search for: set_errno

Hi, Here is one trivial initialization fix and another patch to convert a huge macro to an inline function. The result of the expansion would show up in an assertion which triggered a -Woverlength-strings warning. Peter Wu (2): Fix garbage return value on error Fix overly long assertion string lib/hivex-internal.h | 28 ++++++++++++++++------------ lib/node.c | 18

This is, hopefully, a full fix for handling of li-records. See: https://bugzilla.redhat.com/show_bug.cgi?id=717583 https://bugzilla.redhat.com/show_bug.cgi?id=987463 Rich.

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be looking at

Hello, The following patches address issues when dealing with hives that have corrupted data in them but are otherwise readable/writable. Those were found on some rather rare Windows installations that seem to work fine but current hivex fails to even open. Those patches change hivex to simply log and ignore such "corrupted" regions instead of aborting because the caller might be

...IN32 #define errno (translate_to_errno (WSAGetLastError ())) #endif which reads the last error and translates WSA* to E* codes. This would solve (1) and is not very invasive for existing code. We'd have to then need to wrap all assignments to errno in a macro like: #ifndef WIN32 #define set_errno(v) (errno = (v)) #else #define set_errno(v) (WSASetLastError (translate_from_errno (v))) #endif This is very invasive for existing code. There are ~60 places in the existing code which seem to assign to errno, but some of these either set errno = 0 or are preserving errno (item (3) above), and...

...b/lib/handle.c > > > @@ -226,11 +226,30 @@ hivex_open (const char *filename, int flags) > > >          page->magic[1] != 'b' || > > >          page->magic[2] != 'i' || > > >          page->magic[3] != 'n') { > > > -      SET_ERRNO (ENOTSUP, > > > -                 "%s: trailing garbage at end of file " > > > -                 "(at 0x%zx, after %zu pages)", > > > -                 filename, off, pages); > > > -      goto error; > > > + > > > +      DEBU...

...ffset check I'm referring to is: > > /* get "stated" hbin offset from header */ > size_t page_offset = le32to(page->offset_first) + 0x1000; > > /* if that does not match our current file offset, > then exit with error */ > if (page_offset != off) { > SET_ERRNO... > } Still, what kind of corruption would move a genuine hbin to a non-page-sized offset in the file? It seems unlikely to me ... Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com v...

...d..e183ff2 100644 > --- a/lib/handle.c > +++ b/lib/handle.c > @@ -226,11 +226,30 @@ hivex_open (const char *filename, int flags) > page->magic[1] != 'b' || > page->magic[2] != 'i' || > page->magic[3] != 'n') { > - SET_ERRNO (ENOTSUP, > - "%s: trailing garbage at end of file " > - "(at 0x%zx, after %zu pages)", > - filename, off, pages); > - goto error; > + > + DEBUG (2, > + "page not found at expected of...

...ex 1e122ea..9be3b5f 100644 > --- a/lib/handle.c > +++ b/lib/handle.c > @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags) > int used; > seg_len = block_len (h, blkoff, &used); > if (seg_len <= 4 || (seg_len & 3) != 0) { > - SET_ERRNO (ENOTSUP, > - "%s: block size %" PRIi32 " at 0x%zx, bad registry", > - filename, le32toh (block->seg_len), blkoff); > - goto error; > + if (is_root) { > + bad_root_block = 1; > + } else { >...

...andle.c b/lib/handle.c index 4565d7d..1e122ea 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -226,11 +226,30 @@ hivex_open (const char *filename, int flags) page->magic[1] != 'b' || page->magic[2] != 'i' || page->magic[3] != 'n') { - SET_ERRNO (ENOTSUP, - "%s: trailing garbage at end of file " - "(at 0x%zx, after %zu pages)", - filename, off, pages); - goto error; + + DEBUG(2, + "page not found at expected offset 0x%zx, " + &quot...

...t a/lib/handle.c b/lib/handle.c index 1e122ea..9be3b5f 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags) int used; seg_len = block_len (h, blkoff, &used); if (seg_len <= 4 || (seg_len & 3) != 0) { - SET_ERRNO (ENOTSUP, - "%s: block size %" PRIi32 " at 0x%zx, bad registry", - filename, le32toh (block->seg_len), blkoff); - goto error; + if (is_root) { + bad_root_block = 1; + } else { + DEBUG(2, +...

...andle.c b/lib/handle.c index 4565d7d..e183ff2 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -226,11 +226,30 @@ hivex_open (const char *filename, int flags) page->magic[1] != 'b' || page->magic[2] != 'i' || page->magic[3] != 'n') { - SET_ERRNO (ENOTSUP, - "%s: trailing garbage at end of file " - "(at 0x%zx, after %zu pages)", - filename, off, pages); - goto error; + + DEBUG (2, + "page not found at expected offset 0x%zx, " + &q...

...andle.c b/lib/handle.c index d33c1d0..42fd672 100644 --- a/lib/handle.c +++ b/lib/handle.c @@ -226,11 +226,30 @@ hivex_open (const char *filename, int flags) page->magic[1] != 'b' || page->magic[2] != 'i' || page->magic[3] != 'n') { - SET_ERRNO (ENOTSUP, - "%s: trailing garbage at end of file " - "(at 0x%zx, after %zu pages)", - filename, off, pages); - goto error; + + DEBUG (2, + "page not found at expected offset 0x%zx, " + &q...

...len = hivex_value_key_len (h, value); - if (len == 0 && errno != 0) - return NULL; size_t flags = le16toh (vk->flags); + size_t len = le16toh (vk->name_len); + + size_t seg_len = block_len (h, value, NULL); + if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) { + SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len); + return 0; + } if (flags & 0x01) { return _hivex_windows_latin1_to_utf8 (vk->name, len); } else { -- 1.8.5.2

...tion(+), 1 deletion(-) diff --git a/lib/value.c b/lib/value.c index c4e21ec..f222b41 100644 --- a/lib/value.c +++ b/lib/value.c @@ -334,7 +334,7 @@ hivex_value_value (hive_h *h, hive_value_h value, /* Arbitrarily limit the length that we will read. */ if (len > HIVEX_MAX_VALUE_LEN) { SET_ERRNO (ERANGE, "data length > HIVEX_MAX_VALUE_LEN (%zu > %d)", - len, HIVEX_MAX_SUBKEYS); + len, HIVEX_MAX_VALUE_LEN); return NULL; } -- 1.9.rc1

...1 +226,30 @@ hivex_open (const char *filename, int > > > > flags) > > > >          page->magic[1] != 'b' || > > > >          page->magic[2] != 'i' || > > > >          page->magic[3] != 'n') { > > > > -      SET_ERRNO (ENOTSUP, > > > > -                 "%s: trailing garbage at end of file " > > > > -                 "(at 0x%zx, after %zu pages)", > > > > -                 filename, off, pages); > > > > -      goto error; > > > > + &...

...ULL; > size_t flags = le16toh (vk->flags); > + size_t len = le16toh (vk->name_len); I think this effectively removes a check. hivex_value_key_len contains this code: size_t seg_len = block_len (h, value, NULL); if (sizeof (struct ntreg_vk_record) + len - 1 > seg_len) { SET_ERRNO (EFAULT, "key length is too long (%zu, %zu)", len, seg_len); return 0; } but after this change, this would no longer be run, so it would be possible to overrun the registry, or at least overrun the end of a block. Is there a reason for this patch? It seems like just an optimizati...

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to