Skip to content
Snippets Groups Projects
Commit b5f35198 authored by Brian Carrier's avatar Brian Carrier
Browse files

added more checks if backup FAT boot sector is used during open

parent a8dc242f
No related branches found
No related tags found
No related merge requests found
...@@ -14,6 +14,9 @@ New Features: ...@@ -14,6 +14,9 @@ New Features:
- DOS partitions are loaded even if an extended partition fails to load - DOS partitions are loaded even if an extended partition fails to load
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method - new TskAuto::findFilesInFs(TSK_FS_INFO *) method
Bug Fixes:
- Added check to fatfs_open to compare first sectors of FAT if we used backup boot sector and verify it is FAT32.
---------------- VERSION 3.2.2 -------------- ---------------- VERSION 3.2.2 --------------
Bug Fixes Bug Fixes
......
...@@ -1332,6 +1332,7 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset, ...@@ -1332,6 +1332,7 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
TSK_DADDR_T sectors; TSK_DADDR_T sectors;
ssize_t cnt; ssize_t cnt;
int i; int i;
uint8_t used_backup_boot = 0; // set to 1 if we used the backup boot sector
// clean up any error messages that are lying around // clean up any error messages that are lying around
tsk_error_reset(); tsk_error_reset();
...@@ -1406,7 +1407,10 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset, ...@@ -1406,7 +1407,10 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
return NULL; return NULL;
} }
} }
// found the magic
else { else {
if (sb_off)
used_backup_boot = 1;
break; break;
} }
} }
...@@ -1596,7 +1600,76 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset, ...@@ -1596,7 +1600,76 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
("Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)"); ("Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)");
return NULL; return NULL;
} }
/* additional sanity checks if we think we are using the backup boot sector.
* The scenario to prevent here is if fat_open is called 6 sectors before the real start
* of the file system, then we want to detect that it was not a backup that we saw.
*/
if (used_backup_boot) {
// only FAT32 has backup boot sectors..
if (ftype != TSK_FS_TYPE_FAT32) {
fs->tag = 0;
free(fatsb);
free(fatfs);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_MAGIC);
tsk_error_set_errstr(
"Invalid FAT image (Used what we thought was a backup boot sector, but it is not TSK_FS_TYPE_FAT32)");
return NULL;
}
if (fatfs->numroot > 1) {
uint8_t buf1[512];
uint8_t buf2[512];
int i2;
int numDiffs;
cnt = tsk_fs_read(fs, fatfs->firstfatsect * fatfs->ssize, (char *) buf1, 512);
if (cnt != 512) {
if (cnt >= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_READ);
}
tsk_error_set_errstr2(
"%s: FAT1", myname);
fs->tag = 0;
free(fatfs->sb);
free(fatfs);
return NULL;
}
cnt = tsk_fs_read(fs, (fatfs->firstfatsect + fatfs->sectperfat)*fatfs->ssize, (char *) buf2, 512);
if (cnt != 512) {
if (cnt >= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_READ);
}
tsk_error_set_errstr2(
"%s: FAT2", myname);
fs->tag = 0;
free(fatfs->sb);
free(fatfs);
return NULL;
}
numDiffs = 0;
for (i2 = 0; i2 < 512; i2++) {
if (buf1[i2] != buf2[i2]) {
numDiffs++;
}
}
if (numDiffs > 25) {
fs->tag = 0;
free(fatsb);
free(fatfs);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_MAGIC);
tsk_error_set_errstr(
"Invalid FAT image (Too many differences between FATS from guessing (%d diffs))", numDiffs);
return NULL;
}
}
}
/* Set the mask to use on the cluster values */ /* Set the mask to use on the cluster values */
if (ftype == TSK_FS_TYPE_FAT12) { if (ftype == TSK_FS_TYPE_FAT12) {
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment