Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
From: Brian C. <ca...@sl...> - 2006-08-23 13:40:17
I'm not sure when this bug was introduced, but it didn't exist a couple
of versions ago. Anyway, a couple of other users reported it a few
weeks ago and it is fixed in the next release, which should be at the
end of this week or early next week.
thanks,
brian
Simson Garfinkel wrote:
> Okay. Here is the correct code, starting at line 287:
>
> /* we know deleted entries with an inode of 0 are not legit
> because
> * that is the MFT value. Free it so it does not confuse
> * people with invalid data
> */
> if (fs_dent->inode == 0) {
> + if(fs_dent->fsi != NULL){
> fs_inode_free(fs_dent->fsi);
> fs_dent->fsi = NULL;
> + }
> }
>
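Review bot: The NULL guard added around fs_inode_free(fs_dent->fsi) inside the "if (fs_dent->inode == 0)" block covers only this one call site, while the fault shown in the quoted trace is the unconditional fs_inode->direct_addr dereference inside fs_inode_free() itself. I would put the check at the top of fs_inode_free() (return early when fs_inode is NULL) and carry that change in this same patch rather than as a separate local edit, so every caller is covered; the call-site guard then becomes optional. If the guard stays, match the surrounding style, "if (fs_dent->fsi != NULL) {", and indent the two lines it now encloses.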
> (I also patched fs_inode_free() to just return if it got a NULL. Now I
> understand that it's getting a NULL because 0 is a special MFT value.)
>
> On Aug 23, 2006, at 6:02 AM, Svein Yngvar Willassen wrote:
>
>> Pardon; those line numbers came from my modified version. The call to
>> fs_inode_free is at line 288:
>>
>> /* we know deleted entries with an inode of 0 are not legit
>> because
>> * that is the MFT value. Free it so it does not confuse
>> * people with invalid data
>> */
>> if (fs_dent->inode == 0) {
>> fs_inode_free(fs_dent->fsi); <----
>> fs_dent->fsi = NULL;
>> }
>>
>> Svein
>>
>>
>>> -----Original Message-----
>>> From: sle...@li... [mailto:sleuthkit-
>>> use...@li...] On Behalf Of Svein Yngvar Willassen
>>> Sent: 23. august 2006 14:56
>>> To: sle...@li...
>>> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>
>>> Apparently fs_inode is NULL. In your case it's called from line 305 in
>>> ntfs.dent.c.
>>>
>>> I notice there's a check for fs_inode != NULL in the call to
>>> fs_inode_free
>>> at line 97. There should probably be a similar check at line 305.
>>> Such a
>>> check should at least eliminate your current crash.
>>>
>>> Regards,
>>>
>>> Svein Willassen
>>>
>>>
>>>> -----Original Message-----
>>>> From: sle...@li... [mailto:sleuthkit-
>>>> use...@li...] On Behalf Of Simson Garfinkel
>>>> Sent: 23. august 2006 14:41
>>>> To: sle...@li...
>>>> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>>
>>>> I have an image that generates a crash in the ntfs_dent_idxentry()
>>>> function.
>>>>
>>>> Here is the stack trace:
>>>>
>>>> (gdb) where
>>>> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
>>>> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
>>>> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:818
>>>> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>>> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:818
>>>> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>>> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:863
>>>> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
>>>> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
>>>> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
>>>> iwalk.cpp:170
>>>> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
>>>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>>>> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>>>> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
>>>> 1013
>>>> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>>>> boring test comment") at iwalk.cpp:229
>>>> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>>>> iwalk.cpp:294
>>>> (gdb)
>>>>
>>>> And here is the code itself:
>>>>
>>>> /* fs_inode_free - destroy generic inode structure */
>>>>
>>>> void
>>>> fs_inode_free(FS_INODE * fs_inode)
>>>> {
>>>> FS_NAME *fs_name, *fs_name2;
>>>>
>>>> => if (fs_inode->direct_addr)
>>>> free((char *) fs_inode->direct_addr);
>>>> fs_inode->direct_addr = NULL;
>>>>
>>>> if (fs_inode->indir_addr)
>>>> free((char *) fs_inode->indir_addr);
>>>> fs_inode->indir_addr = NULL;
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>> This is TSK 2.05