Alex Nelson
2011-Sep-02 01:17 UTC
[Libguestfs] [PATCH 5/7] hivex: Add offset-&-length function for long value data
This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 11 +++++++++++ lib/hivex.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index 5a71930..b607421 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -276,6 +276,17 @@ and sets errno on error."; Return the length of the value data structure. Returns 0 and sets errno on error."; + "value_data_cell_offset", (RLenValue, [AHive; AValue "val"]), + "return the offset and length of a value data cell", + "\ +Return the offset and length of the value's data cell, not value cell. +E.g. if the value were \"foobar\" then the length would be 6, and the +offset would be to a value data cell, which is the data prefixed with +4 bytes describing the size. If the length is not greater than 4, +then 0 is returned, as the data are inline in the value. + +Returns 0 and sets errno on error."; + "value_value", (RLenTypeVal, [AHive; AValue "val"]), "return data length, data type and data of a value", "\ diff --git a/lib/hivex.c b/lib/hivex.c index d8ffa63..04ceed3 100644 --- a/lib/hivex.c +++ b/lib/hivex.c 
@@ -1294,6 +1294,51 @@ hivex_value_type (hive_h *h, hive_value_h value, hive_type *t, size_t *len) return 0; } +hive_value_h +hivex_value_data_cell_offset (hive_h *h, hive_value_h value, size_t *len) +{ + if (!IS_VALID_BLOCK (h, value) || !BLOCK_ID_EQ (h, value, "vk")) { + errno = EINVAL; + return 0; + } + + struct ntreg_vk_record *vk = (struct ntreg_vk_record *) (h->addr + value); + + size_t data_len; + int is_inline; + + data_len = le32toh (vk->data_len); + is_inline = !!(data_len & 0x80000000); + data_len &= 0x7fffffff; + + if (is_inline && data_len > 4) { + errno = ENOTSUP; + return 0; + } + + if (is_inline) { + /* There is no other location for the value data. */ + if (len) + *len = 0; + return 0; + } else { + if (len) + *len = data_len + 4; /* Include 4 header length bytes */ + } + + size_t data_offset = le32toh (vk->data_offset); + data_offset += 0x1000; /* Add 0x1000 because everything's off by 4KiB */ + if (!IS_VALID_BLOCK (h, data_offset)) { + if (h->msglvl >= 2) + fprintf (stderr, "hivex_value_data_cell_offset: returning EFAULT because data " + "offset is not a valid block (0x%zx)\n", + data_offset); + errno = EFAULT; + return 0; + } + return data_offset; +} + char * hivex_value_value (hive_h *h, hive_value_h value, hive_type *t_rtn, size_t *len_rtn) -- 1.7.6
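Review bot: In the generator/generator.ml doc string, the "foobar" example says the length would be 6, but the lib/hivex.c function in this same patch stores `data_len + 4` in `*len`, so the documented length and the returned length disagree. Either say that the length includes the 4-byte size prefix (10 for the example) or drop the `+ 4`. The text also ties the 0 return to "length is not greater than 4", while the code decides on the 0x80000000 flag in `data_len`, and it should say how a caller distinguishes the inline 0 from the 0 in "Returns 0 and sets errno on error".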
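Review bot: In hivex_value_data_cell_offset in lib/hivex.c, the inline branch returns 0 without touching errno, the same return value as the EINVAL, ENOTSUP and EFAULT paths, so a caller cannot tell "no separate data cell" from failure unless it clears errno beforehand. Set `errno = 0` in that branch or document the convention. `*len` is also written before the `IS_VALID_BLOCK (h, data_offset)` check, so on the EFAULT path the caller is left holding a non-zero length for an offset that was rejected; move the assignment after the check. The visible lines do not compare `data_len + 4` against the size of the block at `data_offset`, which is worth doing given that hive files are often untrusted input.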
Richard W.M. Jones
2011-Sep-06 13:40 UTC
[Libguestfs] [PATCH 5/7] hivex: Add offset-&-length function for long value data
On Thu, Sep 01, 2011 at 06:17:39PM -0700, Alex Nelson wrote:
> This patch adds value_data_cell_offset to the hivex ABI, to report the
> hive space used for long value data.

Yup, generally ok. Just needs patch 3 to be reworked before I can apply it.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw