Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
S
Sleuthkit
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Iterations
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
IRT
Sleuthkit
Commits
b5f35198
Commit
b5f35198
authored
14 years ago
by
Brian Carrier
Browse files
Options
Downloads
Patches
Plain Diff
added more checks if backup FAT boot sector is used during open
parent
a8dc242f
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
NEWS.txt
+3
-0
3 additions, 0 deletions
NEWS.txt
tsk3/fs/fatfs.c
+74
-1
74 additions, 1 deletion
tsk3/fs/fatfs.c
with
77 additions
and
1 deletion
NEWS.txt
+
3
−
0
View file @
b5f35198
...
@@ -14,6 +14,9 @@ New Features:
...
@@ -14,6 +14,9 @@ New Features:
- DOS partitions are loaded even if an extended partition fails to load
- DOS partitions are loaded even if an extended partition fails to load
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method
Bug Fixes:
- Added check to fatfs_open to compare first sectors of FAT if we used backup boot sector and verify it is FAT32.
---------------- VERSION 3.2.2 --------------
---------------- VERSION 3.2.2 --------------
Bug Fixes
Bug Fixes
...
...
This diff is collapsed.
Click to expand it.
tsk3/fs/fatfs.c
+
74
−
1
View file @
b5f35198
...
@@ -1332,6 +1332,7 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
...
@@ -1332,6 +1332,7 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
TSK_DADDR_T
sectors
;
TSK_DADDR_T
sectors
;
ssize_t
cnt
;
ssize_t
cnt
;
int
i
;
int
i
;
uint8_t
used_backup_boot
=
0
;
// set to 1 if we used the backup boot sector
// clean up any error messages that are lying around
// clean up any error messages that are lying around
tsk_error_reset
();
tsk_error_reset
();
...
@@ -1406,7 +1407,10 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
...
@@ -1406,7 +1407,10 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
return
NULL
;
return
NULL
;
}
}
}
}
// found the magic
else
{
else
{
if
(
sb_off
)
used_backup_boot
=
1
;
break
;
break
;
}
}
}
}
...
@@ -1596,7 +1600,76 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
...
@@ -1596,7 +1600,76 @@ fatfs_open(TSK_IMG_INFO * img_info, TSK_OFF_T offset,
(
"Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)"
);
(
"Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)"
);
return
NULL
;
return
NULL
;
}
}
/* additional sanity checks if we think we are using the backup boot sector.
* The scenario to prevent here is if fat_open is called 6 sectors before the real start
* of the file system, then we want to detect that it was not a backup that we saw.
*/
if
(
used_backup_boot
)
{
// only FAT32 has backup boot sectors..
if
(
ftype
!=
TSK_FS_TYPE_FAT32
)
{
fs
->
tag
=
0
;
free
(
fatsb
);
free
(
fatfs
);
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_FS_MAGIC
);
tsk_error_set_errstr
(
"Invalid FAT image (Used what we thought was a backup boot sector, but it is not TSK_FS_TYPE_FAT32)"
);
return
NULL
;
}
if
(
fatfs
->
numroot
>
1
)
{
uint8_t
buf1
[
512
];
uint8_t
buf2
[
512
];
int
i2
;
int
numDiffs
;
cnt
=
tsk_fs_read
(
fs
,
fatfs
->
firstfatsect
*
fatfs
->
ssize
,
(
char
*
)
buf1
,
512
);
if
(
cnt
!=
512
)
{
if
(
cnt
>=
0
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_FS_READ
);
}
tsk_error_set_errstr2
(
"%s: FAT1"
,
myname
);
fs
->
tag
=
0
;
free
(
fatfs
->
sb
);
free
(
fatfs
);
return
NULL
;
}
cnt
=
tsk_fs_read
(
fs
,
(
fatfs
->
firstfatsect
+
fatfs
->
sectperfat
)
*
fatfs
->
ssize
,
(
char
*
)
buf2
,
512
);
if
(
cnt
!=
512
)
{
if
(
cnt
>=
0
)
{
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_FS_READ
);
}
tsk_error_set_errstr2
(
"%s: FAT2"
,
myname
);
fs
->
tag
=
0
;
free
(
fatfs
->
sb
);
free
(
fatfs
);
return
NULL
;
}
numDiffs
=
0
;
for
(
i2
=
0
;
i2
<
512
;
i2
++
)
{
if
(
buf1
[
i2
]
!=
buf2
[
i2
])
{
numDiffs
++
;
}
}
if
(
numDiffs
>
25
)
{
fs
->
tag
=
0
;
free
(
fatsb
);
free
(
fatfs
);
tsk_error_reset
();
tsk_error_set_errno
(
TSK_ERR_FS_MAGIC
);
tsk_error_set_errstr
(
"Invalid FAT image (Too many differences between FATS from guessing (%d diffs))"
,
numDiffs
);
return
NULL
;
}
}
}
/* Set the mask to use on the cluster values */
/* Set the mask to use on the cluster values */
if
(
ftype
==
TSK_FS_TYPE_FAT12
)
{
if
(
ftype
==
TSK_FS_TYPE_FAT12
)
{
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment