Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
From: Simson G. <si...@ac...> - 2006-08-23 13:13:26
Okay. Here is the correct code, starting at line 287:
/* we know deleted entries with an inode of 0 are not
legit because
* that is the MFT value. Free it so it does not confuse
* people with invalid data
*/
if (fs_dent->inode == 0) {
+ if(fs_dent->fsi != NULL){
fs_inode_free(fs_dent->fsi);
fs_dent->fsi = NULL;
+ }
}
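Review bot: the added if(fs_dent->fsi != NULL) guard covers only this one call site in the fs_dent->inode == 0 branch, so any other caller that hands a NULL inode to fs_inode_free() would still reach the same dereference. Put the NULL test at the top of fs_inode_free() and return early, the way free(NULL) behaves, after which this caller-side check is optional. If the guard stays, write it as "if (fs_dent->fsi != NULL) {" so the spacing matches the "if (fs_dent->inode == 0) {" line above it.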
(I also patched fs_inode_free() to just return if it got a NULL. Now I
understand that it's getting a NULL because 0 is a special MFT value.)
On Aug 23, 2006, at 6:02 AM, Svein Yngvar Willassen wrote:
> Pardon; those line numbers came from my modified version. The call to
> fs_inode_free is at line 288:
>
> /* we know deleted entries with an inode of 0 are not legit because
>  * that is the MFT value. Free it so it does not confuse
>  * people with invalid data
>  */
> if (fs_dent->inode == 0) {
>     fs_inode_free(fs_dent->fsi);    <----
>     fs_dent->fsi = NULL;
> }
>
> Svein
>
>
>> -----Original Message-----
>> From: sle...@li...
>> [mailto:sleuthkit-
>> use...@li...] On Behalf Of Svein Yngvar
>> Willassen
>> Sent: 23. august 2006 14:56
>> To: sle...@li...
>> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>
>> Apparently fs_inode is NULL. In your case it's called from line 305 in
>> ntfs_dent.c.
>>
>> I notice there's a check for fs_inode != NULL in the call to fs_inode_free
>> at line 97. There should probably be a similar check at line 305. Such a
>> check should at least eliminate your current crash.
>>
>> Regards,
>>
>> Svein Willassen
>>
>>
>>> -----Original Message-----
>>> From: sle...@li...
>>> [mailto:sleuthkit-
>>> use...@li...] On Behalf Of Simson Garfinkel
>>> Sent: 23. august 2006 14:41
>>> To: sle...@li...
>>> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>
>>> I have an image that generates a crash in the ntfs_dent_idxentry()
>>> function.
>>>
>>> Here is the stack trace:
>>>
>>> (gdb) where
>>> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
>>> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
>>> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:818
>>> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:818
>>> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:863
>>> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
>>> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
>>> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
>>> iwalk.cpp:170
>>> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2,
>>> part=0x563180,
>>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>>> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>>> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at
>>> dos.c:
>>> 1013
>>> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>>> boring test comment") at iwalk.cpp:229
>>> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>>> iwalk.cpp:294
>>> (gdb)
>>>
>>> And here is the code itself:
>>>
>>> /* fs_inode_free - destroy generic inode structure */
>>>
>>> void
>>> fs_inode_free(FS_INODE * fs_inode)
>>> {
>>>     FS_NAME *fs_name, *fs_name2;
>>>
>>> =>  if (fs_inode->direct_addr)
>>>         free((char *) fs_inode->direct_addr);
>>>     fs_inode->direct_addr = NULL;
>>>
>>>     if (fs_inode->indir_addr)
>>>         free((char *) fs_inode->indir_addr);
>>>     fs_inode->indir_addr = NULL;
>>>
>>>
>>> Any ideas?
>>>
>>> This is TSK 2.05
>>
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
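Added example, not part of the original thread and not TSK source code: a destructor that accepts NULL the way free(NULL) does, plus the "inode 0" scrub path from the thread calling it without a caller-side guard. DEMO_INODE, DEMO_DENT and the demo_* functions are hypothetical stand-ins reduced to the fields shown in the messages above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for FS_INODE / FS_DENT (assumed, not TSK's types). */
typedef struct { unsigned long *direct_addr, *indir_addr; } DEMO_INODE;
typedef struct {
    unsigned long inode;   /* entry number parsed from the disk image */
    DEMO_INODE *fsi;       /* NULL when no inode was loaded for the entry */
} DEMO_DENT;

/* Destructor that tolerates NULL, so every caller is covered at once. */
void demo_inode_free(DEMO_INODE *ino)
{
    if (ino == NULL)
        return;
    free(ino->direct_addr);    /* free(NULL) is defined as a no-op */
    free(ino->indir_addr);
    free(ino);
}

/* Allocate an inode with n direct and n indirect address slots. */
DEMO_INODE *demo_inode_alloc(size_t n)
{
    DEMO_INODE *ino = calloc(1, sizeof(*ino));
    if (ino == NULL)
        return NULL;
    ino->direct_addr = calloc(n, sizeof(*ino->direct_addr));
    ino->indir_addr = calloc(n, sizeof(*ino->indir_addr));
    if (ino->direct_addr == NULL || ino->indir_addr == NULL) {
        demo_inode_free(ino);  /* partial allocation is safe to tear down */
        return NULL;
    }
    return ino;
}

/* Scrub an entry whose inode number is 0. Returns 1 if scrubbed, else 0. */
int demo_dent_scrub(DEMO_DENT *dent)
{
    if (dent == NULL || dent->inode != 0)
        return 0;
    demo_inode_free(dent->fsi);   /* fsi may legitimately be NULL here */
    dent->fsi = NULL;             /* a repeated scrub cannot double free */
    return 1;
}

int main(void)
{
    DEMO_DENT d = { 0, NULL };    /* constructed: inode 0, nothing loaded */
    printf("scrubbed=%d fsi=%p\n", demo_dent_scrub(&d), (void *) d.fsi);
    return 0;
}
```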