From ecaff4cb74e37f5c9f5a7a941162a64db6e94528 Mon Sep 17 00:00:00 2001 From: Greg DiCristofaro <gregd@basistech.com> Date: Tue, 27 Sep 2022 08:09:45 -0400 Subject: [PATCH] fix for files appearing in OrphanFiles instead of deleted folder --- tsk/fs/ntfs_dent.cpp | 70 +++++++++++++++++++++++++++++--------------- 1 file changed, 47 insertions(+), 23 deletions(-) diff --git a/tsk/fs/ntfs_dent.cpp b/tsk/fs/ntfs_dent.cpp index b666131bd..456a45960 100644 --- a/tsk/fs/ntfs_dent.cpp +++ b/tsk/fs/ntfs_dent.cpp @@ -1024,21 +1024,23 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, } // Taking 128 MiB as an arbitrary upper bound - if ((fs_attr_idx->nrd.allocsize == 0) || (fs_attr_idx->nrd.allocsize > (128 * 1024 * 1024))) { - tsk_error_reset(); - tsk_error_set_errno(TSK_ERR_FS_INODE_COR); - tsk_error_set_errstr - ("fs_attr_idx->nrd.allocsize value out of bounds"); - return TSK_COR; + if (fs_attr_idx->nrd.allocsize > (128 * 1024 * 1024)) { + tsk_error_reset(); + tsk_error_set_errno(TSK_ERR_FS_INODE_COR); + tsk_error_set_errstr + ("fs_attr_idx->nrd.allocsize value out of bounds"); + return TSK_COR; } /* * Copy the index allocation run into a big buffer */ idxalloc_len = fs_attr_idx->nrd.allocsize; - if ((idxalloc = (char *)tsk_malloc((size_t) idxalloc_len)) == NULL) { - return TSK_ERR; - } + // default to null unless length is greater than 0 + idxalloc = NULL; + if ((idxalloc_len > 0) && ((idxalloc = (char *)tsk_malloc((size_t)idxalloc_len)) == NULL)) { + return TSK_ERR; + } /* Fill in the loading data structure */ load_file.total = load_file.left = (size_t) idxalloc_len; @@ -1048,17 +1050,21 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, tsk_fprintf(stderr, "ntfs_dir_open_meta: Copying $IDX_ALLOC into buffer\n"); - if (tsk_fs_attr_walk(fs_attr_idx, - TSK_FS_FILE_WALK_FLAG_SLACK, tsk_fs_load_file_action, - (void *) &load_file)) { - free(idxalloc); + if (tsk_fs_attr_walk(fs_attr_idx, + TSK_FS_FILE_WALK_FLAG_SLACK, tsk_fs_load_file_action, + (void *)&load_file)) { + if (idxalloc != NULL) { + free(idxalloc); + } tsk_error_errstr2_concat(" - ntfs_dir_open_meta"); return TSK_COR; // this could be an error though } /* Not all of the directory was copied, so we exit */ if (load_file.left > 0) { - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_FWALK); @@ -1093,7 +1099,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, tsk_error_set_errno(TSK_ERR_FS_INODE_COR); tsk_error_set_errstr ("ntfs_dir_open_meta: Not enough data in idxalloc buffer for an idxrec."); - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1133,7 +1141,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, /* remove the update sequence in the index record */ if (ntfs_fix_idxrec(ntfs, idxrec_p, rec_len)) { - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1159,7 +1169,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, tsk_error_set_errstr ("Error: Index list offsets are invalid on entry: %" PRIuINUM, fs_dir->fs_file->meta->addr); - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1173,7 +1185,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, idxelist->begin_off)); // stop if we get an error, record if we get corruption if (retval_tmp == TSK_ERR) { - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_ERR; } else if (retval_tmp == TSK_COR) { @@ -1202,7 +1216,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, /* remove the update sequence */ if (ntfs_fix_idxrec(ntfs, idxrec_p, rec_len)) { - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1213,7 +1229,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, tsk_error_set_errstr ("Error: Index list offsets are invalid on entry: %" PRIuINUM, fs_dir->fs_file->meta->addr); - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1235,7 +1253,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, tsk_error_set_errstr ("Error: Index list offsets are invalid on entry: %" PRIuINUM, fs_dir->fs_file->meta->addr); - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_COR; } @@ -1248,7 +1268,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, idxelist->begin_off)); // stop if we get an error, record if we get corruption if (retval_tmp == TSK_ERR) { - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } return TSK_ERR; } else if (retval_tmp == TSK_COR) { @@ -1256,7 +1278,9 @@ ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, } } - free(idxalloc); + if (idxalloc != NULL) { + free(idxalloc); + } } -- GitLab