[sleuthkit-developers] [ sleuthkit-Bugs-3023606 ] Corrupt ext2 listing
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] [ sleuthkit-Bugs-3023606 ] Corrupt ext2 listing
|
From: SourceForge.net <no...@so...> - 2010-07-01 01:54:04
|
Bugs item #3023606, was opened at 2010-06-30 20:41 Message generated for change (Comment added) made by carrier You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3023606&group_id=55685 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: File System Tools Group: None >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: Brian Carrier (carrier) Assigned to: Brian Carrier (carrier) Summary: Corrupt ext2 listing Initial Comment: To the users list: Hello everyone, I have found a problem with a specific image file (.E01 format) with The Sleuth Kit, version 3.1.2. I work in a Ubuntu GNU/Linux environment, version 10.04 LTS (Lucid Lynx). The image file I am working with includes a partition with a EXT2 file system. When I use the fls utility in a specific folder of this image, the contents are not retrieved right (fls -v -o 63 image.E* 524447). I have seen in the source code in the function named ext2fs_dent_parse_block (file tsk3/fs/ext2fs_dent.c), that the variable minreclen is calculated using the namelen variable (minreclen = EXT2FS_DIRSIZ_lcl(namelen), this is, 11 bytes plus the name length, aligned on 4 bytes boundaries). Shouldn't it be calculated using the reclen variable ? In the case I am working with, there are some bytes in the end of a specific record that are not used in the name, so the record is 28 bytes long: the header (8 bytes), the name length is 14 characters, and there are 6 extra unused bytes unitl the next entry, so using the record length is better than using the name length + 8 bytes. In my case the ext2 linked list directory was like this (each entry in a line): 9f 00 08 00 0c 00 01 02 2e 00 00 00 8e 00 08 00 0c 00 02 02 2e 2e 00 00 a1 00 08 00 1c 00 0e 01 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 35 33 64 36 64 00 a0 00 08 00 cc 0f 0a 01 62 61 6e 6e 65 72 2e 63 73 73 00 00 a1 00 08 00 b8 0f 17 01 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 3b 34 39 39 35 33 64 36 64 00 00 00 00 The fls utility retrieved 3 entries in this folder (the first one was "stylesheet.css", and "stylesheet.css;49953d6d" as the third one. The second one, the name should be "banner.css", wasn't displayed right (the name was "^^^bann", and the rest of metadata was wrong). If I change the minreclen calculation to "minreclen=reclen", the three entries are displayed right. Regards, Jordi Gilabert Vall ---------------------------------------------------------------------- >Comment By: Brian Carrier (carrier) Date: 2010-06-30 20:53 Message: Added else statement to update minreclen if no entry could exist in unused space. Sending branches/sleuthkit-3.1/NEWS.txt Sending branches/sleuthkit-3.1/tsk3/fs/ext2fs_dent.c Sending branches/sleuthkit-3.1/tsk3/fs/ffs_dent.c Sending trunk/NEWS.txt Sending trunk/tsk3/fs/ext2fs_dent.c Sending trunk/tsk3/fs/ffs_dent.c Transmitting file data ...... Committed revision 215. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=477889&aid=3023606&group_id=55685 |
