Re: [sleuthkit-developers] NTFS File System Seg Fault
From: Brian C. <ca...@sl...> - 2007-09-06 20:36:11
Al,

Thanks for reporting this. It was also reported to me a few weeks back
and I fixed it (I need to get a new release out). The simple fix is to
add this above where you had the problem:

    else if (fs_dent->fsi == NULL) {
        return TSK_WALK_STOP;
    }

thanks,
brian

On Sep 6, 2007, at 12:10 AM, Al MailingList wrote:

> Hello list,
>
> I've been using sk for a while (it's great), and I've just started
> using the excellent python bindings for the sleuthkit (from
> www.pyflag.net). Anyway, when processing a disk image I ran across a
> seg fault. Basically here is what happened:
>
> - I walked the file system
> - I tried to extract all the files one by one by name
> - When attempting to extract one I got a seg fault
>
> I narrowed it down to the one file it was crashing on, say
>
> /foo/bar/foobar/file
>
> doing an ifind on this seg faults, as too does doing one on foobar;
> doing an ifind on bar gives me an inode of zero. Obviously something
> is not correct. The seg fault occurs in ifind_lib.c. In the pyflag
> version it's line 235, but this might be slightly different in the
> current sk source. The line in question is:
>
> if ((fs_dent->fsi->mode & TSK_FS_INODE_MODE_FMT) == ...
>
> It occurs because in this particular instance, fs_dent->fsi is null.
>
> I would love to debug it myself, but I fear it would take far longer
> than my employer would appreciate :P . I've managed to work around it
> by using inodes instead of file names, so it's not a big deal for me
> anymore, but thought I would raise it. Maybe just a check for a null
> fsi and then returning a TS_WALK_ERROR would do? I can spend a bit
> more time debugging it if you can provide me some pointers. It may
> well just be a corrupt file system? Oh yeah it's an NTFS file system.
> I've checked this against v2.06 and v2.09, both seg fault.
>
> Thanks again, tsk is cool :)
>
> Cheers,
> Al
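Added example (not part of the original thread and not Sleuth Kit code): a lookup-by-name walk over simplified stand-in types, with the NULL test on fsi placed ahead of the mode test as in the fix above. Every type, function and constant name here (struct dent, find_cb, lookup, WALK_STOP, MODE_*) and the sample tree are assumptions made for illustration.

```c
/* Simplified stand-ins for illustration; NOT the real Sleuth Kit types. */
#include <stdio.h>
#include <string.h>
enum { WALK_CONT, WALK_STOP, MODE_FMT = 0xF000, MODE_DIR = 0x4000, MODE_REG = 0x8000 };
struct inode_meta { unsigned mode; };
struct dent {
    const char *name; long inode;
    struct inode_meta *fsi;       /* NULL when no metadata was loaded */
    const struct dent *children;  /* directory contents, or NULL */
    size_t nchildren;
};
struct find_state { const char *want; const struct dent *hit; int no_meta; };
/* Per-entry callback: the NULL test comes before any use of fsi->mode. */
static int find_cb(const struct dent *d, struct find_state *st)
{
    if (strcmp(d->name, st->want) != 0)
        return WALK_CONT;
    else if (d->fsi == NULL) {    /* name matched, metadata missing */
        st->no_meta = 1;
        return WALK_STOP;
    }
    st->hit = d;
    return WALK_STOP;
}

/* Inode for path; 0 if not found; -1 if stopped at an entry with NULL fsi. */
long lookup(const struct dent *root, const char *path)
{
    char buf[256];
    const struct dent *cur = root;          /* root is assumed to have metadata */
    snprintf(buf, sizeof buf, "%s", path);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        struct find_state st = { tok, NULL, 0 };
        if ((cur->fsi->mode & MODE_FMT) == MODE_DIR)   /* safe: cur->fsi is never NULL */
            for (size_t i = 0; i < cur->nchildren; i++)
                if (find_cb(&cur->children[i], &st) == WALK_STOP) break;
        if (st.hit == NULL) return st.no_meta ? -1 : 0;
        cur = st.hit;
    }
    return cur->inode;
}

/* Constructed sample tree: /foo/bar/foobar has no inode metadata. */
static struct inode_meta dir_meta = { MODE_DIR }, reg_meta = { MODE_REG };
static const struct dent bar_kids[] = { { "foobar", 0, NULL, NULL, 0 } };
static const struct dent foo_kids[] = { { "bar", 66, &dir_meta, bar_kids, 1 },
                                        { "ok.txt", 67, &reg_meta, NULL, 0 } };
static const struct dent root_kids[] = { { "foo", 65, &dir_meta, foo_kids, 2 } };
static const struct dent sample_root = { "", 5, &dir_meta, root_kids, 1 };
int main(void) { printf("%ld\n", lookup(&sample_root, "/foo/bar/foobar/file")); return 0; }
```

Returning a distinct value for the missing-metadata case lets the caller tell a damaged entry apart from a name that simply does not exist.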