search for: offset_first

..."hbin" offset validation > check couple of lines below to make sure that the "hbin" we found by > searching is a proper one. The offset check I'm referring to is: > > /* get "stated" hbin offset from header */ > size_t page_offset = le32to(page->offset_first) + 0x1000; > > /* if that does not match our current file offset, > then exit with error */ > if (page_offset != off) { > SET_ERRNO... > } Still, what kind of corruption would move a genuine hbin to a non-page-sized offset in the file? It seems unlikely to me ... Rich....

...f lines below to make sure that the "hbin" we found > > > by > > > searching is a proper one. The offset check I'm referring to is: > > > > > > /* get "stated" hbin offset from header */ > > > size_t page_offset = le32to(page->offset_first) + 0x1000; > > > > > > /* if that does not match our current file offset, > > >    then exit with error */ > > > if (page_offset != off) {  > > >   SET_ERRNO... > > > } > > > > Still, what kind of corruption would move a genuine hb...

On Wed, Feb 15, 2017 at 01:48:29PM -0500, Dawid Zamirski wrote: > On Wed, 2017-02-15 at 16:54 +0000, Richard W.M. Jones wrote: > > On Tue, Feb 14, 2017 at 12:05:20PM -0500, Dawid Zamirski wrote: > > > * hivex_open: when looping over hbin sections (aka pages), handle a > > >   case where following hbin section may not begin at exactly at the > > > end > >

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

...DEBUG(2, "page not found and end of pages section reached"); + break; + } } size_t page_size = le32toh (page->page_size); @@ -254,6 +273,16 @@ hivex_open (const char *filename, int flags) goto error; } + size_t page_offset = le32toh(page->offset_first) + 0x1000; + + if (page_offset != off) { + SET_ERRNO(ENOTSUP, + "%s: declared page offset (0x%zx) does not match computed " + "offset (0x%zx), bad registry", + filename, page_offset, off); + goto error; + } + /* R...

...DEBUG (2, "page not found and end of pages section reached"); + break; + } } size_t page_size = le32toh (page->page_size); @@ -254,6 +273,16 @@ hivex_open (const char *filename, int flags) goto error; } + size_t page_offset = le32toh(page->offset_first) + 0x1000; + + if (page_offset != off) { + SET_ERRNO (ENOTSUP, + "%s: declared page offset (0x%zx) does not match computed " + "offset (0x%zx), bad registry", + filename, page_offset, off); + goto error; + } +...

...DEBUG (2, "page not found and end of pages section reached"); + break; + } } size_t page_size = le32toh (page->page_size); @@ -254,6 +273,16 @@ hivex_open (const char *filename, int flags) goto error; } + size_t page_offset = le32toh(page->offset_first) + 0x1000; + + if (page_offset != off) { + SET_ERRNO (ENOTSUP, + "%s: declared page offset (0x%zx) does not match computed " + "offset (0x%zx), bad registry", + filename, page_offset, off); + goto error; + } +...

...> > check couple of lines below to make sure that the "hbin" we found > > by > > searching is a proper one. The offset check I'm referring to is: > > > > /* get "stated" hbin offset from header */ > > size_t page_offset = le32to(page->offset_first) + 0x1000; > > > > /* if that does not match our current file offset, > >    then exit with error */ > > if (page_offset != off) {  > >   SET_ERRNO... > > } > > Still, what kind of corruption would move a genuine hbin to a > non-page-sized offset in th...

...e that the "hbin" we found > > > > by > > > > searching is a proper one. The offset check I'm referring to is: > > > > > > > > /* get "stated" hbin offset from header */ > > > > size_t page_offset = le32to(page->offset_first) + 0x1000; > > > > > > > > /* if that does not match our current file offset, > > > >    then exit with error */ > > > > if (page_offset != off) {  > > > >   SET_ERRNO... > > > > } > > > > > > Still, what ki...

...ell. That's why I put "hbin" offset validation check couple of lines below to make sure that the "hbin" we found by searching is a proper one. The offset check I'm referring to is: /* get "stated" hbin offset from header */ size_t page_offset = le32to(page->offset_first) + 0x1000; /* if that does not match our current file offset, then exit with error */ if (page_offset != off) { SET_ERRNO... }

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

...section reached"); > + break; > + } > } > > size_t page_size = le32toh (page->page_size); > @@ -254,6 +273,16 @@ hivex_open (const char *filename, int flags) > goto error; > } > > + size_t page_offset = le32toh(page->offset_first) + 0x1000; > + > + if (page_offset != off) { > + SET_ERRNO (ENOTSUP, > + "%s: declared page offset (0x%zx) does not match computed " > + "offset (0x%zx), bad registry", > + filename, page_offset, off); &gt...

Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.