offmatrix\n");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
return CL_EMEM;
}
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
data->lsigs = lsigs;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (lsigs) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->lsigcnt = (uint32_t **)malloc(lsigs * sizeof(uint32_t *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->lsigcnt) {
if (partsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigcnt\n");
return CL_EMEM;
}
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->lsigcnt[0] = (uint32_t *)calloc(lsigs * 64, sizeof(uint32_t));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->lsigcnt[0]) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigcnt);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigcnt[0]\n");
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 1; i < lsigs; i++)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->lsigcnt[i] = data->lsigcnt[0] + 64 * i;
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->yr_matches = (uint8_t *)calloc(lsigs, sizeof(uint8_t));
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
if (data->yr_matches == NULL) {
free(data->lsigcnt[0]);
free(data->lsigcnt);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs)
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->offset);
return CL_EMEM;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
/* subsig offsets */
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->lsig_matches = (struct cli_lsig_matches **)calloc(lsigs, sizeof(struct cli_lsig_matches *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->lsig_matches) {
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->yr_matches);
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
free(data->lsigcnt[0]);
free(data->lsigcnt);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs)
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
free(data->offset);
cli_errmsg("cli_ac_init: Can't allocate memory for data->lsig_matches\n");
return CL_EMEM;
}
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->lsigsuboff_last = (uint32_t **)malloc(lsigs * sizeof(uint32_t *));
data->lsigsuboff_first = (uint32_t **)malloc(lsigs * sizeof(uint32_t *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->lsigsuboff_last || !data->lsigsuboff_first) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
free(data->lsig_matches);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigsuboff_last);
free(data->lsigsuboff_first);
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->yr_matches);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigcnt[0]);
free(data->lsigcnt);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)\n");
return CL_EMEM;
}
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
data->lsigsuboff_last[0] = (uint32_t *)calloc(lsigs * 64, sizeof(uint32_t));
data->lsigsuboff_first[0] = (uint32_t *)calloc(lsigs * 64, sizeof(uint32_t));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!data->lsigsuboff_last[0] || !data->lsigsuboff_first[0]) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
free(data->lsig_matches);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigsuboff_last[0]);
free(data->lsigsuboff_first[0]);
free(data->lsigsuboff_last);
free(data->lsigsuboff_first);
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->yr_matches);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigcnt[0]);
free(data->lsigcnt);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (partsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offmatrix);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (reloffsigs)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]\n");
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (j = 0; j < 64; j++) {
data->lsigsuboff_last[0][j] = CLI_OFF_NONE;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->lsigsuboff_first[0][j] = CLI_OFF_NONE;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 1; i < lsigs; i++) {
data->lsigsuboff_last[i] = data->lsigsuboff_last[0] + 64 * i;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->lsigsuboff_first[i] = data->lsigsuboff_first[0] + 64 * i;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (j = 0; j < 64; j++) {
data->lsigsuboff_last[i][j] = CLI_OFF_NONE;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->lsigsuboff_first[i][j] = CLI_OFF_NONE;
}
}
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 32; i++)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->macro_lastmatch[i] = CLI_OFF_NONE;
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
libclamav/matcher-ac.c: optimize handling of multi-part signatures (bb#2322)
2010-12-02 18:50:53 +01:00
data->min_partno = 1;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
return CL_SUCCESS;
}
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_caloff(const struct cli_matcher *root, struct cli_ac_data *data, const struct cli_target_info *info)
libclamav: improve handling of signature offsets
2009-08-14 14:38:13 +02:00
{
Matcher: Remove allmatch checks and significantly tidy code Significantly tidy the `cli_scan_fmap()` function, and add comments to explain how it all works. Add SHA1 and SHA256 digest variables to the FMAP structure in addition to the existing MD5. Add a function to set the hash so that when we calculate the hashes for hash matching, we save them for subsequent FP matching. This enabled me to remove the extra "hash-only" FP check from `cli_scan_fmap()`. This will also make it easier to switch the clean cache hash algorithm to SHA256 in the future. Remove extra allmatch checks that are no longer required. Add a new header to prevent #include order issues.
2022-08-18 20:00:33 -07:00
cl_error_t ret;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
unsigned int i;
struct cli_ac_patt *patt;
libclamav: improve handling of signature offsets
2009-08-14 14:38:13 +02:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (info)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->vinfo = &info->exeinfo.vinfo;
matching complete
2010-01-04 14:56:04 +01:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < root->ac_reloff_num; i++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
patt = root->ac_reloff[i];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!info) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->offset[patt->offset_min] = CLI_OFF_NONE;
Matcher: Remove allmatch checks and significantly tidy code Significantly tidy the `cli_scan_fmap()` function, and add comments to explain how it all works. Add SHA1 and SHA256 digest variables to the FMAP structure in addition to the existing MD5. Add a function to set the hash so that when we calculate the hashes for hash matching, we save them for subsequent FP matching. This enabled me to remove the extra "hash-only" FP check from `cli_scan_fmap()`. This will also make it easier to switch the clean cache hash algorithm to SHA256 in the future. Remove extra allmatch checks that are no longer required. Add a new header to prevent #include order issues.
2022-08-18 20:00:33 -07:00
} else if (CL_SUCCESS != (ret = cli_caloff(NULL, info, root->type, patt->offdata, &data->offset[patt->offset_min], &data->offset[patt->offset_max]))) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_caloff: Can't calculate relative offset in signature for %s\n", patt->virname);
return ret;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if ((data->offset[patt->offset_min] != CLI_OFF_NONE) && (data->offset[patt->offset_min] + patt->length[1] > info->fsize)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
data->offset[patt->offset_min] = CLI_OFF_NONE;
}
libclamav: improve handling of signature offsets
2009-08-14 14:38:13 +02:00
}
return CL_SUCCESS;
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
void cli_ac_freedata(struct cli_ac_data *data)
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
uint32_t i;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
if (!data)
return;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (data->partsigs) {
for (i = 0; i < data->partsigs; i++) {
if (data->offmatrix[i]) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offmatrix[i][0]);
free(data->offmatrix[i]);
}
}
free(data->offmatrix);
data->offmatrix = NULL;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
data->partsigs = 0;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (data->lsigs) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
if (data->lsig_matches) {
for (i = 0; i < data->lsigs; i++) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
struct cli_lsig_matches *ls_matches;
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
if ((ls_matches = data->lsig_matches[i])) {
uint32_t j;
for (j = 0; j < ls_matches->subsigs; j++) {
if (ls_matches->matches[j]) {
free(ls_matches->matches[j]);
ls_matches->matches[j] = 0;
}
}
free(data->lsig_matches[i]);
data->lsig_matches[i] = 0;
}
}
free(data->lsig_matches);
data->lsig_matches = 0;
}
Add support for YARA private rules and referencing other rules in a YARA condition.
2015-06-19 16:33:59 -04:00
free(data->yr_matches);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->lsigcnt[0]);
free(data->lsigcnt);
free(data->lsigsuboff_last[0]);
free(data->lsigsuboff_last);
free(data->lsigsuboff_first[0]);
free(data->lsigsuboff_first);
data->lsigs = 0;
multipart signatures: give higher priority to new sub-matches git-svn: trunk@2507
2006-11-18 20:49:08 +00:00
}
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (data->reloffsigs) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
free(data->offset);
data->reloffsigs = 0;
libclamav: handle relative offsets with cli_ac_data; fix offset logic
2009-08-21 15:55:10 +02:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
multipart signatures: give higher priority to new sub-matches git-svn: trunk@2507
2006-11-18 20:49:08 +00:00
Scan_all: make sure flag reaches ac_scanbuff and cleaner clamd support
2013-06-13 15:01:39 -04:00
/* returns only CL_SUCCESS or CL_EMEM */
use limits->maxfiles instead of MAX_EMBEDDED_OBJ for ZIP-SFX git-svn: trunk@3668
2008-02-22 00:26:25 +00:00
inline static int ac_addtype(struct cli_matched_type **list, cli_file_t type, off_t offset, const cli_ctx *ctx)
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct cli_matched_type *tnode, *tnode_last;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (type == CL_TYPE_ZIPSFX) {
if (*list && ctx && ctx->engine->maxfiles && (*list)->cnt > ctx->engine->maxfiles)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_SUCCESS;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (*list && (*list)->cnt >= MAX_EMBEDDED_OBJ) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_SUCCESS;
}
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
Optimization: replace limited allocation calls There are a large number of allocations for fix sized buffers using the `cli_malloc` and `cli_calloc` calls that check if the requested size is larger than our allocation threshold for allocations based on untrusted input. These allocations will *always* be higher than the threshold, so the extra stack frame and check for these calls is a waste of CPU. This commit replaces needless calls with A -> B: - cli_malloc -> malloc - cli_calloc -> calloc - CLI_MALLOC -> MALLOC - CLI_CALLOC -> CALLOC I also noticed that our MPOOL_MALLOC / MPOOL_CALLOC are not limited by the max-allocation threshold, when MMAP is found/enabled. But the alternative was set to cli_malloc / cli_calloc when disabled. I changed those as well. I didn't change the cli_realloc/2 calls because our version of realloc not only implements a threshold but also stabilizes the undefined behavior in realloc to protect against accidental double-free's. It may be worth implementing a cli_realloc that doesn't have the threshold built-in, however, so as to allow reallocaitons for things like buffers for loading signatures, which aren't subject to the same concern as allocations for scanning possible malware. There was one case in mbox.c where I changed MALLOC -> CLI_MALLOC, because it appears to be allocating based on untrusted input.
2022-05-08 14:59:09 -07:00
if (!(tnode = calloc(1, sizeof(struct cli_matched_type)))) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_addtype: Can't allocate memory for new type node\n");
return CL_EMEM;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
tnode->type = type;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
tnode->offset = offset;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
tnode_last = *list;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while (tnode_last && tnode_last->next)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
tnode_last = tnode_last->next;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (tnode_last)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
tnode_last->next = tnode;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
else
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*list = tnode;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
(*list)->cnt++;
pattern matcher accuracy improvements git-svn: trunk@2505
2006-11-15 15:26:54 +00:00
return CL_SUCCESS;
}
Image fuzzy hash: new logical sub-signature feature Add a new logical signature subsignature type for matching on images with image fuzzy hashes. Image fuzzy hash subsigantures follow this format: fuzzy_img#<hash>#<dist> In this initial implementation, the hamming distance (dist) is ignored and only exact fuzzy hash matches will alert. Fuzzy hash matching is only performed for supported image types. Also: removed some excessive debug log messages on start-up. Fixed an issue where the signature name (virname) is being allocated and stored for every subsignature or even ever sub-pattern in an AC-pattern (i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard. This fix is only for LDB subsigs though. NDB signatures are still allocaing one virname per sub-pattern. This fix was required because I needed a place to store the virname with fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig metadatathe way AC-pattern, PCRE, and BComp subsigs were doing it wouldn't work because it would cross the C-Rust FFI boundary and giving pointers to Rust allocated stuff is dicey. Not to mention native Rust strings are different thatn C strings. Anyways, the correct thing to do was to store the virname with the actual logical signature. TODO: Keep track of NDB signatures in the same way and store the virname for NDB sigs there instead of in AC-patterns so that we can get rid of the virname field in the AC-pattern struct.
2021-04-21 16:24:24 -07:00
void lsig_increment_subsig_match(struct cli_ac_data *mdata, uint32_t lsig_id, uint32_t subsig_id)
{
mdata->lsigcnt[lsig_id][subsig_id]++;
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
cl_error_t lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsig_id, uint32_t subsig_id, uint32_t realoff, int partial)
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
{
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
const struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsig_id];
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
const struct cli_lsig_tdb *tdb = &ac_lsig->tdb;
libclamav/matcher.c: fix counting of logical subsigs matched at boundaries (bb#2053)
2010-07-01 18:24:17 +02:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (realoff != CLI_OFF_NONE) {
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (mdata->lsigsuboff_first[lsig_id][subsig_id] == CLI_OFF_NONE) {
/* If this is the first subsig in the lsig, store the offset in the first-list. */
mdata->lsigsuboff_first[lsig_id][subsig_id] = realoff;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (mdata->lsigsuboff_last[lsig_id][subsig_id] != CLI_OFF_NONE &&
/* If this isn't the first subsig match for this logical sig and the offset
is earlier in the file than the last subsig match, don't count it. */
((!partial && realoff <= mdata->lsigsuboff_last[lsig_id][subsig_id]) ||
(partial && realoff < mdata->lsigsuboff_last[lsig_id][subsig_id]))) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
return CL_SUCCESS;
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
/* Increment the subsig count for this logical signature */
mdata->lsigcnt[lsig_id][subsig_id]++;
libclamav/matcher-ac.c: fix counting of subsig matches (bb#2001)
2010-05-04 16:48:54 +02:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (mdata->lsigcnt[lsig_id][subsig_id] <= 1 || !tdb->macro_ptids || !tdb->macro_ptids[subsig_id]) {
/* Store the offset of this subsig match in the last-list (except in certain circumstances) */
mdata->lsigsuboff_last[lsig_id][subsig_id] = realoff;
}
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (ac_lsig->type & CLI_YARA_OFFSET) {
/*
* There are 3 types of logical signatures: normal, yara-normal, and yara-offset
*
* For yara-offset logical signatures we allocate some structures to
* store yara subsignature match offsets.
*/
struct cli_subsig_matches *ss_matches;
struct cli_lsig_matches *ls_matches;
cli_dbgmsg("lsig_sub_matched lsig %u:%u at %u\n", lsig_id, subsig_id, realoff);
ls_matches = mdata->lsig_matches[lsig_id];
if (ls_matches == NULL) { /* allocate cli_lsig_matches */
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
ls_matches = mdata->lsig_matches[lsig_id] = (struct cli_lsig_matches *)calloc(1, sizeof(struct cli_lsig_matches) +
(ac_lsig->tdb.subsigs - 1) * sizeof(struct cli_subsig_matches *));
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (ls_matches == NULL) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
cli_errmsg("lsig_sub_matched: calloc failed for cli_lsig_matches\n");
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
return CL_EMEM;
}
ls_matches->subsigs = ac_lsig->tdb.subsigs;
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
ss_matches = ls_matches->matches[subsig_id];
if (ss_matches == NULL) { /* allocate cli_subsig_matches */
Optimization: replace limited allocation calls There are a large number of allocations for fix sized buffers using the `cli_malloc` and `cli_calloc` calls that check if the requested size is larger than our allocation threshold for allocations based on untrusted input. These allocations will *always* be higher than the threshold, so the extra stack frame and check for these calls is a waste of CPU. This commit replaces needless calls with A -> B: - cli_malloc -> malloc - cli_calloc -> calloc - CLI_MALLOC -> MALLOC - CLI_CALLOC -> CALLOC I also noticed that our MPOOL_MALLOC / MPOOL_CALLOC are not limited by the max-allocation threshold, when MMAP is found/enabled. But the alternative was set to cli_malloc / cli_calloc when disabled. I changed those as well. I didn't change the cli_realloc/2 calls because our version of realloc not only implements a threshold but also stabilizes the undefined behavior in realloc to protect against accidental double-free's. It may be worth implementing a cli_realloc that doesn't have the threshold built-in, however, so as to allow reallocaitons for things like buffers for loading signatures, which aren't subject to the same concern as allocations for scanning possible malware. There was one case in mbox.c where I changed MALLOC -> CLI_MALLOC, because it appears to be allocating based on untrusted input.
2022-05-08 14:59:09 -07:00
ss_matches = ls_matches->matches[subsig_id] = malloc(sizeof(struct cli_subsig_matches));
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (ss_matches == NULL) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
cli_errmsg("lsig_sub_matched: malloc failed for cli_subsig_matches struct\n");
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
return CL_EMEM;
}
ss_matches->next = 0;
ss_matches->last = sizeof(ss_matches->offsets) / sizeof(uint32_t) - 1;
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (ss_matches->next > ss_matches->last) { /* cli_matches out of space? realloc */
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
ss_matches = ls_matches->matches[subsig_id] = realloc(ss_matches, sizeof(struct cli_subsig_matches) + sizeof(uint32_t) * ss_matches->last * 2);
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if (ss_matches == NULL) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
cli_errmsg("lsig_sub_matched: realloc failed for cli_subsig_matches struct\n");
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
return CL_EMEM;
}
ss_matches->last = sizeof(ss_matches->offsets) / sizeof(uint32_t) + ss_matches->last * 2 - 1;
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
ss_matches->offsets[ss_matches->next] = realoff; /* finally, store the offset */
ss_matches->next++;
}
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
if ((tdb->macro_ptids != NULL) &&
(tdb->macro_ptids[subsig_id] > 0) &&
(mdata->lsigcnt[lsig_id][subsig_id] > 1)) {
/*
* This logical signature has a macro subsignature and this current subsignature has a macro following it.
*
* Check that the previous match had a macro match following it at the correct distance.
* This check is only done after the 1st match.
*/
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
const struct cli_ac_patt *macropt;
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
uint32_t id, last_macro_match, smin, smax, macro_group_id, last_macroprev_match;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
/*
* Look up the subsig for the upcoming macro to get anchor-min/max, and macro group id.
* Reminder: A macro subsignature takes the form:
* ${anchor_min - anchor_max} macro_group_id$
*/
id = tdb->macro_ptids[subsig_id];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
macropt = root->ac_pattable[id];
smin = macropt->ch_mindist[0];
smax = macropt->ch_maxdist[0];
macro_group_id = macropt->sigid;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
/* start of last macro match */
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
last_macro_match = mdata->macro_lastmatch[macro_group_id];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
/* start of previous lsig subsig match */
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
last_macroprev_match = mdata->lsigsuboff_last[lsig_id][subsig_id];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
if (last_macro_match == CLI_OFF_NONE ||
last_macroprev_match + smin > last_macro_match ||
last_macroprev_match + smax < last_macro_match) {
cli_dbgmsg("Canceled false lsig macro match\n");
/* Previous match was false - cancel it */
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
mdata->lsigcnt[lsig_id][subsig_id]--;
mdata->lsigsuboff_last[lsig_id][subsig_id] = realoff;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
} else {
/* mark the macro sig itself matched */
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
cli_dbgmsg("Checking macro match: %u + (%u - %u) == %u\n",
last_macroprev_match, smin, smax, last_macro_match);
mdata->lsigcnt[lsig_id][subsig_id + 1]++;
mdata->lsigsuboff_last[lsig_id][subsig_id + 1] = last_macro_match;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
return CL_SUCCESS;
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
cl_error_t cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsig_id)
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
{
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
const struct cli_lsig_tdb *tdb = &root->ac_lsigtable[lsig_id]->tdb;
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
unsigned i;
Correct return status variable type Should use the 'cl_error_t' enum, not 'int'. No functional difference, but is better for type safety and for debugging.
2021-06-18 16:26:56 -07:00
cl_error_t rc;
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
/* Loop through all subsigs, and if they are tied to macros check that the
* macro matched at a correct distance */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < tdb->subsigs; i++) {
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
rc = lsig_sub_matched(root, data, lsig_id, i, CLI_OFF_NONE, 0);
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
if (rc != CL_SUCCESS)
return rc;
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
}
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
return CL_SUCCESS;
Support for macros in logical subsignatures (bb #164). In the LDB there is (one or more) special subsignature ${min-max}MACROID$, which means: must match any signature from group MACROID (for current filetype), and the match must occur at a distance of min-max from the start(!) of the previous logical subsignature match. It also has the sideeffect of making the previous subsignature considered a match only if both that and the macro matches. The offset of first match for the previous logical subsig will be the offset where the {min-max} distance is satisfied. The macro logical subsignature will have a count of 0 (if it didn't match together with the previous subsig), or a count of 1 if it did. The matches can occur anywhere (even in different ac scan buffers), since I don't call cli_ac_scanbuff I just use the offset of first match (which we have for the bytecode anyway). There can be at most 32 macro groups, signatures are added to a macro group by using $MACROID$ as offset. For example pdb entries could be converted to PDB:3:$0:<hexsig of domainname> if we assign macro id 0 to PDB (and we can assign 31 more macro ids to whatever). Example: test.ldb: TestMacro;Target:0;0&1;616161;${3-4}12$ test.ndb: D:0:$12:6262 D:0:$12:6363 D:0:$11:6262 test.dat: aaaaxccdd test-nomatch.dat: aaaaxxxccdd
2010-02-08 13:45:03 +02:00
}
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_scanbuff(
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
const unsigned char *buffer,
uint32_t length,
const char **virname,
void **customdata,
struct cli_ac_result **res,
const struct cli_matcher *root,
struct cli_ac_data *mdata,
uint32_t offset,
cli_file_t ftype,
struct cli_matched_type **ftoffset,
unsigned int mode,
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
cli_ctx *ctx)
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
{
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct cli_ac_node *current;
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
struct cli_ac_list *pattN, *ptN;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct cli_ac_patt *patt, *pt;
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
uint32_t i, bp, exptoff[2], realoff, matchstart, matchend;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
uint16_t j;
uint8_t found, viruses_found = 0;
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
uint32_t **offmatrix, swp;
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
cli_file_t type = CL_TYPE_ANY;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
struct cli_ac_result *newres;
Correct return status variable type Should use the 'cl_error_t' enum, not 'int'. No functional difference, but is better for type safety and for debugging.
2021-06-18 16:26:56 -07:00
cl_error_t rc;
cl_error_t ret;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root->ac_root)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_CLEAN;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!mdata && (root->ac_partsigs || root->ac_lsigs || root->ac_reloff_num)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_scanbuff: mdata == NULL\n");
return CL_ENULLARG;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
current = root->ac_root;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < length; i++) {
removed nocase changes to ac tree operation
2015-02-09 14:22:45 -08:00
current = current->trans[buffer[i]];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (UNLIKELY(IS_FINAL(current))) {
added direct memory freeing of cli_ac_list cli_ac_pattlist renamed to cli_ac_list
2015-02-10 09:23:51 -08:00
struct cli_ac_list *faillist = current->fail->list;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
pattN = current->list;
while (pattN) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
patt = pattN->me;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (patt->partno > mdata->min_partno) {
pattN = faillist;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
faillist = NULL;
continue;
}
bp = i + 1 - patt->depth;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (patt->offdata[0] != CLI_OFF_VERSION && patt->offdata[0] != CLI_OFF_MACRO && !pattN->next_same && (patt->offset_min != CLI_OFF_ANY) && (!patt->sigid || patt->partno == 1)) {
if (patt->offset_min == CLI_OFF_NONE) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
pattN = pattN->next;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
exptoff[0] = offset + bp - patt->prefix_length[2]; /* lower offset end */
exptoff[1] = offset + bp - patt->prefix_length[1]; /* higher offset end */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (patt->offdata[0] == CLI_OFF_ABSOLUTE) {
if (patt->offset_max < exptoff[0] || patt->offset_min > exptoff[1]) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
pattN = pattN->next;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (mdata->offset[patt->offset_min] == CLI_OFF_NONE || mdata->offset[patt->offset_max] < exptoff[0] || mdata->offset[patt->offset_min] > exptoff[1]) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
pattN = pattN->next;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
}
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = pattN;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ac_findmatch(buffer, bp, offset + bp, length, patt, &matchstart, &matchend)) {
while (ptN) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
pt = ptN->me;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno > mdata->min_partno)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
break;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((pt->type && !(mode & AC_SCAN_FT)) || (!pt->type && !(mode & AC_SCAN_VIR))) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
matcher-ac: restructed ac verification
2015-07-06 19:05:36 -04:00
realoff = offset + matchstart;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->offdata[0] == CLI_OFF_VERSION) {
Hashtable / hashmap / hashset code cleanup I found mixed types and multiple bugs in the hashtable/map/set code, and very little documentation. The most documentation available is the bytecode compiler users manual. Although I also found one discrepancy there with the return value for the BC API map_remove function that calls cli_map_removekey() and so put in an issue with the compiler project for the documentation. Most notably is that this hashtab.c had a lot of functions returning negative enum values instead of returning the enums and then having the caller evaluate the return code to return a negative/0/1 result. This commit fixes all of that, and adds in a bunch of documentation to explain the purpose and behavior of each function and structure provided by hashtab.c/.h. Specific bugs that I know I fixed outside of code quality improvements: - cli_hashset_toarray() was returning CL_ENULLARG / CL_EMEM on failure, when the caller is expecting a ssize_t to indicate how big of an array is allocated. It now returns -1 on failure. I also found that an attempt was made to have the same API that takes a mempool pointer even if mempool is disabled. I preserved that, but made it so the macro is in all-caps so it's more obvious what is going on.
2022-08-12 16:59:35 -07:00
if (false == cli_hashset_contains_maybe_noalloc(mdata->vinfo, realoff)) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
cli_dbgmsg("cli_ac_scanbuff: VI match for offset %x\n", realoff);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (pt->offdata[0] == CLI_OFF_MACRO) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
mdata->macro_lastmatch[patt->offdata[1]] = realoff;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (pt->offset_min != CLI_OFF_ANY && (!pt->sigid || pt->partno == 1)) {
if (pt->offset_min == CLI_OFF_NONE) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->offdata[0] == CLI_OFF_ABSOLUTE) {
if (pt->offset_max < realoff || pt->offset_min > realoff) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (mdata->offset[pt->offset_min] == CLI_OFF_NONE || mdata->offset[pt->offset_max] < realoff || mdata->offset[pt->offset_min] > realoff) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->sigid) { /* it's a partial signature */
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
/* if 2nd or later part, confirm some prior part has matched */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno != 1 && (!mdata->offmatrix[pt->sigid - 1] || !mdata->offmatrix[pt->sigid - 1][pt->partno - 2][0])) {
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if ((uint32_t)(pt->partno + 1) > mdata->min_partno)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
mdata->min_partno = pt->partno + 1;
/* sparsely populated matrix, so allocate and initialize if NULL */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!mdata->offmatrix[pt->sigid - 1]) {
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
mdata->offmatrix[pt->sigid - 1] = malloc(pt->parts * sizeof(int32_t *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!mdata->offmatrix[pt->sigid - 1]) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_scanbuff: Can't allocate memory for mdata->offmatrix[%u]\n", pt->sigid - 1);
return CL_EMEM;
}
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
mdata->offmatrix[pt->sigid - 1][0] = malloc(pt->parts * (CLI_DEFAULT_AC_TRACKLEN + 2) * sizeof(uint32_t));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!mdata->offmatrix[pt->sigid - 1][0]) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_scanbuff: Can't allocate memory for mdata->offmatrix[%u][0]\n", pt->sigid - 1);
free(mdata->offmatrix[pt->sigid - 1]);
mdata->offmatrix[pt->sigid - 1] = NULL;
return CL_EMEM;
}
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
memset(mdata->offmatrix[pt->sigid - 1][0], (uint32_t)-1, pt->parts * (CLI_DEFAULT_AC_TRACKLEN + 2) * sizeof(uint32_t));
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
mdata->offmatrix[pt->sigid - 1][0][0] = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (j = 1; j < pt->parts; j++) {
mdata->offmatrix[pt->sigid - 1][j] = mdata->offmatrix[pt->sigid - 1][0] + j * (CLI_DEFAULT_AC_TRACKLEN + 2);
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
mdata->offmatrix[pt->sigid - 1][j][0] = 0;
}
}
offmatrix = mdata->offmatrix[pt->sigid - 1];
found = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno != 1) {
for (j = 1; (j <= CLI_DEFAULT_AC_TRACKLEN + 1) && (offmatrix[pt->partno - 2][j] != (uint32_t)-1); j++) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
found = j;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (realoff < offmatrix[pt->partno - 2][j])
bb#8239 - added offset check to prevent integer wrap
2016-06-14 17:11:41 -04:00
found = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (found && pt->maxdist)
if (realoff - offmatrix[pt->partno - 2][j] > pt->maxdist)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
found = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (found && pt->mindist)
if (realoff - offmatrix[pt->partno - 2][j] < pt->mindist)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
found = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (found)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
break;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno == 2 && found > 1) {
swp = offmatrix[0][1];
offmatrix[0][1] = offmatrix[0][found];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
offmatrix[0][found] = swp;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->type != CL_TYPE_MSEXE) {
swp = offmatrix[pt->parts - 1][1];
offmatrix[pt->parts - 1][1] = offmatrix[pt->parts - 1][found];
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
offmatrix[pt->parts - 1][found] = swp;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno == 1 || (found && (pt->partno != pt->parts))) {
if (offmatrix[pt->partno - 1][0] == CLI_DEFAULT_AC_TRACKLEN + 1)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
offmatrix[pt->partno - 1][0] = 1; /* wrap, ends up at 2 */
offmatrix[pt->partno - 1][0]++;
offmatrix[pt->partno - 1][offmatrix[pt->partno - 1][0]] = offset + matchend;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->partno == 1) /* save realoff for the first part */
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
offmatrix[pt->parts - 1][offmatrix[pt->partno - 1][0]] = realoff;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (found && pt->partno == pt->parts) {
if (pt->type) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->type == CL_TYPE_IGNORED && (!pt->rtype || ftype == pt->rtype))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_TYPE_IGNORED;
Tests: All-match mode tests Add tests to verify an alert on the base file in addition to embedded file type recognition (for ZIPSFX extraction) and then subsequent detection of content extracted from the embedded zip.
2022-07-28 16:03:34 -07:00
if ((pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) &&
(pt->rtype == CL_TYPE_ANY || ftype == pt->rtype)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_dbgmsg("Matched signature for file type %s\n", pt->virname);
type = pt->type;
Tests: All-match mode tests Add tests to verify an alert on the base file in addition to embedded file type recognition (for ZIPSFX extraction) and then subsequent detection of content extracted from the embedded zip.
2022-07-28 16:03:34 -07:00
if ((ftoffset != NULL) &&
((*ftoffset == NULL) || (*ftoffset)->cnt < MAX_EMBEDDED_OBJ || type == CL_TYPE_ZIPSFX) && (type >= CL_TYPE_SFX || ((ftype == CL_TYPE_MSEXE || ftype == CL_TYPE_ZIP || ftype == CL_TYPE_MSOLE2) && type == CL_TYPE_MSEXE))) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
/* FIXME: the first offset in the array is most likely the correct one but
* it may happen it is not
*/
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (j = 1; j <= CLI_DEFAULT_AC_TRACKLEN + 1 && offmatrix[0][j] != (uint32_t)-1; j++)
if (ac_addtype(ftoffset, type, offmatrix[pt->parts - 1][j], ctx))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMEM;
}
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
memset(offmatrix[0], (uint32_t)-1, pt->parts * (CLI_DEFAULT_AC_TRACKLEN + 2) * sizeof(uint32_t));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (j = 0; j < pt->parts; j++)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
offmatrix[j][0] = 0;
}
} else { /* !pt->type */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->lsigid[0]) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
rc = lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], offmatrix[pt->parts - 1][1], 1);
if (rc != CL_SUCCESS)
return rc;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (res) {
newres = (struct cli_ac_result *)malloc(sizeof(struct cli_ac_result));
if (!newres) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", (unsigned long)sizeof(struct cli_ac_result));
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
newres->virname = pt->virname;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
newres->customdata = pt->customdata;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
newres->next = *res;
newres->offset = (off_t)offmatrix[pt->parts - 1][1];
*res = newres;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ctx && SCAN_ALLMATCHES) {
Fix all-match mode FP checks The `cli_append_virus()` function does an FP check. If it is an FP, it will return `CL_CLEAN` and the match/alert/virus should be discarded. This fix will respect FP verdicts when appending virus name in ac and bm matchers in all match mode.
2020-02-10 16:14:47 -05:00
ret = cli_append_virus(ctx, (const char *)pt->virname);
clang-format housekeeping
2021-06-18 12:56:38 -07:00
if (ret == CL_VIRUS) {
Fix all-match mode FP checks The `cli_append_virus()` function does an FP check. If it is an FP, it will return `CL_CLEAN` and the match/alert/virus should be discarded. This fix will respect FP verdicts when appending virus name in ac and bm matchers in all match mode.
2020-02-10 16:14:47 -05:00
viruses_found = 1;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
if (virname)
*virname = pt->virname;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (customdata)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*customdata = pt->customdata;
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
2018-07-20 22:28:48 -04:00
if (!ctx || !SCAN_ALLMATCHES)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_VIRUS;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
}
}
} else { /* old type signature */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->type) {
Tests: All-match mode tests Add tests to verify an alert on the base file in addition to embedded file type recognition (for ZIPSFX extraction) and then subsequent detection of content extracted from the embedded zip.
2022-07-28 16:03:34 -07:00
if (pt->type == CL_TYPE_IGNORED && (pt->rtype == CL_TYPE_ANY || ftype == pt->rtype))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_TYPE_IGNORED;
Tests: All-match mode tests Add tests to verify an alert on the base file in addition to embedded file type recognition (for ZIPSFX extraction) and then subsequent detection of content extracted from the embedded zip.
2022-07-28 16:03:34 -07:00
if ((pt->type > type || pt->type >= CL_TYPE_SFX || pt->type == CL_TYPE_MSEXE) &&
(pt->rtype == CL_TYPE_ANY || ftype == pt->rtype)) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_dbgmsg("Matched signature for file type %s at %u\n", pt->virname, realoff);
type = pt->type;
Tests: All-match mode tests Add tests to verify an alert on the base file in addition to embedded file type recognition (for ZIPSFX extraction) and then subsequent detection of content extracted from the embedded zip.
2022-07-28 16:03:34 -07:00
if ((ftoffset != NULL) &&
((*ftoffset == NULL) || (*ftoffset)->cnt < MAX_EMBEDDED_OBJ || type == CL_TYPE_ZIPSFX) && (type == CL_TYPE_MBR || type >= CL_TYPE_SFX || ((ftype == CL_TYPE_MSEXE || ftype == CL_TYPE_ZIP || ftype == CL_TYPE_MSOLE2) && type == CL_TYPE_MSEXE))) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ac_addtype(ftoffset, type, realoff, ctx))
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_EMEM;
}
}
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt->lsigid[0]) {
YARA: capture offsets in matcher and use for processing YARA condition 'at' clauses.
2015-03-30 17:12:01 -04:00
rc = lsig_sub_matched(root, mdata, pt->lsigid[1], pt->lsigid[2], realoff, 0);
if (rc != CL_SUCCESS)
return rc;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (res) {
newres = (struct cli_ac_result *)malloc(sizeof(struct cli_ac_result));
if (!newres) {
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
cli_errmsg("cli_ac_scanbuff: Can't allocate memory for newres %lu\n", (unsigned long)sizeof(struct cli_ac_result));
return CL_EMEM;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
newres->virname = pt->virname;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
newres->customdata = pt->customdata;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
newres->offset = (off_t)realoff;
newres->next = *res;
*res = newres;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ctx && SCAN_ALLMATCHES) {
Fix all-match mode FP checks The `cli_append_virus()` function does an FP check. If it is an FP, it will return `CL_CLEAN` and the match/alert/virus should be discarded. This fix will respect FP verdicts when appending virus name in ac and bm matchers in all match mode.
2020-02-10 16:14:47 -05:00
ret = cli_append_virus(ctx, (const char *)pt->virname);
clang-format housekeeping
2021-06-18 12:56:38 -07:00
if (ret == CL_VIRUS) {
Fix all-match mode FP checks The `cli_append_virus()` function does an FP check. If it is an FP, it will return `CL_CLEAN` and the match/alert/virus should be discarded. This fix will respect FP verdicts when appending virus name in ac and bm matchers in all match mode.
2020-02-10 16:14:47 -05:00
viruses_found = 1;
}
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
if (virname)
*virname = pt->virname;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (customdata)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
*customdata = pt->customdata;
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
2018-07-20 22:28:48 -04:00
if (!ctx || !SCAN_ALLMATCHES)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_VIRUS;
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
continue;
}
}
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
ptN = ptN->next_same;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
}
implemented second nocase AC matcher using full enumerations
2015-02-09 19:28:39 -08:00
pattN = pattN->next;
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
}
}
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
Scan_all: make sure flag reaches ac_scanbuff and cleaner clamd support
2013-06-13 15:01:39 -04:00
if (viruses_found)
Finish whitespace changes of matcher-ac.c
2014-11-11 16:48:19 -05:00
return CL_VIRUS;
filetype detection improvements git-svn: trunk@3662
2008-02-20 22:04:48 +00:00
return (mode & AC_SCAN_FT) ? type : CL_CLEAN;
Use new patter matching algorithm. Cleanup. git-svn: trunk@674
2004-07-19 17:54:40 +00:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
altstr: optimized fixed length alternate runtime
2015-05-21 15:04:22 -04:00
static int qcompare_byte(const void *a, const void *b)
optimize alt handling
2009-09-09 22:50:24 +02:00
{
fix some warnings
2010-01-27 16:06:12 +01:00
return *(const unsigned char *)a - *(const unsigned char *)b;
optimize alt handling
2009-09-09 22:50:24 +02:00
}
altstr: optimized fixed length alternate runtime
2015-05-21 15:04:22 -04:00
static int qcompare_fstr(const void *arg, const void *a, const void *b)
{
uint16_t len = *(uint16_t *)arg;
return memcmp(*(const unsigned char **)a, *(const unsigned char **)b, len);
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
/* returns if level of nesting, end set to MATCHING paren, start AFTER staring paren */
bb12221: Fix for subtle type-mismatch that could result in an infinite loop with a large number of sigs.
2018-11-16 11:50:48 -08:00
inline static size_t find_paren_end(char *hexstr, char **end)
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
{
bb12221: Fix for subtle type-mismatch that could result in an infinite loop with a large number of sigs.
2018-11-16 11:50:48 -08:00
size_t i;
size_t nest = 0, level = 0;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
*end = NULL;
for (i = 0; i < strlen(hexstr); i++) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (hexstr[i] == '(') {
nest++;
level++;
} else if (hexstr[i] == ')') {
if (!level) {
*end = &hexstr[i];
break;
}
level--;
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
return nest;
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
/* analyzes expr, returns number of subexpr, if fixed length subexpr and longest subexpr len *
* goes to either end of string or to closing parenthesis; allowed to be unbalanced *
* counts applied to start of expr (not end, i.e. numexpr starts at 1 for the first expr */
inline static int ac_analyze_expr(char *hexstr, int *fixed_len, int *sub_len)
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
{
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
unsigned long i;
int level = 0, len = 0, numexpr = 1;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
int flen, slen;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
flen = 1;
slen = 0;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
for (i = 0; i < strlen(hexstr); i++) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (hexstr[i] == '(') {
flen = 0;
level++;
} else if (hexstr[i] == ')') {
if (!level) {
if (!slen) {
slen = len;
} else if (len != slen) {
flen = 0;
if (len > slen)
slen = len;
}
break;
}
level--;
}
if (!level && hexstr[i] == '|') {
if (!slen) {
slen = len;
} else if (len != slen) {
flen = 0;
if (len > slen)
slen = len;
}
len = 0;
numexpr++;
} else {
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
if (hexstr[i] == '?')
flen = 0;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
len++;
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
ac-alt: check last altstr for fixed property in expr analysis
2015-09-01 16:13:00 -04:00
if (!slen) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
slen = len;
ac-alt: check last altstr for fixed property in expr analysis
2015-09-01 16:13:00 -04:00
} else if (len != slen) {
flen = 0;
if (len > slen)
slen = len;
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
if (sub_len)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
*sub_len = slen;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
if (fixed_len)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
*fixed_len = flen;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
return numexpr;
}
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
inline static int ac_uicmp(uint16_t *a, size_t alen, uint16_t *b, size_t blen, int *wild)
{
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
uint16_t awild, bwild, side_wild;
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
size_t i, minlen = MIN(alen, blen);
side_wild = 0;
for (i = 0; i < minlen; i++) {
awild = a[i] & CLI_MATCH_WILDCARD;
bwild = b[i] & CLI_MATCH_WILDCARD;
if (awild == bwild) {
switch (awild) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case CLI_MATCH_CHAR:
if ((a[i] & 0xff) != (b[i] & 0xff)) {
return (b[i] & 0xff) - (a[i] & 0xff);
}
break;
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
case CLI_MATCH_IGNORE:
break;
case CLI_MATCH_NIBBLE_HIGH:
if ((a[i] & 0xf0) != (b[i] & 0xf0)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
return (b[i] & 0xf0) - (a[i] & 0xf0);
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
}
break;
case CLI_MATCH_NIBBLE_LOW:
if ((a[i] & 0x0f) != (b[i] & 0x0f)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
return (b[i] & 0x0f) - (a[i] & 0x0f);
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
}
break;
default:
cli_errmsg("ac_uicmp: unhandled wildcard type\n");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
return 1;
}
} else { /* not identical wildcard types */
if (awild == CLI_MATCH_CHAR) { /* b is only wild */
switch (bwild) {
case CLI_MATCH_IGNORE:
side_wild |= 2;
break;
case CLI_MATCH_NIBBLE_HIGH:
if ((a[i] & 0xf0) != (b[i] & 0xf0)) {
return (b[i] & 0xf0) - (a[i] & 0xff);
}
side_wild |= 2;
break;
case CLI_MATCH_NIBBLE_LOW:
if ((a[i] & 0x0f) != (b[i] & 0x0f)) {
return (b[i] & 0x0f) - (a[i] & 0xff);
}
side_wild |= 2;
break;
default:
cli_errmsg("ac_uicmp: unhandled wildcard type\n");
return -1;
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
}
} else if (bwild == CLI_MATCH_CHAR) { /* a is only wild */
switch (awild) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case CLI_MATCH_IGNORE:
side_wild |= 1;
break;
case CLI_MATCH_NIBBLE_HIGH:
if ((a[i] & 0xf0) != (b[i] & 0xf0)) {
return (b[i] & 0xff) - (a[i] & 0xf0);
}
side_wild |= 1;
break;
case CLI_MATCH_NIBBLE_LOW:
if ((a[i] & 0x0f) != (b[i] & 0x0f)) {
return (b[i] & 0xff) - (a[i] & 0x0f);
}
side_wild |= 1;
break;
default:
cli_errmsg("ac_uicmp: unhandled wild typing\n");
return 1;
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
}
} else { /* not identical, both wildcards */
if (awild == CLI_MATCH_IGNORE || bwild == CLI_MATCH_IGNORE) {
if (awild == CLI_MATCH_IGNORE) {
side_wild |= 1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (bwild == CLI_MATCH_IGNORE) {
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
side_wild |= 2;
}
} else {
/* only high and low nibbles should be left here */
side_wild |= 3;
}
}
}
/* both sides contain a wildcard that contains the other, therefore unique by wildcards */
if (side_wild == 3)
return 1;
}
if (wild)
*wild = side_wild;
return 0;
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
/* add new generic alternate node to special */
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
inline static int ac_addspecial_add_alt_node(const char *subexpr, uint8_t sigopts, struct cli_ac_special *special, struct cli_matcher *root)
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
{
Speed up freeing of signatures Speed up freeing of signatures by tracking all malloced blocks instead of having to find duplicates in our data structures on signature unload.
2022-09-30 10:43:55 -07:00
struct cli_alt_node *newnode = NULL;
struct cli_alt_node **prev = NULL;
struct cli_alt_node *ins = NULL;
uint16_t *s = NULL;
int i = 0;
int cmp = 0;
int wild = 0;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
#ifndef USE_MPOOL
UNUSEDPARAM(root);
#endif
newnode = (struct cli_alt_node *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_alt_node));
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
if (!newnode) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("ac_addspecial_add_alt_node: Can't allocate new alternate node\n");
return CL_EMEM;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
s = CLI_MPOOL_HEX2UI(root->mempool, subexpr);
matcher-ac: wildcard support for variable alternates (needs optimization)
2015-05-18 09:59:04 -04:00
if (!s) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newnode);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return CL_EMALFDB;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
newnode->str = s;
newnode->len = (uint16_t)strlen(subexpr) / 2;
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
newnode->unique = 1;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
/* setting nocase match */
if (sigopts & ACPATT_OPTION_NOCASE) {
for (i = 0; i < newnode->len; ++i)
if ((newnode->str[i] & CLI_MATCH_METADATA) == CLI_MATCH_CHAR) {
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
newnode->str[i] = CLI_NOCASE(newnode->str[i] & 0xff);
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
newnode->str[i] += CLI_MATCH_NOCASE;
}
}
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
/* search for uniqueness, TODO: directed acyclic word graph */
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
prev = &((special->alt).v_str);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ins = (special->alt).v_str;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
while (ins) {
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
cmp = ac_uicmp(ins->str, ins->len, newnode->str, newnode->len, &wild);
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
if (cmp == 0) {
if (newnode->len != ins->len) { /* derivative */
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
newnode->unique = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ins->unique = 0;
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
} else if (wild == 0) { /* duplicate */
Fix small leak when loading invalid FTM signatures Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43844
2022-04-19 18:46:27 -04:00
MPOOL_FREE(root->mempool, newnode->str);
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newnode);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return CL_SUCCESS;
}
altstr: vstr duplicate trimming and uniqueness optimization
2015-05-21 18:46:34 -04:00
} /* TODO - possible sorting of altstr uniques and derivative groups? */
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
prev = &(ins->next);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ins = ins->next;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*prev = newnode;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
newnode->next = ins;
ac_special: tracks both the min and max lengths
2015-07-01 16:53:07 -04:00
if ((special->num == 0) || (newnode->len < special->len[0]))
special->len[0] = newnode->len;
if ((special->num == 0) || (newnode->len > special->len[1]))
special->len[1] = newnode->len;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
special->num++;
return CL_SUCCESS;
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
/* recursive special handler for expanding and adding generic alternates */
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
static int ac_special_altexpand(char *hexpr, char *subexpr, uint16_t maxlen, int lvl, int maxlvl, uint8_t sigopts, struct cli_ac_special *special, struct cli_matcher *root)
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
{
int ret, scnt = 0, numexpr;
char *ept, *sexpr, *end, term;
char *fp;
ept = sexpr = hexpr;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
fp = subexpr + strlen(subexpr);
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
numexpr = ac_analyze_expr(hexpr, NULL, NULL);
/* while there are expressions to resolve */
while (scnt < numexpr) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
scnt++;
while ((*ept != '(') && (*ept != '|') && (*ept != ')') && (*ept != '\0'))
ept++;
/* check for invalid negation */
term = *ept;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((*ept == '(') && (ept >= hexpr + 1)) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (ept[-1] == '!') {
cli_errmsg("ac_special_altexpand: Generic alternates cannot contain negations\n");
return CL_EMALFDB;
}
}
/* appended token */
*ept = 0;
if (cli_strlcat(subexpr, sexpr, maxlen) >= maxlen) {
cli_errmsg("ac_special_altexpand: Unexpected expression larger than expected\n");
return CL_EMEM;
}
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
*ept++ = term;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
sexpr = ept;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (term == '|') {
if (lvl == 0) {
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
if ((ret = ac_addspecial_add_alt_node(subexpr, sigopts, special, root)) != CL_SUCCESS)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
} else {
find_paren_end(ept, &end);
if (!end) {
cli_errmsg("ac_special_altexpand: Missing closing parenthesis\n");
return CL_EMALFDB;
}
end++;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = ac_special_altexpand(end, subexpr, maxlen, lvl - 1, lvl, sigopts, special, root)) != CL_SUCCESS)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
}
*fp = 0;
} else if (term == ')') {
if (lvl == 0) {
cli_errmsg("ac_special_altexpand: Unexpected closing parenthesis\n");
return CL_EPARSE;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = ac_special_altexpand(ept, subexpr, maxlen, lvl - 1, lvl, sigopts, special, root)) != CL_SUCCESS)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
break;
} else if (term == '(') {
int inner, found;
find_paren_end(ept, &end);
if (!end) {
cli_errmsg("ac_special_altexpand: Missing closing parenthesis\n");
return CL_EMALFDB;
}
end++;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = ac_special_altexpand(ept, subexpr, maxlen, lvl + 1, lvl + 1, sigopts, special, root)) != CL_SUCCESS)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
/* move ept to end of current alternate expression (recursive call already populates them) */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ept = end;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
inner = 0;
found = 0;
while (!found && *ept != '\0') {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
switch (*ept) {
case '|':
if (!inner)
found = 1;
break;
case '(':
inner++;
break;
case ')':
inner--;
break;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
}
ept++;
}
if (*ept == '|')
ept++;
sexpr = ept;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
*fp = 0;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
} else if (term == '\0') {
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
if ((ret = ac_addspecial_add_alt_node(subexpr, sigopts, special, root)) != CL_SUCCESS)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return ret;
break;
}
if (lvl != maxlvl)
return CL_SUCCESS;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
if (scnt != numexpr) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("ac_addspecial: Mismatch in parsed and expected signature\n");
return CL_EMALFDB;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
return CL_SUCCESS;
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
/* alternate string specials (so many specials!) */
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
inline static int ac_special_altstr(const char *hexpr, uint8_t sigopts, struct cli_ac_special *special, struct cli_matcher *root)
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
{
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
char *hexprcpy, *h, *c;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
int i, ret, num, fixed, slen;
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
if (!(hexprcpy = cli_safer_strdup(hexpr))) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("ac_special_altstr: Can't duplicate alternate expression\n");
return CL_EDUP;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
num = ac_analyze_expr(hexprcpy, &fixed, &slen);
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
if (!sigopts && fixed) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
special->num = 0;
ac_special: tracks both the min and max lengths
2015-07-01 16:53:07 -04:00
special->len[0] = special->len[1] = slen / 2;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
/* single-bytes are len 2 in hex */
if (slen == 2) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
special->type = AC_SPECIAL_ALT_CHAR;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
(special->alt).byte = (unsigned char *)MPOOL_MALLOC(root->mempool, num);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (!((special->alt).byte)) {
cli_errmsg("cli_ac_special_altstr: Can't allocate newspecial->str\n");
free(hexprcpy);
return CL_EMEM;
}
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
special->type = AC_SPECIAL_ALT_STR_FIXED;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
(special->alt).f_str = (unsigned char **)MPOOL_MALLOC(root->mempool, num * sizeof(unsigned char *));
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if (!((special->alt).f_str)) {
cli_errmsg("cli_ac_special_altstr: Can't allocate newspecial->str\n");
free(hexprcpy);
return CL_EMEM;
}
}
for (i = 0; i < num; i++) {
if (num == 1) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
c = CLI_MPOOL_HEX2STR(root->mempool, hexprcpy);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(h = cli_strtok(hexprcpy, i, "|"))) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
free(hexprcpy);
return CL_EMEM;
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
c = CLI_MPOOL_HEX2STR(root->mempool, h);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
free(h);
}
if (!c) {
free(hexprcpy);
return CL_EMALFDB;
}
if (special->type == AC_SPECIAL_ALT_CHAR) {
fixed minor warnings regarding type conversions.
2017-08-08 17:38:17 -04:00
(special->alt).byte[i] = (unsigned char)*c;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, c);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
(special->alt).f_str[i] = (unsigned char *)c;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
}
special->num++;
}
/* sorting byte alternates */
if (special->num > 1 && special->type == AC_SPECIAL_ALT_CHAR)
altstr: optimized fixed length alternate runtime
2015-05-21 15:04:22 -04:00
cli_qsort((special->alt).byte, special->num, sizeof(unsigned char), qcompare_byte);
/* sorting str alternates */
if (special->num > 1 && special->type == AC_SPECIAL_ALT_STR_FIXED)
cli_qsort_r((special->alt).f_str, special->num, sizeof(unsigned char *), qcompare_fstr, &(special->len));
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
} else { /* generic alternates */
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
char *subexpr;
if (special->negative) {
cli_errmsg("ac_special_altstr: Can't apply negation operation to generic alternate strings\n");
free(hexprcpy);
return CL_EMALFDB;
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
special->type = AC_SPECIAL_ALT_STR;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
/* allocate reusable subexpr */
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
if (!(subexpr = calloc(slen + 1, sizeof(char)))) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("ac_special_altstr: Can't allocate subexpr container\n");
cid 12207 - fix error state for allocating altstr container
2015-08-17 12:30:07 -04:00
free(hexprcpy);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return CL_EMEM;
}
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ret = ac_special_altexpand(hexprcpy, subexpr, slen + 1, 0, 0, sigopts, special, root);
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
free(subexpr);
free(hexprcpy);
return ret;
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
}
matcher-ac: expansion of nested alternates within alternate expr matcher-ac: three types of alternates: byte, fixed, and generic (variable)
2015-05-13 17:48:22 -04:00
free(hexprcpy);
matcher-ac: basic framework+debug for processing nested alternates
2015-05-11 11:55:43 -04:00
return CL_SUCCESS;
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
/* FIXME: clean up the code */
Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings.
2019-02-27 00:47:38 -05:00
cl_error_t cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hexsig, uint8_t sigopts, uint32_t sigid, uint16_t parts, uint16_t partno, uint16_t rtype, uint16_t type, uint32_t mindist, uint32_t maxdist, const char *offset, const uint32_t *lsigid, unsigned int options)
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
{
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
struct cli_ac_patt *new;
char *pt, *pt2, *hex = NULL, *hexcpy = NULL;
uint16_t i, j, ppos = 0, pend, *dec, nzpos = 0;
converted sigopts from char string to uint8_t
2015-02-20 18:13:28 -05:00
uint8_t wprefix = 0, zprefix = 1, plen = 0, nzplen = 0;
adding back changes to eliminate warnings from mspack, matcher, others, and readdb.
2017-09-21 13:10:01 -04:00
struct cli_ac_special *newspecial, **newtable;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
int ret, error = CL_SUCCESS;
Image fuzzy hash: new logical sub-signature feature Add a new logical signature subsignature type for matching on images with image fuzzy hashes. Image fuzzy hash subsigantures follow this format: fuzzy_img#<hash>#<dist> In this initial implementation, the hamming distance (dist) is ignored and only exact fuzzy hash matches will alert. Fuzzy hash matching is only performed for supported image types. Also: removed some excessive debug log messages on start-up. Fixed an issue where the signature name (virname) is being allocated and stored for every subsignature or even ever sub-pattern in an AC-pattern (i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard. This fix is only for LDB subsigs though. NDB signatures are still allocaing one virname per sub-pattern. This fix was required because I needed a place to store the virname with fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig metadatathe way AC-pattern, PCRE, and BComp subsigs were doing it wouldn't work because it would cross the C-Rust FFI boundary and giving pointers to Rust allocated stuff is dicey. Not to mention native Rust strings are different thatn C strings. Anyways, the correct thing to do was to store the virname with the actual logical signature. TODO: Keep track of NDB signatures in the same way and store the virname for NDB sigs there instead of in AC-patterns so that we can get rid of the virname field in the AC-pattern struct.
2021-04-21 16:24:24 -07:00
char *virname_copy = NULL;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_errmsg("cli_ac_addsig: root == NULL\n");
return CL_ENULLARG;
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (strlen(hexsig) / 2 < root->ac_mindepth) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_errmsg("cli_ac_addsig: Signature for %s is too short\n", virname);
return CL_EMALFDB;
return codes cleanup (bb#1159) git-svn: trunk@4749
2009-02-12 13:53:23 +00:00
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
if ((new = (struct cli_ac_patt *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_ac_patt))) == NULL)
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return CL_EMEM;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
new->rtype = rtype;
new->type = type;
new->sigid = sigid;
new->parts = parts;
new->partno = partno;
new->mindist = mindist;
new->maxdist = maxdist;
allow custom data to be associated with patterns (such as a regex) via a void* field. Fix memory leaks, and valgrind problems in regex_list_done. git-svn: trunk@3994
2008-07-25 20:01:40 +00:00
new->customdata = NULL;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
new->ch[0] |= CLI_MATCH_IGNORE;
new->ch[1] |= CLI_MATCH_IGNORE;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (lsigid) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
new->lsigid[0] = 1;
memcpy(&new->lsigid[1], lsigid, 2 * sizeof(uint32_t));
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
}
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (strchr(hexsig, '[')) {
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
if (!(hexcpy = cli_safer_strdup(hexsig))) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return CL_EMEM;
}
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
hex = hexcpy;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < 2; i++) {
allow anchored hexsigs to use single numbers for whitespace
2015-02-11 09:02:27 -08:00
unsigned int n, n1, n2;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(pt = strchr(hex, '[')))
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
break;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
*pt++ = 0;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!(pt2 = strchr(pt, ']'))) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_dbgmsg("cli_ac_addsig: missing closing square bracket\n");
error = CL_EMALFDB;
break;
}
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
*pt2++ = 0;
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
allow anchored hexsigs to use single numbers for whitespace
2015-02-11 09:02:27 -08:00
n = sscanf(pt, "%u-%u", &n1, &n2);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (n == 1) {
allow anchored hexsigs to use single numbers for whitespace
2015-02-11 09:02:27 -08:00
n2 = n1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (n != 2) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_dbgmsg("cli_ac_addsig: incorrect range inside square brackets\n");
error = CL_EMALFDB;
break;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((n1 > n2) || (n2 > AC_CH_MAXDIST)) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_dbgmsg("cli_ac_addsig: incorrect range inside square brackets\n");
error = CL_EMALFDB;
break;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (strlen(hex) == 2) {
if (i) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
error = CL_EMALFDB;
break;
}
dec = cli_hex2ui(hex);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!dec) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
error = CL_EMALFDB;
break;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((sigopts & ACPATT_OPTION_NOCASE) && ((*dec & CLI_MATCH_METADATA) == CLI_MATCH_CHAR))
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
new->ch[i] = CLI_NOCASE(*dec) | CLI_MATCH_NOCASE;
added nocase support for anchored hexsigs
2015-02-11 10:20:07 -08:00
else
new->ch[i] = *dec;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
free(dec);
new->ch_mindist[i] = n1;
new->ch_maxdist[i] = n2;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hex = pt2;
} else if (strlen(pt2) == 2) {
i = 1;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
dec = cli_hex2ui(pt2);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!dec) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
error = CL_EMALFDB;
break;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((sigopts & ACPATT_OPTION_NOCASE) && ((*dec & CLI_MATCH_METADATA) == CLI_MATCH_CHAR))
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
new->ch[i] = CLI_NOCASE(*dec) | CLI_MATCH_NOCASE;
added nocase support for anchored hexsigs
2015-02-11 10:20:07 -08:00
else
new->ch[i] = *dec;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
free(dec);
new->ch_mindist[i] = n1;
new->ch_maxdist[i] = n2;
} else {
error = CL_EMALFDB;
break;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (error) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
free(hexcpy);
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return error;
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
hex = cli_safer_strdup(hex);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
free(hexcpy);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!hex) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return CL_EMEM;
}
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (strchr(hexsig, '(')) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
char *hexnew, *start;
bb12221: Fix for subtle type-mismatch that could result in an infinite loop with a large number of sigs.
2018-11-16 11:50:48 -08:00
size_t nest;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
size_t hexnewsz;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (hex) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
hexcpy = hex;
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
} else if (!(hexcpy = cli_safer_strdup(hexsig))) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return CL_EMEM;
}
hexnewsz = strlen(hexsig) + 1;
Remove additional memory allocation limits relating to signature load Variables like the number of signature parts are considered trusted user input and so allocations based on those values need not check the memory allocation limit. Specifically for the allocation of the normalized buffer in cli_scanscript, I determined that the size of SCANBUFF is fixed and so safe, and the maxpatlen comes from the signature load and is therefore also trusted, so we do not need to check the allocation limit.
2024-01-09 17:17:48 -05:00
if (!(hexnew = (char *)calloc(1, hexnewsz))) {
Fix possible invalid free (#507) 'new' is allocated by mpool, so should be freed by the mpool free function. This issue is not a vulnerability Resolves: https://github.com/Cisco-Talos/clamav/issues/430
2022-03-22 20:06:22 -04:00
MPOOL_FREE(root->mempool, new);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
free(hexcpy);
return CL_EMEM;
}
start = pt = hexcpy;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
while ((pt = strchr(start, '('))) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
*pt++ = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!start) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
error = CL_EMALFDB;
break;
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
newspecial = (struct cli_ac_special *)MPOOL_CALLOC(root->mempool, 1, sizeof(struct cli_ac_special));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!newspecial) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("cli_ac_addsig: Can't allocate newspecial\n");
error = CL_EMEM;
break;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (pt >= hexcpy + 2) {
if (pt[-2] == '!') {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
newspecial->negative = 1;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
pt[-2] = 0;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
}
}
cli_strlcat(hexnew, start, hexnewsz);
nest = find_paren_end(pt, &start);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!start) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("cli_ac_addsig: Missing closing parenthesis\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
error = CL_EMALFDB;
break;
}
*start++ = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!strlen(pt)) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("cli_ac_addsig: Empty block\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
error = CL_EMALFDB;
break;
}
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
if (nest > ACPATT_ALTN_MAXNEST) {
cli_errmsg("ac_addspecial: Expression exceeds maximum alternate nesting limit\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac: fix error case handling
2016-07-12 12:46:16 -04:00
error = CL_EMALFDB;
break;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
}
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
/*
* Detect special character classes
* - (B) word boundary
* - (L) CR, CRLF line boundaries
* - (W) Non-alphanumeric character
*
* For more details: https://docs.clamav.net/manual/Signatures/BodySignatureFormat.html#character-classes
*/
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!strcmp(pt, "B")) {
if (!*start) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_BOUNDARY_RIGHT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_BOUNDARY_RIGHT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (pt - 1 == hexcpy) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_BOUNDARY_LEFT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_BOUNDARY_LEFT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (!strcmp(pt, "L")) {
if (!*start) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_LINE_MARKER_RIGHT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_LINE_MARKER_RIGHT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (pt - 1 == hexcpy) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_LINE_MARKER_LEFT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_LINE_MARKER_LEFT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (!strcmp(pt, "W")) {
if (!*start) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_WORD_MARKER_RIGHT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_WORD_MARKER_RIGHT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (pt - 1 == hexcpy) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_WORD_MARKER_LEFT;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (newspecial->negative)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->boundary |= AC_WORD_MARKER_LEFT_NEGATIVE;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
continue;
}
}
cli_strlcat(hexnew, "()", hexnewsz);
new->special++;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
newtable = (struct cli_ac_special **)MPOOL_REALLOC(root->mempool, new->special_table, new->special * sizeof(struct cli_ac_special *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!newtable) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->special--;
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, newspecial);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_errmsg("cli_ac_addsig: Can't realloc new->special_table\n");
error = CL_EMEM;
break;
}
newtable[new->special - 1] = newspecial;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
new->special_table = newtable;
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!strcmp(pt, "B")) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
newspecial->type = AC_SPECIAL_BOUNDARY;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (!strcmp(pt, "L")) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
newspecial->type = AC_SPECIAL_LINE_MARKER;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else if (!strcmp(pt, "W")) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
newspecial->type = AC_SPECIAL_WORD_MARKER;
} else {
ac_special_altstr: sigopt support
2015-05-19 12:04:59 -04:00
if ((ret = ac_special_altstr(pt, sigopts, newspecial, root)) != CL_SUCCESS) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
error = ret;
break;
}
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (start)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
cli_strlcat(hexnew, start, hexnewsz);
hex = hexnew;
free(hexcpy);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (error) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
free(hex);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (new->special) {
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
mpool_ac_free_special(root->mempool, new);
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
return error;
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
/*
* Convert the hex string pattern to a uint16_t* pattern (flags + byte) patterns.
*/
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
new->pattern = CLI_MPOOL_HEX2UI(root->mempool, hex ? hex : hexsig);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (new->pattern == NULL) {
if (new->special)
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
mpool_ac_free_special(root->mempool, new);
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
free(hex);
return CL_EMALFDB;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
HIGLY EXPERIMENTAL memory pool for libclamav The goal is to put an end to memory wasted due to stupid allocators and fragmentation In the long run mpool libraries will be replaced with better code. For now there just good enough. This branch is currently under development and totally broken. If it will ever compile, it'll probably result in random crashes or at least (slightly) higher load times. The code is also terrible, just don't look. Do not use except for testing. git-svn-id: file:///var/lib/svn/clamav-devel/branches/mpool@4266 77e5149b-7576-45b1-b177-96237e5ba77b
2008-10-17 17:00:13 +00:00
eliminating compile warnings in windows 10, vs2015, x86 and x64.
2017-08-31 16:38:41 -04:00
new->length[0] = (uint16_t)strlen(hex ? hex : hexsig) / 2;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (new->length[0] < root->ac_mindepth) {
cli_errmsg("cli_ac_addsig: Subpattern in signature is shorter than the minimum depth of the AC trie. (%u < %u)\n", new->length[0], root->ac_mindepth);
if (new->special)
mpool_ac_free_special(root->mempool, new);
MPOOL_FREE(root->mempool, new->pattern);
MPOOL_FREE(root->mempool, new);
free(hex);
return CL_EMALFDB;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0, j = 0; i < new->length[0]; i++) {
if ((new->pattern[i] & CLI_MATCH_METADATA) == CLI_MATCH_SPECIAL) {
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
new->length[1] += new->special_table[j]->len[0];
new->length[2] += new->special_table[j]->len[1];
j++;
} else {
new->length[1]++;
new->length[2]++;
}
}
add support for matching single bytes anchored to sub-signatures; bump f-level git-svn: trunk@3588
2008-02-06 12:26:16 +00:00
free(hex);
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
converted sigopts from char string to uint8_t
2015-02-20 18:13:28 -05:00
new->sigopts = sigopts;
matcher-ac: minor change to bp movement for specials
2015-05-14 14:44:06 -04:00
/* setting nocase match */
converted sigopts from char string to uint8_t
2015-02-20 18:13:28 -05:00
if (sigopts & ACPATT_OPTION_NOCASE) {
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
for (i = 0; i < new->length[0]; i++)
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
if ((new->pattern[i] & CLI_MATCH_METADATA) == CLI_MATCH_CHAR) {
bb12370 - cli_strndup and other str* replacements must be built and exported for every OS to be used outside of libclamav on systems that don't have the original functions (e.g. strndup). This commit renames the macros to be uppercase, renames the replacement functions to be preceeded with two understores (e.g. __cli_strndup), and removes the ifdef's so that they are built regardless, because there are no ifdefs in libclamav.map.
2019-08-22 16:51:01 -04:00
new->pattern[i] = CLI_NOCASE(new->pattern[i] & 0xff);
matcher-ac.c: whitespace consistency [tabs->spaces]
2015-05-14 12:23:56 -04:00
new->pattern[i] += CLI_MATCH_NOCASE;
}
[WIP] added nocase support to clamav ac algorithm
2015-02-05 20:52:18 -08:00
}
alternative code clean-up (cli_altnmsg)
2015-05-22 10:51:48 -04:00
/* TODO - sigopts affect on filters? */
if (root->filter) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
/* so that we can show meaningful messages */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
new->virname = (char *)virname;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
if (filter_add_acpatt(root->filter, new) == -1) {
A-C pattern match code cleanup, add comments
2022-02-12 14:53:44 -08:00
cli_warnmsg("cli_ac_addsig: cannot use filter for trie\n");
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, root->filter);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
root->filter = NULL;
Abort signature load for short signature patterns If a signature has a pattern that is too short will fail to load the signature but does not cause the entire load process to abort. This is bad for two reasons: 1) It is not immediately apparent that the signature is bad, and so it could be published accidentally. 2) The signature is partially loaded by the time the bad pattern is observed and that may cause a crash later. Because of (1), it is not worth it to try to unload the first part of the signature. Instead, we should just abort the signature load. Fixes: https://github.com/Cisco-Talos/clamav/issues/923 We should also abort loading if the filter pattern for the boyer-moore matcher is shorter than 2 bytes. Also, do not print the final "Loading" progress bar if an error occurred.
2023-06-12 18:03:45 -07:00
return CL_EMALFDB;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
}
/* TODO: should this affect maxpatlen? */
Add the rest of the prefiltering glue code. This is still disabled for now (see the & 0).
2010-02-10 11:39:47 +02:00
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
/*
* Check beginning bytes of the pattern up to the max-depth of the AC trie to see if:
* a. it contains a wildcard, or
* b. the bytes are all zeroes.
*
* If it does, we can try to shift the start of the pattern the right, have those beginning
* bytes be a "prefix" which gets backwards-matched after the AC match.
* This happens in the call to ac_backward_match_branch() in ac_forward_match_branch()
*/
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < root->ac_maxdepth && i < new->length[0]; i++) {
if (new->pattern[i] & CLI_MATCH_WILDCARD) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
wprefix = 1;
break;
}
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (zprefix && 0 != new->pattern[i]) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
zprefix = 0;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (wprefix || zprefix) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
/*
* This pattern has a wildcard in the first few bytes or starts with some zeroes.
* We'll try to shift the start of the pattern right a bit to find a static subpattern to use for the bytes that go in the A-C trie.
*/
// If needed, we can shift the start of the pattern that goes in the A-C Trie right up to the pattern length minus min-depth bytes
// The original starting bytes will become a "prefix" that gets backward-matched.
matcher-ac: converted length fields to arrays
2015-07-02 14:41:37 -04:00
pend = new->length[0] - root->ac_mindepth + 1;
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// Search for static bytes to start the pattern in the A-C trie that starts within original min-depth, and of a length up to max-depth.
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0; i < pend; i++) {
for (j = i; j < i + root->ac_maxdepth && j < new->length[0]; j++) {
if (new->pattern[j] & CLI_MATCH_WILDCARD) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// Found a wildcard. Shift the pattern start right a byte, relegating this byte to the "prefix"
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
break;
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// This byte is a contender for the start of the pattern.
// Record the start + length of the shifted prefix.
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (j - i + 1 >= plen) {
plen = j - i + 1;
ppos = i;
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// Check if the starting bytes at this offset are both non-zero. If they are, then that's even better.
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if ((0 != new->pattern[ppos]) ||
((new->length[0] > ppos + 1) && (0 != new->pattern[ppos + 1]))) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// At least one of the first two bytes is non-zero which would be better than starting with two zeroes.
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (plen >= root->ac_maxdepth) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// But... we hit max-depth, so nevermind. Let's stop searching.
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
break;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// Save off the position and length so we can roll back to it later, if needed.
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (plen >= root->ac_mindepth && plen > nzplen) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// We've found a longer sequence of non-zero bytes we could use for the AC pattern starting position.
// Store off the length and position of this starting position with the non-zero bytes, in case we want to roll back to it.
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
nzplen = plen;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
nzpos = ppos;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
}
}
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (plen >= root->ac_maxdepth && (0 != new->pattern[ppos] || 0 != new->pattern[ppos + 1])) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
break;
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
}
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
}
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if ((0 != nzplen) &&
(new->length[0] > ppos + 1) &&
(0 == new->pattern[ppos]) &&
(0 == new->pattern[ppos + 1])) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// The latest shifted position starts with two zeroes.
// We found a valid static pattern earlier that doesn't start with two zeroes.
// Let's roll back a little bit to use that instead.
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
plen = nzplen;
ppos = nzpos;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (plen < root->ac_mindepth) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_errmsg("cli_ac_addsig: Can't find a static subpattern of length %u\n", root->ac_mindepth);
mpool_ac_free_special(root->mempool, new);
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new->pattern);
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return CL_EMALFDB;
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
Fix typos (no functional changes)
2023-11-26 15:01:19 -08:00
// Store those initial bytes as the pattern "prefix" (the stuff before what goes in the AC Trie)
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
new->prefix = new->pattern;
// The "prefix" length is the number of bytes before the starting position of the pattern that goes in the AC Trie.
matcher-ac: converted length fields to arrays
2015-07-02 14:41:37 -04:00
new->prefix_length[0] = ppos;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
for (i = 0, j = 0; i < new->prefix_length[0]; i++) {
if ((new->prefix[i] & CLI_MATCH_WILDCARD) == CLI_MATCH_SPECIAL)
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
new->special_pattern++;
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((new->prefix[i] & CLI_MATCH_METADATA) == CLI_MATCH_SPECIAL) {
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
new->prefix_length[1] += new->special_table[j]->len[0];
new->prefix_length[2] += new->special_table[j]->len[1];
j++;
} else {
new->prefix_length[1]++;
new->prefix_length[2]++;
}
}
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// Update the pattern to start at the shifted position with the static bytes.
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
new->pattern = &new->prefix[ppos];
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// And update the pattern length to remove the prefix bytes.
matcher-ac: added calc and storage for min/max lengths
2015-07-02 15:06:04 -04:00
new->length[0] -= new->prefix_length[0];
new->length[1] -= new->prefix_length[1];
new->length[2] -= new->prefix_length[2];
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
if (new->length[2] + new->prefix_length[2] > root->maxpatlen) {
Add code comments to explain AC pattern prefix process When adding a pattern to the AC trie, checks are done to make sure the bytes that go in the AC trie don't have any `?` wildcards and additionally that the first two bytes are not "\x00\x00". If they are, the position of the pattern that goes in the AC trie can be shifted right until a static pattern is identified that can go in the AC trie. Any bytes to the left of the new start of the pattern become a "prefix". During matching, once the AC trie match occurs and the bytes to the right of that pattern are matched, then the bytes from the prefix are matched. The reason that we don't want the bytes that go in the AC trie to start with "\x00\x00" is that it is such a common pattern in files that it would match constantly, and the scan process would spend a lot of time just checking through the list of patterns associated with a "\x00\x00" AC match, and that'd be crazy slow. But it is important to note that when shifting right, if there aren't enough nonzero, non-wildcard bytes to form a good prefix for the AC trie, that it is tolerable to bend the rule and let some patterns start with "\x00\x00". In that way, a small pattern like "0000ab" is still valid, and can be matched.
2022-06-04 12:38:55 -07:00
// This is the longest pattern we've stored. Update our max-pattern-length record
matcher-ac: fixed prefix verification for fixed multi-byte alts
2015-07-02 15:37:19 -04:00
root->maxpatlen = new->length[2] + new->prefix_length[2];
Fix possible 2-byte overread when adding sig pattern It is possible to create a signature pattern that tries to add a zero-byte matching pattern to the A-C trie. A missing check at this stage can end up with a 2-byte overread when indexing the (empty) pattern to make sure the bytes added to the A-C trie are static and not both zero. This over read issue is not a vulnerability. This commit fixes the issue by adding a check for the pattern length. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43832 Also added: - type casts and a "fall-through" comment to silence compile warnings. - a few additional length checks to protect against an additional 1-byte over read.
2022-06-04 12:08:51 -07:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
Image fuzzy hash: new logical sub-signature feature Add a new logical signature subsignature type for matching on images with image fuzzy hashes. Image fuzzy hash subsigantures follow this format: fuzzy_img#<hash>#<dist> In this initial implementation, the hamming distance (dist) is ignored and only exact fuzzy hash matches will alert. Fuzzy hash matching is only performed for supported image types. Also: removed some excessive debug log messages on start-up. Fixed an issue where the signature name (virname) is being allocated and stored for every subsignature or even ever sub-pattern in an AC-pattern (i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard. This fix is only for LDB subsigs though. NDB signatures are still allocaing one virname per sub-pattern. This fix was required because I needed a place to store the virname with fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig metadatathe way AC-pattern, PCRE, and BComp subsigs were doing it wouldn't work because it would cross the C-Rust FFI boundary and giving pointers to Rust allocated stuff is dicey. Not to mention native Rust strings are different thatn C strings. Anyways, the correct thing to do was to store the virname with the actual logical signature. TODO: Keep track of NDB signatures in the same way and store the virname for NDB sigs there instead of in AC-patterns so that we can get rid of the virname field in the AC-pattern struct.
2021-04-21 16:24:24 -07:00
if (0 == new->lsigid[0]) {
/* For logical signatures, we already recorded the virname in the lsig table entry.
* For other signature types, continue to store a copy of the virname in each ac_pattern struct.
*
* TODO: Don't make a copy of the virname for every ac pattern,
* because that makes for multipel copies every time a signature has wildcards.
*/
virname_copy = CLI_MPOOL_VIRNAME(root->mempool, virname, options & CL_DB_OFFICIAL);
if (NULL == virname_copy) {
MPOOL_FREE(root->mempool, new->prefix ? new->prefix : new->pattern);
mpool_ac_free_special(root->mempool, new);
MPOOL_FREE(root->mempool, new);
return CL_EMEM;
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
Image fuzzy hash: new logical sub-signature feature Add a new logical signature subsignature type for matching on images with image fuzzy hashes. Image fuzzy hash subsigantures follow this format: fuzzy_img#<hash>#<dist> In this initial implementation, the hamming distance (dist) is ignored and only exact fuzzy hash matches will alert. Fuzzy hash matching is only performed for supported image types. Also: removed some excessive debug log messages on start-up. Fixed an issue where the signature name (virname) is being allocated and stored for every subsignature or even ever sub-pattern in an AC-pattern (i.e. NDB sig or LDB subsig) containing a `{n-m}` or `*` wildcard. This fix is only for LDB subsigs though. NDB signatures are still allocaing one virname per sub-pattern. This fix was required because I needed a place to store the virname with fuzzy-hash subsignatures. Storing it in the fuzzy-hash subsig metadatathe way AC-pattern, PCRE, and BComp subsigs were doing it wouldn't work because it would cross the C-Rust FFI boundary and giving pointers to Rust allocated stuff is dicey. Not to mention native Rust strings are different thatn C strings. Anyways, the correct thing to do was to store the virname with the actual logical signature. TODO: Keep track of NDB signatures in the same way and store the virname for NDB sigs there instead of in AC-patterns so that we can get rid of the virname field in the AC-pattern struct.
2021-04-21 16:24:24 -07:00
new->virname = virname_copy;
}
libclamav: add initial support for logical signatures (bb#896) git-svn: trunk@3993
2008-07-25 19:00:25 +00:00
libclamav: minimize header parsing (bb#2065)
2010-06-18 15:41:39 +02:00
ret = cli_caloff(offset, NULL, root->type, new->offdata, &new->offset_min, &new->offset_max);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != CL_SUCCESS) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new->prefix ? new->prefix : new->pattern);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
mpool_ac_free_special(root->mempool, new);
Free correct variable in signature load error handling We don't allocate a copy of the signature name to store in the AC pattern structure for logical signature patterns because it is already stored in the logical signature structure. But oss-fuzz found that we're freeing that virname in when an error happens even if it wasn't copied. This fix checks the allocation before MPOOL_FREE. Since virname is passed in, and only cloned under certain condtions, check to see that it has actually been cloned before freeing it in any cleanup code. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45205
2022-04-13 12:09:01 -07:00
if (virname_copy) {
MPOOL_FREE(root->mempool, virname_copy);
}
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return ret;
add basic support for string alternatives; optimise bfs_enqueue/dequeue git-svn: trunk@3262
2007-10-03 00:31:52 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = cli_ac_addpatt(root, new))) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new->prefix ? new->prefix : new->pattern);
Free correct variable in signature load error handling We don't allocate a copy of the signature name to store in the AC pattern structure for logical signature patterns because it is already stored in the logical signature structure. But oss-fuzz found that we're freeing that virname in when an error happens even if it wasn't copied. This fix checks the allocation before MPOOL_FREE. Since virname is passed in, and only cloned under certain condtions, check to see that it has actually been cloned before freeing it in any cleanup code. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45205
2022-04-13 12:09:01 -07:00
if (virname_copy) {
MPOOL_FREE(root->mempool, virname_copy);
}
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
mpool_ac_free_special(root->mempool, new);
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
MPOOL_FREE(root->mempool, new);
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
return ret;
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
}
libclamav, clamscan: load/unload callbacks & progress meters Add progress callbacks to libclamav for: - database load - engine compile - engine free Add a progress bar to clamscan for load & compile. These are disabled if you run with --debug or stdout is not a TTY or you are using one of --quiet, --infected, or --no-summary. Added code so you can test the engine-free callback by building with ENABLE_ENGINE_FREE_PROGRESSBAR defined. The compile & free progress callbacks pre-calculate the number of tasks to complete to estimate the progress. Some tasks may take longer than others so the progress speed my appear to vary a little. The callbacks return type is a cl_error_t but doesn't currently do anything. It is reserved for future use. Minor formatting change in matcher-ac.c to counteract weird clang-format behavior, and to make it easier to read. Added progress callbacks and clamscan progress bars to the news.
2021-07-16 11:47:23 -07:00
if ((new->offdata[0] != CLI_OFF_ANY) &&
(new->offdata[0] != CLI_OFF_ABSOLUTE) &&
(new->offdata[0] != CLI_OFF_MACRO)) {
Converted mpool calls to macros when USE_MPOOL is defined to clearly differentiate between function and macro behavior.
2019-05-03 18:16:03 -04:00
root->ac_reloff = (struct cli_ac_patt **)MPOOL_REALLOC2(root->mempool, root->ac_reloff, (root->ac_reloff_num + 1) * sizeof(struct cli_ac_patt *));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!root->ac_reloff) {
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
cli_errmsg("cli_ac_addsig: Can't allocate memory for root->ac_reloff\n");
return CL_EMEM;
}
root->ac_reloff[root->ac_reloff_num] = new;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
new->offset_min = root->ac_reloff_num * 2;
new->offset_max = new->offset_min + 1;
Retab cli_ac_addsig()
2014-10-29 15:14:37 -04:00
root->ac_reloff_num++;
libclamav: improve handling of signature offsets
2009-08-14 14:38:13 +02:00
}
new implementation of the Aho-Corasick pattern matcher git-svn: trunk@3038
2007-04-28 18:40:59 +00:00
return CL_SUCCESS;
}
Reference in a new issue Copy permalink