Thread: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
Brought to you by:
carrier
Menu
▾
▴
sleuthkit-users
|
From: Svein Y. W. <sv...@wi...> - 2006-08-23 12:56:11
|
Apparently fs_inode is NULL. In your case it's called from line 305 in
ntfs.dent.c.
I notice there's a check for fs_inode != NULL in the call to fs_inode_free
at line 97. There should probably be a similar check at line 305. Such a
check should at least eliminate your current crash.
Regards,
Svein Willassen
> -----Original Message-----
> From: sle...@li... [mailto:sleuthkit-
> use...@li...] On Behalf Of Simson Garfinkel
> Sent: 23. august 2006 14:41
> To: sle...@li...
> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>
> I have an image to generates a crash in the ntfs_dent_idxentry()
> function.
>
> Here is the stack trace:
>
> (gdb) where
> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:818
> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:818
> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
> <dent_act>, ptr=0x0)
> at ntfs_dent.c:863
> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
> iwalk.cpp:170
> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> 1013
> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> boring test comment") at iwalk.cpp:229
> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> iwalk.cpp:294
> (gdb)
>
> And here is the code itself:
>
> /* fs_inode_free - destroy generic inode structure */
>
> void
> fs_inode_free(FS_INODE * fs_inode)
> {
> FS_NAME *fs_name, *fs_name2;
>
> => if (fs_inode->direct_addr)
> free((char *) fs_inode->direct_addr);
> fs_inode->direct_addr = NULL;
>
> if (fs_inode->indir_addr)
> free((char *) fs_inode->indir_addr);
> fs_inode->indir_addr = NULL;
>
>
> Any ideas?
>
> This is TSK 2.05
|
|
From: Svein Y. W. <sv...@wi...> - 2006-08-23 13:02:34
|
Pardon; those line numbers came from my modified version. The call to
fs_inode_free is at line 288:
/* we know deleted entries with an inode of 0 are not legit
because
* that is the MFT value. Free it so it does not confuse
* people with invalid data
*/
if (fs_dent->inode == 0) {
fs_inode_free(fs_dent->fsi); <----
fs_dent->fsi = NULL;
}
Svein
> -----Original Message-----
> From: sle...@li... [mailto:sleuthkit-
> use...@li...] On Behalf Of Svein Yngvar Willassen
> Sent: 23. august 2006 14:56
> To: sle...@li...
> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>
> Apparently fs_inode is NULL. In your case it's called from line 305 in
> ntfs.dent.c.
>
> I notice there's a check for fs_inode != NULL in the call to fs_inode_free
> at line 97. There should probably be a similar check at line 305. Such a
> check should at least eliminate your current crash.
>
> Regards,
>
> Svein Willassen
>
>
> > -----Original Message-----
> > From: sle...@li... [mailto:sleuthkit-
> > use...@li...] On Behalf Of Simson Garfinkel
> > Sent: 23. august 2006 14:41
> > To: sle...@li...
> > Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
> >
> > I have an image to generates a crash in the ntfs_dent_idxentry()
> > function.
> >
> > Here is the stack trace:
> >
> > (gdb) where
> > #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
> > #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
> > #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:818
> > #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> > #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:818
> > #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
> > dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
> > action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
> > #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
> > dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
> > <dent_act>, ptr=0x0)
> > at ntfs_dent.c:863
> > #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
> > flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
> > #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
> > iwalk.cpp:170
> > #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
> > flag=0, ptr=0x44a304 "") at iwalk.cpp:195
> > #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
> > last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
> > 1013
> > #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
> > boring test comment") at iwalk.cpp:229
> > #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
> > iwalk.cpp:294
> > (gdb)
> >
> > And here is the code itself:
> >
> > /* fs_inode_free - destroy generic inode structure */
> >
> > void
> > fs_inode_free(FS_INODE * fs_inode)
> > {
> > FS_NAME *fs_name, *fs_name2;
> >
> > => if (fs_inode->direct_addr)
> > free((char *) fs_inode->direct_addr);
> > fs_inode->direct_addr = NULL;
> >
> > if (fs_inode->indir_addr)
> > free((char *) fs_inode->indir_addr);
> > fs_inode->indir_addr = NULL;
> >
> >
> > Any ideas?
> >
> > This is TSK 2.05
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
|
|
From: Simson G. <si...@ac...> - 2006-08-23 13:13:26
Attachments:
smime.p7s
|
Okay. Here is the correct code, starting at line 287:
/* we know deleted entries with an inode of 0 are not
legit because
* that is the MFT value. Free it so it does not confuse
* people with invalid data
*/
if (fs_dent->inode == 0) {
+ if(fs_dent->fsi != NULL){
fs_inode_free(fs_dent->fsi);
fs_dent->fsi = NULL;
+ }
}
(I also patched fs_inode_free() to just return if it got a NUL. Now I
understand that it's getting a NULL because 0 is a special MFT value.)
On Aug 23, 2006, at 6:02 AM, Svein Yngvar Willassen wrote:
> Pardon; those line numbers came from my modified version. The call to
> fs_inode_free is at line 288:
>
> /* we know deleted entries with an inode of 0 are not legit
> because
> * that is the MFT value. Free it so it does not confuse
> * people with invalid data
> */
> if (fs_dent->inode == 0) {
> fs_inode_free(fs_dent->fsi); <----
> fs_dent->fsi = NULL;
> }
>
> Svein
>
>
>> -----Original Message-----
>> From: sle...@li...
>> [mailto:sleuthkit-
>> use...@li...] On Behalf Of Svein Yngvar
>> Willassen
>> Sent: 23. august 2006 14:56
>> To: sle...@li...
>> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>
>> Apparently fs_inode is NULL. In your case it's called from line
>> 305 in
>> ntfs.dent.c.
>>
>> I notice there's a check for fs_inode != NULL in the call to
>> fs_inode_free
>> at line 97. There should probably be a similar check at line
>> 305. Such a
>> check should at least eliminate your current crash.
>>
>> Regards,
>>
>> Svein Willassen
>>
>>
>>> -----Original Message-----
>>> From: sle...@li...
>>> [mailto:sleuthkit-
>>> use...@li...] On Behalf Of Simson Garfinkel
>>> Sent: 23. august 2006 14:41
>>> To: sle...@li...
>>> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>
>>> I have an image to generates a crash in the ntfs_dent_idxentry()
>>> function.
>>>
>>> Here is the stack trace:
>>>
>>> (gdb) where
>>> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
>>> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
>>> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:818
>>> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:818
>>> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264,
>>> flags=7,
>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
>>> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
>>> <dent_act>, ptr=0x0)
>>> at ntfs_dent.c:863
>>> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
>>> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
>>> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
>>> iwalk.cpp:170
>>> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2,
>>> part=0x563180,
>>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>>> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>>> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at
>>> dos.c:
>>> 1013
>>> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>>> boring test comment") at iwalk.cpp:229
>>> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>>> iwalk.cpp:294
>>> (gdb)
>>>
>>> And here is the code itself:
>>>
>>> /* fs_inode_free - destroy generic inode structure */
>>>
>>> void
>>> fs_inode_free(FS_INODE * fs_inode)
>>> {
>>> FS_NAME *fs_name, *fs_name2;
>>>
>>> => if (fs_inode->direct_addr)
>>> free((char *) fs_inode->direct_addr);
>>> fs_inode->direct_addr = NULL;
>>>
>>> if (fs_inode->indir_addr)
>>> free((char *) fs_inode->indir_addr);
>>> fs_inode->indir_addr = NULL;
>>>
>>>
>>> Any ideas?
>>>
>>> This is TSK 2.05
>>
>>
>> ---------------------------------------------------------------------
>> ----
>> Using Tomcat but need to do more? Need to support web services,
>> security?
>> Get stuff done quickly with pre-integrated technology to make your
>> job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
>> Geronimo
>> http://sel.as-us.falkag.net/sel?
>> cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>
>
>
> ----------------------------------------------------------------------
> ---
> Using Tomcat but need to do more? Need to support web services,
> security?
> Get stuff done quickly with pre-integrated technology to make your
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
> http://sel.as-us.falkag.net/sel?
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
|
|
From: Brian C. <ca...@sl...> - 2006-08-23 13:40:17
|
I'm not sure when this bug was introduced, but it didn't exist a couple
of versions ago. Anyway, a couple of other users reported it a few
weeks ago and it is fixed in the next release, which should be at the
end of this week or early next week.
thanks,
brian
Simson Garfinkel wrote:
> Okay. Here is the correct code, starting at line 287:
>
> /* we know deleted entries with an inode of 0 are not legit
> because
> * that is the MFT value. Free it so it does not confuse
> * people with invalid data
> */
> if (fs_dent->inode == 0) {
> + if(fs_dent->fsi != NULL){
> fs_inode_free(fs_dent->fsi);
> fs_dent->fsi = NULL;
> + }
> }
>
> (I also patched fs_inode_free() to just return if it got a NUL. Now I
> understand that it's getting a NULL because 0 is a special MFT value.)
>
> On Aug 23, 2006, at 6:02 AM, Svein Yngvar Willassen wrote:
>
>> Pardon; those line numbers came from my modified version. The call to
>> fs_inode_free is at line 288:
>>
>> /* we know deleted entries with an inode of 0 are not legit
>> because
>> * that is the MFT value. Free it so it does not confuse
>> * people with invalid data
>> */
>> if (fs_dent->inode == 0) {
>> fs_inode_free(fs_dent->fsi); <----
>> fs_dent->fsi = NULL;
>> }
>>
>> Svein
>>
>>
>>> -----Original Message-----
>>> From: sle...@li... [mailto:sleuthkit-
>>> use...@li...] On Behalf Of Svein Yngvar Willassen
>>> Sent: 23. august 2006 14:56
>>> To: sle...@li...
>>> Subject: Re: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>
>>> Apparently fs_inode is NULL. In your case it's called from line 305 in
>>> ntfs.dent.c.
>>>
>>> I notice there's a check for fs_inode != NULL in the call to
>>> fs_inode_free
>>> at line 97. There should probably be a similar check at line 305.
>>> Such a
>>> check should at least eliminate your current crash.
>>>
>>> Regards,
>>>
>>> Svein Willassen
>>>
>>>
>>>> -----Original Message-----
>>>> From: sle...@li... [mailto:sleuthkit-
>>>> use...@li...] On Behalf Of Simson Garfinkel
>>>> Sent: 23. august 2006 14:41
>>>> To: sle...@li...
>>>> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>>>
>>>> I have an image to generates a crash in the ntfs_dent_idxentry()
>>>> function.
>>>>
>>>> Here is the stack trace:
>>>>
>>>> (gdb) where
>>>> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
>>>> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
>>>> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:818
>>>> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>>> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:818
>>>> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>>>> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264, flags=7,
>>>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>>>> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
>>>> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
>>>> <dent_act>, ptr=0x0)
>>>> at ntfs_dent.c:863
>>>> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
>>>> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
>>>> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
>>>> iwalk.cpp:170
>>>> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
>>>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>>>> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>>>> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at dos.c:
>>>> 1013
>>>> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>>>> boring test comment") at iwalk.cpp:229
>>>> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>>>> iwalk.cpp:294
>>>> (gdb)
>>>>
>>>> And here is the code itself:
>>>>
>>>> /* fs_inode_free - destroy generic inode structure */
>>>>
>>>> void
>>>> fs_inode_free(FS_INODE * fs_inode)
>>>> {
>>>> FS_NAME *fs_name, *fs_name2;
>>>>
>>>> => if (fs_inode->direct_addr)
>>>> free((char *) fs_inode->direct_addr);
>>>> fs_inode->direct_addr = NULL;
>>>>
>>>> if (fs_inode->indir_addr)
>>>> free((char *) fs_inode->indir_addr);
>>>> fs_inode->indir_addr = NULL;
>>>>
>>>>
>>>> Any ideas?
>>>>
>>>> This is TSK 2.05
|
|
From: Simson G. <si...@ac...> - 2006-08-23 13:01:30
Attachments:
smime.p7s
|
Thanks. Line 305 in which file?
You are right --- the "quick patch" is:
if(fs_inode==NULL) return;
However, there's clearly a deeper bug somewhere...
On Aug 23, 2006, at 5:55 AM, Svein Yngvar Willassen wrote:
> Apparently fs_inode is NULL. In your case it's called from line 305 in
> ntfs.dent.c.
>
> I notice there's a check for fs_inode != NULL in the call to
> fs_inode_free
> at line 97. There should probably be a similar check at line 305.
> Such a
> check should at least eliminate your current crash.
>
> Regards,
>
> Svein Willassen
>
>
>> -----Original Message-----
>> From: sle...@li...
>> [mailto:sleuthkit-
>> use...@li...] On Behalf Of Simson Garfinkel
>> Sent: 23. august 2006 14:41
>> To: sle...@li...
>> Subject: [sleuthkit-users] crash in fs_inode.c:96 TSK 2.05
>>
>> I have an image to generates a crash in the ntfs_dent_idxentry()
>> function.
>>
>> Here is the stack trace:
>>
>> (gdb) where
>> #0 fs_inode_free (fs_inode=0x0) at fs_inode.c:96
>> #1 0x000000000042adf7 in ntfs_dent_idxentry (ntfs=0x566400,
>> dinfo=0x7fffffffdda0, idxe=0x1e57040, size=4032, len=31813712,
>> flags=7,
>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:288
>> #2 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdda0, inum=31817728, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at ntfs_dent.c:818
>> #3 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>> dinfo=0x7fffffffdda0, idxe=0x15787e8, size=4032, len=22513656,
>> flags=7,
>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>> #4 0x000000000042bf5c in ntfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdda0, inum=22515712, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at ntfs_dent.c:818
>> #5 0x000000000042af54 in ntfs_dent_idxentry (ntfs=0x566400,
>> dinfo=0x7fffffffdda0, idxe=0x1573458, size=4032, len=22492264,
>> flags=7,
>> action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:327
>> #6 0x000000000042c142 in ntfs_dent_walk_lcl (fs=0x566400,
>> dinfo=0x7fffffffdda0, inum=4203824, flags=7, action=0x402530
>> <dent_act>, ptr=0x0)
>> at ntfs_dent.c:863
>> #7 0x000000000042b3ad in ntfs_dent_walk (fs=0x566400, inum=5,
>> flags=7, action=0x402530 <dent_act>, ptr=0x0) at ntfs_dent.c:464
>> #8 0x0000000000402ae2 in do_vol (img=0x564000, start=32256) at
>> iwalk.cpp:170
>> #9 0x0000000000402b7c in mm_act (mm=0x564080, pnum=2, part=0x563180,
>> flag=0, ptr=0x44a304 "") at iwalk.cpp:195
>> #10 0x00000000004342e0 in dos_part_walk (mm=0x564080, start=0,
>> last=4, flags=10, action=0x402b30 <mm_act>, ptr=0x44a304 "") at
>> dos.c:
>> 1013
>> #11 0x0000000000402c5e in do_dimage (img=0x564000, desc=0x44a406 "my
>> boring test comment") at iwalk.cpp:229
>> #12 0x0000000000402e39 in main (argc=1, argv=0x7fffffffe988) at
>> iwalk.cpp:294
>> (gdb)
>>
>> And here is the code itself:
>>
>> /* fs_inode_free - destroy generic inode structure */
>>
>> void
>> fs_inode_free(FS_INODE * fs_inode)
>> {
>> FS_NAME *fs_name, *fs_name2;
>>
>> => if (fs_inode->direct_addr)
>> free((char *) fs_inode->direct_addr);
>> fs_inode->direct_addr = NULL;
>>
>> if (fs_inode->indir_addr)
>> free((char *) fs_inode->indir_addr);
>> fs_inode->indir_addr = NULL;
>>
>>
>> Any ideas?
>>
>> This is TSK 2.05
>
>
> ----------------------------------------------------------------------
> ---
> Using Tomcat but need to do more? Need to support web services,
> security?
> Get stuff done quickly with pre-integrated technology to make your
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
> http://sel.as-us.falkag.net/sel?
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
|
Thanks for helping keep SourceForge clean.
X