Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
|
From: Svein Y. W. <sv...@wi...> - 2006-08-23 13:02:34
|
Pardon; those line numbers came from my modified version. The call to
fs_inode_free is at line 288:
/* we know deleted entries with an inode of 0 are not legit
because
* that is the MFT value. Free it so it does not confuse
* people with invalid data
*/
if (fs_dent->inode == 0) {
fs_inode_free(fs_dent->fsi); <----
fs_dent->fsi = NULL;
}
Svein
> -----Original Message-----
> From: sle...@li... [mailto:sleuthkit-
> use...@li...] On Behalf Of Svein Yngvar Willassen
> Sent: 23. august 2006 14:56
> To: sle...@li...
> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>
> Apparently fs_inode is NULL. In your case it's called from line 305 in
> ntfs.dent.c.
>
> I notice there's a check for fs_inode != NULL in the call to fs_inode_free
> at line 97. There should probably be a similar check at line 305. Such a
> check should at least eliminate your current crash.
>
> Regards,
>
> Svein Willassen
>
>
> > -----Original Message-----
> > From: sle...@li... [mailto:sleuthkit-
> > use...@li...] On Behalf Of Simson Garfinkel
> > Sent: 23. august 2006 14:41
> > To: sle...@li...
> > Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
> >
> > I have an image to generates a crash in the ntfs_dent_idxentry()
> > function.
> >
> > Here is the stack trace:
> >
> > (gdb) where
> > #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
> > #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
> > #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:818
> > #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> > #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:818
> > #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> > #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:863
> > #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
> > flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
> > #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
> > iwalk.cpp:170
> > #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> > flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> > #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> > last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> > 1013
> > #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> > boring test comment") at iwalk.cpp:229
> > #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> > iwalk.cpp:294
> > (gdb)
> >
> > And here is the code itself:
> >
> > /* fs_inode_free - destroy generic inode structure */
> >
> > void
> > fs_inode_free(FS_INODE * fs_inode)
> > {
> > FS_NAME *fs_name, *fs_name2;
> >
> > => if (fs_inode->direct_addr)
> > free((char *) fs_inode->direct_addr);
> > fs_inode->direct_addr = NULL;
> >
> > if (fs_inode->indir_addr)
> > free((char *) fs_inode->indir_addr);
> > fs_inode->indir_addr = NULL;
> >
> >
> > Any ideas?
> >
> > This is TSK 2.05
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
|
