sleuthkit-developers

[sleuthkit-developers] NTFS File System Seg Fault

[Al M. <alp...@gm...>]

Hello list,

I've been using sk for a while (it's great), and I've just started
using the excellent python bindings for the sleuthkit (from
www.pyflag.net). Anyway, when processing a disk image I ran across a
seg fault. Basically here is what is happened:

- I walked the file system
- I tried to extract all the files one by one by name
- When attempting to extract one I got a seg fault

I narrowed it down to the one file it was crashing on, say

/foo/bar/foobar/file

doing an ifind on this seg faults, as too does doing one on foobar;
doing an ifind on bar gives me an inode of zero. Obviously something
is not correct. The seg fault occurs in ifind_lib.c. In the pyflag
version it's line 235, but this might be slightly different in the
current sk source. The line in question is:

if ((fs_dent->fsi->mode & TSK_FS_INODE_MODE_FMT) == ...

It occurs because in this particular instance, fs_dent->fsi is null.

I would love to debug it myself, but I fear it would take far longer
than my employer would appreciate :P . I've managed to work around it
by using inodes instead of file names, so it's not a big deal for me
anymore, but thought I would raise it. Maybe just a check for a null
fsi and then returning a TS_WALK_ERROR would do? I can spend a bit
more time debugging it if you can provide me some pointers. It may
well just be a corrupt file system? Oh yeah it's an NTFS file system.
I've checked this against v2.06 and v2.09, both seg fault.

Thanks again, tsk is cool :)

Cheers,
Al

Re: [sleuthkit-developers] NTFS File System Seg Fault

[Brian C. <ca...@sl...>]

Al,

Thanks for reporting this. It was also reported to me a few weeks  
back and I fixed it (I need to get a new release out).  THe simple  
fix is to add this above where you had the problem:


     else if (fs_dent->fsi == NULL) {
         return TSK_WALK_STOP;
     }

thanks,
brian


On Sep 6, 2007, at 12:10 AM, Al MailingList wrote:

> Hello list,
>
> I've been using sk for a while (it's great), and I've just started
> using the excellent python bindings for the sleuthkit (from
> www.pyflag.net). Anyway, when processing a disk image I ran across a
> seg fault. Basically here is what is happened:
>
> - I walked the file system
> - I tried to extract all the files one by one by name
> - When attempting to extract one I got a seg fault
>
> I narrowed it down to the one file it was crashing on, say
>
> /foo/bar/foobar/file
>
> doing an ifind on this seg faults, as too does doing one on foobar;
> doing an ifind on bar gives me an inode of zero. Obviously something
> is not correct. The seg fault occurs in ifind_lib.c. In the pyflag
> version it's line 235, but this might be slightly different in the
> current sk source. The line in question is:
>
> if ((fs_dent->fsi->mode & TSK_FS_INODE_MODE_FMT) == ...
>
> It occurs because in this particular instance, fs_dent->fsi is null.
>
> I would love to debug it myself, but I fear it would take far longer
> than my employer would appreciate :P . I've managed to work around it
> by using inodes instead of file names, so it's not a big deal for me
> anymore, but thought I would raise it. Maybe just a check for a null
> fsi and then returning a TS_WALK_ERROR would do? I can spend a bit
> more time debugging it if you can provide me some pointers. It may
> well just be a corrupt file system? Oh yeah it's an NTFS file system.
> I've checked this against v2.06 and v2.09, both seg fault.
>
> Thanks again, tsk is cool :)
>
> Cheers,
> Al
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a  
> browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers