Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Socket potentially closed too early after "INSTREAM: Size limit reached ..." is logged #1210

Open origooo opened 8 months ago

origooo commented 8 months ago

Describe the bug

I have an issue scanning a stream through a node library (clamscan). I know the library itself is none of your concern, but I believe the issue exists with other languages/libs as well.

I have clamd running locally through the command /opt/homebrew/opt/clamav/sbin/clamd --foreground and it's listening on port 3310. Scanning works fine most of the time but I start running into issues when testing a stream/file size limit (might not be isolated to that limit check though).

I read a too large file and pipe it to the socket, and ish 5/10 times (in node) I do receive the expected output INSTREAM size limit exceeded. \x00 from the TCP socket. Other times I receive either EPIPE or ECONNRESET, but the size limit message is still logged within clamd.

The code in server-th.c at line 859 logs the message properly every time even if node receives the EPIPE/ECONNRESET errors. I can see that an error code is set in server-th.c and -1 is returned to recvloop. handle_stream() also calls conn_reply_error() before returning -1, and my question is whether or not the socket might be closed before conn_reply_error() has a chance to send the message back to node? Might it be a timing issue somewhere?

How to reproduce the problem

I have stripped out a lot of the code from the library to get a minimal viable code to reproduce the error. The code can be found here and run through node <script name>.

Config file: clamd.conf

LocalSocket = "/opt/homebrew/var/run/clamd.sock"
TCPSocket = "3310"

Config file: freshclam.conf

DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings

Version: 1.3.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /opt/homebrew/var/lib/clamav
bytecode.cvd: version 335, sigs: 86, built on Tue Feb 27 16:37:24 2024
Total number of signatures: 86

Platform information

uname: Darwin 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:18 PST 2023; root arm64
OS: Darwin, ARCH: arm64, CPU: arm64
zlib version: 1.2.12 (1.2.12), compile flags: 2a9
platform id: 0x0403c8c80800000000040201

Build information

Clang: Apple LLVM 15.0.0 (clang-1500.1.0.2.5) (4.2.1)
sizeof(void*) = 8
Engine flevel: 200, dconf: 200

micahsnyder commented 8 months ago

We have some flakiness in the Windows clamd tests relating to clamd responses sometimes missing the error message. I wonder if this is the same issue.

origooo commented 7 months ago

Aha, okok. Do we have an expected timeline on a fix for this issue?

micahsnyder commented 7 months ago

@origooo we're not working on it at the moment.
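
A client-side way to cope with the behaviour reported in the opening post, as an added example that is not code from ClamAV, the clamscan library, or any participant in this thread: keep whatever reply arrived before the socket error, and report a bare EPIPE/ECONNRESET during upload as its own outcome instead of a generic failure. The function names and status strings are hypothetical; `socket` is assumed to be an already connected `net.Socket` and `source` a Readable that emits Buffers.

```javascript
// Added example; not code from ClamAV or the clamscan library.
// Frame one INSTREAM chunk: 4-byte big-endian length followed by the data.
function frameChunk(data) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(data.length, 0);
  return Buffer.concat([header, data]);
}

// Map the reply bytes that arrived (possibly none) plus any socket error to an
// outcome. A reply that was received always wins over a later write error.
function classify(replyBytes, err) {
  const reply = replyBytes.toString('utf8').replace(/\0+$/, '').trim();
  if (/size limit exceeded/i.test(reply)) return { status: 'too_large', reply };
  if (/FOUND$/.test(reply)) return { status: 'infected', reply };
  if (/OK$/.test(reply)) return { status: 'clean', reply };
  if (reply) return { status: 'error', reply };
  if (err && (err.code === 'EPIPE' || err.code === 'ECONNRESET')) {
    // clamd dropped the connection mid-upload and no reply was read.
    return { status: 'aborted_by_clamd', reply: '' };
  }
  return { status: 'error', reply: err ? String(err.message) : 'no reply' };
}

// socket: a connected net.Socket to clamd; source: a Readable with the file data.
// Assumes clamd closes the connection after answering (no IDSESSION in use).
function scanStream(socket, source) {
  return new Promise((resolve) => {
    const replyChunks = [];
    let sockErr = null;
    const usable = () => !sockErr && !socket.destroyed;
    socket.on('data', (d) => replyChunks.push(d)); // listen before first write
    socket.on('error', (e) => { sockErr = sockErr || e; source.pause(); });
    socket.on('drain', () => source.resume());
    socket.on('close', () => resolve(classify(Buffer.concat(replyChunks), sockErr)));
    socket.write('zINSTREAM\0');
    source.on('data', (d) => {
      if (usable() && !socket.write(frameChunk(d))) source.pause(); // backpressure
    });
    source.on('end', () => { if (usable()) socket.write(Buffer.alloc(4)); });
  });
}
```

An `aborted_by_clamd` result means the reply was lost on the wire; the clamd log is then the only place the "Size limit reached" reason is recorded.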