From 954cf3a95d6a63d0ead0af6118669cf8efcc3eb0 Mon Sep 17 00:00:00 2001
From: Eamonn Saunders <esaunders@basistech.com>
Date: Mon, 9 Sep 2013 11:49:47 -0400
Subject: [PATCH] Applied fix that takes sequence number into account when
 looking up parent.

---
 framework/tsk/framework/services/TskImgDB.cpp | 43 +++++++++----------
 framework/tsk/framework/services/TskImgDB.h   | 18 ++++----
 .../framework/services/TskImgDBPostgreSQL.cpp |  4 +-
 .../tsk/framework/services/TskImgDBSqlite.cpp |  4 +-
 4 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/framework/tsk/framework/services/TskImgDB.cpp b/framework/tsk/framework/services/TskImgDB.cpp
index caf159da4..d53eed1fa 100755
--- a/framework/tsk/framework/services/TskImgDB.cpp
+++ b/framework/tsk/framework/services/TskImgDB.cpp
@@ -25,33 +25,32 @@ TskImgDB::~TskImgDB()
 {
 }
 
-/**
- * Store meta_addr to object id mapping of the directory in a local cache map
- * @param fsObjId fs id of this directory
- * @param meta_addr meta_addr of this directory
- * @param objId object id of this directory from the objects table
- */
-void TskImgDB::storeParObjId(const int64_t & fsObjId, const TSK_INUM_T & meta_addr, const int64_t & objId) {
-	map<TSK_INUM_T,int64_t> &tmpMap = m_parentDirIdCache[fsObjId];
-	//store only if does not exist
-	if (tmpMap.count(meta_addr) == 0)
-		tmpMap[meta_addr] = objId;
+void TskImgDB::storeParObjId(const int64_t & fsObjId, const TSK_FS_FILE * fs_file, const int64_t & objId) {
+    map<TSK_INUM_T, map<uint32_t, int64_t> > &fsMap = m_parentDirIdCache[fsObjId];
+    //store only if does not exist -- otherwise '..' and '.' entries will overwrite
+    if (fsMap.count(fs_file->name->meta_addr) == 0) {
+        fsMap[fs_file->name->meta_addr][fs_file->name->meta_seq] = objId;
+    }
+    else {
+        map<uint32_t, int64_t> &fileMap = fsMap[fs_file->name->meta_addr];
+        if (fileMap.count(fs_file->name->meta_seq) == 0) {
+            fileMap[fs_file->name->meta_seq] = objId;
+        }
+    }
 }
 
-/**
- * Find parent object id of TSK_FS_FILE. Use local cache map, if not found, fall back to SQL
- * @param fsObjId fs id of this file
- * @param meta_addr Meta address to find parent obj id for
- * @returns parent obj id ( > 0), -1 on error
- */
-int64_t TskImgDB::findParObjId(const int64_t & fsObjId, TSK_INUM_T meta_addr) {
+int64_t TskImgDB::findParObjId(const TSK_FS_FILE * fs_file, const int64_t & fsObjId) {
     //get from cache by parent meta addr, if available
-    map<TSK_INUM_T,int64_t> &tmpMap = m_parentDirIdCache[fsObjId];
-    if (tmpMap.count(meta_addr) > 0) {
-        return tmpMap[meta_addr];
+    map<TSK_INUM_T, map<uint32_t, int64_t> > &fsMap = m_parentDirIdCache[fsObjId];
+    if (fsMap.count(fs_file->name->par_addr) > 0) {
+        map<uint32_t, int64_t> &fileMap = fsMap[fs_file->name->par_addr];
+        if (fileMap.count(fs_file->name->par_seq) > 0) {
+            return fileMap[fs_file->name->par_seq];
+        }
     }
 
-    return getFileId(fsObjId, meta_addr);
+
+    return getFileId(fsObjId, fs_file->name->par_addr);
 }
 
 TskBlackboardAttribute TskImgDB::createAttribute(uint64_t artifactID, int attributeTypeID, uint64_t objectID, string moduleName, string context,
diff --git a/framework/tsk/framework/services/TskImgDB.h b/framework/tsk/framework/services/TskImgDB.h
index b370afb37..a9defe025 100755
--- a/framework/tsk/framework/services/TskImgDB.h
+++ b/framework/tsk/framework/services/TskImgDB.h
@@ -409,23 +409,23 @@ class TSK_FRAMEWORK_API TskImgDB
     friend class TskDBBlackboard;
 
 protected:
-    map<int64_t, map<TSK_INUM_T,int64_t> > m_parentDirIdCache; //maps a file system ID to a map, which maps a directory file system meta address to its parent's ID in the database
+    map<int64_t, map<TSK_INUM_T, map<uint32_t, int64_t> > > m_parentDirIdCache; //maps a file system ID to a map, which maps a directory file system meta address to a map, which maps a sequence ID to its object ID in the database
 
-	/**
+    /**
 	 * Store meta_addr to object id mapping of the directory in a local cache map
-	 * @param fsObjId fs id of this directory
-	 * @param meta_addr meta_addr of this directory
-	 * @param objId object id of this directory from the objects table
+	 * @param fsObjId fs id of the directory
+	 * @param fs_file file object for the directory
+	 * @param objId object id of the directory from the objects table
 	 */
-    void storeParObjId(const int64_t & fsObjId, const TSK_INUM_T & meta_addr, const int64_t & objId);
+    void storeParObjId(const int64_t & fsObjId, const TSK_FS_FILE * fs_file, const int64_t & objId);
 
 	/**
 	 * Find parent object id of TSK_FS_FILE. Use local cache map, if not found, fall back to SQL
-	 * @param fsObjId Id of file system that this file and parent should be in.
-	 * @param meta_addr File system address to find parent of
+     * @param fs_file file to find parent obj id for
+     * @param fsObjId fs id of this file
 	 * @returns parent obj id ( > 0), -1 on error
 	 */	
-	int64_t findParObjId(const int64_t & fsObjId, TSK_INUM_T meta_addr);    
+	int64_t findParObjId(const TSK_FS_FILE * fs_file, const int64_t & fsObjId);    
 
 	// Blackboard methods.
     virtual TskBlackboardArtifact createBlackboardArtifact(uint64_t file_id, int artifactTypeID) = 0;
diff --git a/framework/tsk/framework/services/TskImgDBPostgreSQL.cpp b/framework/tsk/framework/services/TskImgDBPostgreSQL.cpp
index 998d3d153..ba2f217e7 100755
--- a/framework/tsk/framework/services/TskImgDBPostgreSQL.cpp
+++ b/framework/tsk/framework/services/TskImgDBPostgreSQL.cpp
@@ -614,7 +614,7 @@ int TskImgDBPostgreSQL::addFsFileInfo(int fileSystemID, const TSK_FS_FILE *fileS
 
     fileName = fileNameAsString.c_str();
 
-    uint64_t parFileId = findParObjId(fileSystemID, fileSystemFile->name->par_addr);
+    uint64_t parFileId = findParObjId(fileSystemFile, fileSystemID);
 
     // Get the file size.
     TSK_OFF_T size = 0; 
@@ -715,7 +715,7 @@ int TskImgDBPostgreSQL::addFsFileInfo(int fileSystemID, const TSK_FS_FILE *fileS
 
     //if dir, update parent id cache
     if (meta_type == TSK_FS_META_TYPE_DIR) {
-        storeParObjId(fileSystemID, fileSystemFile->name->meta_addr, fileID);
+        storeParObjId(fileSystemID, fileSystemFile, fileID);
     }
 
     return 0;
diff --git a/framework/tsk/framework/services/TskImgDBSqlite.cpp b/framework/tsk/framework/services/TskImgDBSqlite.cpp
index 7078b27ae..0f06e7958 100755
--- a/framework/tsk/framework/services/TskImgDBSqlite.cpp
+++ b/framework/tsk/framework/services/TskImgDBSqlite.cpp
@@ -783,7 +783,7 @@ int TskImgDBSqlite::addFsFileInfo(int fileSystemID, const TSK_FS_FILE *fileSyste
         "dir_flags, meta_flags, size, crtime, ctime, atime, mtime, mode, gid, uid, full_path) VALUES (NULL, %d, %d,"
         "'%q',%llu,%d,%d,%d,%d,%" PRIuOFF",%d,%d,%d,%d,%d,%d,%d,'%q')", 
         IMGDB_FILES_TYPE_FS, IMGDB_FILES_STATUS_READY_FOR_ANALYSIS, fileName, 
-        findParObjId(fileSystemID, fileSystemFile->name->par_addr), 
+        findParObjId(fileSystemFile, fileSystemID), 
         fileSystemFile->name->type, meta_type,
         fileSystemFile->name->flags, meta_flags, size, crtime, ctime, atime,
         mtime, meta_mode, gid, uid, fullpath.c_str());
@@ -818,7 +818,7 @@ int TskImgDBSqlite::addFsFileInfo(int fileSystemID, const TSK_FS_FILE *fileSyste
 
     //if dir, update parent id cache
     if (meta_type == TSK_FS_META_TYPE_DIR) {
-        storeParObjId(fileSystemID, fileSystemFile->name->meta_addr, fileID);
+        storeParObjId(fileSystemID, fileSystemFile, fileID);
     }
 
     return 0;
-- 
GitLab