Hullo!
I have noticed some disturbing behaviour in ClamAV (0.88.5 and earlier)
regarding the various archive scanning limits (ArchiveMaxFiles,
ArchiveMaxFileSize etc.). What I have noticed is that when
ArchiveBlockMax is not enabled, ClamD can take a very long time to
process files which are above the limits - files which it blocks almost
instantaneously when ArchiveBlockMax is enabled. Looking at the code of
scanners.c, it would appear that some of the limits are completely
ignored when ArchiveBlockMax is not enabled, and so there is not
actually any DoS protection in place.
Here's an example of a piece of code that worries me:
> if(limits->maxfilesize && ((unsigned int) zdirent.st_size > limits->maxfilesize)) {
>     cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n",
>                zdirent.d_name, zdirent.st_size, limits->maxfilesize);
>     /* ret = CL_EMAXSIZE; */
>     if(BLOCKMAX) {
>         *virname = "Zip.ExceededFileSize";
>         ret = CL_VIRUS;
>         break;
>     }
>     continue; /* continue scanning */
> }
Also, only the Zip and RAR scanners appear to obey ArchiveMaxFiles and
ArchiveMaxCompressionRatio (the latter not actually being controlled by
ArchiveBlockMax). This inconsistency is not warned about in the
documentation.
I have implemented ClamD integration for SmoothGuardian, our web
filtering product, which currently ships with ArchiveBlockMax enabled.
Whilst we have yet to receive any "bug reports" moaning about oversized
archives or similar, it would be nice if we could give more control over
ClamD to the end user; however, I am not confident in allowing customers
to turn off ArchiveBlockMax if this will completely disable the denial
of service protection the limits provide.
In my opinion, the option should simply disable whether or not archives
that break limits are treated as viruses; the scanner should still exit
early if the limits are broken.
Any comments? What is the "official" verdict on what scanners should do
with the limits when ArchiveBlockMax is disabled, and what are the
scanners *actually* doing at the moment?
Regards,
Phil
--
Philip Allison
Developer
SmoothWall Ltd. - http://www.smoothwall.net/
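To make the behaviour concrete, here is an added C model (not ClamAV's code) of the two loops contrasted in the mail: with exit_early set to 0 the loop does what the quoted scanners.c does when ArchiveBlockMax is off, skipping the oversized entry and carrying on through the rest of the archive; with exit_early set to 1 it does what the mail proposes, stopping early with an error rather than a detection. The scan_archive function, the SCAN_* codes and the sample entries are assumptions.

```c
#include <stdio.h>

/* Hypothetical result codes, modelled on ClamAV's CL_CLEAN / CL_VIRUS / CL_EMAXSIZE. */
enum scan_ret { SCAN_CLEAN = 0, SCAN_VIRUS = 1, SCAN_EMAXSIZE = 2 };
struct entry { const char *name; unsigned long size; };

struct scan_result {
    enum scan_ret ret;
    const char *virname;    /* set only when ret == SCAN_VIRUS */
    size_t entries_scanned; /* extract-and-scan steps actually performed */
};

/* One archive loop with two policy switches: block_max reports a limit
 * violation as a "virus" (ArchiveBlockMax); exit_early stops scanning on a
 * violation even when block_max is off. exit_early = 0 reproduces the quoted
 * scanners.c loop, exit_early = 1 is the behaviour the mail proposes. */
struct scan_result scan_archive(const struct entry *e, size_t n,
                                unsigned long maxfilesize, int block_max, int exit_early)
{
    struct scan_result r = { SCAN_CLEAN, NULL, 0 };
    for (size_t i = 0; i < n; i++) {
        if (maxfilesize && e[i].size > maxfilesize) {
            if (block_max) {
                r.virname = "Zip.ExceededFileSize";
                r.ret = SCAN_VIRUS;
                break;
            }
            if (exit_early) {
                r.ret = SCAN_EMAXSIZE; /* refuse the archive, but not as a detection */
                break;
            }
            continue; /* current code: limit is only logged and the loop carries on */
        }
        r.entries_scanned++; /* stands in for the costly extract-and-scan of the entry */
    }
    return r;
}

/* Constructed sample archive: one entry far over a 1 MiB limit, followed by more. */
const struct entry sample[] = { { "readme.txt", 512 }, { "bomb.bin", 1UL << 30 },
                                { "a.dat", 700 }, { "b.dat", 900 } };
const size_t sample_n = sizeof sample / sizeof sample[0];

int main(void)
{
    struct scan_result cur = scan_archive(sample, sample_n, 1UL << 20, 0, 0);
    struct scan_result fix = scan_archive(sample, sample_n, 1UL << 20, 0, 1);
    printf("current:  ret=%d scanned=%zu\n", cur.ret, cur.entries_scanned); /* ret=0 scanned=3 */
    printf("proposed: ret=%d scanned=%zu\n", fix.ret, fix.entries_scanned); /* ret=2 scanned=1 */
    return 0;
}
```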