1.0.6 reports "(null) found" if max recursion limit reached #1361

Open
MASHtm opened this issue Sep 4, 2024 · 5 comments
MASHtm commented Sep 4, 2024

I'm in the process of upgrading from 0.103.11 to 1.0.6. We use clamd on our MX hosts. Compared to 0.103.11, which runs stably and with the expected results, I noticed some "Can't allocate memory ERROR" messages in the clamd log from 1.0.6.

clamav 1.0.6 is built from source using a local spec file for el8 and is running on rocky linux 8.10.

IMO these error messages are more or less false positives and are triggered if an archive reaches the maxrecursion limit while unpacking. clamd and clamscan both return an empty virus name while flagging the file as infected, regardless of the AlertExceedsMax setting.

clamscan --max-recursion=4
returns
tmp/<testfile>!(18446744073709551615)MAIL:payment_copy.tar: (null) FOUND

clamd reports Can't allocate memory ERROR without debug log active.

How to reproduce the problem

Using ONLY the official patterns of today and starting
clamscan -av --max-recursion=4
shows e.g. (the test file was detected and written by another clamd instance using sanesecurity patterns and I didn't rename it!):

# clamscan -av --max-recursion=4 /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL 
Loading:    14s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks 

Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:attachment
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:mixedtextportion
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar!RAR:payment copy.exe
/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!(18446744073709551615)MAIL:payment_copy.tar: (null) FOUND

If I do the same with --maxrecursion=10 clamscan reports
/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL: OK

In clamd it gets worse since it finally reports the "Can't allocate memory ERROR" while logging some more info with debug log active:

Sep  4 16:04:20 xxxxxxx clamd[1046621]: /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL: reported CL_VIRUS but no virname returned!
Sep  4 16:04:20 xxxxxxx clamd[1046621]: /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL: Can't allocate memory ERROR

while
AlertExceedsMax no
is set.

Attachments

Since the testfile is probably infected with something please contact me personally. I can provide a download link.
But most likely this happens with any test file which hits maxrecursion (on rar?)

micahsnyder (Contributor) commented
That's very strange! I will try to reproduce this.

MASHtm (Author) commented Sep 4, 2024

additionally:

# clamscan -av --max-recursion=4 --alert-exceeds-max=yes /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL 
Loading:    14s, ETA:   0s [========================>]    8.70M/8.70M sigs         
Compiling:   3s, ETA:   0s [========================>]       41/41 tasks 

Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:attachment
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:mixedtextportion
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar
Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar!RAR:payment copy.exe
/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL: Heuristics.Limits.Exceeded.MaxRecursion FOUND
/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar!(2)RAR:payment copy.exe: Heuristics.Limits.Exceeded.MaxRecursion FOUND

MASHtm (Author) commented Sep 4, 2024

The same happens with the EPEL8 RPMs in epel-testing, using a ZIP (since these are built without rar support):

# clamscan -av --max-recursion=4 /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL 
Loading:    24s, ETA:   0s [========================>]    8.70M/8.70M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

Scanning /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL
Scanning /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL!MAIL:mixedtextportion
Scanning /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL!MAIL:Pilot_Befehl.zip
Scanning /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL!MAIL:Pilot_Befehl.zip!ZIP:Pilot Befehl.exe
Scanning /tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL!MAIL:Pilot_Befehl.zip!ZIP:Pilot Befehl.exe
/tmp/SecuriteInfo.com.W32.AutoIt.XU.gen.Eldorado.22586.618.UNOFFICIAL!(18446744073709551615)MAIL:Pilot_Befehl.zip: (null) FOUND

MASHtm (Author) commented Sep 4, 2024

Doing some further tests, I noticed that it does not seem to be "enough" to be over the limit to trigger this. It seems to me that it has to be some exact value. In my test cases it is two below the actual amount of recursion needed.

It fails exactly with --max-recursion=4 and --alert-exceeds-max=no.
It works and returns "OK" when testing with 1, 2, 3, 5, 6 as the recursion limit and --alert-exceeds-max=no.

It works and returns "Heuristics.Limits.Exceeded.MaxRecursion FOUND" when testing with 2, 3, 4, 5 (!), and "OK" for 6, with --alert-exceeds-max=yes.

So for my two test files it is exactly max-recursion 4 which fails, while 5 still exceeds the limit according to the --alert-exceeds-max=yes output.

MASHtm (Author) commented Sep 4, 2024

For completeness: the same happens with 1.0.7.
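An added example, written for this page and not code from the ClamAV project or the reporter, showing what a mail-gateway operator can do with the observations in this thread until the bug is fixed: it parses clamscan/clamd result lines (including the syslog form clamd logs), treats a FOUND with no virus name or with the 18446744073709551615 recursion index as a scanner fault rather than a detection, and reproduces the per-level sweep from the comments above by invoking clamscan with --max-recursion=N and --alert-exceeds-max=yes|no. Assumptions: the sample lines are copied from this issue; clamscan 1.x accepts those two options plus --no-summary; the reject/defer/accept policy is the example's own, not ClamAV's.

```python
"""Added example, not ClamAV project code: classify clamscan/clamd result lines so a
mail gateway treats the "(null) FOUND" verdict from this issue as a scanner fault,
not as a detection and not as a clean file.  Assumptions: clamscan 1.x accepts
--no-summary, --max-recursion=N and --alert-exceeds-max=yes|no (as used in the
issue); the reject/defer/accept policy is the example's own."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# 18446744073709551615 == (size_t)-1 on LP64: no container nests that deep, so an
# index this large can only come from an unsigned underflow.
SIZE_MAX_64 = 2**64 - 1
# Optional prefix when clamd logs via syslog: "Sep  4 16:04:20 host clamd[123]: ".
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ clamd\[\d+\]: ")
# "<path>: <virname> FOUND", "<path>: OK" or "<path>: <message> ERROR".
RESULT_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<verdict>.+?) )?(?P<status>FOUND|OK|ERROR)$")
# "!(<n>)" recursion-level markers inside the virtual path.
LEVEL_MARK = re.compile(r"!\((\d+)\)")


@dataclass
class ScanResult:
    path: str
    status: str      # OK | FOUND | ERROR
    verdict: str     # virus name, error message, or "" for OK
    category: str    # clean | infected | limit-exceeded | error | anomalous
    reasons: List[str] = field(default_factory=list)


def parse_result_line(line: str) -> Optional[ScanResult]:
    """Parse one result line; progress/debug lines such as "Scanning ..." give None."""
    line = SYSLOG_PREFIX.sub("", line.rstrip("\r\n"))
    m = RESULT_LINE.match(line)
    if m is None:
        return None
    path, verdict, status = m.group("path"), m.group("verdict") or "", m.group("status")
    reasons: List[str] = []
    if status == "OK":
        category = "clean"
    elif status == "ERROR":
        category = "error"
    else:
        if verdict in ("", "(null)"):
            reasons.append("FOUND without a virus name")
        if any(int(n) >= SIZE_MAX_64 for n in LEVEL_MARK.findall(path)):
            reasons.append("recursion index equals (size_t)-1")
        if reasons:
            category = "anomalous"       # scanner fault, as in this issue
        elif verdict.startswith("Heuristics.Limits.Exceeded."):
            category = "limit-exceeded"  # --alert-exceeds-max=yes heuristic
        else:
            category = "infected"
    return ScanResult(path, status, verdict, category, reasons)


def classify_output(text: str) -> Tuple[str, List[ScanResult]]:
    """Map one clamscan run to a gateway action.  A named detection wins; an anomalous
    or ERROR result defers (tempfail) so the mail is retried once the scanner is fixed
    instead of being bounced as "(null)"; only an all-OK run is accepted."""
    results = [r for r in map(parse_result_line, text.splitlines()) if r is not None]
    cats = {r.category for r in results}
    if cats & {"infected", "limit-exceeded"}:
        return "reject", results
    if cats & {"anomalous", "error"}:
        return "defer", results
    return "accept", results


def sweep_recursion(path: str, levels: List[int], alert_exceeds_max: bool,
                    run: Optional[Callable[[List[str]], str]] = None) -> Dict[int, str]:
    """Repeat the issue's experiment: scan `path` once per --max-recursion value and
    return the gateway action per level.  `run` executes a command and returns its
    stdout; by default the real clamscan binary is run (tests inject a fake)."""
    if run is None:
        def run(cmd: List[str]) -> str:
            return subprocess.run(cmd, capture_output=True, text=True).stdout
    flag = "yes" if alert_exceeds_max else "no"
    return {n: classify_output(run(["clamscan", "--no-summary", f"--max-recursion={n}",
                                    f"--alert-exceeds-max={flag}", path]))[0]
            for n in levels}


# Sample lines copied from the issue (ClamAV 1.0.6, --max-recursion=4).
SAMPLE_NULL_FOUND = (
    "Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL\n"
    "Scanning /tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar!RAR:payment copy.exe\n"
    "/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!(18446744073709551615)MAIL:payment_copy.tar: (null) FOUND\n")
SAMPLE_LIMIT = ("/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL!MAIL:payment_copy.tar!(2)RAR:payment copy.exe: "
                "Heuristics.Limits.Exceeded.MaxRecursion FOUND\n")
SAMPLE_SYSLOG = ("Sep  4 16:04:20 xxxxxxx clamd[1046621]: "
                 "/tmp/Sanesecurity.Foxhole.Rar_fs2720.UNOFFICIAL: Can't allocate memory ERROR\n")
```

The point of the "defer" branch is operational: on a gateway, a FOUND with no virus name must not be passed to the bounce or quarantine logic (which would report "(null)"), and must not be treated as clean either, since the same file at a higher recursion limit is still being unpacked; a temporary failure keeps the message queued until the scanner is fixed or the limit is adjusted. `sweep_recursion(path, [1, 2, 3, 4, 5, 6], False)` runs the real clamscan and returns, for the reporter's files, "defer" only at level 4 and "accept" elsewhere.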
