MaxStreamSize does not seem to have an upper limit #1414

Open
arranpx opened this issue Dec 3, 2024 · 3 comments

arranpx commented Dec 3, 2024

Describe the bug

It is a known limitation of ClamAV that files larger than 2GB cannot be scanned, as discussed in this issue.

I am implementing my own client for the ClamAV daemon, which does the reading of files itself and then uses the ClamAV INSTREAM command to scan the stream of the file.

This works well, and of course, if I try to send a stream larger than the MaxStreamSize setting in the clamd.conf, ClamAV logs an error and closes the connection as expected.

However, if I set MaxStreamSize to something larger than "officially" supported by ClamAV e.g. 5GB, and then read + stream a file of (just under) this size to ClamAV, ClamAV seems to successfully scan the stream and return a result. There seems to be no limit to what I can set MaxStreamSize to, and therefore no limit to the size of the stream I can use - as long as I have sufficient memory. This allows me to theoretically have no limit to the file size I can scan as long as I do the read myself.

My understanding from reading the ClamAV docs and GitHub issues is that this should not be possible due to technical limitations of ClamAV. If this is true, can I therefore not trust the result of this scan? It feels like there should be an upper limit on the MaxStreamSize setting, similar to MaxScanSize and MaxFileSize.

Further, the man page for ClamAV implies this should be limited to 4GB as it states:

> All options expressing a size are limited to max 4GB. Values in excess will be reset to the maximum.

How to reproduce the problem

  • Set MaxStreamSize to 5GB
  • Generate a 4.8GB file (or any size >4gb but <5gb)
  • Read the file and stream the buffer to ClamAV, using the INSTREAM command
  • Scan should complete successfully and return an OK status (assuming you did not use an Eicar)

arranpx commented Dec 19, 2024

I have just seen the issue #1424, and the reply there indicates that using INSTREAM simply writes to a temporary file, which ClamAV scans. If this is the case, why are we able to scan any arbitrarily sized stream, as my issue mentions? This seems like a significant bug.

micahsnyder (Contributor) commented

I am sorry your issue slipped past me 2 weeks ago.

Note: it is StreamMaxLength, not MaxStreamSize.

If you use clamscan to scan a file larger than MaxFileSize it will also return "OK", even though the file wasn't scanned.

So regardless of whether or not you're using clamscan or clamd with INSTREAM, I wouldn't trust the scan of a file larger than MaxFileSize.

If you enable AlertExceedsMax, I suspect it will show the file isn't really scanned.

I haven't played around with StreamMaxLength. My intuition is that you probably shouldn't be allowed to set StreamMaxLength larger than MaxFileSize. Or perhaps it should print a warning if you do.


arranpx commented Dec 20, 2024

No worries about the delay! Thanks for replying now!

> Note: it is StreamMaxLength, not MaxStreamSize.

Thanks, I am not sure how I got this wrong in the initial post, but this is indeed the setting I mean, and have been fiddling with.

> If you use clamscan to scan a file larger than MaxFileSize it will also return "OK", even though the file wasn't scanned.

This is very interesting. It is what I was expecting given my results, but it is good to have it confirmed, as the behaviour to return OK in this instance seems counterintuitive. I will have a play with AlertExceedsMax - thanks for the suggestion.

> you probably shouldn't be allowed to set StreamMaxLength larger than MaxFileSize

Completely agree with this! ClamAV appropriately errors if you set MaxFileSize too large, but not StreamMaxLength hence my confusion with it. I think it would make sense for them both to error in the same way.
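
Added example, not part of the thread and not ClamAV project code: a client-side guard for a custom INSTREAM client that flags a clamd.conf where StreamMaxLength exceeds MaxFileSize and refuses to report "clean" for an OK reply on a stream larger than MaxFileSize. The function names, the K/M/G suffix handling, the sample config and the reliance on replies ending in OK, FOUND or ERROR are assumptions of this example.

```python
import re

UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}

def parse_size(value):
    """Turn '100M' or '5G' into bytes (suffix handling is this example's assumption)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def read_limits(conf_text):
    """Extract the two size options discussed in the thread from clamd.conf text."""
    limits = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split key/value
        if len(parts) == 2 and parts[0] in ("StreamMaxLength", "MaxFileSize"):
            limits[parts[0]] = parse_size(parts[1])
    return limits

def audit(limits):
    """Return a warning when clamd accepts streams larger than MaxFileSize."""
    s, f = limits.get("StreamMaxLength"), limits.get("MaxFileSize")
    if s is None or f is None:
        return "set both StreamMaxLength and MaxFileSize explicitly to compare them"
    if s > f:
        return (f"StreamMaxLength ({s}) exceeds MaxFileSize ({f}): "
                "an OK for a larger stream cannot be trusted")
    return None

def classify(reply, bytes_sent, limits):
    """Map a clamd INSTREAM reply to a verdict the caller can act on."""
    reply = reply.rstrip("\0\n")
    if reply.endswith("FOUND"):
        return "infected"
    if reply.endswith("OK"):
        # Thread's advice: an OK for data larger than MaxFileSize is not a scan result.
        limit = limits.get("MaxFileSize")
        if limit is None or bytes_sent > limit:
            return "unscanned"
        return "clean"
    return "error"  # includes replies ending in ERROR and anything unexpected

# Constructed sample config mirroring the reproduction steps in the issue.
SAMPLE_CONF = """\
# clamd.conf (constructed for this example)
StreamMaxLength 5G
MaxFileSize 2000M
"""
```

Call `classify` with the number of bytes the client actually streamed, and treat "unscanned" as a failure to scan rather than as a pass.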
