[sleuthkit-developers] sleuthkit bug in fs_data.c
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-developers] sleuthkit bug in fs_data.c
|
From: David C. <da...@in...> - 2006-11-17 07:35:24
|
G'Day Brian, I believe I have found a bug in sleuthkit. in fs_data.c: fs_data_getnew_attr can create unused 'holes' in attr lists. At least two functions, fs_data_lookup and fs_data_lookup_noid do not jump the holes which can cause them to return early without finding the correct FS_DATA element to return. This does not seem to effect sleuthkit (though I havent done much testing), but it does effect pyflag. Probably because we live for longer and perform more walks etc than the sk tools. As such there is more opportunities for structure reuse and hence more chances to hit this bug. My solution for now is to change the loops in fs_data_lookup and fs_data_lookup_noid to jump the holes (patch attached), though another possibility is to modify fs_data_getnew_attr so that it does not create holes in the first place. This may be more complicated and undesirable though. My patch *only* fixes the loops in fs_data. A quick grep through the code reveals several more similar loops which could cause trouble (though through luck, they probably dont!). Let me know what you think or if you need a better description of the problem, I can fix up the rest for you and send another patch if you like. Thanks, David Collett |
