On Thu, 02 Nov 2006 16:10:29 +0000
Philip Allison <[EMAIL PROTECTED]> wrote:
> Looking at the code of scanners.c, it would appear that some of the limits
> are completely ignored when ArchiveBlockMax is not enabled, and so there is
> not actually any DoS protection in place.
Not true, see below.
>
> Here's an example of a piece of code that worries me:
>
>
> > if(limits->maxfilesize && ((unsigned int) zdirent.st_size > limits->maxfilesize)) {
> >     cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize);
> >     /* ret = CL_EMAXSIZE; */
> >     if(BLOCKMAX) {
> >         *virname = "Zip.ExceededFileSize";
> >         ret = CL_VIRUS;
> >         break;
> >     }
> >     continue; /* continue scanning */
          ^-- the archive scanning is continued but the file is skipped
> > }
> ClamD to the end user; however, I am not confident in allowing customers
> to turn off ArchiveBlockMax if this will completely disable the denial
> of service protection the limits provide.
>
> In my opinion, the option should simply disable whether or not archives
> that break limits are treated as viruses; the scanner should still exit
> early if the limits are broken.
>
> Any comments?
You're posting to the wrong mailing list.
--
oo ..... Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Nov 2 17:43:37 CET 2006
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
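
The control flow of the quoted loop, modelled as an added example (not part of the original message and not ClamAV's code). The types, the function scan_entries and the sample archive listing are hypothetical and constructed here; only the limit check, the BLOCKMAX branch and the virus name follow the quoted snippet.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for this example; not ClamAV's real types or API. */
enum verdict { V_CLEAN = 0, V_VIRUS = 1 };
struct entry { const char *name; unsigned long size; };  /* one archive member */
struct scan_stats { unsigned int unpacked, skipped; unsigned long bytes_unpacked; };

/* Walk archive members the way the quoted loop does. An oversize member is
 * never unpacked; blockmax only decides whether it ends the scan with a
 * detection (break) or is skipped so later members still get scanned. */
enum verdict scan_entries(const struct entry *e, size_t n, unsigned long maxfilesize,
                          int blockmax, const char **virname, struct scan_stats *st)
{
    enum verdict ret = V_CLEAN;
    size_t i;

    st->unpacked = st->skipped = 0;
    st->bytes_unpacked = 0;
    for (i = 0; i < n; i++) {
        if (maxfilesize && e[i].size > maxfilesize) {
            if (blockmax) {
                *virname = "Zip.ExceededFileSize";
                ret = V_VIRUS;
                break;
            }
            st->skipped++;
            continue;            /* keep scanning the archive, skip this file */
        }
        st->unpacked++;          /* only in-limit members reach the unpack step */
        st->bytes_unpacked += e[i].size;
    }
    return ret;
}

int main(void)
{
    /* Constructed sample archive listing. */
    const struct entry zip[] = { {"a.txt", 100}, {"big.bin", 4000000000UL}, {"c.txt", 200} };
    struct scan_stats st;
    const char *virname = NULL;
    int blockmax;
    for (blockmax = 0; blockmax <= 1; blockmax++) {
        enum verdict v = scan_entries(zip, 3, 10UL * 1024 * 1024, blockmax, &virname, &st);
        printf("blockmax=%d verdict=%d unpacked=%u skipped=%u bytes=%lu\n",
               blockmax, (int)v, st.unpacked, st.skipped, st.bytes_unpacked);
    }
    return 0;
}
```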