Scans performed in the RTC SCAN_CLEANUP macro by the state.cb_end()
callback function never save the return value and thus fail to record a
detection. This patch sets `ret` so the detection isn't lost.
fixed a leak where host and port were not being properly cleaned up
cleaned up error handling for make_connection_real function
added various null param checks
a problem existed in which specifying --enable-libclamav-only would fail
if curl was not installed on the system
this fix puts a check in place which will ensure the curl check code is
not run if the option is turned on
in the future if curl becomes required in libclamav this check will need
to be removed
The newer freshclam uses libcurl for downloads and downloads the
updates via https. There are systems which don't have a "default CA
store" but instead the administrator maintains a CA-bundle of certs
they trust.
This patch allows the users to specify their own CA cert path by
setting the environment variable CURL_CA_BUNDLE to the path of their
choice.
Patch courtesy of Sebastian A. Siewior
These opcodes specify a function or keyword by number
instead of by name. The corresponding lookup tables
still have a few entries without names, but the majority
of them are been determined and verified.
The PROFILE_HASHTABLE preprocessor definition can be set at build
time and is intended to be used to enable profiling capabilities
for developers working with hash table and set data structure
profiling. This hashtable profiling functionality was added into
the code a while back and isn't currently functional, but would
ultimately be nice to have. This commit is a first step towards
getting it working.
When PROFILE_HASHTABLE is set, it causes several counters used for
collecting performance metrics to be inserted into the core hashtable
structures. When PROFILE_HASHTABLE is not set, however, these
counters are omitted, and the other members of the structure only
ever contain constant data. I'm guessing that at some point, as an
optimization in the latter case, ClamAV began declaring the hashtable
structures `const`, causing gcc (and maybe other compilers) to put
the structures in the read-only data section. Thus, the code
crashes when PROFILE_HASHTABLE is defined and the counters in the
read-only data section try to get incremented. The fix for this is
to just not mark these structures as `const` if PROFILE_HASHTABLE
is defined.
The commit "Freshclam create database directory if missing" inadvertently
broke the build, because it was blindly rebased and merged after a prior
commit relocated the required `statbuf` variable.
This commit adds back the missing `statbuf` variable.
This fixes issues in cvd download when network speed is slow.
Setting is passed to libcurl CURLOPT_TIMEOUT. Original default of 60s
was not enough if network speed is limited. Curl handles this as
total time for http(s) transfer.
https://curl.haxx.se/libcurl/c/CURLOPT_TIMEOUT.html
Also change commented out setting of ReceiveTimeout on example configs
to somewhat sensible value (1800s).
Signed-off-by: Tuomo Soini <tis@foobar.fi>
On initialization, freshclam will create the database directory if it is
missing.
If running as root, freshclam will assign ownership of the new directory
to the DatabaseOwner account.
Disable line wrap when printing the progress bar so that small terminal
windows do not see excessive lines printed.
Reduce the number of characters in the progress bar to accomodate
80-char width terminals.
Correctly display number of kilobytes (KiB) in progress bar. Previously
was showing # of MiB but printing "KiB".
Freshclam creates a tmp directory in the database directory used to
store downloaded patches or databases before they replace current
databases. The tmp directory previously was created at when freshclam
was initialized and deleted when freshclam exited. This was problematic
if freshclam was run in daemon mode and then run manually while the
daemon was already running.
This commit alters the behavior to create tmp directory with a random
suffix before the update begins and remove this directory when the
update ends, allowing freshclam to be run manually without causing the
freshclam daemon to fail later.
Users have reported that freshclam will fail to download daily.cvd to an
empty database directory shortly after a new database is published due
to a mirror synchronization error. This may occur if the CDN serves up
an older version while a newer version has just been published. Clearing
the CDN cache has not eliminated the issue.
This commit allows freshclam to accept a database 1 version older than
advertised by DNS but will still fail if the database is more than one
version out of date.
Removing problematic call to convert file descriptors to filepaths.
Added filename and tempfile names to scandesc calls in clamd.
Added a general scan option to treat the scan engine as unprivileged,
meaning that the scan engine will not have read access to the file.
Added check to drop a temp file for RAR's where the we don't have
read access to the filepath provided (i.e. unprivileged is set, or
access() check fails).
Users have reported slow scan speeds of some PDF documents. The scan
speed was very slow on Windows in particular. Investigation indicated
significant time spent in cli_realloc.
Performance is particularly bad with a relatively large data stream is
decompressed using small chunk sizes and the final buffer is reallocated
to a larger buffer size each time a chunk is added.
This commit replaces BUFSIZ, which varies from 256B -> 8192B, with
INFLATE_CHUNK_SIZE, set to 256kB, the chunk size recommended by the zlib
documentation for efficient inflate performance. The output buffer is
shrunk (reallocated) down to the final decoded buffer length so as not
to waste memory when many small buffers must be decompressed.
A followup fix should provide a standard way to do zlib decompression
across libclamav where a linked list of decompressed chunks are
assembled and then the final output buffer is allocated at the end.
Implemented several maximums in parsing MIME messages to avoid Denial of
Service attempts, as well as improving parsing logic to avoid repeatedly
calling the realloc function. These are in response to excessively long scan
times for specially crafted files.
This is in response to CVE-2019-15961.
The limits added are
1. Limit on number of MIME parts per message.
2. Limit on number of header bytes.
3. Limit on number of email headers.
4. Limit on number of line folds.
5. Limit on numbef of MIME arguments.
Tests in libcheck 0.13 must have {} between START_TEST and END_TEST
else it will not compile.
Also replaced all deprecated "fail_" macros with "ck_" macros.
E.g. fail_unless() becomes ck_assert_msg()
The checks_common.h header file provided a couple of macros to
support versions older than 0.9.3. As these older versions are
no longer relevant, I've removed those compatibility macros
entirely.
The ClamAV engine abstraction was migrated into the test-framework
repository to provide a single unified framework for build acceptance
and quality assurance tests. This commit updates the Jenkinsfile
accordingly.
Micah Snyder (micasnyd)