search for: hivex_max_valu

Hello, As we discussed briefly on IRC about a month ago, HKLM\SYSTEM\MountedDevices can contain greater than 55000 (HIVEX_MAX_VALUES) values if VMWare’s snapshot functionality is frequently used. This is due to an unintended interaction between Windows and VMWare’s snapshot functionality. VMware has a knowledge base article regarding this issue, although it does not directly mention MountedDevices: https://kb.vmware.com/s/art...

...values. I feel a conservative approach would be to increase the limits to approximately 1.5 times the largest observed counts: • If we decide to go with the values observed from just the 'Microsoft\Windows NT\CurrentVersion' key in our cloud, then HIVEX_MAX_SUBKEYS would become 70000 and HIVEX_MAX_VALUES would become 55000. These are the initial values I was going to base my patch on, since (selfishly) that's all my code cares about, but I figured it makes more sense to account for all regions of the hive. • If we decide to go with the values from the whole software hive, then HIVEX_MAX_SUB...

> /* These limits are in place to stop really stupid stuff and/or exploits. */ > -#define HIVEX_MAX_SUBKEYS 25000 > -#define HIVEX_MAX_VALUES 10000 > +#define HIVEX_MAX_SUBKEYS 3600000 > +#define HIVEX_MAX_VALUES 110000 > #define HIVEX_MAX_VALUE_LEN 8000000 > #define HIVEX_MAX_ALLOCATION 1000000 Do you have the alternate patch that just increases the limits to 1.5x what you need? We're building a...

> Do you have the alternate patch that just increases the limits to 1.5x what you need? I've attached an updated patch that increases the limits based on the counts observed in the Microsoft\Windows NT\CurrentVersion subkey of the software hive. > We're building a list of (up to) HIVEX_MAX_SUBKEYS * 4 bytes (not counting intermediate blocks) in the _get_children function. While

...+- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/value.c b/lib/value.c index c4e21ec..f222b41 100644 --- a/lib/value.c +++ b/lib/value.c @@ -334,7 +334,7 @@ hivex_value_value (hive_h *h, hive_value_h value, /* Arbitrarily limit the length that we will read. */ if (len > HIVEX_MAX_VALUE_LEN) { SET_ERRNO (ERANGE, "data length > HIVEX_MAX_VALUE_LEN (%zu > %d)", - len, HIVEX_MAX_SUBKEYS); + len, HIVEX_MAX_VALUE_LEN); return NULL; } -- 1.9.rc1

...ing EFAULT" + " because parent is not a valid block (0x%zx)\n", ret); errno = EFAULT; return 0; @@ -1006,7 +1022,8 @@ get_values (hive_h *h, hive_node_h node, /* Arbitrarily limit the number of values we will ever deal with. */ if (nr_values > HIVEX_MAX_VALUES) { if (h->msglvl >= 2) - fprintf (stderr, "hivex: get_values: returning ERANGE because nr_values > HIVEX_MAX_VALUES (%zu > %d)\n", + fprintf (stderr, "hivex: get_values: returning ERANGE" + " because nr_values > HIVEX_MAX_VALUES (%zu &...

...3c..bfd24c8 100644 --- a/lib/hivex-internal.h +++ b/lib/hivex-internal.h @@ -321,7 +321,7 @@ extern int _hivex_get_values (hive_h *h, hive_node_h node, hive_value_h **values /* These limits are in place to stop really stupid stuff and/or exploits. */ #define HIVEX_MAX_SUBKEYS 15000 #define HIVEX_MAX_VALUES 10000 -#define HIVEX_MAX_VALUE_LEN 1000000 +#define HIVEX_MAX_VALUE_LEN 2000000 #define HIVEX_MAX_ALLOCATION 1000000 #endif /* HIVEX_INTERNAL_H_ */ -- 1.9.rc1

--- hivex/hivexsh.pod | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/hivex/hivexsh.pod b/hivex/hivexsh.pod index 277e3ae..9336798 100644 --- a/hivex/hivexsh.pod +++ b/hivex/hivexsh.pod @@ -100,7 +100,14 @@ or even: Path elements (node names) are matched case insensitively, and characters like space, C<*>, and C<?> have I<no> special

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.