From f1c408bd11e756641786858493911f05b2c6992b Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Thu, 7 May 2009 04:47:04 +0000
Subject: [PATCH] First part of fix for 2367426 so that 0s are written in
unitialized areas of NTFS files
---
CHANGES.txt | 3 +++
tsk3/fs/fatfs_meta.c | 8 +++++---
tsk3/fs/fs_attr.c | 36 ++++++++++++------------------------
tsk3/fs/hfs.c | 11 +++++++++--
tsk3/fs/iso9660.c | 2 +-
tsk3/fs/ntfs.c | 6 ++++--
tsk3/fs/tsk_fs.h | 4 ++--
tsk3/fs/tsk_fs_i.h | 4 ++--
tsk3/fs/unix_misc.c | 3 ++-
9 files changed, 40 insertions(+), 37 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index 8dc915a4e..4ba8756e6 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -71,6 +71,9 @@ Bug 2786963.
being set too small (and other values were not being reset). Reported
by Charlie Daly . Bug 2645156.
+5/6/09: Bug Fix: Fixed part of bug 2367426 that addressed writing zeros
+after the initialized part of an NTFS file (VDL Slack).
+
---------------- VERSION 3.0.1 --------------
11/11/08: Bug Fix: Fixed crashing bug in ifind on FAT file system.
diff --git a/tsk3/fs/fatfs_meta.c b/tsk3/fs/fatfs_meta.c
index 5f8f0a0da..abfc742c7 100644
--- a/tsk3/fs/fatfs_meta.c
+++ b/tsk3/fs/fatfs_meta.c
@@ -1581,6 +1581,7 @@ fatfs_make_data_run(TSK_FS_FILE * a_fs_file)
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
data_run->len * fs->block_size,
+ data_run->len * fs->block_size,
data_run->len * fs->block_size, 0, 0)) {
return 1;
}
@@ -1617,6 +1618,7 @@ fatfs_make_data_run(TSK_FS_FILE * a_fs_file)
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
data_run->len * fs->block_size,
+ data_run->len * fs->block_size,
data_run->len * fs->block_size, 0, 0)) {
return 1;
}
@@ -1756,7 +1758,7 @@ fatfs_make_data_run(TSK_FS_FILE * a_fs_file)
// initialize the data run
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run_head,
NULL, TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- fs_meta->size, roundup(fs_meta->size,
+ fs_meta->size, fs_meta->size, roundup(fs_meta->size,
fatfs->csize * fs->block_size), 0, 0)) {
fs_meta->attr_state = TSK_FS_META_ATTR_ERROR;
return 1;
@@ -1777,7 +1779,7 @@ fatfs_make_data_run(TSK_FS_FILE * a_fs_file)
// initialize the data run
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run_tmp, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- fs_meta->size, roundup(fs_meta->size,
+ fs_meta->size, fs_meta->size, roundup(fs_meta->size,
fatfs->csize * fs->block_size), 0, 0)) {
fs_meta->attr_state = TSK_FS_META_ATTR_ERROR;
return 1;
@@ -1891,7 +1893,7 @@ fatfs_make_data_run(TSK_FS_FILE * a_fs_file)
// initialize the data run
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run_head, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- fs_meta->size, roundup(fs_meta->size,
+ fs_meta->size, fs_meta->size, roundup(fs_meta->size,
fatfs->csize * fs->block_size), 0, 0)) {
fs_meta->attr_state = TSK_FS_META_ATTR_ERROR;
return 1;
diff --git a/tsk3/fs/fs_attr.c b/tsk3/fs/fs_attr.c
index 7bc17e28d..a8313cc10 100644
--- a/tsk3/fs/fs_attr.c
+++ b/tsk3/fs/fs_attr.c
@@ -262,7 +262,8 @@ tsk_fs_attr_set_str(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR * a_fs_attr,
* @param type Type of attribute to add run to
* @param id Id of attribute to add run to
* @param size Total size of the attribute (can be larger than length of initial run being added)
- * (note that this sets the size for the attribute and it will not be updated as more runs are added).
+ * @param init_size Number of bytes in attribute that have been initialized (less then or equal to size)
+ * (note that this sets the initialized size for the attribute and it will not be updated as more runs are added).
* @param alloc_size Allocated size of the attribute (>= size). Identifies the slack space.
* (note that this sets the allocated size for the attribute and it will not be updated as more runs are added).
* @param flags Flags about compression, sparse etc. of data
@@ -274,7 +275,8 @@ uint8_t
tsk_fs_attr_set_run(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR * a_fs_attr,
TSK_FS_ATTR_RUN * a_data_run_new, const char *name,
TSK_FS_ATTR_TYPE_ENUM type, uint16_t id, TSK_OFF_T size,
- TSK_OFF_T alloc_size, TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize)
+ TSK_OFF_T init_size, TSK_OFF_T alloc_size,
+ TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize)
{
TSK_FS_INFO *fs;
@@ -310,7 +312,7 @@ tsk_fs_attr_set_run(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR * a_fs_attr,
a_fs_attr->id = id;
a_fs_attr->size = size;
a_fs_attr->nrd.allocsize = alloc_size;
- a_fs_attr->nrd.initsize = 0;
+ a_fs_attr->nrd.initsize = init_size;
a_fs_attr->nrd.compsize = compsize;
if (fs_attr_put_name(a_fs_attr, name)) {
@@ -351,14 +353,10 @@ tsk_fs_attr_set_run(TSK_FS_FILE * a_fs_file, TSK_FS_ATTR * a_fs_attr,
a_fs_attr->nrd.run = a_data_run_new;
- // update the pointer to the end of the list and the initsize
+ // update the pointer to the end of the list
a_fs_attr->nrd.run_end = a_data_run_new;
- a_fs_attr->nrd.initsize =
- (a_fs_attr->nrd.run_end->len * fs->block_size);
while (a_fs_attr->nrd.run_end->next) {
a_fs_attr->nrd.run_end = a_fs_attr->nrd.run_end->next;
- a_fs_attr->nrd.initsize +=
- (a_fs_attr->nrd.run_end->len * fs->block_size);
}
return 0;
@@ -416,8 +414,6 @@ tsk_fs_attr_add_run(TSK_FS_INFO * a_fs, TSK_FS_ATTR * a_fs_attr,
a_data_run_new->offset)) {
a_fs_attr->nrd.run_end->next = a_data_run_new;
- a_fs_attr->nrd.initsize += (run_len * a_fs->block_size);
-
// update the pointer to the end of the list
while (a_fs_attr->nrd.run_end->next)
a_fs_attr->nrd.run_end = a_fs_attr->nrd.run_end->next;
@@ -589,18 +585,8 @@ tsk_fs_attr_add_run(TSK_FS_INFO * a_fs, TSK_FS_ATTR * a_fs_attr,
tmprun->len = a_data_run_new->offset - tmprun->offset;
tmprun->flags = TSK_FS_ATTR_RUN_FLAG_FILLER;
tmprun->next = a_data_run_new;
-
- /* Adjust the length of the TSK_FS_ATTR structure to reflect the
- * new FILLER run
- */
- a_fs_attr->nrd.initsize += (tmprun->len * a_fs->block_size);
}
- /* Adjust the length of the TSK_FS_ATTR structure to reflect the
- * new run
- */
- a_fs_attr->nrd.initsize += (run_len * a_fs->block_size);
-
// update the pointer to the end of the list
a_fs_attr->nrd.run_end = a_data_run_new;
while (a_fs_attr->nrd.run_end->next)
@@ -649,13 +635,9 @@ tsk_fs_attr_append_run(TSK_FS_INFO * a_fs, TSK_FS_ATTR * a_fs_attr,
// update the rest of the offsets in the run (if any exist)
data_run_cur = a_data_run;
- a_fs_attr->nrd.initsize += (data_run_cur->len * a_fs->block_size);
while (data_run_cur->next) {
data_run_cur->next->offset =
data_run_cur->offset + data_run_cur->len;
-
- a_fs_attr->nrd.initsize +=
- (data_run_cur->next->len * a_fs->block_size);
a_fs_attr->nrd.run_end = data_run_cur->next;
data_run_cur = data_run_cur->next;
}
@@ -853,6 +835,12 @@ tsk_fs_attr_walk_nonres(const TSK_FS_ATTR * fs_attr,
PRIuDADDR, addr + len_idx);
return 1;
}
+
+ if (off + fs->block_size > fs_attr->nrd.initsize) {
+ memset(&buf[fs_attr->nrd.initsize - off], 0,
+ fs->block_size - (fs_attr->nrd.initsize -
+ off));
+ }
}
}
diff --git a/tsk3/fs/hfs.c b/tsk3/fs/hfs.c
index 494336481..77a1568ff 100644
--- a/tsk3/fs/hfs.c
+++ b/tsk3/fs/hfs.c
@@ -1368,6 +1368,7 @@ hfs_make_catalog(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, hfs->fs->cat_file.logic_sz),
+ tsk_getu64(fs->endian, hfs->fs->cat_file.logic_sz),
tsk_getu64(fs->endian, hfs->fs->cat_file.logic_sz), 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_catalog",
TSK_ERRSTR_L - strlen(tsk_errstr2));
@@ -1439,6 +1440,7 @@ hfs_make_extents(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, hfs->fs->ext_file.logic_sz),
+ tsk_getu64(fs->endian, hfs->fs->ext_file.logic_sz),
tsk_getu64(fs->endian, hfs->fs->ext_file.logic_sz), 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_extents",
TSK_ERRSTR_L - strlen(tsk_errstr2));
@@ -1504,6 +1506,7 @@ hfs_make_blockmap(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, hfs->fs->alloc_file.logic_sz),
+ tsk_getu64(fs->endian, hfs->fs->alloc_file.logic_sz),
tsk_getu64(fs->endian, hfs->fs->alloc_file.logic_sz), 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_blockmap",
TSK_ERRSTR_L - strlen(tsk_errstr2));
@@ -1575,6 +1578,7 @@ hfs_make_startfile(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, hfs->fs->start_file.logic_sz),
+ tsk_getu64(fs->endian, hfs->fs->start_file.logic_sz),
tsk_getu64(fs->endian, hfs->fs->start_file.logic_sz), 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_startfile",
TSK_ERRSTR_L - strlen(tsk_errstr2));
@@ -1646,6 +1650,7 @@ hfs_make_attrfile(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, hfs->fs->attr_file.logic_sz),
+ tsk_getu64(fs->endian, hfs->fs->attr_file.logic_sz),
tsk_getu64(fs->endian, hfs->fs->attr_file.logic_sz), 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_attrfile",
TSK_ERRSTR_L - strlen(tsk_errstr2));
@@ -1704,7 +1709,8 @@ hfs_make_badblockfile(HFS_INFO * hfs, TSK_FS_FILE * fs_file)
// dd the run to the file.
if (tsk_fs_attr_set_run(fs_file, fs_attr, NULL, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- fs_file->meta->size, fs_file->meta->size, 0, 0)) {
+ fs_file->meta->size, fs_file->meta->size, fs_file->meta->size,
+ 0, 0)) {
strncat(tsk_errstr2, " - hfs_make_attrfile",
TSK_ERRSTR_L - strlen(tsk_errstr2));
tsk_fs_attr_free(fs_attr);
@@ -2018,7 +2024,7 @@ hfs_load_attrs(TSK_FS_FILE * fs_file)
&& (fs_file->meta->type != TSK_FS_META_TYPE_LNK)) {
if (tsk_fs_attr_set_run(fs_file, fs_attr, NULL, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT, 0, 0, 0,
- 0)) {
+ 0, 0)) {
strncat(tsk_errstr2, " - hfs_load_attrs (non-file)",
TSK_ERRSTR_L - strlen(tsk_errstr2));
return 1;
@@ -2060,6 +2066,7 @@ hfs_load_attrs(TSK_FS_FILE * fs_file)
if (tsk_fs_attr_set_run(fs_file, fs_attr, attr_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
tsk_getu64(fs->endian, fork->logic_sz),
+ tsk_getu64(fs->endian, fork->logic_sz),
tsk_getu32(fs->endian, fork->total_blk) * fs->block_size, 0,
0)) {
strncat(tsk_errstr2, " - hfs_load_attrs",
diff --git a/tsk3/fs/iso9660.c b/tsk3/fs/iso9660.c
index 2d9ef6138..e5ff29cdd 100644
--- a/tsk3/fs/iso9660.c
+++ b/tsk3/fs/iso9660.c
@@ -1302,7 +1302,7 @@ iso9660_make_data_run(TSK_FS_FILE * a_fs_file)
// initialize the data run
if (tsk_fs_attr_set_run(a_fs_file, fs_attr, data_run, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- a_fs_file->meta->size,
+ a_fs_file->meta->size, a_fs_file->meta->size,
roundup(a_fs_file->meta->size + dd.ext_len,
fs->block_size) - dd.ext_len, 0, 0)) {
return 1;
diff --git a/tsk3/fs/ntfs.c b/tsk3/fs/ntfs.c
index 80b2ef225..445c122b7 100644
--- a/tsk3/fs/ntfs.c
+++ b/tsk3/fs/ntfs.c
@@ -5,7 +5,7 @@
** Content and meta data layer support for the NTFS file system
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
-** Copyright (c) 2006-2008 Brian Carrier, Basis Technology. All Rights reserved
+** Copyright (c) 2006-2009 Brian Carrier, Basis Technology. All Rights reserved
** Copyright (c) 2003-2005 Brian Carrier. All rights reserved
**
** TASK
@@ -1876,7 +1876,9 @@ ntfs_proc_attrseq(NTFS_INFO * ntfs,
if (tsk_fs_attr_set_run(fs_file, fs_attr,
fs_attr_run, name,
- type, id, ssize, alen, data_flag, compsize)) {
+ type, id, ssize,
+ tsk_getu64(fs->endian, attr->c.nr.initsize),
+ alen, data_flag, compsize)) {
strncat(tsk_errstr2, " - proc_attrseq: set run",
TSK_ERRSTR_L - strlen(tsk_errstr2));
return TSK_ERR;
diff --git a/tsk3/fs/tsk_fs.h b/tsk3/fs/tsk_fs.h
index 081013475..c6f8a0ffd 100644
--- a/tsk3/fs/tsk_fs.h
+++ b/tsk3/fs/tsk_fs.h
@@ -263,8 +263,8 @@ extern "C" {
TSK_FS_ATTR_RUN *run; ///< Linked list of runs for non-resident attributes
TSK_FS_ATTR_RUN *run_end; ///< Pointer to final run in the list
uint32_t skiplen; ///< Number of initial bytes in run to skip before content begins. The size field does not include this length.
- TSK_OFF_T allocsize; ///< Number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen). This is used for slack space.
- TSK_OFF_T initsize; ///< Number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller then or equal to size - NTFS only).
+ TSK_OFF_T allocsize; ///< Number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen). This is defined when the attribute is created and used to determine slack space.
+ TSK_OFF_T initsize; ///< Number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller then or equal to size). This is defined when the attribute is created.
uint32_t compsize; ///< Size of compression units (needed only if NTFS file is compressed)
} nrd;
diff --git a/tsk3/fs/tsk_fs_i.h b/tsk3/fs/tsk_fs_i.h
index 753815539..640b13a99 100644
--- a/tsk3/fs/tsk_fs_i.h
+++ b/tsk3/fs/tsk_fs_i.h
@@ -97,8 +97,8 @@ extern "C" {
extern uint8_t tsk_fs_attr_set_run(TSK_FS_FILE *,
TSK_FS_ATTR * a_fs_attr, TSK_FS_ATTR_RUN * data_run_new,
const char *name, TSK_FS_ATTR_TYPE_ENUM type, uint16_t id,
- TSK_OFF_T size, TSK_OFF_T allocsize, TSK_FS_ATTR_FLAG_ENUM flags,
- uint32_t compsize);
+ TSK_OFF_T size, TSK_OFF_T initsize, TSK_OFF_T allocsize,
+ TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize);
extern uint8_t tsk_fs_attr_add_run(TSK_FS_INFO * fs,
TSK_FS_ATTR * a_fs_attr, TSK_FS_ATTR_RUN * data_run_new);
extern void tsk_fs_attr_append_run(TSK_FS_INFO * fs,
diff --git a/tsk3/fs/unix_misc.c b/tsk3/fs/unix_misc.c
index 140685c14..cc5f94b03 100644
--- a/tsk3/fs/unix_misc.c
+++ b/tsk3/fs/unix_misc.c
@@ -282,7 +282,8 @@ tsk_fs_unix_make_data_run(TSK_FS_FILE * fs_file)
// initialize the data run
if (tsk_fs_attr_set_run(fs_file, fs_attr, NULL, NULL,
TSK_FS_ATTR_TYPE_DEFAULT, TSK_FS_ATTR_ID_DEFAULT,
- fs_meta->size, roundup(fs_meta->size, fs->block_size), 0, 0)) {
+ fs_meta->size, fs_meta->size, roundup(fs_meta->size,
+ fs->block_size), 0, 0)) {
return 1;
}
--
GitLab