Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
From: Svein Y. W. <sv...@wi...> - 2006-08-23 12:56:11
Apparently fs_inode is NULL. In your case it's called from line 305 in
ntfs.dent.c.
I notice there's a check for fs_inode != NULL in the call to fs_inode_free
at line 97. There should probably be a similar check at line 305. Such a
check should at least eliminate your current crash.
Regards,
Svein Willassen
> -----Original Message-----
> From: sle...@li... [mailto:sleuthkit-
> use...@li...] On Behalf Of Simson Garfinkel
> Sent: 23. august 2006 14:41
> To: sle...@li...
> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>
> I have an image that generates a crash in the ntfs_dent_idxentry()
> function.
>
> Here is the stack trace:
>
> (gdb) where
> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:818
> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:818
> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:863
> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:170
> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> 1013
> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
> And here is the code itself:
>
> /* fs_inode_free - destroy generic inode structure */
>
> void
> fs_inode_free(FS_INODE * fs_inode)
> {
>     FS_NAME *fs_name, *fs_name2;
>
> =>  if (fs_inode->direct_addr)
>         free((char *) fs_inode->direct_addr);
>     fs_inode->direct_addr = NULL;
>
>     if (fs_inode->indir_addr)
>         free((char *) fs_inode->indir_addr);
>     fs_inode->indir_addr = NULL;
>
>
> Any ideas?
>
> This is TSK 2.05
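
Added example (not TSK code and not written by either poster): a C sketch of the two checks discussed in this thread, a free routine that returns early on NULL and a caller that tests the lookup result before using it. All `demo_*` names, the address bound and the sample entries are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a generic inode; this is not TSK's FS_INODE. */
typedef struct {
    uint64_t *direct_addr, *indir_addr;
} demo_inode;

/* Returns NULL when an entry points past the metadata table (corrupt image). */
static demo_inode *demo_inode_lookup(uint64_t addr, uint64_t last_addr)
{
    demo_inode *ino;
    if (addr > last_addr || (ino = calloc(1, sizeof(*ino))) == NULL)
        return NULL;
    ino->direct_addr = calloc(12, sizeof(uint64_t)); /* NULL is fine for free() */
    return ino;
}

/* Free routine that tolerates NULL, like free(3) itself. */
static void demo_inode_free(demo_inode *ino)
{
    if (ino == NULL)
        return;
    free(ino->direct_addr);
    free(ino->indir_addr);
    free(ino);
}

/* Returns how many entries resolved; unresolved ones are counted, not dereferenced. */
static int demo_walk(const uint64_t *entries, size_t n, uint64_t last_addr, size_t *skipped)
{
    int ok = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        demo_inode *ino = demo_inode_lookup(entries[i], last_addr);
        if (ino == NULL)
            (*skipped)++;        /* caller-side check */
        else
            ok++;
        demo_inode_free(ino);    /* safe on both paths */
    }
    return ok;
}

int main(void)
{
    const uint64_t entries[] = { 5, 64, 4096 };   /* constructed; 4096 is out of range */
    size_t skipped;
    return demo_walk(entries, 3, 1000, &skipped) == 2 && skipped == 1 ? 0 : 1;
}
```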