Hi,

I think there is a bug in the cli_ac_addpatt() function.

In my kernel module version of ClamAV, I check for wildcard characters
in the first 2 bytes of the pattern:
    for(i = 0; i < AC_MIN_LENGTH; i++) {
        // wild card characters not allowed in hash
        if (pattern->pattern[i] == CLI_IGN || pattern->pattern[i] == CLI_ALT)
            return CL_EPATSHORT;
    }

I do that because if such a node is added to the AC trie,
that node will never be found by cli_ac_scanbuff().

There are 2 examples I found in the ClamAV db for signatures that have
a wildcard character as the 2nd byte of the pattern:

Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
Trojan.IRC-Script-28:0:*:6e??...

Please let me know if I got it wrong.
Thanks,
Amir.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
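The failure mode described in the message above, as an added example (a simplified model, not ClamAV's code and not code from the message): a depth-2 trie keyed on the first AC_MIN_LENGTH pattern elements files a wildcard-led pattern under whatever byte the sentinel truncates to, so data the wildcard was meant to cover never reaches that node. The `model_*` functions, the sentinel and return values, and the sample pattern and buffer are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define AC_MIN_LENGTH 2   /* trie depth, as in the message */
#define CLI_IGN 0x100     /* assumed sentinel for "??" */
#define CLI_ALT 0x101     /* assumed sentinel for "(a|b)" */
#define CL_SUCCESS 0
#define CL_EPATSHORT (-1) /* assumed numeric value */
/* Depth-2 trie flattened to a table keyed on two bytes. */
static struct { const unsigned short *pat; size_t len; } trie[256][256];
static void model_reset(void) { memset(trie, 0, sizeof trie); }

/* Insert keyed on the low byte of the first two elements; strict applies the proposed check. */
static int model_addpatt(const unsigned short *pat, size_t len, int strict)
{
    if (len < AC_MIN_LENGTH) return CL_EPATSHORT;
    for (size_t i = 0; strict && i < AC_MIN_LENGTH; i++)
        if (pat[i] == CLI_IGN || pat[i] == CLI_ALT)
            return CL_EPATSHORT;
    trie[pat[0] & 0xff][pat[1] & 0xff].pat = pat;
    trie[pat[0] & 0xff][pat[1] & 0xff].len = len;
    return CL_SUCCESS;
}

/* Follow two data bytes to a node, then verify the whole pattern (CLI_IGN matches any byte). */
static int model_scanbuff(const unsigned char *buf, size_t n)
{
    size_t off, i, len;
    int hits = 0;
    for (off = 0; off + AC_MIN_LENGTH <= n; off++) {
        const unsigned short *pat = trie[buf[off]][buf[off + 1]].pat;
        len = trie[buf[off]][buf[off + 1]].len;
        if (!pat || off + len > n) continue;
        for (i = 0; i < len && (pat[i] == CLI_IGN || pat[i] == buf[off + i]); i++)
            ;
        hits += (i == len);
    }
    return hits; /* number of matching offsets */
}

int main(void)
{
    static const unsigned short sig[] = {0x6e, CLI_IGN, 0x63}; /* constructed: 6e??63 */
    static const unsigned char data[] = {0x6e, 0x41, 0x63};    /* constructed buffer */
    int lax = model_addpatt(sig, 3, 0), hits = model_scanbuff(data, 3);
    model_reset();
    printf("lax add=%d hits=%d, strict add=%d\n", lax, hits, model_addpatt(sig, 3, 1));
    return 0;
}
```

Without the check the signature loads successfully yet produces no detection on data it should cover; with the check the loader gets an error it can log or act on.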
