Bugzilla – Bug 11970
clamscan --block-max VERSUS clamdscan BlockMax in conf
Last modified: 2021-11-02 13:46:09 EDT
Testing beta2, ubuntu 16.04 LTS x64 I noticed that the clamd.conf has the following option:

    # When BlockMax is set, files exceeding the MaxFileSize, MaxScanSize, or MaxRecursion limit will be flagged
    # with the virus "Heuristic.Limits.Exceeded".
    # Default: no
    BlockMax yes

As you can see above, it's enabled because the "#" is removed from BlockMax yes.

Below is scanning a file that is too large. As you can see it doesn't actually scan the file, but it doesn't flag the warning message like it does in clamscan --block-max.

clamscan --block-max ALSO flags files that are too large as infected, but clamdscan with the option enabled doesn't do that at all. These are very inconsistent in how they work for something that should be transparent.

    sudo clamdscan --log=/opt/clamd.log -v wsusscn2.cab
    --------------------------------------
    /opt/wsusscn2.cab: OK
    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Time: 0.000 sec (0 m 0 s)

    tmccourt@ubuntu:/opt$ cat clamd.log
    --------------------------------------
    /opt/wsusscn2.cab: OK
    ----------- SCAN SUMMARY -----------
    Infected files: 0
    Time: 0.000 sec (0 m 0 s)
Please supply the file and clamscan output that you mention.
It's too large to upload. It's the same cab file that was used for other tests. I believe Micah and Mickey both have the file.
You previously shared it with Google drive: https://drive.google.com/open?id=0B1J3F64yVVXNbWFfMkhuYWREX0U
    clamscan --debug --block-max /opt/wsusscn2.cab
    ----------- SCAN SUMMARY -----------
    Known viruses: 6354080
    Engine version: 0.99.3-beta2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 208.33 MB (ratio 0.00:1)
    Time: 10.608 sec (0 m 10 s)
Micah, please check this out.
Check for block-max documentation.
I have the expected behavior occur where both clamscan and clamdscan successfully detected Heuristic.Limits.Exceeded on the current HEAD of master.

----
klin@klin-dev:~/bb11970$ clamdscan wsusscn2.cab
/home/klin/bb11970/wsusscn2.cab: Heuristic.Limits.Exceeded FOUND
----

Looking at the code directly, both clamscan and clamd invoke the block-max (BlockMax) option the same way by adding the CL_SCAN_BLOCKMAX to the options field. clamd does invoke it slightly differently but it would have to break all scan options to work differently.

The issue has either already been resolved or the clamd configuration might be using a different limit value.
Please supply the clamd configuration file that causes this issue.
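One way to check the point raised above, that the daemon's configuration may not carry the settings the reporter expects, is to read only the uncommented directives of clamd.conf and compare the file size against them. This is an added example, not code from ClamAV or from anyone on this bug; the sample configuration, the function names and the choice to check only MaxFileSize are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the clamd.conf excerpt quoted in the report.
SAMPLE_CONF = """\
# Default: no
BlockMax yes
#MaxScanSize 150M
MaxFileSize 25M
LogFile /opt/clamd.log
"""

_SIZE = re.compile(r"^(\d+)([KkMm]?)$")


def parse_size(value):
    """Convert '25M', '512K' or '1048576' to bytes (1M = 1048576 bytes)."""
    m = _SIZE.match(value)
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    factor = {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
    return int(m.group(1)) * factor


def active_directives(conf_text):
    """Return {name: value} for uncommented, non-empty lines only."""
    out = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a leading '#' means the directive is not in effect
        parts = line.split(None, 1)
        # Assumption of this sketch: a repeated directive keeps its last value.
        out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out


def expect_limits_verdict(conf_text, file_size):
    """True if this config says an oversized file should be flagged,
    False if not, None if MaxFileSize is not set in the file at all."""
    conf = active_directives(conf_text)
    block_max = conf.get("BlockMax", "no").lower() in ("yes", "true", "1")
    max_file = conf.get("MaxFileSize")
    if max_file is None:
        return None  # the engine's built-in default applies; not guessed here
    limit = parse_size(max_file)
    over = limit != 0 and file_size > limit  # a value of 0 disables the limit
    return block_max and over
```
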
Only thing changed from the sample was logging and block max to allow this to work.
I also had no issue getting clamdscan with BlockMax to flag the large file as infected the way clamscan does with --block-max.

    micasnyd@avavpn-120:~/workspace/clamav-devel$ clamdscan ~/Downloads/wsusscn2.cab
    /Users/micasnyd/Downloads/wsusscn2.cab: Heuristic.Limits.Exceeded FOUND
    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 0.002 sec (0 m 0 s)
Works ok on dev/0.100 for both Kevin and me.