I've been using cl_scanmap_callback recently since it scans a memory block, but it crashes when scanning a RAR SFX file. It expects a file descriptor, but there is none since I pass in a memory buffer.
I made this hack-fix to dump the file to disk so it can be scanned. Hopefully the RAR interface will be updated so it no longer expects a file descriptor. Until then, you can use this. It's messy/sloppy but it works. I can submit the files I used to test this, but some of them are malicious.

Navigate to cli_scanraw in scanners.c. Replace case CL_TYPE_RARSFX with:

    case CL_TYPE_RARSFX:
        if(type != CL_TYPE_RAR && have_rar && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_RAR)) {
            int fd = fmap_fd(map);
            ctx->container_type = CL_TYPE_RAR;
            ctx->container_size = map->len - fpt->offset; /* not precise */
            cli_dbgmsg("RAR/RAR-SFX signature found at %u\n", (unsigned int) fpt->offset);
            if (fd == -1) {
                /* Map is memory-backed: write it to a temp file so cli_scanrar gets a descriptor */
                int result;
                char* tmpname;
                cli_dbgmsg("RAR/RAR-SFX map isn't backed by file descriptor, dumping to file\n");
                result = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd);
                if (result == CL_SUCCESS) {
                    int bytesWritten = cli_writen(fd, map->data, map->len);
                    if (bytesWritten == map->len) {
                        nret = cli_scanrar(fd, ctx, fpt->offset, &lastrar);
                    }
                    /* Always remove the temp copy, whether or not the scan ran */
                    close(fd);
                    cli_unlink(tmpname);
                    free(tmpname);
                }
            } else
                nret = cli_scanrar(fd, ctx, fpt->offset, &lastrar);
        }
        break;
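
The same spill-to-disk idea as a stand-alone POSIX helper, added here as an example that is not part of the original post and is not ClamAV code. The name buffer_to_fd, the "scanbuf-" prefix and the sample bytes are assumptions; it unlinks the temp file before writing so untrusted content never stays on disk under a name, handles short writes, and rewinds the descriptor for the reader.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: copy buf[0..len) into an unnamed temp file under
 * dir and return a descriptor positioned at offset 0, or -1 on failure. */
int buffer_to_fd(const char *dir, const void *buf, size_t len)
{
    char path[4096];
    const unsigned char *p = buf;
    size_t done = 0;
    int fd, n;

    n = snprintf(path, sizeof(path), "%s/scanbuf-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;
    fd = mkstemp(path);   /* exclusive creation, mode 0600 */
    if (fd == -1)
        return -1;
    unlink(path);         /* drop the name now: nothing to clean up on a crash */

    while (done < len) {  /* write() may be short or interrupted */
        ssize_t w = write(fd, p + done, len - done);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        done += (size_t)w;
    }
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {  /* offset is at EOF after writing */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    static const char sample[] = "constructed sample bytes, not a real archive";
    int fd = buffer_to_fd("/tmp", sample, sizeof(sample));
    if (fd == -1) { perror("buffer_to_fd"); return 1; }
    printf("descriptor %d ready at offset 0\n", fd);
    close(fd);
    return 0;
}
```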