Hilko Bengen
2013-Jun-19 16:57 UTC
[Libguestfs] [PATCH] Relax size checks for integer types
I recently came across a Windows XP image, where one REG_QWORD value (HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0\ExecTime) would be displayed by hivexsh but hivex_value_qword() would return -1.

It turned out that the data length of this value was 16 bytes instead of 8.

There is no problem in simply interpreting the first 4 (DWORD) or 8 (QWORD) bytes -- if there are enough bytes to be interpreted.

--- lib/hivex.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/hivex.c b/lib/hivex.c index a2bd43b..efc27f8 100644 --- a/lib/hivex.c +++ b/lib/hivex.c @@ -1624,7 +1624,7 @@ hivex_value_dword (hive_h *h, hive_value_h value) if (data == NULL) return -1; - if ((t != hive_t_dword && t != hive_t_dword_be) || len != 4) { + if ((t != hive_t_dword && t != hive_t_dword_be) || len < 4) { free (data); errno = EINVAL; return -1; @@ -1650,7 +1650,7 @@ hivex_value_qword (hive_h *h, hive_value_h value) if (data == NULL) return -1; - if (t != hive_t_qword || len != 8) { + if (t != hive_t_qword || len < 8) { free (data); errno = EINVAL; return -1; -- 1.8.3.1
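Review bot: missing documentation for the relaxed check in the hivex_value_dword hunk (@@ -1624): with `len < 4` the function now accepts data of any length from 4 bytes upward and ignores everything after the first four bytes, where it used to fail with -1 and errno = EINVAL. A caller that relied on that error to spot a malformed value will no longer see it, so the function's API description should state that oversized data is accepted and only the leading 4 bytes are interpreted. The commit message reports an oversized REG_QWORD only; it would help to say whether oversized DWORD values have been observed as well or whether this half of the change is made for symmetry.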
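Review bot: no test pins down the new behaviour in the hivex_value_qword hunk (@@ -1650): after `len < 8` a 16-byte value such as the ExecTime one from the commit message is returned exactly like an 8-byte value, and the caller has no indication that the trailing 8 bytes were dropped. Please add a test hive entry with a REG_QWORD whose data length is 16 and check that the first 8 bytes are returned, plus one with fewer than 8 bytes that still yields -1 with EINVAL, so the lower bound cannot regress.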
Richard W.M. Jones
2013-Jun-21 14:58 UTC
Re: [Libguestfs] [PATCH] Relax size checks for integer types
On Wed, Jun 19, 2013 at 06:57:33PM +0200, Hilko Bengen wrote:
> I recently came across a Windows XP image, where one REG_QWORD value
> (HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0\ExecTime)
> would be displayed by hivexsh but hivex_value_qword() would return -1.
>
> It turned out that the data length of this value was 16 bytes instead
> of 8.
>
> There is no problem in simply interpreting the first 4 (DWORD) or
> 8 (QWORD) bytes -- if there are enough bytes to be interpreted.

Yeah .. turns out that the type field in hives is mostly useless and occasionally harmful. It bears no relationship to what the field might actually contain.

ACK to this patch as it only affects the deprecated hivex_value_dword and hivex_value_qword functions, making them a little bit more useful.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
Hilko Bengen
2013-Jun-21 16:28 UTC
Re: [Libguestfs] [PATCH] Relax size checks for integer types
* Richard W.M. Jones:
> ACK to this patch as it only affects the deprecated hivex_value_dword
> and hivex_value_qword functions, making them a little bit more useful.

I didn't see anything about those functions being "deprecated". What did I miss?

Cheers,
-Hilko