[sleuthkit-developers] [ sleuthkit-Bugs-2796945 ] infinite loop in fs_attr

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Bugs item #2796945, was opened at 2009-05-26 11:48
Message generated for change (Comment added) made by carrier
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2796945&group_id=55685

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: File System Tools
Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Brian Carrier (carrier)
Assigned to: Brian Carrier (carrier)
Summary: infinite loop in fs_attr

Initial Comment:
>From Simson Garfinkel:

I seem to have found an infinite loop in sleuthkit-trunk-2009.5.4

The problems comes when setting the TSK_FS_FILE_WALK_FLAG_AONLY flag when calling  tsk_fs_file_walk.

The problem seems to be in tsk_fs_attr_walk_res in fs_attr.c:

Here is the code at line 695:
      /* Allocate a buffer that is at most a block size in length */
      if ((a_flags & TSK_FS_FILE_WALK_FLAG_AONLY) == 0) {
          buf_len = (size_t) fs_attr->size;
          if (buf_len > fs->block_size)
              buf_len = fs->block_size;

          if ((buf = tsk_malloc(buf_len)) == NULL) {
              return 1;
          }
      }

Because TSK_FS_FILE_WALK_FLAG_AONLY is set, buf_len is set to 0.

But then in this loop, read_len is set to buf_len:

      for (off = 0; off < fs_attr->size; off += read_len) {

  =>      if (fs_attr->size - off > buf_len)
              read_len = buf_len;
          else
              read_len = (size_t) (fs_attr->size - off);

          if (buf) {
              // wipe rest of buffer if we are not going to read into all of it                                                                                                                                                                            
              if (read_len != buf_len)
                  memset(&buf[read_len], 0, buf_len - read_len);

              memcpy(buf, &fs_attr->rd.buf[off], read_len);
          }
          retval =
              a_action(fs_attr->fs_file, off, 0, buf, read_len, myflags,
              a_ptr);

          if (retval != TSK_WALK_CONT)
              break;
      }

The problem is that buf_len is 0, so we have an infinite loop.

----------------------------------------------------------------------

>Comment By: Brian Carrier (carrier)
Date: 2009-05-26 12:26

Message:
Sending        CHANGES.txt
Sending        tsk3/fs/fs_attr.c
Transmitting file data ..
Committed revision 98.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=477889&aid=2796945&group_id=55685