Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Code quality: Refactor layer attributes as scan parameter

Browse source 
The current implementation sets a "next layer attributes" flag field
in the scan context. This may introduce bugs if accidentally not cleared
during error handling, causing that attribute to be applied to a
different layer than intended.

This commit resolves that by adding an attribute flag to the major
internal scan functions and removing the "next layer attributes" from
the scan context. This attributes flag shares the same flag fields as
the attributes flag in the new file inspection callback and the flags
are defined in `clamav.h`.
This commit is contained in:
Micah Snyder 2022-03-09 22:26:40 -08:00 committed by Micah Snyder
parent c7c4ea6063
commit cd3134568a
45 changed files with 298 additions and 275 deletions
Download patch file Download diff file Expand all files Collapse all files

2
libclamav/7z_iface.c
View file

@ -191,7 +191,7 @@ int cli_7unz(cli_ctx *ctx, size_t offset)
cli_dbgmsg("cli_7unz: Saving to %s\n", tmp_name);
if (cli_writen(fd, outBuffer + offset, outSizeProcessed) != outSizeProcessed)
found = CL_EWRITE;
else if ((found = cli_magic_scan_desc(fd, tmp_name, ctx, name)) == CL_VIRUS)
else if (CL_VIRUS == (found = cli_magic_scan_desc(fd, tmp_name, ctx, name, LAYER_ATTRIBUTES_NONE)))
viruses_found++;
close(fd);
if (!ctx->engine->keeptmp && cli_unlink(tmp_name))

3
libclamav/apm.c
View file

@ -223,7 +223,8 @@ int cli_scanapm(cli_ctx *ctx)
apentry.pBlockStart, apentry.pBlockCount, partoff, partsize);
/* send the partition to cli_magic_scan_nested_fmap_type */
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx, CL_TYPE_PART_ANY, (const char *)apentry.name);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx, CL_TYPE_PART_ANY,
(const char *)apentry.name, LAYER_ATTRIBUTES_NONE);
if (ret != CL_CLEAN) {
if (SCAN_ALLMATCHES && (ret == CL_VIRUS))
detection = CL_VIRUS;

4
libclamav/autoit.c
View file

@ -857,7 +857,7 @@ static int ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
close(i);
return CL_ESEEK;
}
if (cli_magic_scan_desc(i, tempfile, ctx, NULL) == CL_VIRUS) {
if (CL_VIRUS == cli_magic_scan_desc(i, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) {
if (!SCAN_ALLMATCHES) {
close(i);
if (!ctx->engine->keeptmp)
@ -1474,7 +1474,7 @@ static int ea06(cli_ctx *ctx, const uint8_t *base, char *tmpd)
close(i);
return CL_ESEEK;
}
if (cli_magic_scan_desc(i, tempfile, ctx, NULL) == CL_VIRUS) {
if (CL_VIRUS == cli_magic_scan_desc(i, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) {
if (!SCAN_ALLMATCHES) {
close(i);
if (!ctx->engine->keeptmp)

8
libclamav/binhex.c
View file

@ -122,7 +122,7 @@ int cli_binhex(cli_ctx *ctx)
ret = CL_ESEEK;
break;
}
ret = cli_magic_scan_desc(datafd, dname, ctx, NULL);
ret = cli_magic_scan_desc(datafd, dname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS) break;
}
if (dec_done)
@ -168,7 +168,7 @@ int cli_binhex(cli_ctx *ctx)
ret = CL_ESEEK;
break;
}
ret = cli_magic_scan_desc(resfd, rname, ctx, NULL);
ret = cli_magic_scan_desc(resfd, rname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
break;
}
}
@ -180,7 +180,7 @@ int cli_binhex(cli_ctx *ctx)
ret = CL_ESEEK;
break;
}
ret = cli_magic_scan_desc(datafd, dname, ctx, NULL);
ret = cli_magic_scan_desc(datafd, dname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
} else if (write_phase == IN_RES) {
cli_dbgmsg("cli_binhex: scanning partially extracted resource fork\n");
if (lseek(resfd, 0, SEEK_SET) == -1) {
@ -188,7 +188,7 @@ int cli_binhex(cli_ctx *ctx)
ret = CL_ESEEK;
break;
}
ret = cli_magic_scan_desc(resfd, rname, ctx, NULL);
ret = cli_magic_scan_desc(resfd, rname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
break;
}

2
libclamav/blob.c
View file

@ -661,7 +661,7 @@ int fileblobScan(const fileblob *fb)
virus_found = 1;
}
rc = cli_magic_scan_desc(fb->fd, fb->fullname, fb->ctx, fb->b.name);
rc = cli_magic_scan_desc(fb->fd, fb->fullname, fb->ctx, fb->b.name, LAYER_ATTRIBUTES_NONE);
if (rc == CL_VIRUS || virus_found != 0) {
cli_dbgmsg("%s is infected\n", fb->fullname);
return CL_VIRUS;

14
libclamav/bytecode.c
View file

@ -165,18 +165,14 @@ static int cli_bytecode_context_reset(struct cli_bc_ctx *ctx)
snprintf(fullname, 1024, "%s" PATHSEP "javascript", ctx->jsnormdir);
fd = open(fullname, O_RDONLY | O_BINARY);
if (fd >= 0) {
// This flag ingested by cli_recursion_stack_push().
cctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
ret = cli_scan_desc(fd, cctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL, NULL);
ret = cli_scan_desc(fd, cctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED);
if (ret == CL_CLEAN) {
if (lseek(fd, 0, SEEK_SET) == -1)
cli_dbgmsg("cli_bytecode: call to lseek() has failed\n");
else {
// This flag ingested by cli_recursion_stack_push().
cctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
ret = cli_scan_desc(fd, cctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL, NULL);
ret = cli_scan_desc(fd, cctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED);
}
}
close(fd);
@ -2912,7 +2908,7 @@ int cli_bytecode_runhook(cli_ctx *cctx, const struct cl_engine *engine, struct c
lseek(fd, 0, SEEK_SET);
cli_dbgmsg("***** Scanning unpacked file ******\n");
ret = cli_magic_scan_desc(fd, tempfile, cctx, NULL);
ret = cli_magic_scan_desc(fd, tempfile, cctx, NULL, LAYER_ATTRIBUTES_NONE);
if (!cctx->engine->keeptmp)
if (ftruncate(fd, 0) == -1)

2
libclamav/bytecode_api.c
View file

@ -550,7 +550,7 @@ int32_t cli_bcapi_extract_new(struct cli_bc_ctx *ctx, int32_t id)
cli_dbgmsg("bytecode: scanning extracted file %s\n", ctx->tempfile);
cctx = (cli_ctx *)ctx->ctx;
if (cctx) {
res = cli_magic_scan_desc_type(ctx->outfd, ctx->tempfile, cctx, ctx->containertype, NULL);
res = cli_magic_scan_desc_type(ctx->outfd, ctx->tempfile, cctx, ctx->containertype, NULL, LAYER_ATTRIBUTES_NONE);
if (res == CL_VIRUS) {
ctx->virname = cli_get_last_virus(cctx);
ctx->found = 1;

2
libclamav/clamav.h
View file

@ -492,7 +492,7 @@ extern void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cach
/*
* Attributes of each layer in scan.
*/
#define LAYER_ATTRIBUTES_NORMAL 0x0
#define LAYER_ATTRIBUTES_NONE 0x0
#define LAYER_ATTRIBUTES_NORMALIZED 0x1 /** This layer was modified to make matching more generic, reliable. */
#define LAYER_ATTRIBUTES_DECRYPTED 0x2 /** Decryption was used to extract this layer. I.e. had to decrypt some previous layer. */

9
libclamav/cpio.c
View file

@ -168,7 +168,8 @@ int cli_scancpio_old(cli_ctx *ctx)
if (ret == CL_EMAXFILES) {
goto leave;
} else if (ret == CL_SUCCESS) {
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY, fmap_name);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY,
fmap_name, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return ret;
@ -259,7 +260,8 @@ int cli_scancpio_odc(cli_ctx *ctx)
if (ret == CL_EMAXFILES) {
goto leave;
} else if (ret == CL_SUCCESS) {
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY, name);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY,
name, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return ret;
@ -352,7 +354,8 @@ int cli_scancpio_newc(cli_ctx *ctx, int crc)
if (ret == CL_EMAXFILES) {
goto leave;
} else if (ret == CL_SUCCESS) {
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY, name);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, pos, filesize, ctx, CL_TYPE_ANY,
name, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES)
return ret;

5
libclamav/dmg.c
View file

@ -179,7 +179,8 @@ int cli_scandmg(cli_ctx *ctx)
}
/* scan XML with cli_magic_scan_nested_fmap_type */
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, (size_t)hdr.xmlOffset, (size_t)hdr.xmlLength, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, (size_t)hdr.xmlOffset, (size_t)hdr.xmlLength,
ctx, CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret != CL_CLEAN) {
cli_dbgmsg("cli_scandmg: retcode from scanning TOC xml: %s\n", cl_strerror(ret));
if (!ctx->engine->keeptmp)
@ -1083,7 +1084,7 @@ static int dmg_handle_mish(cli_ctx *ctx, unsigned int mishblocknum, char *dir,
/* If okay so far, scan rebuilt partition */
if (ret == CL_CLEAN) {
/* Have to keep partition typing separate */
ret = cli_magic_scan_desc_type(ofd, outfile, ctx, CL_TYPE_PART_ANY, NULL);
ret = cli_magic_scan_desc_type(ofd, outfile, ctx, CL_TYPE_PART_ANY, NULL, LAYER_ATTRIBUTES_NONE);
}
close(ofd);

2
libclamav/elf.c
View file

@ -870,7 +870,7 @@ int cli_unpackelf(cli_ctx *ctx)
cli_dbgmsg("cli_scanelf: Unpacked and rebuilt executable\n");
lseek(ndesc, 0, SEEK_SET);
cli_dbgmsg("***** Scanning rebuilt ELF file *****\n");
if (cli_magic_scan_desc(ndesc, tempfile, ctx, NULL) == CL_VIRUS) {
if (CL_VIRUS == cli_magic_scan_desc(ndesc, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) {
close(ndesc);
CLI_TMPUNLK();
free(tempfile);

7
libclamav/gif.c
View file

@ -416,8 +416,11 @@ scan_overlay:
// Is there an overlay?
if (offset < map->len) {
cli_dbgmsg("GIF: Found extra data after the end of the GIF data stream: %zu bytes, we'll scan it!\n", map->len - offset);
cl_error_t nested_scan_result = cli_magic_scan_nested_fmap_type(map, offset, map->len - offset, ctx, CL_TYPE_ANY, NULL);
status = nested_scan_result != CL_SUCCESS ? nested_scan_result : status;
cl_error_t nested_scan_result = cli_magic_scan_nested_fmap_type(map, offset, map->len - offset,
ctx, CL_TYPE_ANY, NULL,
LAYER_ATTRIBUTES_NONE);
status = nested_scan_result != CL_SUCCESS ? nested_scan_result : status;
}
done:

4
libclamav/gpt.c
View file

@ -344,7 +344,9 @@ static int gpt_scan_partitions(cli_ctx *ctx, struct gpt_header hdr, size_t secto
/* send the partition to cli_magic_scan_nested_fmap_type */
part_off = gpe.firstLBA * sectorsize;
part_size = (gpe.lastLBA - gpe.firstLBA + 1) * sectorsize;
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, part_off, part_size, ctx, CL_TYPE_PART_ANY, namestr);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, part_off, part_size, ctx,
CL_TYPE_PART_ANY, namestr, LAYER_ATTRIBUTES_NONE);
if (NULL != namestr) {
free(namestr);
}

4
libclamav/hfsplus.c
View file

@ -433,7 +433,7 @@ static cl_error_t hfsplus_scanfile(cli_ctx *ctx, hfsPlusVolumeHeader *volHeader,
*filename = tmpname;
} else {
if (ret == CL_CLEAN) {
ret = cli_magic_scan_desc(ofd, tmpname, ctx, orig_filename);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, orig_filename, LAYER_ATTRIBUTES_NONE);
}
if (!ctx->engine->keeptmp) {
@ -1319,7 +1319,7 @@ static cl_error_t hfsplus_walk_catalog(cli_ctx *ctx, hfsPlusVolumeHeader *volHea
cli_dbgmsg("hfsplus_walk_catalog: Extracted to %s\n", tmpname);
/* if successful so far, scan the output */
ret = cli_magic_scan_desc(ofd, tmpname, ctx, name_utf8);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, name_utf8, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS) {
has_alerts = 1;

37
libclamav/hwp.c
View file

@ -175,7 +175,7 @@ static cl_error_t decompress_and_callback(cli_ctx *ctx, fmap_t *input, size_t at
ret = cb(cbdata, ofd, tmpname, ctx);
} else {
/* default to scanning what we got */
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
/* clean-up */
@ -293,8 +293,8 @@ cl_error_t cli_scanhwpole2(cli_ctx *ctx)
else
cli_dbgmsg("HWPOLE2: Matched uncompressed prefix and size: %u == %u\n", usize, asize);
return cli_magic_scan_nested_fmap_type(map, 4, 0, ctx, CL_TYPE_ANY, NULL);
// return cli_magic_scan_nested_fmap_type(map, 4, 0, ctx, CL_TYPE_OLE2);
return cli_magic_scan_nested_fmap_type(map, 4, 0, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
}
/*** HWP5 ***/
@ -374,7 +374,7 @@ static cl_error_t hwp5_cb(void *cbdata, int fd, const char *filepath, cli_ctx *c
if (fd < 0 || !ctx)
return CL_ENULLARG;
return cli_magic_scan_desc(fd, filepath, ctx, NULL);
return cli_magic_scan_desc(fd, filepath, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
cl_error_t cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, int fd, const char *filepath)
@ -394,7 +394,7 @@ cl_error_t cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, in
if (hwp5->flags & HWP5_PASSWORD) {
cli_dbgmsg("HWP5.x: Password encrypted stream, scanning as-is\n");
return cli_magic_scan_desc(fd, filepath, ctx, name);
return cli_magic_scan_desc(fd, filepath, ctx, name, LAYER_ATTRIBUTES_NONE);
}
if (hwp5->flags & HWP5_COMPRESSED) {
@ -437,7 +437,7 @@ cl_error_t cli_scanhwp5_stream(cli_ctx *ctx, hwp5_header_t *hwp5, char *name, in
}
/* normal streams */
return cli_magic_scan_desc(fd, filepath, ctx, name);
return cli_magic_scan_desc(fd, filepath, ctx, name, LAYER_ATTRIBUTES_NONE);
}
/*** HWP3 ***/
@ -1642,7 +1642,8 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
#endif
/* 32 bytes for extra data fields */
if (infolen > 0)
ret = cli_magic_scan_nested_fmap_type(map, *offset + 32, infolen - 32, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, *offset + 32, infolen - 32, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
break;
case 2: /* OLE2 Data */
hwp3_debug("HWP3.x: Information Block[%llu]: TYPE: OLE2 Data\n", infoloc);
@ -1651,7 +1652,8 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
cli_jsonstr(entry, "Type", "OLE2 Data");
#endif
if (infolen > 0)
ret = cli_magic_scan_nested_fmap_type(map, *offset, infolen, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, *offset, infolen, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
break;
case 3: /* Hypertext/Hyperlink Information */
hwp3_debug("HWP3.x: Information Block[%llu]: TYPE: Hypertext/Hyperlink Information\n", infoloc);
@ -1679,7 +1681,8 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
hwp3_debug("HWP3.x: Information Block[%llu]: %d: NAME: %s\n", infoloc, i, field);
#endif
/* scanning macros - TODO - check numbers */
ret = cli_magic_scan_nested_fmap_type(map, *offset + (617 * i) + 288, 325, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, *offset + (617 * i) + 288, 325, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
}
break;
case 4: /* Presentation Information */
@ -1716,7 +1719,8 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
#endif
/* 324 bytes for extra data fields */
if (infolen > 0)
ret = cli_magic_scan_nested_fmap_type(map, *offset + 324, infolen - 324, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, *offset + 324, infolen - 324, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
break;
case 0x100: /* Table Extension */
hwp3_debug("HWP3.x: Information Block[%llu]: TYPE: Table Extension\n", infoloc);
@ -1737,7 +1741,8 @@ static inline cl_error_t parsehwp3_infoblk_1(cli_ctx *ctx, fmap_t *dmap, size_t
default:
cli_warnmsg("HWP3.x: Information Block[%llu]: TYPE: UNKNOWN(%u)\n", infoloc, infoid);
if (infolen > 0)
ret = cli_magic_scan_nested_fmap_type(map, *offset, infolen, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, *offset, infolen, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
}
*offset += infolen;
@ -1860,8 +1865,8 @@ static cl_error_t hwp3_cb(void *cbdata, int fd, const char *filepath, cli_ctx *c
cl_error_t subret = ret;
size_t dlen = offset - start;
ret = cli_magic_scan_nested_fmap_type(map, start, dlen, ctx, CL_TYPE_ANY, NULL);
// ret = cli_magic_scan_nested_fmap_type(map, 0, 0, ctx, CL_TYPE_ANY);
ret = cli_magic_scan_nested_fmap_type(map, start, dlen, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret == CL_SUCCESS)
ret = subret;
@ -1972,7 +1977,7 @@ static cl_error_t hwpml_scan_cb(void *cbdata, int fd, const char *filepath, cli_
if (fd < 0 || !ctx)
return CL_ENULLARG;
return cli_magic_scan_desc(fd, filepath, ctx, NULL);
return cli_magic_scan_desc(fd, filepath, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
static cl_error_t hwpml_binary_cb(int fd, const char *filepath, cli_ctx *ctx, int num_attribs, struct attrib_entry *attribs, void *cbdata)
@ -2008,7 +2013,7 @@ static cl_error_t hwpml_binary_cb(int fd, const char *filepath, cli_ctx *ctx, in
/* decode the binary data if needed - base64 */
if (enc < 0) {
cli_errmsg("HWPML: Unrecognized encoding method\n");
return cli_magic_scan_desc(fd, filepath, ctx, NULL);
return cli_magic_scan_desc(fd, filepath, ctx, NULL, LAYER_ATTRIBUTES_NONE);
} else if (enc == 1) {
STATBUF statbuf;
fmap_t *input;
@ -2040,7 +2045,7 @@ static cl_error_t hwpml_binary_cb(int fd, const char *filepath, cli_ctx *ctx, in
funmap(input);
if (!decoded) {
cli_errmsg("HWPML: Failed to get base64 decode binary data\n");
return cli_magic_scan_desc(fd, filepath, ctx, NULL);
return cli_magic_scan_desc(fd, filepath, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
/* open file for writing and scanning */

6
libclamav/ishield.c
View file

@ -311,7 +311,7 @@ int cli_scanishield_msi(cli_ctx *ctx, off_t off)
cli_dbgmsg("ishield-msi: call to lseek() failed\n");
ret = CL_ESEEK;
}
ret = cli_magic_scan_desc(ofd, tempfile, ctx, filename);
ret = cli_magic_scan_desc(ofd, tempfile, ctx, filename, LAYER_ATTRIBUTES_NONE);
}
close(ofd);
@ -502,7 +502,7 @@ static int is_dump_and_scan(cli_ctx *ctx, off_t off, size_t fsize)
cli_dbgmsg("ishield: call to lseek() failed\n");
ret = CL_ESEEK;
}
ret = cli_magic_scan_desc(ofd, fname, ctx, NULL);
ret = cli_magic_scan_desc(ofd, fname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
close(ofd);
if (!ctx->engine->keeptmp)
@ -802,7 +802,7 @@ static int is_extract_cab(cli_ctx *ctx, uint64_t off, uint64_t size, uint64_t cs
cli_dbgmsg("is_extract_cab: extracted to %s\n", tempfile);
if (lseek(ofd, 0, SEEK_SET) == -1)
cli_dbgmsg("is_extract_cab: call to lseek() failed\n");
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL);
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
close(ofd);

2
libclamav/iso9660.c
View file

@ -82,7 +82,7 @@ static int iso_scan_file(const iso9660_t *iso, unsigned int block, unsigned int
}
if (!len)
ret = cli_magic_scan_desc(fd, tmpf, iso->ctx, iso->buf);
ret = cli_magic_scan_desc(fd, tmpf, iso->ctx, iso->buf, LAYER_ATTRIBUTES_NONE);
close(fd);
if (!iso->ctx->engine->keeptmp) {

3
libclamav/jpeg.c
View file

@ -303,7 +303,8 @@ static cl_error_t jpeg_check_photoshop_8bim(cli_ctx *ctx, size_t *off)
offset += 4 + 28;
/* Scan the thumbnail JPEG */
retval = cli_magic_scan_nested_fmap_type(map, offset, 0, ctx, CL_TYPE_JPEG, "photoshop-thumbnail");
retval = cli_magic_scan_nested_fmap_type(map, offset, 0, ctx, CL_TYPE_JPEG,
"photoshop-thumbnail", LAYER_ATTRIBUTES_NONE);
return retval;
}

4
libclamav/libmspack.c
View file

@ -432,7 +432,7 @@ int cli_scanmscab(cli_ctx *ctx, off_t sfx_offset)
/* Failed to extract. Try to scan what is there */
cli_dbgmsg("%s() failed to extract %d\n", __func__, ret);
ret = cli_magic_scan_file(tmp_fname, ctx, cab_f->filename);
ret = cli_magic_scan_file(tmp_fname, ctx, cab_f->filename, LAYER_ATTRIBUTES_NONE);
if (CL_EOPEN == ret) {
ret = CL_CLEAN;
} else if (CL_VIRUS == ret) {
@ -549,7 +549,7 @@ int cli_scanmschm(cli_ctx *ctx)
/* Failed to extract. Try to scan what is there */
cli_dbgmsg("%s() failed to extract %d\n", __func__, ret);
ret = cli_magic_scan_file(tmp_fname, ctx, mschm_f->filename);
ret = cli_magic_scan_file(tmp_fname, ctx, mschm_f->filename, LAYER_ATTRIBUTES_NONE);
if (CL_EOPEN == ret) {
ret = CL_CLEAN;
} else if (CL_VIRUS == ret) {

5
libclamav/macho.c
View file

@ -569,7 +569,8 @@ int cli_scanmacho_unibin(cli_ctx *ctx)
RETURN_BROKEN;
}
ret = cli_magic_scan_nested_fmap_type(map, fat_arch.offset, fat_arch.size, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(map, fat_arch.offset, fat_arch.size, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret == CL_VIRUS)
break;
}
@ -608,7 +609,7 @@ int cli_unpackmacho(cli_ctx *ctx)
cli_dbgmsg("cli_scanmacho: Unpacked and rebuilt executable\n");
lseek(ndesc, 0, SEEK_SET);
cli_dbgmsg("***** Scanning rebuilt Mach-O file *****\n");
if (cli_magic_scan_desc(ndesc, tempfile, ctx, NULL) == CL_VIRUS) {
if (CL_VIRUS == cli_magic_scan_desc(ndesc, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) {
close(ndesc);
CLI_TMPUNLK();
free(tempfile);

9
libclamav/matcher.c
View file

@ -769,7 +769,8 @@ int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx, const uint8_t *grp1, int32_t
return (int32_t)ret;
}
cl_error_t cli_scan_desc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, const char *name)
cl_error_t cli_scan_desc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset,
unsigned int acmode, struct cli_ac_result **acres, const char *name, uint32_t attributes)
{
cl_error_t status = CL_CLEAN;
int empty;
@ -785,7 +786,7 @@ cl_error_t cli_scan_desc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonl
goto done;
}
status = cli_recursion_stack_push(ctx, new_map, ftype, true); /* Perform scan with child fmap */
status = cli_recursion_stack_push(ctx, new_map, ftype, true, attributes); /* Perform scan with child fmap */
if (CL_SUCCESS != status) {
cli_dbgmsg("cli_scan_desc: Failed to scan fmap.\n");
goto done;
@ -803,8 +804,6 @@ done:
if (NULL != new_map) {
funmap(new_map);
}
// Clear the next-layer attributes so we don't accidentally apply them to subsequent layers.
ctx->next_layer_attributes = 0;
return status;
}
@ -879,7 +878,7 @@ static cl_error_t lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_a
memcpy(ctx->handlertype_hash, hash, 16);
status = cli_recursion_stack_push(ctx, new_map, ac_lsig->tdb.handlertype[0], true); /* Perform scan with child fmap */
status = cli_recursion_stack_push(ctx, new_map, ac_lsig->tdb.handlertype[0], true, LAYER_ATTRIBUTES_NONE); /* Perform scan with child fmap */
if (CL_SUCCESS != status) {
cli_dbgmsg("Failed to re-scan fmap as a new type.\n");
goto done;

4
libclamav/matcher.h
View file

@ -283,9 +283,11 @@ cl_error_t cli_scan_buff(const unsigned char *buffer, uint32_t length, uint32_t
* @param acmode Use AC_SCAN_VIR and AC_SCAN_FT to set scanning modes.
* @param[out] acres A list of cli_ac_result AC pattern matching results.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes for the thing to be scanned.
* @return cl_error_t
*/
cl_error_t cli_scan_desc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, const char *name);
cl_error_t cli_scan_desc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset,
unsigned int acmode, struct cli_ac_result **acres, const char *name, uint32_t attributes);
/**
* @brief Non-magic scan matching of the current fmap in the scan context. Newer API.

9
libclamav/mbr.c
View file

@ -184,7 +184,8 @@ int cli_scanmbr(cli_ctx *ctx, size_t sectorsize)
}
/* MBR is valid, examine bootstrap code */
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, 0, sectorsize, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, 0, sectorsize, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret != CL_CLEAN) {
if (SCAN_ALLMATCHES && (ret == CL_VIRUS))
detection = CL_VIRUS;
@ -240,7 +241,8 @@ int cli_scanmbr(cli_ctx *ctx, size_t sectorsize)
partoff = mbr.entries[i].firstLBA * sectorsize;
partsize = mbr.entries[i].numLBA * sectorsize;
mbr_parsemsg("cli_magic_scan_nested_fmap_type: [%u, +%u)\n", partoff, partsize);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx, CL_TYPE_PART_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx,
CL_TYPE_PART_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret != CL_CLEAN) {
if (SCAN_ALLMATCHES && (ret == CL_VIRUS))
detection = CL_VIRUS;
@ -381,7 +383,8 @@ static int mbr_scanextprtn(cli_ctx *ctx, unsigned *prtncount, size_t extlba, siz
return CL_EFORMAT;
}
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx, CL_TYPE_PART_ANY, NULL);
ret = cli_magic_scan_nested_fmap_type(ctx->fmap, partoff, partsize, ctx,
CL_TYPE_PART_ANY, NULL, LAYER_ATTRIBUTES_NONE);
if (ret != CL_CLEAN) {
if (SCAN_ALLMATCHES && (ret == CL_VIRUS))
detection = CL_VIRUS;

2
libclamav/msxml_parser.c
View file

@ -462,7 +462,7 @@ static int msxml_parse_element(struct msxml_ctx *mxctx, xmlTextReaderPtr reader,
cli_dbgmsg("msxml_parse_element: extracted binary data to %s\n", tempfile);
ret = cli_magic_scan_desc(of, tempfile, ctx, NULL);
ret = cli_magic_scan_desc(of, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(of);
if (!(ctx->engine->keeptmp))
cli_unlink(tempfile);

4
libclamav/nsis/nulsft.c
View file

@ -546,9 +546,9 @@ int cli_scannulsft(cli_ctx *ctx, off_t offset)
return CL_ESEEK;
}
if (nsist.fno == 1)
ret = cli_scan_desc(nsist.ofd, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL, NULL); /// TODO: Extract file names
ret = cli_scan_desc(nsist.ofd, ctx, 0, 0, NULL, AC_SCAN_VIR, NULL, NULL, LAYER_ATTRIBUTES_NONE); /// TODO: Extract file names
else
ret = cli_magic_scan_desc(nsist.ofd, nsist.ofn, ctx, NULL); /// TODO: Extract file names
ret = cli_magic_scan_desc(nsist.ofd, nsist.ofn, ctx, NULL, LAYER_ATTRIBUTES_NONE); /// TODO: Extract file names
close(nsist.ofd);
if (!ctx->engine->keeptmp)
if (cli_unlink(nsist.ofn)) ret = CL_EUNLINK;

4
libclamav/ole2_extract.c
View file

@ -1503,7 +1503,7 @@ static cl_error_t scan_mso_stream(int fd, cli_ctx *ctx)
}
/* scanning inflated stream */
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
/* clean-up */
mso_end:
@ -1666,7 +1666,7 @@ static cl_error_t handler_otf(ole2_header_t *hdr, property_t *prop, const char *
ret = scan_mso_stream(ofd, ctx);
} else {
/* Normal File Scan */
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL);
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
ret = ret == CL_VIRUS ? CL_VIRUS : CL_SUCCESS;

12
libclamav/ooxml.c
View file

@ -146,12 +146,13 @@ static cl_error_t ooxml_parse_document(int fd, cli_ctx *ctx)
return ret;
}
static cl_error_t ooxml_core_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name)
static cl_error_t ooxml_core_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes)
{
cl_error_t ret;
UNUSEDPARAM(filepath);
UNUSEDPARAM(name);
UNUSEDPARAM(attributes);
cli_dbgmsg("in ooxml_core_cb\n");
ret = ooxml_parse_document(fd, ctx);
@ -163,12 +164,13 @@ static cl_error_t ooxml_core_cb(int fd, const char *filepath, cli_ctx *ctx, cons
return ret;
}
static cl_error_t ooxml_extn_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name)
static cl_error_t ooxml_extn_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes)
{
cl_error_t ret;
UNUSEDPARAM(filepath);
UNUSEDPARAM(name);
UNUSEDPARAM(attributes);
cli_dbgmsg("in ooxml_extn_cb\n");
ret = ooxml_parse_document(fd, ctx);
@ -180,7 +182,7 @@ static cl_error_t ooxml_extn_cb(int fd, const char *filepath, cli_ctx *ctx, cons
return ret;
}
static cl_error_t ooxml_content_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name)
static cl_error_t ooxml_content_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes)
{
cl_error_t ret = CL_SUCCESS;
int tmp, toval = 0, state;
@ -192,6 +194,7 @@ static cl_error_t ooxml_content_cb(int fd, const char *filepath, cli_ctx *ctx, c
UNUSEDPARAM(filepath);
UNUSEDPARAM(name);
UNUSEDPARAM(attributes);
unsigned long sav_scansize = ctx->scansize;
unsigned int sav_scannedfiles = ctx->scannedfiles;
@ -351,13 +354,14 @@ ooxml_content_exit:
return ret;
}
static cl_error_t ooxml_hwp_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name)
static cl_error_t ooxml_hwp_cb(int fd, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes)
{
cl_error_t ret = CL_SUCCESS;
xmlTextReaderPtr reader = NULL;
UNUSEDPARAM(filepath);
UNUSEDPARAM(name);
UNUSEDPARAM(attributes);
cli_dbgmsg("in ooxml_hwp_cb\n");

6
libclamav/others.c
View file

@ -1381,7 +1381,7 @@ const char *cli_get_last_virus_str(const cli_ctx *ctx)
return "";
}
cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t type, bool is_new_buffer)
cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t type, bool is_new_buffer, uint32_t attributes)
{
cl_error_t status = CL_SUCCESS;
@ -1428,7 +1428,7 @@ cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t typ
// Normalized layers should be ignored when using the get_type() and get_intermediate_type()
// functions so that signatures that specify the container or intermediates need not account
// for normalized layers "contained in" HTML / Javascript / etc.
new_container->attributes = ctx->next_layer_attributes;
new_container->attributes = attributes;
// If the current layer is marked "decrypted", all child-layers are also marked "decrypted".
if (current_container->attributes & LAYER_ATTRIBUTES_DECRYPTED) {
@ -1438,8 +1438,6 @@ cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t typ
ctx->fmap = new_container->fmap;
done:
// Clear the next-layer attributes so we don't accidentally apply them to all subsequent layers.
ctx->next_layer_attributes = 0;
return status;
}

6
libclamav/others.h
View file

@ -209,9 +209,6 @@ typedef struct cli_ctx_tag {
uint32_t recursion_stack_size; /* stack size must == engine->max_recursion_level */
uint32_t recursion_level; /* Index into recursion_stack; current fmap recursion level from start of scan. */
fmap_t *fmap; /* Pointer to current fmap in recursion_stack, varies with recursion depth. For convenience. */
uint32_t next_layer_attributes; /* Indicate attributes that should apply to the next layer created.
* Notably for LAYER_ATTRIBUTES_NORMALIZED: Indicate that the next fmap pushed to the stack is
* normalized and should be ignored when checking container/intermediate types */
unsigned char handlertype_hash[16];
struct cli_dconf *dconf;
bitset_t *hook_lsig_matches;
@ -748,9 +745,10 @@ void cli_virus_found_cb(cli_ctx *ctx);
* @param map The fmap for the new layer.
* @param type The file type. May be CL_TYPE_ANY if unknown. Can change it later with cli_recursion_stack_change_type().
* @param is_new_buffer true if the fmap represents a new buffer/file, and not some window into an existing fmap.
* @param attributes Layer attributes for the thing to be scanned.
* @return cl_error_t CL_SUCCESS if successful, else CL_EMAXREC if exceeding the max recursion depth.
*/
cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t type, bool is_new_buffer);
cl_error_t cli_recursion_stack_push(cli_ctx *ctx, cl_fmap_t *map, cli_file_t type, bool is_new_buffer, uint32_t attributes);
/**
* @brief Pop off a layer of our scan recursion stack.

4
libclamav/pdf.c
View file

@ -1419,7 +1419,7 @@ static int pdf_scan_contents(int fd, struct pdf_struct *pdf)
cli_writen(fout, s.out, s.out_pos);
lseek(fout, 0, SEEK_SET);
rc = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL);
rc = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(fout);
if (!pdf->ctx->engine->keeptmp || (s.out_pos == 0))
@ -1814,7 +1814,7 @@ done:
/* TODO: invoke bytecode on this pdf obj with metainformation associated */
lseek(fout, 0, SEEK_SET);
rc2 = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL);
rc2 = cli_magic_scan_desc(fout, fullname, pdf->ctx, NULL, LAYER_ATTRIBUTES_NONE);
if (rc2 == CL_VIRUS || rc == CL_SUCCESS)
rc = rc2;

78
libclamav/pe.c
View file

@ -191,44 +191,44 @@
free(tempfile); \
break;
#define CLI_UNPRESULTS_(NAME, FSGSTUFF, EXPR, GOOD, FREEME) \
switch (EXPR) { \
case GOOD: /* Unpacked and rebuilt */ \
if (ctx->engine->keeptmp) \
cli_dbgmsg(NAME ": Unpacked and rebuilt executable saved in %s\n", tempfile); \
else \
cli_dbgmsg(NAME ": Unpacked and rebuilt executable\n"); \
cli_multifree FREEME; \
cli_exe_info_destroy(peinfo); \
lseek(ndesc, 0, SEEK_SET); \
cli_dbgmsg("***** Scanning rebuilt PE file *****\n"); \
SHA_OFF; \
if (cli_magic_scan_desc(ndesc, tempfile, ctx, NULL) == CL_VIRUS) { \
close(ndesc); \
SHA_RESET; \
CLI_TMPUNLK(); \
free(tempfile); \
return CL_VIRUS; \
} \
SHA_RESET; \
close(ndesc); \
CLI_TMPUNLK(); \
free(tempfile); \
return CL_CLEAN; \
\
FSGSTUFF; \
\
default: \
cli_dbgmsg(NAME ": Unpacking failed\n"); \
close(ndesc); \
if (cli_unlink(tempfile)) { \
cli_exe_info_destroy(peinfo); \
free(tempfile); \
cli_multifree FREEME; \
return CL_EUNLINK; \
} \
cli_multifree FREEME; \
free(tempfile); \
#define CLI_UNPRESULTS_(NAME, FSGSTUFF, EXPR, GOOD, FREEME) \
switch (EXPR) { \
case GOOD: /* Unpacked and rebuilt */ \
if (ctx->engine->keeptmp) \
cli_dbgmsg(NAME ": Unpacked and rebuilt executable saved in %s\n", tempfile); \
else \
cli_dbgmsg(NAME ": Unpacked and rebuilt executable\n"); \
cli_multifree FREEME; \
cli_exe_info_destroy(peinfo); \
lseek(ndesc, 0, SEEK_SET); \
cli_dbgmsg("***** Scanning rebuilt PE file *****\n"); \
SHA_OFF; \
if (CL_VIRUS == cli_magic_scan_desc(ndesc, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) { \
close(ndesc); \
SHA_RESET; \
CLI_TMPUNLK(); \
free(tempfile); \
return CL_VIRUS; \
} \
SHA_RESET; \
close(ndesc); \
CLI_TMPUNLK(); \
free(tempfile); \
return CL_CLEAN; \
\
FSGSTUFF; \
\
default: \
cli_dbgmsg(NAME ": Unpacking failed\n"); \
close(ndesc); \
if (cli_unlink(tempfile)) { \
cli_exe_info_destroy(peinfo); \
free(tempfile); \
cli_multifree FREEME; \
return CL_EUNLINK; \
} \
cli_multifree FREEME; \
free(tempfile); \
}
#define CLI_UNPRESULTS(NAME, EXPR, GOOD, FREEME) CLI_UNPRESULTS_(NAME, (void)0, EXPR, GOOD, FREEME)
@ -4026,7 +4026,7 @@ int cli_scanpe(cli_ctx *ctx)
cli_dbgmsg("***** Scanning decompressed file *****\n");
SHA_OFF;
if ((ret = cli_magic_scan_desc(ndesc, tempfile, ctx, NULL)) == CL_VIRUS) {
if ((ret = cli_magic_scan_desc(ndesc, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)) == CL_VIRUS) {
close(ndesc);
SHA_RESET;
CLI_TMPUNLK();

3
libclamav/png.c
View file

@ -302,7 +302,8 @@ scan_overlay:
/* Check if there's an overlay, and scan it if one exists. */
if (map->len > offset) {
cli_dbgmsg("PNG: Found " STDu64 " additional data after end of PNG! Scanning as a nested file.\n", map->len - offset);
status = cli_magic_scan_nested_fmap_type(map, (size_t)offset, map->len - offset, ctx, CL_TYPE_ANY, NULL);
status = cli_magic_scan_nested_fmap_type(map, (size_t)offset, map->len - offset, ctx,
CL_TYPE_ANY, NULL, LAYER_ATTRIBUTES_NONE);
goto done;
}

2
libclamav/rtf.c
View file

@ -246,7 +246,7 @@ static int decode_and_scan(struct rtf_object_data* data, cli_ctx* ctx)
cli_dbgmsg("Decoding ole object\n");
ret = cli_scan_ole10(data->fd, ctx);
} else if (data->fd > 0)
ret = cli_magic_scan_desc(data->fd, data->name, ctx, NULL);
ret = cli_magic_scan_desc(data->fd, data->name, ctx, NULL, LAYER_ATTRIBUTES_NONE);
if (data->fd > 0)
close(data->fd);
data->fd = -1;

173
libclamav/scanners.c
View file

@ -128,15 +128,14 @@
#include <fcntl.h>
#include <string.h>
cl_error_t cli_magic_scan_dir(const char *dir, cli_ctx *ctx)
cl_error_t cli_magic_scan_dir(const char *dir, cli_ctx *ctx, uint32_t attributes)
{
cl_error_t status = CL_CLEAN;
DIR *dd = NULL;
struct dirent *dent;
STATBUF statbuf;
char *fname = NULL;
unsigned int viruses_found = 0;
uint32_t next_layer_attributes = ctx->next_layer_attributes;
char *fname = NULL;
unsigned int viruses_found = 0;
if ((dd = opendir(dir)) != NULL) {
while ((dent = readdir(dd))) {
@ -155,7 +154,7 @@ cl_error_t cli_magic_scan_dir(const char *dir, cli_ctx *ctx)
/* stat the file */
if (LSTAT(fname, &statbuf) != -1) {
if (S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) {
if (cli_magic_scan_dir(fname, ctx) == CL_VIRUS) {
if (cli_magic_scan_dir(fname, ctx, attributes) == CL_VIRUS) {
if (SCAN_ALLMATCHES) {
viruses_found++;
continue;
@ -166,10 +165,7 @@ cl_error_t cli_magic_scan_dir(const char *dir, cli_ctx *ctx)
}
} else {
if (S_ISREG(statbuf.st_mode)) {
// restore next-layer attributes, so it applies to all normalized/etc. files in this dir scan.
ctx->next_layer_attributes = next_layer_attributes;
if (CL_VIRUS == cli_magic_scan_file(fname, ctx, dent->d_name)) {
if (CL_VIRUS == cli_magic_scan_file(fname, ctx, dent->d_name, attributes)) {
if (SCAN_ALLMATCHES) {
viruses_found++;
continue;
@ -310,7 +306,7 @@ static cl_error_t cli_scanrar_file(const char *filepath, int desc, cli_ctx *ctx)
}
/* Scan the comment */
status = cli_magic_scan_buff(comment, comment_size, ctx, NULL);
status = cli_magic_scan_buff(comment, comment_size, ctx, NULL, LAYER_ATTRIBUTES_NONE);
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN;
@ -466,7 +462,7 @@ static cl_error_t cli_scanrar_file(const char *filepath, int desc, cli_ctx *ctx)
* ... scan the extracted file.
*/
cli_dbgmsg("RAR: Extraction complete. Scanning now...\n");
status = cli_magic_scan_file(extract_fullpath, ctx, filename_base);
status = cli_magic_scan_file(extract_fullpath, ctx, filename_base, LAYER_ATTRIBUTES_NONE);
if (status == CL_EOPEN) {
cli_dbgmsg("RAR: File not found, Extraction failed!\n");
status = CL_CLEAN;
@ -756,7 +752,7 @@ static cl_error_t cli_scanegg(cli_ctx *ctx)
/*
* Scan the comment.
*/
status = cli_magic_scan_buff(comments[i], strlen(comments[i]), ctx, NULL);
status = cli_magic_scan_buff(comments[i], strlen(comments[i]), ctx, NULL, LAYER_ATTRIBUTES_NONE);
if ((status == CL_VIRUS) && SCAN_ALLMATCHES) {
status = CL_CLEAN;
@ -926,7 +922,7 @@ static cl_error_t cli_scanegg(cli_ctx *ctx)
* Scan the extracted file...
*/
cli_dbgmsg("EGG: Extraction complete. Scanning now...\n");
status = cli_magic_scan_buff(extract_buffer, extract_buffer_len, ctx, filename_base);
status = cli_magic_scan_buff(extract_buffer, extract_buffer_len, ctx, filename_base, LAYER_ATTRIBUTES_NONE);
if (status == CL_VIRUS) {
cli_dbgmsg("EGG: infected with %s\n", cli_get_last_virus(ctx));
status = CL_VIRUS;
@ -1092,7 +1088,7 @@ static cl_error_t cli_scanarj(cli_ctx *ctx)
if (lseek(metadata.ofd, 0, SEEK_SET) == -1) {
cli_dbgmsg("ARJ: call to lseek() failed\n");
}
status = cli_magic_scan_desc(metadata.ofd, NULL, ctx, metadata.filename);
status = cli_magic_scan_desc(metadata.ofd, NULL, ctx, metadata.filename, LAYER_ATTRIBUTES_NONE);
close(metadata.ofd);
if (status == CL_VIRUS) {
cli_dbgmsg("ARJ: infected with %s\n", cli_get_last_virus(ctx));
@ -1179,7 +1175,7 @@ static cl_error_t cli_scangzip_with_zib_from_the_80s(cli_ctx *ctx, unsigned char
gzclose(gz);
if ((ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL)) == CL_VIRUS) {
if (CL_VIRUS == (ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE))) {
cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd);
if (!ctx->engine->keeptmp) {
@ -1281,7 +1277,7 @@ static cl_error_t cli_scangzip(cli_ctx *ctx)
inflateEnd(&z);
if ((ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL)) == CL_VIRUS) {
if (CL_VIRUS == (ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE))) {
cli_dbgmsg("GZip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd);
if (!ctx->engine->keeptmp) {
@ -1387,7 +1383,7 @@ static cl_error_t cli_scanbzip(cli_ctx *ctx)
BZ2_bzDecompressEnd(&strm);
if ((ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL)) == CL_VIRUS) {
if (CL_VIRUS == (ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE))) {
cli_dbgmsg("Bzip: Infected with %s\n", cli_get_last_virus(ctx));
close(fd);
if (!ctx->engine->keeptmp) {
@ -1496,7 +1492,7 @@ static cl_error_t cli_scanxz(cli_ctx *ctx)
} while (XZ_STREAM_END != rc);
/* scan decompressed file */
if ((ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL)) == CL_VIRUS) {
if (CL_VIRUS == (ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE))) {
cli_dbgmsg("cli_scanxz: Infected with %s\n", cli_get_last_virus(ctx));
}
@ -1536,7 +1532,7 @@ static cl_error_t cli_scanszdd(cli_ctx *ctx)
}
cli_dbgmsg("MSEXPAND: Decompressed into %s\n", tmpname);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(ofd);
if (!ctx->engine->keeptmp)
if (cli_unlink(tmpname))
@ -1588,10 +1584,7 @@ static cl_error_t vba_scandata(const unsigned char *data, size_t len, cli_ctx *c
goto done;
}
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
ret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSOLE2, true); /* Perform exp_eval with child fmap */
ret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSOLE2, true, LAYER_ATTRIBUTES_NONE); /* Perform exp_eval with child fmap */
if (CL_SUCCESS != ret) {
cli_dbgmsg("Failed to scan fmap.\n");
goto done;
@ -1754,7 +1747,7 @@ static cl_error_t cli_ole2_tempdir_scan_vba_new(const char *dir, cli_ctx *ctx, s
goto done;
}
ret = cli_scan_desc(tempfd, ctx, CL_TYPE_SCRIPT, 0, NULL, AC_SCAN_VIR, NULL, NULL);
ret = cli_scan_desc(tempfd, ctx, CL_TYPE_SCRIPT, 0, NULL, AC_SCAN_VIR, NULL, NULL, LAYER_ATTRIBUTES_NONE);
close(tempfd);
tempfd = -1;
@ -2006,7 +1999,7 @@ static cl_error_t cli_ole2_tempdir_scan_vba(const char *dir, cli_ctx *ctx, struc
continue;
}
if ((fullname = cli_ppt_vba_read(fd, ctx))) {
ret = cli_magic_scan_dir(fullname, ctx);
ret = cli_magic_scan_dir(fullname, ctx, LAYER_ATTRIBUTES_NONE);
if (!ctx->engine->keeptmp)
cli_rmdirs(fullname);
@ -2173,11 +2166,10 @@ static cl_error_t cli_scanhtml(cli_ctx *ctx)
snprintf(fullname, 1024, "%s" PATHSEP "nocomment.html", tempname);
fd = open(fullname, O_RDONLY | O_BINARY);
if (fd >= 0) {
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
if ((ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL, NULL)) == CL_VIRUS)
if (CL_VIRUS == (ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED))) {
viruses_found++;
}
close(fd);
}
@ -2193,11 +2185,10 @@ static cl_error_t cli_scanhtml(cli_ctx *ctx)
snprintf(fullname, 1024, "%s" PATHSEP "notags.html", tempname);
fd = open(fullname, O_RDONLY | O_BINARY);
if (fd >= 0) {
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
if ((ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL, NULL)) == CL_VIRUS)
if (CL_VIRUS == (ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED))) {
viruses_found++;
}
close(fd);
}
@ -2208,18 +2199,16 @@ static cl_error_t cli_scanhtml(cli_ctx *ctx)
snprintf(fullname, 1024, "%s" PATHSEP "javascript", tempname);
fd = open(fullname, O_RDONLY | O_BINARY);
if (fd >= 0) {
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
if ((ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR, NULL, NULL)) == CL_VIRUS)
if (CL_VIRUS == (ret = cli_scan_desc(fd, ctx, CL_TYPE_HTML, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED))) {
viruses_found++;
}
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) {
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
if ((ret = cli_scan_desc(fd, ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR, NULL, NULL)) == CL_VIRUS)
if (CL_VIRUS == (ret = cli_scan_desc(fd, ctx, CL_TYPE_TEXT_ASCII, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NORMALIZED))) {
viruses_found++;
}
}
close(fd);
}
@ -2227,11 +2216,7 @@ static cl_error_t cli_scanhtml(cli_ctx *ctx)
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALLMATCHES)) {
snprintf(fullname, 1024, "%s" PATHSEP "rfc2397", tempname);
// This flag ingested by cli_recursion_stack_push() or cleared when cli_magic_scan_dir() is done.
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
ret = cli_magic_scan_dir(fullname, ctx);
ret = cli_magic_scan_dir(fullname, ctx, LAYER_ATTRIBUTES_NORMALIZED);
if (CL_EOPEN == ret) {
/* If the directory doesn't exist, that's fine */
ret = CL_CLEAN;
@ -2346,10 +2331,8 @@ static cl_error_t cli_scanscript(cli_ctx *ctx)
goto done;
}
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
ret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_TEXT_ASCII, true); /* Perform cli_scan_fmap with child fmap */
/* Perform cli_scan_fmap with child fmap */
ret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_TEXT_ASCII, true, LAYER_ATTRIBUTES_NORMALIZED);
if (CL_SUCCESS != ret) {
cli_dbgmsg("Failed to scan fmap.\n");
goto done;
@ -2504,11 +2487,8 @@ static cl_error_t cli_scanhtml_utf16(cli_ctx *ctx)
goto done;
}
// s/normalized/transcoded, practically the same thing.
// This flag ingested by cli_recursion_stack_push().
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_NORMALIZED;
status = cli_recursion_stack_push(ctx, new_map, CL_TYPE_HTML, true); /* Perform exp_eval with child fmap */
/* Perform exp_eval with child fmap */
status = cli_recursion_stack_push(ctx, new_map, CL_TYPE_HTML, true, LAYER_ATTRIBUTES_NORMALIZED);
if (CL_SUCCESS != status) {
cli_dbgmsg("Failed to scan fmap.\n");
goto done;
@ -2636,7 +2616,7 @@ static cl_error_t cli_ole2_scan_tempdir(
}
if (has_xlm || has_vba) {
status = cli_magic_scan_dir(dir, ctx);
status = cli_magic_scan_dir(dir, ctx, LAYER_ATTRIBUTES_NONE);
if (CL_VIRUS == status) {
viruses_found++;
if (!SCAN_ALLMATCHES) {
@ -2837,7 +2817,7 @@ static cl_error_t cli_scanscrenc(cli_ctx *ctx)
}
if (html_screnc_decode(ctx->fmap, tempname))
ret = cli_magic_scan_dir(tempname, ctx);
ret = cli_magic_scan_dir(tempname, ctx, LAYER_ATTRIBUTES_NONE);
if (!ctx->engine->keeptmp)
cli_rmdirs(tempname);
@ -2902,7 +2882,7 @@ static cl_error_t cli_scancryptff(cli_ctx *ctx)
cli_dbgmsg("CryptFF: Scanning decrypted data\n");
if ((ret = cli_magic_scan_desc(ndesc, tempfile, ctx, NULL)) == CL_VIRUS)
if (CL_VIRUS == (ret = cli_magic_scan_desc(ndesc, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE)))
cli_dbgmsg("CryptFF: Infected with %s\n", cli_get_last_virus(ctx));
close(ndesc);
@ -2956,7 +2936,7 @@ static cl_error_t cli_scantnef(cli_ctx *ctx)
ret = cli_tnef(dir, ctx);
if (ret == CL_CLEAN)
ret = cli_magic_scan_dir(dir, ctx);
ret = cli_magic_scan_dir(dir, ctx, LAYER_ATTRIBUTES_NONE);
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
@ -2982,7 +2962,7 @@ static cl_error_t cli_scanuuencoded(cli_ctx *ctx)
ret = cli_uuencode(dir, ctx->fmap);
if (ret == CL_CLEAN)
ret = cli_magic_scan_dir(dir, ctx);
ret = cli_magic_scan_dir(dir, ctx, LAYER_ATTRIBUTES_NONE);
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
@ -3023,7 +3003,7 @@ static cl_error_t cli_scanmail(cli_ctx *ctx)
}
}
ret = cli_magic_scan_dir(dir, ctx);
ret = cli_magic_scan_dir(dir, ctx, LAYER_ATTRIBUTES_NONE);
if (!ctx->engine->keeptmp)
cli_rmdirs(dir);
@ -3183,7 +3163,7 @@ static cl_error_t cli_scanembpe(cli_ctx *ctx, off_t offset)
corrupted_input = ctx->corrupted_input;
ctx->corrupted_input = 1;
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
ctx->corrupted_input = corrupted_input;
if (ret == CL_VIRUS) {
cli_dbgmsg("cli_scanembpe: Infected with %s\n", cli_get_last_virus(ctx));
@ -3650,7 +3630,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_RAR, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_RAR, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3673,7 +3654,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_EGG, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_EGG, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3696,7 +3678,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ZIP, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ZIP, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3719,7 +3702,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSCAB, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSCAB, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3742,7 +3726,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ARJ, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ARJ, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3765,7 +3750,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_7Z, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_7Z, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3788,7 +3774,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_NULSFT, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_NULSFT, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3811,7 +3798,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_AUTOIT, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_AUTOIT, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3834,7 +3822,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ISHIELD_MSI, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_ISHIELD_MSI, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3857,7 +3846,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_PDF, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_PDF, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -3885,7 +3875,8 @@ static cl_error_t scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_fi
break;
}
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSEXE, false); /* Perform scan with child fmap */
/* Perform scan with child fmap */
nret = cli_recursion_stack_push(ctx, new_map, CL_TYPE_MSEXE, false, LAYER_ATTRIBUTES_NONE);
if (CL_SUCCESS != nret) {
ret = nret;
cli_dbgmsg("scanraw: Failed to add map to recursion stack to scan embedded file.\n");
@ -5130,7 +5121,8 @@ early_ret:
return ret;
}
cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type, const char *name)
cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type,
const char *name, uint32_t attributes)
{
STATBUF sb;
cl_error_t status = CL_CLEAN;
@ -5175,7 +5167,7 @@ cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx
goto done;
}
status = cli_recursion_stack_push(ctx, new_map, type, true); /* Perform scan with child fmap */
status = cli_recursion_stack_push(ctx, new_map, type, true, attributes); /* Perform scan with child fmap */
if (CL_SUCCESS != status) {
cli_dbgmsg("Failed to scan fmap.\n");
goto done;
@ -5192,15 +5184,12 @@ done:
ctx->sub_filepath = parent_filepath;
// Clear the next-layer attributes so we don't accidentally apply them to subsequent layers.
ctx->next_layer_attributes = 0;
return status;
}
cl_error_t cli_magic_scan_desc(int desc, const char *filepath, cli_ctx *ctx, const char *name)
cl_error_t cli_magic_scan_desc(int desc, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes)
{
return cli_magic_scan_desc_type(desc, filepath, ctx, CL_TYPE_ANY, name);
return cli_magic_scan_desc_type(desc, filepath, ctx, CL_TYPE_ANY, name, attributes);
}
cl_error_t cl_scandesc(int desc, const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, struct cl_scan_options *scanoptions)
@ -5221,7 +5210,8 @@ cl_error_t cl_scandesc(int desc, const char *filename, const char **virname, uns
* @param name (optional) Original name of the file (to set fmap name metadata)
* @return int CL_SUCCESS, or an error code.
*/
static cl_error_t magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx, cli_file_t type, const char *name)
static cl_error_t magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx,
cli_file_t type, const char *name, uint32_t attributes)
{
cl_error_t status = CL_CLEAN;
fmap_t *new_map = NULL;
@ -5254,7 +5244,7 @@ static cl_error_t magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, siz
goto done;
}
status = cli_recursion_stack_push(ctx, new_map, type, false); /* Perform scan with child fmap */
status = cli_recursion_stack_push(ctx, new_map, type, false, attributes); /* Perform scan with child fmap */
if (CL_SUCCESS != status) {
cli_dbgmsg("magic_scan_nested_fmap_type: Failed to add map to recursion stack for magic scan.\n");
goto done;
@ -5273,7 +5263,8 @@ done:
}
/* For map scans that may be forced to disk */
cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx, cli_file_t type, const char *name)
cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx,
cli_file_t type, const char *name, uint32_t attributes)
{
cl_error_t ret = CL_CLEAN;
@ -5331,7 +5322,7 @@ cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t
}
/* scan the temp file */
ret = cli_magic_scan_desc_type(fd, tempfile, ctx, type, name);
ret = cli_magic_scan_desc_type(fd, tempfile, ctx, type, name, attributes);
/* remove the temp file, if needed */
if (fd >= 0) {
@ -5350,12 +5341,12 @@ cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t
*
* Just use nested map by scanning given fmap at offset + length.
*/
ret = magic_scan_nested_fmap_type(map, offset, length, ctx, type, name);
ret = magic_scan_nested_fmap_type(map, offset, length, ctx, type, name, attributes);
}
return ret;
}
cl_error_t cli_magic_scan_buff(const void *buffer, size_t length, cli_ctx *ctx, const char *name)
cl_error_t cli_magic_scan_buff(const void *buffer, size_t length, cli_ctx *ctx, const char *name, uint32_t attributes)
{
cl_error_t ret;
fmap_t *map = NULL;
@ -5365,7 +5356,7 @@ cl_error_t cli_magic_scan_buff(const void *buffer, size_t length, cli_ctx *ctx,
return CL_EMAP;
}
ret = cli_magic_scan_nested_fmap_type(map, 0, length, ctx, CL_TYPE_ANY, name);
ret = cli_magic_scan_nested_fmap_type(map, 0, length, ctx, CL_TYPE_ANY, name, attributes);
funmap(map);
@ -5587,7 +5578,7 @@ static cl_error_t scan_common(cl_fmap_t *map, const char *filepath, const char *
)) {
cli_dbgmsg("scan_common: running deprecated preclass bytecodes for target type 13\n");
ctx.options->general &= ~CL_SCAN_GENERAL_COLLECT_METADATA;
status = cli_magic_scan_buff(jstring, strlen(jstring), &ctx, NULL);
status = cli_magic_scan_buff(jstring, strlen(jstring), &ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
}
@ -5761,7 +5752,7 @@ cl_error_t cli_found_possibly_unwanted(cli_ctx *ctx)
return CL_CLEAN;
}
cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx, const char *original_name)
cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx, const char *original_name, uint32_t attributes)
{
int fd = -1;
cl_error_t ret = CL_EOPEN;
@ -5772,14 +5763,12 @@ cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx, const char *o
goto done;
}
ret = cli_magic_scan_desc(fd, filename, ctx, original_name);
ret = cli_magic_scan_desc(fd, filename, ctx, original_name, attributes);
done:
if (fd >= 0) {
close(fd);
}
// Clear the next-layer attributes so we don't accidentally apply them to subsequent layers.
ctx->next_layer_attributes = 0;
return ret;
}

73
libclamav/scanners.h
View file

@ -31,34 +31,38 @@
*
* This API allows you to specify the file type in advance if you know it.
*
* @param desc File descriptor
* @param filepath (optional) Full file path.
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param desc File descriptor
* @param filepath (optional) Full file path.
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return cl_error_t
*/
cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type, const char *name);
cl_error_t cli_magic_scan_desc_type(int desc, const char *filepath, cli_ctx *ctx, cli_file_t type,
const char *name, uint32_t attributes);
/**
* @brief Scan a tempfile / sub-file of _any_ type, passing in the fd, filepath (if available), and the scanning context.
*
* @param desc File descriptor
* @param filepath (optional) Full file path.
* @param ctx Scanning context structure.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @return int CL_SUCCESS, or an error code.
* @param desc File descriptor
* @param filepath (optional) Full file path.
* @param ctx Scanning context structure.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return int CL_SUCCESS, or an error code.
*/
cl_error_t cli_magic_scan_desc(int desc, const char *filepath, cli_ctx *ctx, const char *name);
cl_error_t cli_magic_scan_desc(int desc, const char *filepath, cli_ctx *ctx,
const char *name, uint32_t attributes);
/**
* @brief Perform a magic scan on the current ctx.
*
* Calls to cli_magic_scan() should be wrapped with a cli_recursion_stack_push/pop, except in scan_common()
*
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @return int CL_SUCCESS, or an error code.
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @return int CL_SUCCESS, or an error code.
*/
cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type);
@ -71,28 +75,32 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type);
* or if force-to-disk IS enabled, it will write the file to a temp file and then
* will scan with cli_magic_scan_desc_type().
*
* @param map File map.
* @param offset Offset into file map.
* @param length Length from offset.
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @return int CL_SUCCESS, or an error code.
* @param map File map.
* @param offset Offset into file map.
* @param length Length from offset.
* @param ctx Scanning context structure.
* @param type CL_TYPE of data to be scanned.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return int CL_SUCCESS, or an error code.
*/
cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx, cli_file_t type, const char *name);
cl_error_t cli_magic_scan_nested_fmap_type(cl_fmap_t *map, size_t offset, size_t length, cli_ctx *ctx,
cli_file_t type, const char *name, uint32_t attributes);
/**
* @brief Convenience wrapper for cli_magic_scan_nested_fmap_type().
*
* Creates an fmap and calls cli_magic_scan_nested_fmap_type() for you, with type CL_TYPE_ANY.
*
* @param buffer Pointer to the buffer to be scanned.
* @param length Size in bytes of the buffer being scanned.
* @param ctx Scanning context structure.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @return int CL_SUCCESS, or an error code.
* @param buffer Pointer to the buffer to be scanned.
* @param length Size in bytes of the buffer being scanned.
* @param ctx Scanning context structure.
* @param name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return int CL_SUCCESS, or an error code.
*/
cl_error_t cli_magic_scan_buff(const void *buffer, size_t length, cli_ctx *ctx, const char *name);
cl_error_t cli_magic_scan_buff(const void *buffer, size_t length, cli_ctx *ctx,
const char *name, uint32_t attributes);
cl_error_t cli_found_possibly_unwanted(cli_ctx *ctx);
@ -104,9 +112,11 @@ cl_error_t cli_found_possibly_unwanted(cli_ctx *ctx);
* @param filename Filepath of the file to be scanned.
* @param ctx Scanning context structure.
* @param original_name (optional) Original name of the file (to set fmap name metadata)
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return cl_error_t
*/
cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx, const char *original_name);
cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx,
const char *original_name, uint32_t attributes);
/**
* @brief Internal function to recursively scan a directory.
@ -115,9 +125,10 @@ cl_error_t cli_magic_scan_file(const char *filename, cli_ctx *ctx, const char *o
*
* @param dirname Filepath of the directory to be scanned.
* @param ctx Scanning context structure.
* @param attributes Layer attributes of the file being scanned (is it normalized, decrypted, etc)
* @return cl_error_t
*/
cl_error_t cli_magic_scan_dir(const char *dirname, cli_ctx *ctx);
cl_error_t cli_magic_scan_dir(const char *dirname, cli_ctx *ctx, uint32_t attributes);
/**
* @brief Mark all scan recursion fmap layers as non-cacheable.

4
libclamav/sis.c
View file

@ -517,7 +517,7 @@ static cl_error_t real_scansis(cli_ctx *ctx, const char *tmpd)
FREE(decomp);
if (cli_magic_scan_desc(fd, ofn, ctx, original_filepath) == CL_VIRUS) {
if (CL_VIRUS == cli_magic_scan_desc(fd, ofn, ctx, original_filepath, LAYER_ATTRIBUTES_NONE)) {
status = CL_VIRUS;
goto done;
}
@ -840,7 +840,7 @@ static cl_error_t real_scansis9x(cli_ctx *ctx, const char *tmpd)
break;
}
free(dst);
if (cli_magic_scan_desc(fd, tempf, ctx, NULL) == CL_VIRUS) {
if (cli_magic_scan_desc(fd, tempf, ctx, NULL, LAYER_ATTRIBUTES_NONE) == CL_VIRUS) {
close(fd);
return CL_VIRUS;
}

4
libclamav/swf.c
View file

@ -288,7 +288,7 @@ static cl_error_t scanzws(cli_ctx *ctx, struct swf_file_hdr *hdr)
hdr->filesize, (long long unsigned)outsize);
}
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(fd);
if (!(ctx->engine->keeptmp)) {
@ -424,7 +424,7 @@ static cl_error_t scancws(cli_ctx *ctx, struct swf_file_hdr *hdr)
hdr->filesize, outsize);
}
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL);
ret = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(fd);
if (!ctx->engine->keeptmp) {

4
libclamav/untar.c
View file

@ -173,7 +173,7 @@ cl_error_t cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
if (fout >= 0) {
lseek(fout, 0, SEEK_SET);
ret = cli_magic_scan_desc(fout, fullname, ctx, name);
ret = cli_magic_scan_desc(fout, fullname, ctx, name, LAYER_ATTRIBUTES_NONE);
close(fout);
if (!ctx->engine->keeptmp)
if (cli_unlink(fullname)) return CL_EUNLINK;
@ -369,7 +369,7 @@ cl_error_t cli_untar(const char *dir, unsigned int posix, cli_ctx *ctx)
}
if (fout >= 0) {
lseek(fout, 0, SEEK_SET);
ret = cli_magic_scan_desc(fout, fullname, ctx, name);
ret = cli_magic_scan_desc(fout, fullname, ctx, name, LAYER_ATTRIBUTES_NONE);
close(fout);
if (!ctx->engine->keeptmp)
if (cli_unlink(fullname)) return CL_EUNLINK;

23
libclamav/unzip.c
View file

@ -115,7 +115,8 @@ static cl_error_t unz(
cli_ctx *ctx,
char *tmpd,
zip_cb zcb,
const char *original_filename)
const char *original_filename,
bool decrypted)
{
char obuf[BUFSIZ] = {0};
char *tempfile = NULL;
@ -146,7 +147,8 @@ static cl_error_t unz(
if (csize < usize) {
unsigned int fake = *num_files_unzipped + 1;
cli_dbgmsg("cli_unzip: attempting to inflate stored file with inconsistent size\n");
if ((ret = unz(src, csize, usize, ALG_DEFLATE, 0, &fake, ctx, tmpd, zcb, original_filename)) == CL_CLEAN) {
if (CL_CLEAN == (ret = unz(src, csize, usize, ALG_DEFLATE, 0, &fake, ctx,
tmpd, zcb, original_filename, decrypted))) {
(*num_files_unzipped)++;
res = fake - (*num_files_unzipped);
} else
@ -154,7 +156,8 @@ static cl_error_t unz(
}
if (res == 1) {
if (ctx->engine->maxfilesize && csize > ctx->engine->maxfilesize) {
cli_dbgmsg("cli_unzip: trimming output size to maxfilesize (%lu)\n", (long unsigned int)ctx->engine->maxfilesize);
cli_dbgmsg("cli_unzip: trimming output size to maxfilesize (%lu)\n",
(long unsigned int)ctx->engine->maxfilesize);
csize = ctx->engine->maxfilesize;
}
if (cli_writen(out_file, src, csize) != csize)
@ -354,7 +357,7 @@ static cl_error_t unz(
close(out_file);
return CL_ESEEK;
}
ret = zcb(out_file, tempfile, ctx, original_filename);
ret = zcb(out_file, tempfile, ctx, original_filename, decrypted);
close(out_file);
if (!ctx->engine->keeptmp)
if (cli_unlink(tempfile)) ret = CL_EUNLINK;
@ -541,9 +544,6 @@ static inline cl_error_t zdecrypt(
cli_dbgmsg("cli_unzip: decrypt - decrypted %zu bytes to %s\n", total, tempfile);
/* The next call to push a layer onto the recursion stack will collect this "was decrypted" status. */
ctx->next_layer_attributes |= LAYER_ATTRIBUTES_DECRYPTED;
/* decrypt data to new fmap -> buffer */
if (!(dcypt_map = fmap(out_file, 0, total, NULL))) {
cli_warnmsg("cli_unzip: decrypt - failed to create fmap on decrypted file %s\n", tempfile);
@ -559,7 +559,8 @@ static inline cl_error_t zdecrypt(
}
/* call unz on decrypted output */
ret = unz(dcypt_zip, csize - SIZEOF_ENCRYPTION_HEADER, usize, LOCAL_HEADER_method, LOCAL_HEADER_flags, num_files_unzipped, ctx, tmpd, zcb, original_filename);
ret = unz(dcypt_zip, csize - SIZEOF_ENCRYPTION_HEADER, usize, LOCAL_HEADER_method, LOCAL_HEADER_flags,
num_files_unzipped, ctx, tmpd, zcb, original_filename, true);
/* clean-up and return */
funmap(dcypt_map);
@ -731,7 +732,8 @@ static unsigned int parse_local_file_header(
*ret = zdecrypt(zip, csize, usize, local_header, num_files_unzipped, ctx, tmpd, zcb, original_filename);
} else {
if (fmap_need_ptr_once(map, zip, csize))
*ret = unz(zip, csize, usize, LOCAL_HEADER_method, LOCAL_HEADER_flags, num_files_unzipped, ctx, tmpd, zcb, original_filename);
*ret = unz(zip, csize, usize, LOCAL_HEADER_method, LOCAL_HEADER_flags, num_files_unzipped,
ctx, tmpd, zcb, original_filename, false);
}
} else {
if ((NULL == original_filename) ||
@ -1287,7 +1289,8 @@ cl_error_t cli_unzip(cli_ctx *ctx)
ctx,
tmpd,
zip_scan_cb,
zip_catalogue[i].original_filename);
zip_catalogue[i].original_filename,
false);
}
file_count++;

3
libclamav/unzip.h
View file

@ -28,7 +28,8 @@
#include "others.h"
typedef cl_error_t (*zip_cb)(int fd, const char *filepath, cli_ctx *ctx, const char *name);
// Callback is the same as cli_magic_scan_desc
typedef cl_error_t (*zip_cb)(int fd, const char *filepath, cli_ctx *ctx, const char *name, uint32_t attributes);
#define zip_scan_cb cli_magic_scan_desc
#define MAX_ZIP_REQUESTS 10

2
libclamav/vba_extract.c
View file

@ -1723,7 +1723,7 @@ int cli_scan_ole10(int fd, cli_ctx *ctx)
cli_dbgmsg("cli_decode_ole_object: decoding to %s\n", fullname);
ole_copy_file_data(fd, ofd, object_size);
lseek(ofd, 0, SEEK_SET);
ret = cli_magic_scan_desc(ofd, fullname, ctx, NULL);
ret = cli_magic_scan_desc(ofd, fullname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
close(ofd);
if (ctx && !ctx->engine->keeptmp)
if (cli_unlink(fullname))

6
libclamav/xar.c
View file

@ -308,7 +308,7 @@ static int xar_scan_subdocuments(xmlTextReaderPtr reader, cli_ctx *ctx)
}
subdoc_len = xmlStrlen(subdoc);
cli_dbgmsg("cli_scanxar: in-memory scan of xml subdocument, len %i.\n", subdoc_len);
rc = cli_magic_scan_buff(subdoc, subdoc_len, ctx, NULL);
rc = cli_magic_scan_buff(subdoc, subdoc_len, ctx, NULL, LAYER_ATTRIBUTES_NONE);
if (rc == CL_VIRUS && SCAN_ALLMATCHES)
rc = CL_SUCCESS;
@ -517,7 +517,7 @@ int cli_scanxar(cli_ctx *ctx)
/* scan the xml */
cli_dbgmsg("cli_scanxar: scanning xar TOC xml in memory.\n");
rc = cli_magic_scan_buff(toc, hdr.toc_length_decompressed, ctx, NULL);
rc = cli_magic_scan_buff(toc, hdr.toc_length_decompressed, ctx, NULL, LAYER_ATTRIBUTES_NONE);
if (rc != CL_SUCCESS) {
if (rc != CL_VIRUS || !SCAN_ALLMATCHES)
goto exit_toc;
@ -846,7 +846,7 @@ int cli_scanxar(cli_ctx *ctx)
}
}
rc = cli_magic_scan_desc(fd, tmpname, ctx, NULL); /// TODO: collect file names in xar_get_toc_data_values()
rc = cli_magic_scan_desc(fd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE); /// TODO: collect file names in xar_get_toc_data_values()
if (rc != CL_SUCCESS) {
if (rc == CL_VIRUS) {
cli_dbgmsg("cli_scanxar: Infected with %s\n", cli_get_last_virus(ctx));

2
libclamav/xdp.c
View file

@ -159,7 +159,7 @@ cl_error_t cli_scanxdp(cli_ctx *ctx)
break;
}
rc = cli_magic_scan_buff(decoded, decodedlen, ctx, NULL);
rc = cli_magic_scan_buff(decoded, decodedlen, ctx, NULL, LAYER_ATTRIBUTES_NONE);
free(decoded);
if (rc != CL_SUCCESS || rc == CL_BREAK) {
xmlFree((void *)value);

8
libclamav/xlm_extract.c
View file

@ -4350,10 +4350,11 @@ cl_error_t process_blip_record(struct OfficeArtRecordHeader_Unpacked *rh, const
goto done;
}
ret = cli_magic_scan_desc_type(extracted_image_tempfd, extracted_image_filepath, ctx, CL_TYPE_ANY, NULL);
ret = cli_magic_scan_desc_type(extracted_image_tempfd, extracted_image_filepath, ctx, CL_TYPE_ANY,
NULL, LAYER_ATTRIBUTES_NONE);
} else {
/* Scan the buffer */
ret = cli_magic_scan_buff(start_of_image, size_of_image, ctx, NULL);
ret = cli_magic_scan_buff(start_of_image, size_of_image, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
if (ret == CL_VIRUS) {
if (!SCAN_ALLMATCHES) {
@ -4976,7 +4977,8 @@ cl_error_t cli_extract_xlm_macros_and_images(const char *dir, cli_ctx *ctx, char
goto done;
}
if (cli_scan_desc(out_fd, ctx, CL_TYPE_SCRIPT, 0, NULL, AC_SCAN_VIR, NULL, NULL) == CL_VIRUS) {
if (CL_VIRUS == cli_scan_desc(out_fd, ctx, CL_TYPE_SCRIPT, 0, NULL, AC_SCAN_VIR,
NULL, NULL, LAYER_ATTRIBUTES_NONE)) {
status = CL_VIRUS;
goto done;
}

3
libclamav_rust/src/sys.rs
View file

@ -119,7 +119,7 @@ pub type clcb_pre_cache = ::std::option::Option<
#[doc = ""]
#[doc = " @param fd Current file descriptor which is about to be scanned."]
#[doc = " @param type Current file type detected via magic - i.e. NOT on the fly - (e.g. \"CL_TYPE_MSEXE\")."]
#[doc = " @param ancestors A list of ancestors filenames, delimited by \" > \". Unnamed files are given the name \"(no name)\"."]
#[doc = " @param ancestors An array of ancestors filenames of size `recursion_level`. filenames may be NULL."]
#[doc = " @param parent_file_size Parent file size."]
#[doc = " @param file_name Current file name, or NULL if the file does not have a name or ClamAV failed to record the name."]
#[doc = " @param file_size Current file size."]
@ -801,7 +801,6 @@ pub struct cli_ctx_tag {
pub recursion_stack_size: u32,
pub recursion_level: u32,
pub fmap: *mut fmap_t,
pub next_layer_attributes: u32,
pub handlertype_hash: [::std::os::raw::c_uchar; 16usize],
pub dconf: *mut cli_dconf,
pub hook_lsig_matches: *mut bitset_t,