GitList

libclamav/matcher.c

b151ef55	/*
d119f7a0	* Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm@clamav.net>
b151ef55	* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software
30738099	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA.
b151ef55	*/
8b242bb9	#if HAVE_CONFIG_H #include "clamav-config.h" #endif
b151ef55	#include <string.h>
856d9c84	#include <ctype.h> #include <sys/types.h> #include <sys/stat.h>
59afa53d	#ifdef HAVE_UNISTD_H
856d9c84	#include <unistd.h>
59afa53d	#endif
b151ef55	#include "clamav.h" #include "others.h"
f91f55e0	#include "matcher-ac.h" #include "matcher-bm.h" #include "md5.h"
2fe19b26	#include "filetypes.h"
df757556	#include "matcher.h"
856d9c84	#include "pe.h"
1ec94c6b	#include "elf.h" #include "execs.h"
958dc41c	#include "special.h"
7f9ddaeb	#include "str.h"
b151ef55
f477691c	static int targettab[CL_TARGET_TABLE_SIZE] = { 0, CL_TYPE_MSEXE, CL_TYPE_MSOLE2, CL_TYPE_HTML, CL_TYPE_MAIL, CL_TYPE_GRAPHICS, CL_TYPE_ELF };
df757556
9bdb71d0	extern short cli_debug_flag;
b151ef55
7def75f3	#ifdef HAVE_NCORE
d119f7a0	#include <sn_sigscan/sn_sigscan.h> #define HWBUFFSIZE 32768
538a6756	#endif
7f9ddaeb
f477691c	int cli_scanbuff(const char buffer, unsigned int length, const char virname, const struct cl_engine engine, unsigned short ftype)
f91f55e0	{
d119f7a0	int ret = CL_CLEAN, i, tid = 0, *partcnt;
f91f55e0	unsigned long int *partoff;
f477691c	struct cli_matcher groot, troot = NULL;
7def75f3	#ifdef HAVE_NCORE
d119f7a0	void streamhandle; void resulthandle;
2de1f9b7	uint32_t datamask[2] = { 0xffffffff, 0xffffffff };
d119f7a0	int count, hret; unsigned long long offset;
7f9ddaeb	char *pt;
d119f7a0	#endif
b151ef55
f477691c	if(!engine) { cli_errmsg("cli_scanbuff: engine == NULL\n"); return CL_ENULLARG; }
7def75f3	#ifdef HAVE_NCORE if(engine->ncore) {
d119f7a0	/* TODO: Setup proper data bitmask (need specs) */ if((hret = sn_sigscan_createstream(engine->hwdb, datamask, 2, &streamhandle)) < 0) { cli_errmsg("cli_scanbuff: can't create new hardware stream: %d\n", hret); return CL_EHWIO; } if((hret = sn_sigscan_writestream(streamhandle, buffer, length)) < 0) { cli_errmsg("cli_scanbuff: can't write %u bytes to hardware stream: %d\n", length, hret); sn_sigscan_closestream(streamhandle, &resulthandle); return CL_EHWIO; } if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) { cli_errmsg("cli_scanbuff: can't close hardware stream: %d\n", hret); return CL_EHWIO; } count = sn_sigscan_resultcount(resulthandle);
7f9ddaeb	for(i = 0; i < count; i++) { const char matchname = NULL, offsetstring = NULL, optionalsigdata = NULL; int targettype = 0; if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) { cli_errmsg("cli_scanbuff: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(!matchname) { cli_errmsg("cli_scanbuff: HW Result[%d]: Signature without name\n", i); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) { cli_errmsg("cli_scanbuff: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(targettype && targettab[targettype] != (int) ftype) { cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype); continue; } if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) { cli_errmsg("cli_scanbuff: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(offsetstring) { cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Offset based signature not supported in buffer mode\n", i, matchname); continue; } if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) { cli_errmsg("cli_scanbuff: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(optionalsigdata) { if((pt = cli_strtok(optionalsigdata, 1, ":"))) { / max version / if(!isdigit(pt)) { free(pt); cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(pt) < cl_retflevel()) { cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel()); free(pt); continue; } free(pt); if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version / if(!isdigit(pt)) { free(pt); cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(pt) > cl_retflevel()) { cli_dbgmsg("cli_scanbuff: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel()); free(pt); continue; } free(pt); } } else { if(!isdigit(optionalsigdata)) { cli_errmsg("cli_scanbuff: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(optionalsigdata) > cl_retflevel()) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel()); continue; } } } virname = matchname; ret = CL_VIRUS; break; }
d119f7a0	if((hret = sn_sigscan_resultfree(resulthandle)) < 0) { cli_errmsg("cli_scanbuff: can't free results: %d\n", ret); return CL_EHWIO; } return ret; }
7def75f3	#endif /* HAVE_NCORE */
d119f7a0
f477691c	groot = engine->root[0]; /* generic signatures / if(ftype) { for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) { if(targettab[i] == ftype) { tid = i; break; } } if(tid) troot = engine->root[tid]; } if(troot) { if((partcnt = (int ) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) {
50c12868	cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int));
f477691c	return CL_EMEM; } if((partoff = (unsigned long int *) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
50c12868	cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int));
f477691c	free(partcnt); return CL_EMEM; }
9f986368	if(troot->ac_only \|\| (ret = cli_bm_scanbuff(buffer, length, virname, troot, 0, ftype, -1)) != CL_VIRUS)
f477691c	ret = cli_ac_scanbuff(buffer, length, virname, troot, partcnt, 0, 0, partoff, ftype, -1, NULL); free(partcnt); free(partoff); if(ret == CL_VIRUS) return ret; } if((partcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) {
50c12868	cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int));
f91f55e0	return CL_EMEM;
b151ef55	}
f477691c	if((partoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) {
50c12868	cli_dbgmsg("cli_scanbuff(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int));
f91f55e0	free(partcnt);
e8217f5a	return CL_EMEM;
9c1c9007	}
b151ef55
9f986368	if(groot->ac_only \|\| (ret = cli_bm_scanbuff(buffer, length, virname, groot, 0, ftype, -1)) != CL_VIRUS)
f477691c	ret = cli_ac_scanbuff(buffer, length, virname, groot, partcnt, 0, 0, partoff, ftype, -1, NULL);
f91f55e0	free(partcnt); free(partoff); return ret;
b151ef55	}
f477691c	static struct cli_md5_node cli_vermd5(const unsigned char md5, const struct cl_engine *engine)
b151ef55	{
f91f55e0	struct cli_md5_node *pt;
b151ef55
f477691c	if(!(pt = engine->md5_hlist[md5[0] & 0xff]))
b151ef55	return NULL;
f91f55e0	while(pt) { if(!memcmp(pt->md5, md5, 16)) return pt;
b151ef55
f91f55e0	pt = pt->next;
e8217f5a	}
b151ef55
f91f55e0	return NULL;
b151ef55	}
1ec94c6b	static long int cli_caloff(const char *offstr, int fd, unsigned short ftype)
856d9c84	{
1ec94c6b	struct cli_exe_info exeinfo; int (einfo)(int, struct cli_exe_info ) = NULL;
856d9c84	long int offset = -1; int n;
1ec94c6b	if(ftype == CL_TYPE_MSEXE) einfo = cli_peheader; else if(ftype == CL_TYPE_ELF) einfo = cli_elfheader;
856d9c84	if(isdigit(offstr[0])) { return atoi(offstr);
1ec94c6b	} else if(einfo && (!strncmp(offstr, "EP+", 3) \|\| !strncmp(offstr, "EP-", 3))) {
856d9c84	if((n = lseek(fd, 0, SEEK_CUR)) == -1) { cli_dbgmsg("Invalid descriptor\n"); return -1; } lseek(fd, 0, SEEK_SET);
1ec94c6b	if(einfo(fd, &exeinfo)) {
9bd73bcb	lseek(fd, n, SEEK_SET);
856d9c84	return -1;
9bd73bcb	}
1ec94c6b	free(exeinfo.section);
856d9c84	lseek(fd, n, SEEK_SET);
3af12024	if(offstr[2] == '+')
1ec94c6b	return exeinfo.ep + atoi(offstr + 3);
3af12024	else
1ec94c6b	return exeinfo.ep - atoi(offstr + 3);
3af12024
1ec94c6b	} else if(einfo && offstr[0] == 'S') {
856d9c84	if((n = lseek(fd, 0, SEEK_CUR)) == -1) { cli_dbgmsg("Invalid descriptor\n"); return -1; } lseek(fd, 0, SEEK_SET);
1ec94c6b	if(einfo(fd, &exeinfo)) {
9bd73bcb	lseek(fd, n, SEEK_SET);
856d9c84	return -1;
9bd73bcb	}
856d9c84	lseek(fd, n, SEEK_SET);
d19fc3f0	if(!strncmp(offstr, "SL", 2)) {
856d9c84
d19fc3f0	if(sscanf(offstr, "SL+%ld", &offset) != 1) {
1ec94c6b	free(exeinfo.section);
d19fc3f0	return -1; }
1ec94c6b	offset += exeinfo.section[exeinfo.nsections - 1].raw;
d19fc3f0	} else { if(sscanf(offstr, "S%d+%ld", &n, &offset) != 2) {
1ec94c6b	free(exeinfo.section);
d19fc3f0	return -1; }
1ec94c6b	if(n >= exeinfo.nsections) { free(exeinfo.section);
d19fc3f0	return -1; }
1ec94c6b	offset += exeinfo.section[n].raw;
856d9c84	}
1ec94c6b	free(exeinfo.section);
856d9c84	return offset;
d19fc3f0
856d9c84	} else if(!strncmp(offstr, "EOF-", 4)) { struct stat sb; if(fstat(fd, &sb) == -1) return -1; return sb.st_size - atoi(offstr + 4); } return -1; }
a2c0f775	static int cli_checkfp(int fd, const struct cl_engine *engine)
3f66a5af	{ struct cli_md5_node *md5_node;
3c9c82bf	unsigned char *digest;
3f66a5af
f477691c	if(engine->md5_hlist) {
3f66a5af	if(!(digest = cli_md5digest(fd))) { cli_errmsg("cli_checkfp(): Can't generate MD5 checksum\n"); return 0; }
f477691c	if((md5_node = cli_vermd5(digest, engine)) && md5_node->fp) {
3f66a5af	struct stat sb; if(fstat(fd, &sb)) return CL_EIO;
a8b53539	if((unsigned int) sb.st_size != md5_node->size) {
3f66a5af	cli_warnmsg("Detected false positive MD5 match. Please report.\n"); } else { cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname); free(digest); return 1; } } free(digest); } return 0; }
e2b5770b	int cli_validatesig(unsigned short ftype, const char offstr, unsigned long int fileoff, int desc, const char virname)
856d9c84	{ if(offstr && desc != -1) {
1ec94c6b	long int off = cli_caloff(offstr, desc, ftype);
856d9c84	if(off == -1) { cli_dbgmsg("Bad offset in signature (%s)\n", virname); return 0; }
a8b53539	if(fileoff != (unsigned long int) off) {
59afa53d	cli_dbgmsg("Virus offset: %ld, expected: %ld (%s)\n", fileoff, off, virname);
856d9c84	return 0; } } return 1; }
605b8cf0	int cli_scandesc(int desc, cli_ctx ctx, unsigned short otfrec, unsigned short ftype, struct cli_matched_type *ftoffset)
b151ef55	{
f91f55e0	char buffer, buff, endbl, pt;
7f7736bb	int ret = CL_CLEAN, gpartcnt = NULL, tpartcnt = NULL, type = CL_CLEAN, i, tid = 0, bytes;
3b4ee075	unsigned int buffersize, length, maxpatlen, shift = 0;
7f7736bb	unsigned long int gpartoff = NULL, tpartoff = NULL, offset = 0;
605b8cf0	MD5_CTX md5ctx;
d2a12ffd	unsigned char digest[16];
f91f55e0	struct cli_md5_node *md5_node;
f477691c	struct cli_matcher groot, troot = NULL;
7def75f3	#ifdef HAVE_NCORE
d119f7a0	void streamhandle; void resulthandle; unsigned long long hoffset;
2de1f9b7	uint32_t datamask[2] = { 0xffffffff, 0xffffffff };
d119f7a0	int count, hret;
7f9ddaeb	off_t origoff;
d119f7a0	#endif
2fe19b26
605b8cf0	if(!ctx->engine) {
f477691c	cli_errmsg("cli_scandesc: engine == NULL\n");
f91f55e0	return CL_ENULLARG;
ff8cb48b	}
7def75f3	#ifdef HAVE_NCORE if(ctx->engine->ncore) {
d119f7a0	/* TODO: Setup proper data bitmask (need specs) / if((hret = sn_sigscan_createstream(ctx->engine->hwdb, datamask, 2, &streamhandle)) < 0) { cli_errmsg("cli_scandesc: can't create new hardware stream: %d\n", hret); return CL_EHWIO; } if(!(buffer = (char ) cli_calloc(HWBUFFSIZE, sizeof(char)))) { cli_dbgmsg("cli_scandesc: unable to cli_calloc(%u)\n", HWBUFFSIZE); return CL_EMEM; }
7f9ddaeb	if((origoff = lseek(desc, 0, SEEK_CUR)) == -1) { cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc); free(buffer); return CL_EIO; }
a2c0f775	if(ctx->engine->md5_hlist) MD5_Init(&md5ctx);
d119f7a0	while((bytes = cli_readn(desc, buffer, HWBUFFSIZE)) > 0) { if((hret = sn_sigscan_writestream(streamhandle, buffer, bytes)) < 0) { cli_errmsg("cli_scandesc: can't write to hardware stream: %d\n", hret); ret = CL_EHWIO; break; } else { if(ctx->scanned) *ctx->scanned += bytes / CL_COUNT_PRECISION;
a2c0f775	if(ctx->engine->md5_hlist) MD5_Update(&md5ctx, buffer, bytes);
d119f7a0	} } free(buffer); if((hret = sn_sigscan_closestream(streamhandle, &resulthandle)) < 0) { cli_errmsg("cli_scandesc: can't close hardware stream: %d\n", hret); return CL_EHWIO; } count = sn_sigscan_resultcount(resulthandle);
7f9ddaeb	for(i = 0; i < count; i++) { const char matchname = NULL, offsetstring = NULL, *optionalsigdata = NULL; unsigned long long startoffset = 0; int targettype = 0; if((hret = sn_sigscan_resultget_name(resulthandle, i, &matchname) < 0)) { cli_errmsg("cli_scandesc: sn_sigscan_resultget_name failed for result %d: %d\n", i, hret);
d119f7a0	sn_sigscan_resultfree(resulthandle); return CL_EHWIO; }
7f9ddaeb	if(!matchname) { cli_errmsg("cli_scandesc: HW Result[%d]: Signature without name\n", i); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if((hret = sn_sigscan_resultget_targettype(resulthandle, i, &targettype) < 0)) { cli_errmsg("cli_scandesc: sn_sigscan_resultget_targettype failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(targettype && targettab[targettype] != (int) ftype) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Target type: %d, expected: %d\n", i, matchname, targettab[targettype], ftype); continue; } if((hret = sn_sigscan_resultget_offsetstring(resulthandle, i, &offsetstring) < 0)) { cli_errmsg("cli_scandesc: sn_sigscan_resultget_offsetstring failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if((hret = sn_sigscan_resultget_startoffset(resulthandle, i, &startoffset) < 0)) { cli_errmsg("cli_scandesc: sn_sigscan_resultget_startoffset failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(offsetstring && strcmp(offsetstring, "")) { long int off = cli_caloff(offsetstring, desc, ftype); if(off == -1) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Bad offset in signature\n", i, matchname); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(startoffset != (unsigned long long) off) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Virus offset: %Lu, expected: %ld\n", i, matchname, startoffset, off); continue; } } if((hret = sn_sigscan_resultget_extradata(resulthandle, i, &optionalsigdata) < 0)) { cli_errmsg("cli_scandesc: sn_sigscan_resultget_extradata failed for result %d, signature %s: %d\n", i, matchname, hret); sn_sigscan_resultfree(resulthandle); return CL_EHWIO; } if(optionalsigdata) { if((pt = cli_strtok(optionalsigdata, 1, ":"))) { / max version / if(!isdigit(pt)) { free(pt); cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(pt) < cl_retflevel()) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature max flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel()); free(pt); continue; } free(pt); if((pt = cli_strtok(optionalsigdata, 0, ":"))) { /* min version / if(!isdigit(pt)) { free(pt); cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(pt) > cl_retflevel()) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(pt), cl_retflevel()); free(pt); continue; } free(pt); } } else { if(!isdigit(optionalsigdata)) { cli_errmsg("cli_scandesc: HW Result[%d]: %s: Incorrect optional signature data: %s\n", i, matchname, optionalsigdata); sn_sigscan_resultfree(resulthandle); return CL_EMALFDB; } if(atoi(optionalsigdata) > cl_retflevel()) { cli_dbgmsg("cli_scandesc: HW Result[%d]: %s: Signature required flevel: %d, current: %d\n", i, matchname, atoi(optionalsigdata), cl_retflevel()); continue; } } } ctx->virname = matchname; ret = CL_VIRUS; break;
d119f7a0	} if((hret = sn_sigscan_resultfree(resulthandle)) < 0) { cli_errmsg("cli_scandesc: can't free results: %d\n", ret); return CL_EHWIO; }
a2c0f775	if(ctx->engine->md5_hlist) { MD5_Final(digest, &md5ctx); if((md5_node = cli_vermd5(digest, ctx->engine))) { struct stat sb; if(fstat(desc, &sb)) return CL_EIO; if((unsigned int) sb.st_size != md5_node->size) { cli_warnmsg("Detected false positive MD5 match. Please report.\n"); } else { if(md5_node->fp) { cli_dbgmsg("Eliminated false positive match (fp sig: %s)\n", md5_node->virname); ret = CL_CLEAN; } else { if(ctx->virname) *ctx->virname = md5_node->virname; ret = CL_VIRUS; } } } }
7f9ddaeb	if(ret == CL_VIRUS \|\| (ftype != CL_TYPE_UNKNOWN_TEXT && ftype != CL_TYPE_UNKNOWN_DATA)) return ret; if((origoff = lseek(desc, origoff, SEEK_SET)) == -1) { cli_errmsg("cli_scandesc: lseek() failed for descriptor %d\n", desc); return CL_EIO; }
d119f7a0	}
7def75f3	#endif /* HAVE_NCORE */
d119f7a0
605b8cf0	groot = ctx->engine->root[0]; /* generic signatures */
f477691c	if(ftype) { for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) { if(targettab[i] == ftype) { tid = i; break; } } if(tid)
605b8cf0	troot = ctx->engine->root[tid];
f477691c	} if(troot) maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen); else maxpatlen = groot->maxpatlen;
f91f55e0	/* prepare the buffer */
cec4e61d	buffersize = maxpatlen + SCANBUFF; if(!(buffer = (char *) cli_calloc(buffersize, sizeof(char)))) { cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d)\n", buffersize);
f91f55e0	return CL_EMEM; }
2fe19b26
f477691c	if((gpartcnt = (int *) cli_calloc(groot->ac_partsigs + 1, sizeof(int))) == NULL) { cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(int));
f91f55e0	free(buffer); return CL_EMEM; }
b151ef55
f477691c	if((gpartoff = (unsigned long int *) cli_calloc(groot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", groot->ac_partsigs + 1, sizeof(unsigned long int));
f91f55e0	free(buffer);
f477691c	free(gpartcnt);
f91f55e0	return CL_EMEM; }
b151ef55
f477691c	if(troot) { if((tpartcnt = (int ) cli_calloc(troot->ac_partsigs + 1, sizeof(int))) == NULL) { cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(int)); free(buffer); free(gpartcnt); free(gpartoff); return CL_EMEM; } if((tpartoff = (unsigned long int ) cli_calloc(troot->ac_partsigs + 1, sizeof(unsigned long int))) == NULL) { cli_dbgmsg("cli_scandesc(): unable to cli_calloc(%d, %d)\n", troot->ac_partsigs + 1, sizeof(unsigned long int)); free(buffer); free(gpartcnt); free(gpartoff); free(tpartcnt); return CL_EMEM; } }
605b8cf0	if(ctx->engine->md5_hlist) MD5_Init(&md5ctx);
b151ef55
9ce8ad74
f91f55e0	buff = buffer;
f477691c	buff += maxpatlen; /* pointer to read data block / endbl = buff + SCANBUFF - maxpatlen; / pointer to the last block * length of maxpatlen
f91f55e0	*/
b151ef55
d2a12ffd	pt = buff;
cec4e61d	while((bytes = cli_readn(desc, buff + shift, SCANBUFF - shift)) > 0) {
b151ef55
605b8cf0	if(ctx->scanned) *ctx->scanned += bytes / CL_COUNT_PRECISION;
b151ef55
cec4e61d	length = shift + bytes; if(pt == buffer) length += maxpatlen;
ff8cb48b
f477691c	if(troot) {
605b8cf0	if(troot->ac_only \|\| (ret = cli_bm_scanbuff(pt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS) ret = cli_ac_scanbuff(pt, length, ctx->virname, troot, tpartcnt, otfrec, offset, tpartoff, ftype, desc, ftoffset);
9f986368	if(ret == CL_VIRUS) {
f477691c	free(buffer); free(gpartcnt); free(gpartoff); free(tpartcnt); free(tpartoff); lseek(desc, 0, SEEK_SET);
605b8cf0	if(cli_checkfp(desc, ctx->engine))
f477691c	return CL_CLEAN; else return CL_VIRUS; } }
3f66a5af
605b8cf0	if(groot->ac_only \|\| (ret = cli_bm_scanbuff(pt, length, ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS) ret = cli_ac_scanbuff(pt, length, ctx->virname, groot, gpartcnt, otfrec, offset, gpartoff, ftype, desc, ftoffset);
9f986368	if(ret == CL_VIRUS) {
f477691c	free(buffer); free(gpartcnt); free(gpartoff); if(troot) { free(tpartcnt); free(tpartoff); }
3f66a5af	lseek(desc, 0, SEEK_SET);
605b8cf0	if(cli_checkfp(desc, ctx->engine))
3f66a5af	return CL_CLEAN; else return CL_VIRUS;
b151ef55
df757556	} else if(otfrec && ret >= CL_TYPENO) {
f91f55e0	if(ret >= type) type = ret; }
b151ef55
cec4e61d	if(ctx->engine->md5_hlist) MD5_Update(&md5ctx, buff + shift, bytes); if(bytes + shift == SCANBUFF) {
f477691c	memmove(buffer, endbl, maxpatlen);
cec4e61d	offset += SCANBUFF;
1f73f3ff
cec4e61d	if(pt == buff) {
34dd51a6	pt = buffer;
cec4e61d	offset -= maxpatlen;
34dd51a6	}
cec4e61d	shift = 0; } else { shift += bytes;
34dd51a6	}
d898865b
f91f55e0	}
d898865b
f91f55e0	free(buffer);
f477691c	free(gpartcnt); free(gpartoff); if(troot) { free(tpartcnt); free(tpartoff); }
1f73f3ff
605b8cf0	if(ctx->engine->md5_hlist) { MD5_Final(digest, &md5ctx);
1f73f3ff
605b8cf0	if((md5_node = cli_vermd5(digest, ctx->engine)) && !md5_node->fp) {
61f31052	struct stat sb; if(fstat(desc, &sb)) return CL_EIO;
a8b53539	if((unsigned int) sb.st_size != md5_node->size) {
61f31052	cli_warnmsg("Detected false positive MD5 match. Please report.\n"); } else {
605b8cf0	if(ctx->virname) *ctx->virname = md5_node->virname;
61f31052	return CL_VIRUS; }
f91f55e0	}
1f73f3ff	}
df757556	return otfrec ? type : CL_CLEAN;
1f73f3ff	}