Thank you for the fast reply. Sorry for bothering you again. I am missing something in this huge project. I cannot understand why both functions, cli_ac_scanbuff and cli_ac_scanbuff, are called in one cli_scandesc() function call. I just have one signature in the database, and for me it was obvious that the file would be scanned once using AC or BM. But both algorithms are used. Have a look below:

Here is output:

--------------output-------------
groot->maxpatlen: 24
troot->ac_only IN TROOT!!!1
<<<<<<<<<<<cli_ac_scanbuff_function_call>>>>>>>>>>>><<<<<<<<<<<root->ac_root6488480>>>>>>>>>>>>
RET IN TROOT!!!0
groot->ac_only IN GROOT!!!0
<<<<<<<<<<<cli_bm_scanbuff_function_call>>>>>>>>>>>>><<<<<<<<<<<root6346288>>>>>>>>>>>>
RET IN GROOT!!!1
------------end_output---------------------

from this code:

------------code--------------------
    if(troot) {
        printf("\ntroot->ac_only IN TROOT!!!%d \n",troot->ac_only);
        if(troot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, troot, offset, ftype, desc)) != CL_VIRUS)
            ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL, troot, &tdata, offset, ftype, desc, ftoffset, acmode, NULL);
        printf("\nRET IN TROOT!!!%d \n", ret);
        if(ret == CL_VIRUS) {
            free(buffer);
            if(!ftonly)
                cli_ac_freedata(&gdata);
<----------cut----------->
            else
                return CL_VIRUS;
        }
    }

    if(!ftonly) {
        printf("\ngroot->ac_only IN GROOT!!!%d \n",groot->ac_only);
        if(groot->ac_only || (ret = cli_bm_scanbuff(upt, length, ctx->virname, groot, offset, ftype, desc)) != CL_VIRUS)
            ret = cli_ac_scanbuff(upt, length, ctx->virname, NULL, NULL, groot, &gdata, offset, ftype, desc, ftoffset, acmode, NULL);
        printf("\nRET IN GROOT!!!%d \n", ret);
        if(ret == CL_VIRUS) {
            free(buffer);
            cli_ac_freedata(&gdata);
<----------cut----------->
--------------end_code------------------

Maybe there is something magic with groot & troot, but they are just pointing to the cli_matcher struct.

    struct cli_matcher *groot = NULL, *troot = NULL;

    struct cli_matcher {
        /* Extended Boyer-Moore */
        uint8_t *bm_shift;
        struct cli_bm_patt **bm_suffix;
        struct hashset md5_sizes_hs;
        uint32_t *soff, soff_len; /* for PE section sigs */
        uint32_t bm_patterns;

        /* Extended Aho-Corasick */
        uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;
        struct cli_ac_lsig **ac_lsigtable;
        struct cli_ac_node *ac_root, **ac_nodetable;
        struct cli_ac_patt **ac_pattable;
        uint8_t ac_mindepth, ac_maxdepth;

        uint16_t maxpatlen;
        uint8_t ac_only;
    };

Am I missing something?

Best Regards,
Tom

On Tue, Dec 9, 2008 at 5:00 PM, Török Edwin <[EMAIL PROTECTED]> wrote:
> On 2008-12-09 18:51, Thomasz Blaszczyk wrote:
>> Thank you for answer,
>>
>> I have another question. I cannot figure out meaning for ftonly and troot.
>> Can I get some explanation for this 2 variables?
>>
>> They are used in matcher.c [code snipped]:
>>
>>     if(!ftonly && (ret = cli_ac_initdata(&gdata, groot->ac_partsigs,
>> groot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
>>         return ret;
>>
>
> ft stands for filetype.
>
>>     if(troot) {
>>         if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs,
>> troot->ac_lsigs, AC_DEFAULT_TRACKLEN)))
>>             return ret;
>>     }
>
> Look at signatures.pdf again, in the .ndb format each pattern has a
> TargetType field, hence a different trie is used for each type.
>
> As for groot, there is a comment explaining what it is:
>     groot = ctx->engine->root[0]; /* generic signatures */
>
>
> Best regards,
> --Edwin

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
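
The dispatch in the posted snippet, modelled as an added example that is not part of the thread and is not ClamAV code: each root is tried with BM first unless its ac_only flag is set, and AC runs whenever BM was skipped or did not return CL_VIRUS. The toy_* names, the strstr-based stand-ins for the real BM and AC matchers, and the sample patterns are assumptions made for illustration.

```c
/* Added illustration, not ClamAV source; toy_* names and patterns are assumed. */
#include <stdio.h>
#include <string.h>

#define CL_CLEAN 0
#define CL_VIRUS 1
struct toy_matcher {
    const char *name;     /* "t" (target-type root) or "g" (generic root) */
    const char *bm_patt;  /* stand-in for the Boyer-Moore pattern set */
    const char *ac_patt;  /* stand-in for the Aho-Corasick trie */
    int ac_only;          /* nonzero: skip BM on this root, as in the snippet */
};

char toy_trace[64];       /* which matcher ran on which root, in call order */

static int toy_find(const char *buf, const struct toy_matcher *m, int use_ac)
{
    const char *patt = use_ac ? m->ac_patt : m->bm_patt;
    strcat(toy_trace, m->name);
    strcat(toy_trace, use_ac ? ":ac " : ":bm ");
    return (patt && strstr(buf, patt)) ? CL_VIRUS : CL_CLEAN;
}

/* Same short-circuit as the snippet: BM unless ac_only, then AC unless BM hit. */
static int toy_scan_root(const char *buf, const struct toy_matcher *m)
{
    int ret = CL_CLEAN;
    if (m->ac_only || (ret = toy_find(buf, m, 0)) != CL_VIRUS)
        ret = toy_find(buf, m, 1);
    return ret;
}

/* One call visits the target-type root (if any), then the generic root. */
int toy_scandesc(const char *buf, const struct toy_matcher *troot,
                 const struct toy_matcher *groot, int ftonly)
{
    toy_trace[0] = '\0';
    if (troot && toy_scan_root(buf, troot) == CL_VIRUS)
        return CL_VIRUS;
    return ftonly ? CL_CLEAN : toy_scan_root(buf, groot);
}

int main(void)
{
    struct toy_matcher t = { "t", NULL, "no-such-bytes", 1 };
    struct toy_matcher g = { "g", "EVIL", NULL, 0 };
    printf("ret=%d trace=%s\n", toy_scandesc("xxEVILxx", &t, &g, 0), toy_trace);
    return 0;
}
```

With these constructed roots the trace has the same shape as the debug output in the message: an AC call on the target-type root, then a BM call on the generic root that returns CL_VIRUS.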