diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/src/malware.c | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/src/src/malware.c b/src/src/malware.c index 7685554ae..04b5887e7 100644 --- a/src/src/malware.c +++ b/src/src/malware.c @@ -456,7 +456,8 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) /* v0.0 - initial release -- support for unix sockets */ { int result; - unsigned int fsize; + off_t fsize; + unsigned int fsize_uint; uschar * tmpbuf, *drweb_fbuf; int drweb_rc, drweb_cmd, drweb_flags = 0x0000, drweb_fd, drweb_vnum, drweb_slen, drweb_fin = 0x0000; @@ -484,6 +485,14 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) eml_filename, strerror(err)), sock); } + fsize_uint = (unsigned int) fsize; + if ((off_t)fsize_uint != fsize) { + (void)close(drweb_fd); + return m_errlog_defer_3(scanent, + string_sprintf("seeking spool file %s, size overflow", + eml_filename), + sock); + } drweb_slen = htonl(fsize); lseek(drweb_fd, 0, SEEK_SET); @@ -501,11 +510,11 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) sock); } - if (!(drweb_fbuf = (uschar *) malloc (fsize))) { + if (!(drweb_fbuf = (uschar *) malloc (fsize_uint))) { (void)close(drweb_fd); return m_errlog_defer_3(scanent, string_sprintf("unable to allocate memory %u for file (%s)", - fsize, eml_filename), + fsize_uint, eml_filename), sock); } @@ -1035,7 +1044,8 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) host_item connhost; uschar *clamav_fbuf; int clam_fd, result; - unsigned int fsize; + off_t fsize; + unsigned int fsize_uint; BOOL use_scan_command = FALSE; clamd_address_container * clamd_address_vector[MAX_CLAMD_SERVERS]; int current_server; @@ -1231,17 +1241,25 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) eml_filename, strerror(err)), sock); } + fsize_uint = (unsigned int) fsize; + if ((off_t)fsize_uint != fsize) { + CLOSE_SOCKDATA; (void)close(clam_fd); + return m_errlog_defer_3(scanent, + string_sprintf("seeking spool file %s, size overflow", + eml_filename), + sock); + } lseek(clam_fd, 0, SEEK_SET); - if (!(clamav_fbuf = (uschar *) malloc (fsize))) { + if (!(clamav_fbuf = (uschar *) malloc (fsize_uint))) { CLOSE_SOCKDATA; (void)close(clam_fd); return m_errlog_defer_3(scanent, string_sprintf("unable to allocate memory %u for file (%s)", - fsize, eml_filename), + fsize_uint, eml_filename), sock); } - if ((result = read(clam_fd, clamav_fbuf, fsize)) < 0) { + if ((result = read(clam_fd, clamav_fbuf, fsize_uint)) < 0) { int err = errno; free(clamav_fbuf); CLOSE_SOCKDATA; (void)close(clam_fd); return m_errlog_defer_3(scanent, @@ -1253,7 +1271,7 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) /* send file body to socket */ #ifdef WITH_OLD_CLAMAV_STREAM - if (send(sockData, clamav_fbuf, fsize, 0) < 0) { + if (send(sockData, clamav_fbuf, fsize_uint, 0) < 0) { free(clamav_fbuf); CLOSE_SOCKDATA; return m_errlog_defer_3(scanent, string_sprintf("unable to send file body to socket (%s:%u)", @@ -1261,10 +1279,10 @@ malware_internal(uschar **listptr, uschar *eml_filename, BOOL faking) sock); } #else - send_size = htonl(fsize); + send_size = htonl(fsize_uint); send_final_zeroblock = 0; if ((send(sock, &send_size, sizeof(send_size), 0) < 0) || - (send(sock, clamav_fbuf, fsize, 0) < 0) || + (send(sock, clamav_fbuf, fsize_uint, 0) < 0) || (send(sock, &send_final_zeroblock, sizeof(send_final_zeroblock), 0) < 0)) { free(clamav_fbuf); |