Hi, I found a message that make clamd and clamscan 0.83 very long (count the time in hours). The message is a 60Kb fat kde-cvs list digest. It's a ordinairy text/plain but it containt multiple (43) messages concatened and it sound like clamav explode the message (which is, at least, not wanted by me) and has a exponential algorithm to parse the whole thing.
Sending such message can issue a deny of service. Clamav 0.81 worked fine. When I scan a text file, the "Data scanned" field report ordinary the file size : % ls -lL /etc/termcap -r--r--r-- 1 root wheel 204798 18 jan 14:45 /etc/termcap % clamscan /etc/termcap /etc/termcap: OK ----------- SCAN SUMMARY ----------- Known viruses: 30736 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.19 MB I/O buffer size: 131072 bytes Time: 0.550 sec (0 m 0 s) But with this digest message, after I remove 2/3 of its content clamscan return, 6 Mb are scanned of a 20K message (If I pass the whole message, clamscan does not return after at least one hour) % ls -l message-small.txt -rw-r--r-- 1 lwa lwa 14259 18 fév 17:37 kde1.bounce % clamscan message-small.txt message-small.txt: OK ----------- SCAN SUMMARY ----------- Known viruses: 30736 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 5.92 MB I/O buffer size: 131072 bytes Time: 16.135 sec (0 m 16 s) When I remove one random 300 bytes message of the digest, It 2 Mb less are scanned. % ls -l message-smaller.txt -rw-r--r-- 1 lwa lwa 13881 18 fév 17:43 message-smaller.txt % clamscan message-smaller.txt message-smaller.txt: OK ----------- SCAN SUMMARY ----------- Known viruses: 30736 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 3.95 MB I/O buffer size: 131072 bytes Time: 11.064 sec (0 m 11 s) You can download the whole message using FTP at victor.teaser.fr in the file /pub/lwa/misc/kde.bounce I just hidden the reciever name. _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel
