[Libguestfs] [PATCH v6 6/7] New API: yara_scan
Richard W.M. Jones
rjones at redhat.com
Tue Apr 18 09:14:22 UTC 2017
On Thu, Apr 06, 2017 at 11:41:06PM +0300, Matteo Cafasso wrote:
> +let non_daemon_functions = [
> + { defaults with
> + name = "yara_scan"; added = (1, 37, 9);
> + style = RStructList ("detections", "yara_detection"), [Pathname "path"], [];
> + optional = Some "libyara";
> + progress = true; cancellable = true;
> + shortdesc = "scan a file with the loaded yara rules";
> + longdesc = "\
> +Scan a file with the previously loaded Yara rules.
> +
> +For each matching rule, a C<yara_detection> structure is returned.
> +
> +The C<yara_detection> structure contains the following fields.
> +
> +=over 4
> +
> +=item 'yara_name'
...
> +=item 'yara_rule'
You should use:
=item C<yara_name>
> +static struct guestfs_yara_detection_list *parse_yara_detection_file (guestfs_h *, const char *);
> +static int deserialise_yara_detection_list (guestfs_h *, FILE *, struct guestfs_yara_detection_list *);
> +
> +struct guestfs_yara_detection_list *
> +guestfs_impl_yara_scan (guestfs_h *g, const char *path)
> +{
> + int ret = 0;
s/ret/r/
> + CLEANUP_UNLINK_FREE char *tmpfile = NULL;
> +
> + tmpfile = guestfs_int_make_temp_path (g, "yara_scan");
> + if (tmpfile == NULL)
> + return NULL;
> +
> + ret = guestfs_internal_yara_scan (g, path, tmpfile);
> + if (ret < 0)
> + return NULL;
This function returns 0 or -1, so you only need to check for r == -1.
> +/* Parse the file content and return detections list.
> + * Return a list of yara_detection on success, NULL on error.
> + */
> +static struct guestfs_yara_detection_list *
> +parse_yara_detection_file (guestfs_h *g, const char *tmpfile)
> +{
> + int ret = 0;
s/ret/r/
> + CLEANUP_FCLOSE FILE *fp = NULL;
> + struct guestfs_yara_detection_list *detections = NULL;
> +
> + fp = fopen (tmpfile, "r");
> + if (fp == NULL) {
> + perrorf (g, "fopen: %s", tmpfile);
> + return NULL;
> + }
> +
> + /* Initialise results array. */
> + detections = safe_malloc (g, sizeof (*detections));
> + detections->len = 8;
> + detections->val = safe_malloc (g, detections->len *
> + sizeof (*detections->val));
> +
> + /* Deserialise buffer into detection list. */
> + ret = deserialise_yara_detection_list (g, fp, detections);
> + if (ret < 0) {
This returns 0 or -1, so check r == -1.
> + guestfs_free_yara_detection_list (detections);
> + return NULL;
There is no call to error/perrorf/etc along this path.
> + }
> +
> + return detections;
> +}
> +
> +/* Deserialise the file content and populate the detection list.
> + * Return the number of deserialised detections, -1 on error.
> + */
> +static int
> +deserialise_yara_detection_list (guestfs_h *g, FILE *fp,
> + struct guestfs_yara_detection_list *detections)
> +{
> + XDR xdr;
> + int ret = 0;
s/ret/r/
> + uint32_t index = 0;
> + struct stat statbuf;
> +
> + ret = fstat (fileno(fp), &statbuf);
> + if (ret == -1)
No call to perrorf.
> + return -1;
> +
> + xdrstdio_create (&xdr, fp, XDR_DECODE);
> +
> + for (index = 0; xdr_getpos (&xdr) < statbuf.st_size; index++) {
> + if (index == detections->len) {
> + detections->len = 2 * detections->len;
> + detections->val = safe_realloc (g, detections->val,
> + detections->len *
> + sizeof (*detections->val));
> + }
> +
> + /* Clear the entry so xdr logic will allocate necessary memory. */
> + memset (&detections->val[index], 0, sizeof (*detections->val));
> + ret = xdr_guestfs_int_yara_detection (&xdr, (guestfs_int_yara_detection *)
> + &detections->val[index]);
> + if (ret == 0)
> + break;
> + }
> +
> + xdr_destroy (&xdr);
> + detections->len = index;
> +
> + return ret ? 0 : -1;
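Review bot: In deserialise_yara_detection_list, `ret` holds both the fstat() result and the XDR decode result, so for an empty results file the loop body never runs, `ret` is still 0 from fstat(), and `return ret ? 0 : -1;` reports failure. If the daemon writes an empty file when no rule matches (not visible in this quote), a clean scan would return NULL instead of an empty list. Tracking decode failure separately avoids this: `int failed = 0;`, then `failed = 1;` before the `break`, and finally `return failed ? -1 : 0;`. On a failed decode the entry at `index` may also hold partially allocated fields, which `detections->len = index;` then hides from guestfs_free_yara_detection_list; calling xdr_free on that entry before the `break` would cover it. The header comment promises the number of deserialised detections while the code returns only 0 or -1, and the function's closing brace lies outside the quoted text.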
No call to error/perrorf along the error path.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v