Context Navigation

source: trunk/lib/regfi.c @ 158

Last change on this file since 158 was 158, checked in by tim, 14 years ago

simplified root key search

moved classname parsing up to regfi_load_key

Property svn:keywords set to Id

File size: 72.2 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[111]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
	22	*
	23	* $Id: regfi.c 158 2009-11-24 04:06:51Z tim $
	24	*/
	25
[147]	26	#include "regfi.h"
[30]	27
	28
[32]	29	/* Registry types mapping */
[78]	30	const unsigned int regfi_num_reg_types = 12;
	31	static const char* regfi_type_names[] =
[65]	32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	34
[32]	35
[135]	36
	37	/******************************************************************************
	38	******************************************************************************/
[138]	39	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
[135]	40	{
[136]	41	/* XXX: This function is not particularly efficient,
[135]	42	* but then it is mostly used during errors.
	43	*/
[136]	44	uint32 buf_size, buf_used;
	45	char* new_msg;
	46	va_list args;
[135]	47
[138]	48	if((file->msg_mask & msg_type) != 0)
	49	{
	50	if(file->last_message == NULL)
	51	buf_used = 0;
	52	else
	53	buf_used = strlen(file->last_message);
	54
	55	buf_size = buf_used+strlen(fmt)+160;
	56	new_msg = realloc(file->last_message, buf_size);
	57	if(new_msg == NULL)
	58	/* XXX: should we report this? */
	59	return;
[135]	60
[138]	61	switch (msg_type)
	62	{
	63	case REGFI_MSG_INFO:
	64	strcpy(new_msg+buf_used, "INFO: ");
	65	buf_used += 6;
	66	break;
	67	case REGFI_MSG_WARN:
	68	strcpy(new_msg+buf_used, "WARN: ");
	69	buf_used += 6;
	70	break;
	71	case REGFI_MSG_ERROR:
	72	strcpy(new_msg+buf_used, "ERROR: ");
	73	buf_used += 7;
	74	break;
	75	}
[136]	76
[138]	77	va_start(args, fmt);
	78	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	79	va_end(args);
	80	strncat(new_msg, "\n", buf_size-1);
	81
	82	file->last_message = new_msg;
	83	}
[135]	84	}
	85
	86
	87	/******************************************************************************
	88	******************************************************************************/
[136]	89	char* regfi_get_messages(REGFI_FILE* file)
[135]	90	{
	91	char* ret_val = file->last_message;
	92	file->last_message = NULL;
	93
	94	return ret_val;
	95	}
	96
	97
[138]	98	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
	99	{
	100	file->msg_mask = mask;
	101	}
	102
	103
[32]	104	/* Returns NULL on error */
[78]	105	const char* regfi_type_val2str(unsigned int val)
[32]	106	{
[61]	107	if(val == REG_KEY)
	108	return "KEY";
	109
[78]	110	if(val >= regfi_num_reg_types)
[61]	111	return NULL;
	112
[78]	113	return regfi_type_names[val];
[32]	114	}
	115
	116
[61]	117	/* Returns -1 on error */
[78]	118	int regfi_type_str2val(const char* str)
[32]	119	{
	120	int i;
	121
[61]	122	if(strcmp("KEY", str) == 0)
	123	return REG_KEY;
[32]	124
[78]	125	for(i=0; i < regfi_num_reg_types; i++)
	126	if (strcmp(regfi_type_names[i], str) == 0)
[61]	127	return i;
	128
	129	if(strcmp("DWORD_LE", str) == 0)
	130	return REG_DWORD_LE;
	131
	132	return -1;
[32]	133	}
	134
	135
[135]	136	/* Security descriptor formatting functions */
[53]	137
[78]	138	const char* regfi_ace_type2str(uint8 type)
[53]	139	{
	140	static const char* map[7]
	141	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	142	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	143	if(type < 7)
	144	return map[type];
	145	else
	146	/* XXX: would be nice to return the unknown integer value.
	147	* However, as it is a const string, it can't be free()ed later on,
	148	* so that would need to change.
	149	*/
	150	return "UNKNOWN";
	151	}
	152
	153
[76]	154	/* XXX: need a better reference on the meaning of each flag. */
	155	/* For more info, see:
	156	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	157	*/
[78]	158	char* regfi_ace_flags2str(uint8 flags)
[53]	159	{
[76]	160	static const char* flag_map[32] =
[87]	161	{ "OI", /* Object Inherit */
	162	"CI", /* Container Inherit */
	163	"NP", /* Non-Propagate */
	164	"IO", /* Inherit Only */
	165	"IA", /* Inherited ACE */
[76]	166	NULL,
	167	NULL,
	168	NULL,
	169	};
[53]	170
[76]	171	char* ret_val = malloc(35*sizeof(char));
	172	char* fo = ret_val;
	173	uint32 i;
	174	uint8 f;
	175
	176	if(ret_val == NULL)
[53]	177	return NULL;
	178
[76]	179	fo[0] = '\0';
[53]	180	if (!flags)
[76]	181	return ret_val;
[53]	182
[76]	183	for(i=0; i < 8; i++)
	184	{
	185	f = (1<<i);
	186	if((flags & f) && (flag_map[i] != NULL))
	187	{
	188	strcpy(fo, flag_map[i]);
	189	fo += strlen(flag_map[i]);
	190	*(fo++) = ' ';
	191	flags ^= f;
	192	}
[53]	193	}
[76]	194
	195	/* Any remaining unknown flags are added at the end in hex. */
	196	if(flags != 0)
	197	sprintf(fo, "0x%.2X ", flags);
	198
	199	/* Chop off the last space if we've written anything to ret_val */
	200	if(fo != ret_val)
	201	fo[-1] = '\0';
	202
	203	return ret_val;
[53]	204	}
	205
	206
[78]	207	char* regfi_ace_perms2str(uint32 perms)
[53]	208	{
[76]	209	uint32 i, p;
	210	/* This is more than is needed by a fair margin. */
	211	char* ret_val = malloc(350*sizeof(char));
	212	char* r = ret_val;
	213
	214	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	215	* For more information, see:
	216	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	217	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	218	*/
	219	static const char* perm_map[32] =
	220	{/* object-specific permissions (registry keys, in this case) */
	221	"QRY_VAL", /* KEY_QUERY_VALUE */
	222	"SET_VAL", /* KEY_SET_VALUE */
	223	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	224	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	225	"NOTIFY", /* KEY_NOTIFY */
	226	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	227	NULL,
	228	NULL,
	229	"WOW64_64", /* KEY_WOW64_64KEY */
	230	"WOW64_32", /* KEY_WOW64_32KEY */
	231	NULL,
	232	NULL,
	233	NULL,
	234	NULL,
	235	NULL,
	236	NULL,
	237	/* standard access rights */
	238	"DELETE", /* DELETE */
	239	"R_CONT", /* READ_CONTROL */
	240	"W_DAC", /* WRITE_DAC */
	241	"W_OWNER", /* WRITE_OWNER */
	242	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	243	NULL,
	244	NULL,
	245	NULL,
	246	/* other generic */
	247	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	248	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	249	NULL,
	250	NULL,
	251	"GEN_A", /* GENERIC_ALL */
	252	"GEN_X", /* GENERIC_EXECUTE */
	253	"GEN_W", /* GENERIC_WRITE */
	254	"GEN_R", /* GENERIC_READ */
	255	};
	256
	257
[53]	258	if(ret_val == NULL)
	259	return NULL;
	260
[76]	261	r[0] = '\0';
	262	for(i=0; i < 32; i++)
	263	{
	264	p = (1<<i);
	265	if((perms & p) && (perm_map[i] != NULL))
	266	{
	267	strcpy(r, perm_map[i]);
	268	r += strlen(perm_map[i]);
	269	*(r++) = ' ';
	270	perms ^= p;
	271	}
	272	}
	273
	274	/* Any remaining unknown permission bits are added at the end in hex. */
	275	if(perms != 0)
	276	sprintf(r, "0x%.8X ", perms);
[53]	277
[76]	278	/* Chop off the last space if we've written anything to ret_val */
	279	if(r != ret_val)
	280	r[-1] = '\0';
	281
[53]	282	return ret_val;
	283	}
	284
	285
[134]	286	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	287	{
[134]	288	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
[53]	289	uint32 left = size;
	290	uint8 comps = sid->num_auths;
	291	char* ret_val = malloc(size);
	292
	293	if(ret_val == NULL)
	294	return NULL;
	295
[134]	296	if(comps > WINSEC_MAX_SUBAUTHS)
	297	comps = WINSEC_MAX_SUBAUTHS;
[53]	298
	299	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	300
	301	for (i = 0; i < comps; i++)
	302	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	303
	304	return ret_val;
	305	}
	306
	307
[134]	308	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	309	{
	310	uint32 i, extra, size = 0;
	311	const char* type_str;
	312	char* flags_str;
	313	char* perms_str;
	314	char* sid_str;
[61]	315	char* ace_delim = "";
[53]	316	char* ret_val = NULL;
[61]	317	char* tmp_val = NULL;
	318	bool failed = false;
[53]	319	char field_delim = ':';
	320
[61]	321	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	322	{
[134]	323	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	324	type_str = regfi_ace_type2str(acl->aces[i]->type);
	325	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	326	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	327
[61]	328	if(flags_str != NULL && perms_str != NULL
	329	&& type_str != NULL && sid_str != NULL)
	330	{
	331	/* XXX: this is slow */
	332	extra = strlen(sid_str) + strlen(type_str)
[136]	333	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	334	tmp_val = realloc(ret_val, size+extra);
[53]	335
[61]	336	if(tmp_val == NULL)
	337	{
	338	free(ret_val);
[136]	339	ret_val = NULL;
[61]	340	failed = true;
	341	}
	342	else
	343	{
	344	ret_val = tmp_val;
[148]	345	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	346	ace_delim,sid_str,
	347	field_delim,type_str,
	348	field_delim,perms_str,
	349	field_delim,flags_str);
[61]	350	ace_delim = "\|";
	351	}
	352	}
	353	else
	354	failed = true;
	355
	356	if(sid_str != NULL)
	357	free(sid_str);
	358	if(sid_str != NULL)
	359	free(perms_str);
	360	if(sid_str != NULL)
	361	free(flags_str);
[53]	362	}
	363
	364	return ret_val;
	365	}
	366
	367
[134]	368	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	369	{
	370	if (sec_desc->sacl)
[78]	371	return regfi_get_acl(sec_desc->sacl);
[53]	372	else
	373	return NULL;
	374	}
	375
	376
[134]	377	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	378	{
	379	if (sec_desc->dacl)
[78]	380	return regfi_get_acl(sec_desc->dacl);
[53]	381	else
	382	return NULL;
	383	}
	384
	385
[134]	386	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	387	{
[78]	388	return regfi_sid2str(sec_desc->owner_sid);
[53]	389	}
	390
	391
[134]	392	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	393	{
[78]	394	return regfi_sid2str(sec_desc->grp_sid);
[53]	395	}
	396
	397
[101]	398	/*****************************************************************************
	399	* This function is just like read(2), except that it continues to
	400	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	401	* regfi_read will attempt to read length bytes from fd and write them to buf.
	402	*
	403	* On success, 0 is returned. Upon failure, an errno code is returned.
	404	*
	405	* The number of bytes successfully read is returned through the length
	406	* parameter by reference. If both the return value and length parameter are
	407	* returned as 0, then EOF was encountered immediately
	408	*****************************************************************************/
	409	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	410	{
	411	uint32 rsize = 0;
	412	uint32 rret = 0;
	413
	414	do
	415	{
	416	rret = read(fd, buf + rsize, *length - rsize);
	417	if(rret > 0)
	418	rsize += rret;
	419	}while(*length - rsize > 0
	420	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	421
	422	*length = rsize;
	423	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	424	return errno;
	425
	426	return 0;
	427	}
	428
	429
	430	/*****************************************************************************
	431	*
	432	*****************************************************************************/
[111]	433	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	434	uint32* cell_length, bool* unalloc)
[101]	435	{
	436	uint32 length;
	437	int32 raw_length;
	438	uint8 tmp[4];
	439
	440	if(lseek(fd, offset, SEEK_SET) == -1)
	441	return false;
	442
	443	length = 4;
	444	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	445	return false;
	446	raw_length = IVALS(tmp, 0);
	447
	448	if(raw_length < 0)
	449	{
	450	(cell_length) = raw_length(-1);
	451	(*unalloc) = false;
	452	}
	453	else
	454	{
	455	(*cell_length) = raw_length;
	456	(*unalloc) = true;
	457	}
	458
[103]	459	if(*cell_length - 4 < hdr_len)
	460	return false;
	461
	462	if(hdr_len > 0)
	463	{
	464	length = hdr_len;
	465	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	466	return false;
	467	}
	468
[101]	469	return true;
	470	}
	471
	472
[157]	473	/******************************************************************************
[106]	474	* Given an offset and an hbin, is the offset within that hbin?
	475	* The offset is a virtual file offset.
[157]	476	******************************************************************************/
[146]	477	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32 voffset)
[30]	478	{
[106]	479	if(!hbin)
[31]	480	return false;
[106]	481
[145]	482	if((voffset > hbin->first_hbin_off)
	483	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	484	return true;
[30]	485
[31]	486	return false;
[30]	487	}
	488
	489
[106]	490
[157]	491	/******************************************************************************
	492	* Provide a physical offset and receive the correpsonding HBIN
[106]	493	* block for it. NULL if one doesn't exist.
[157]	494	******************************************************************************/
	495	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
[30]	496	{
[157]	497	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	498	}
	499
	500
[157]	501	/******************************************************************************
	502	* Calculate the largest possible cell size given a physical offset.
	503	* Largest size is based on the HBIN the offset is currently a member of.
	504	* Returns negative values on error.
	505	* (Since cells can only be ~2^31 in size, this works out.)
	506	******************************************************************************/
	507	int32 regfi_calc_maxsize(REGFI_FILE* file, uint32 offset)
	508	{
	509	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	510	if(hbin == NULL)
	511	return -1;
[139]	512
[157]	513	return (hbin->block_size + hbin->file_off) - offset;
	514	}
	515
	516
[139]	517	/******************************************************************************
	518	******************************************************************************/
	519	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	520	uint32 num_keys, uint32 max_size,
	521	bool strict)
[127]	522	{
[135]	523	REGFI_SUBKEY_LIST* ret_val;
[134]	524
[139]	525	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	526	REGFI_MAX_SUBKEY_DEPTH);
[143]	527	if(ret_val == NULL)
	528	{
	529	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
	530	" offset 0x%.8X.", offset);
	531	return NULL;
	532	}
[139]	533
	534	if(num_keys != ret_val->num_keys)
	535	{
	536	/* Not sure which should be authoritative, the number from the
	537	* NK record, or the number in the subkey list. Just emit a warning for
	538	* now if they don't match.
	539	*/
	540	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	541	" (%d) did not match number found in subkey list/tree (%d)"
	542	" while parsing subkey list/tree at offset 0x%.8X.",
	543	num_keys, ret_val->num_keys, offset);
	544	}
	545
	546	return ret_val;
	547	}
	548
	549
	550	/******************************************************************************
	551	******************************************************************************/
	552	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
	553	uint32 max_size, bool strict,
	554	uint8 depth_left)
	555	{
	556	REGFI_SUBKEY_LIST* ret_val;
	557	REGFI_SUBKEY_LIST** sublists;
[157]	558	uint32 i, num_sublists, off;
	559	int32 sublist_maxsize;
[139]	560
	561	if(depth_left == 0)
	562	{
	563	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	564	" while parsing subkey list/tree at offset 0x%.8X.",
	565	offset);
[127]	566	return NULL;
[139]	567	}
[134]	568
[139]	569	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	570	if(ret_val == NULL)
	571	return NULL;
[139]	572
	573	if(ret_val->recursive_type)
[127]	574	{
[139]	575	num_sublists = ret_val->num_children;
[150]	576	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	577	* sizeof(REGFI_SUBKEY_LIST*));
	578	for(i=0; i < num_sublists; i++)
[127]	579	{
[139]	580	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	581
	582	sublist_maxsize = regfi_calc_maxsize(file, off);
	583	if(sublist_maxsize < 0)
[139]	584	sublists[i] = NULL;
	585	else
[157]	586	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	587	strict, depth_left-1);
[127]	588	}
[150]	589	talloc_free(ret_val);
[134]	590
[139]	591	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	592	}
[30]	593
[127]	594	return ret_val;
	595	}
	596
	597
[139]	598	/******************************************************************************
	599	******************************************************************************/
	600	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
	601	uint32 max_size, bool strict)
[30]	602	{
[135]	603	REGFI_SUBKEY_LIST* ret_val;
[150]	604	uint32 i, cell_length, length, elem_size, read_len;
	605	uint8* elements = NULL;
[127]	606	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	607	bool unalloc;
[139]	608	bool recursive_type;
[30]	609
[127]	610	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	611	&cell_length, &unalloc))
[139]	612	{
	613	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	614	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	615	return NULL;
[139]	616	}
[30]	617
[116]	618	if(cell_length > max_size)
	619	{
[139]	620	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	621	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	622	if(strict)
	623	return NULL;
	624	cell_length = max_size & 0xFFFFFFF8;
	625	}
[30]	626
[139]	627	recursive_type = false;
[127]	628	if(buf[0] == 'r' && buf[1] == 'i')
[104]	629	{
[139]	630	recursive_type = true;
	631	elem_size = sizeof(uint32);
[104]	632	}
[139]	633	else if(buf[0] == 'l' && buf[1] == 'i')
[134]	634	elem_size = sizeof(uint32);
	635	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	636	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	637	else
	638	{
[139]	639	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	640	" (0x%.2X, 0x%.2X) encountered while parsing"
	641	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	642	return NULL;
	643	}
	644
[150]	645	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	646	if(ret_val == NULL)
	647	return NULL;
	648
	649	ret_val->offset = offset;
	650	ret_val->cell_size = cell_length;
[104]	651	ret_val->magic[0] = buf[0];
	652	ret_val->magic[1] = buf[1];
[139]	653	ret_val->recursive_type = recursive_type;
	654	ret_val->num_children = SVAL(buf, 0x2);
[101]	655
[139]	656	if(!recursive_type)
	657	ret_val->num_keys = ret_val->num_children;
[101]	658
[139]	659	length = elem_size*ret_val->num_children;
	660	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
[134]	661	{
[139]	662	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	663	" cell while parsing subkey-list at offset 0x%.8X.",
	664	offset);
	665	if(strict)
[150]	666	goto fail;
[139]	667	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
[134]	668	}
[30]	669
[150]	670	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	671	ret_val->num_children);
[127]	672	if(ret_val->elements == NULL)
[150]	673	goto fail;
[30]	674
[150]	675	elements = (uint8*)malloc(length);
[139]	676	if(elements == NULL)
[150]	677	goto fail;
[30]	678
[150]	679	read_len = length;
	680	if(regfi_read(file->fd, elements, &read_len) != 0 \|\| read_len != length)
	681	goto fail;
[30]	682
[139]	683	if(elem_size == sizeof(uint32))
[104]	684	{
[139]	685	for (i=0; i < ret_val->num_children; i++)
[134]	686	{
[139]	687	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	688	ret_val->elements[i].hash = 0;
	689	}
[104]	690	}
[134]	691	else
	692	{
[139]	693	for (i=0; i < ret_val->num_children; i++)
[134]	694	{
[139]	695	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	696	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	697	}
	698	}
[139]	699	free(elements);
[30]	700
[104]	701	return ret_val;
[150]	702
	703	fail:
	704	if(elements != NULL)
	705	free(elements);
	706	talloc_free(ret_val);
	707	return NULL;
[30]	708	}
	709
	710
[139]	711	/*******************************************************************
	712	*******************************************************************/
	713	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	714	REGFI_SUBKEY_LIST** lists,
	715	bool strict)
	716	{
	717	uint32 i,j,k;
	718	REGFI_SUBKEY_LIST* ret_val;
[102]	719
[139]	720	if(lists == NULL)
	721	return NULL;
[150]	722	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	723
	724	if(ret_val == NULL)
	725	return NULL;
	726
	727	/* Obtain total number of elements */
	728	ret_val->num_keys = 0;
	729	for(i=0; i < num_lists; i++)
	730	{
	731	if(lists[i] != NULL)
	732	ret_val->num_keys += lists[i]->num_children;
	733	}
	734	ret_val->num_children = ret_val->num_keys;
	735
	736	if(ret_val->num_keys > 0)
	737	{
[150]	738	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	739	ret_val->num_keys);
[139]	740	k=0;
	741
	742	if(ret_val->elements != NULL)
	743	{
	744	for(i=0; i < num_lists; i++)
	745	{
	746	if(lists[i] != NULL)
	747	{
	748	for(j=0; j < lists[i]->num_keys; j++)
	749	{
[150]	750	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	751	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	752	}
	753	}
	754	}
	755	}
	756	}
	757
	758	for(i=0; i < num_lists; i++)
	759	regfi_subkeylist_free(lists[i]);
	760	free(lists);
	761
	762	return ret_val;
	763	}
	764
	765
[147]	766	/******************************************************************************
	767	*
	768	******************************************************************************/
	769	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size,
	770	bool strict)
[30]	771	{
[135]	772	REGFI_SK_REC* ret_val;
[147]	773	uint8* sec_desc_buf = NULL;
[102]	774	uint32 cell_length, length;
	775	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	776	bool unalloc = false;
[30]	777
[102]	778	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	779	&cell_length, &unalloc))
[137]	780	{
[138]	781	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	782	" at offset 0x%.8X.", offset);
[102]	783	return NULL;
[137]	784	}
[102]	785
	786	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	787	{
[138]	788	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	789	" SK record at offset 0x%.8X.", offset);
[102]	790	return NULL;
[137]	791	}
	792
[147]	793	ret_val = talloc(NULL, REGFI_SK_REC);
[102]	794	if(ret_val == NULL)
	795	return NULL;
[30]	796
[102]	797	ret_val->offset = offset;
[116]	798	/* XXX: Is there a way to be more conservative (shorter) with
	799	* cell length when cell is unallocated?
[111]	800	*/
[102]	801	ret_val->cell_size = cell_length;
[30]	802
[102]	803	if(ret_val->cell_size > max_size)
	804	ret_val->cell_size = max_size & 0xFFFFFFF8;
	805	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	806	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	807	{
[138]	808	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	809	" parsing SK record at offset 0x%.8X.", offset);
[147]	810	goto fail;
[102]	811	}
[30]	812
[102]	813	ret_val->magic[0] = sk_header[0];
	814	ret_val->magic[1] = sk_header[1];
[30]	815
[102]	816	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	817	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	818	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	819	ret_val->ref_count = IVAL(sk_header, 0xC);
	820	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	821
[157]	822	if((ret_val->prev_sk_off & 0x00000007) != 0
	823	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	824	{
	825	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	826	" are not a multiple of 8 while parsing SK record at"
	827	" offset 0x%.8X.", offset);
[147]	828	goto fail;
[140]	829	}
	830
[102]	831	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	832	{
[140]	833	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	834	" cell while parsing SK record at offset 0x%.8X.",
	835	offset);
[147]	836	goto fail;
[102]	837	}
[30]	838
[147]	839	sec_desc_buf = (uint8*)malloc(ret_val->desc_size);
	840	if(sec_desc_buf == NULL)
	841	goto fail;
[102]	842
[134]	843	length = ret_val->desc_size;
	844	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
	845	\|\| length != ret_val->desc_size)
	846	{
[138]	847	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	848	" descriptor while parsing SK record at offset 0x%.8X.",
	849	offset);
[147]	850	goto fail;
[134]	851	}
[102]	852
[147]	853	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	854	ret_val->desc_size)))
[134]	855	{
[138]	856	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	857	" descriptor while parsing SK record at offset 0x%.8X.",
	858	offset);
[147]	859	goto fail;
[134]	860	}
[147]	861
[134]	862	free(sec_desc_buf);
[147]	863	return ret_val;
[134]	864
[147]	865	fail:
	866	if(sec_desc_buf != NULL)
	867	free(sec_desc_buf);
	868	talloc_free(ret_val);
	869	return NULL;
[30]	870	}
	871
	872
[145]	873	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
	874	uint32 num_values, bool strict)
[111]	875	{
[145]	876	REGFI_VALUE_LIST* ret_val;
[111]	877	uint32 i, cell_length, length, read_len;
	878	bool unalloc;
[30]	879
[111]	880	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	881	{
[138]	882	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	883	" while parsing value list at offset 0x%.8X.", offset);
[111]	884	return NULL;
[137]	885	}
[111]	886
[157]	887	if((cell_length & 0x00000007) != 0)
[111]	888	{
[145]	889	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
	890	" while parsing value list at offset 0x%.8X.", offset);
[111]	891	if(strict)
	892	return NULL;
	893	cell_length = cell_length & 0xFFFFFFF8;
	894	}
[145]	895
[111]	896	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
[137]	897	{
[140]	898	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	899	" while parsing value list at offset 0x%.8X.", offset);
[145]	900	if(strict)
	901	return NULL;
	902	num_values = cell_length/sizeof(uint32) - sizeof(uint32);
[137]	903	}
[111]	904
	905	read_len = num_values*sizeof(uint32);
[150]	906	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	907	if(ret_val == NULL)
	908	return NULL;
	909
[150]	910	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	911	if(ret_val->elements == NULL)
	912	{
[150]	913	talloc_free(ret_val);
[145]	914	return NULL;
	915	}
	916	ret_val->num_values = num_values;
	917
[111]	918	length = read_len;
[145]	919	if((regfi_read(file->fd, (uint8*)ret_val->elements, &length) != 0)
	920	\|\| length != read_len)
[111]	921	{
[138]	922	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	923	" while parsing value list at offset 0x%.8X.", offset);
[150]	924	talloc_free(ret_val);
[111]	925	return NULL;
	926	}
	927
	928	for(i=0; i < num_values; i++)
	929	{
	930	/* Fix endianness */
[145]	931	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	932
	933	/* Validate the first num_values values to ensure they make sense */
	934	if(strict)
	935	{
[145]	936	/* XXX: Need to revisit this file length check when we start dealing
	937	* with partial files. */
	938	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	939	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	940	{
[145]	941	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]	942	" (0x%.8X) found while parsing value list at offset"
[145]	943	" 0x%.8X.", ret_val->elements[i], offset);
[150]	944	talloc_free(ret_val);
[111]	945	return NULL;
	946	}
	947	}
	948	}
	949
	950	return ret_val;
	951	}
	952
	953
	954
[103]	955	/******************************************************************************
	956	******************************************************************************/
[150]	957	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32 offset, bool strict)
[30]	958	{
[145]	959	REGFI_VK_REC* ret_val = NULL;
[151]	960	REGFI_BUFFER data;
[157]	961	int32 max_size;
[30]	962
[157]	963	max_size = regfi_calc_maxsize(file, offset);
	964	if(max_size < 0)
[103]	965	return NULL;
[145]	966
[157]	967	ret_val = regfi_parse_vk(file, offset, max_size, strict);
[103]	968	if(ret_val == NULL)
	969	return NULL;
[145]	970
	971	if(ret_val->data_size == 0)
	972	ret_val->data = NULL;
	973	else
[32]	974	{
[157]	975	data = regfi_load_data(file, ret_val->data_off, ret_val->data_size,
	976	ret_val->data_in_offset, strict);
	977	ret_val->data = data.buf;
	978	ret_val->data_size = data.len;
[151]	979
[145]	980	if(ret_val->data == NULL)
	981	{
	982	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse data record"
[151]	983	" while parsing VK record at offset 0x%.8X.",
[152]	984	ret_val->offset, ret_val->valuename);
[145]	985	}
[150]	986	else
	987	talloc_steal(ret_val, ret_val->data);
[31]	988	}
[30]	989
[103]	990	return ret_val;
[30]	991	}
	992
	993
[145]	994	/******************************************************************************
	995	* If !strict, the list may contain NULLs, VK records may point to NULL.
	996	******************************************************************************/
	997	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
[146]	998	uint32 num_values, uint32 max_size,
[145]	999	bool strict)
	1000	{
	1001	uint32 usable_num_values;
[30]	1002
[145]	1003	if((num_values+1) * sizeof(uint32) > max_size)
	1004	{
	1005	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
	1006	" parent key (%d) would cause cell to straddle HBIN"
	1007	" boundary while loading value list at offset"
	1008	" 0x%.8X.", num_values, offset);
	1009	if(strict)
	1010	return NULL;
	1011	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
	1012	}
	1013	else
	1014	usable_num_values = num_values;
	1015
	1016	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1017	}
	1018
	1019
	1020
[146]	1021	/******************************************************************************
	1022	*
	1023	******************************************************************************/
[135]	1024	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset, bool strict)
[30]	1025	{
[135]	1026	REGFI_NK_REC* nk;
[157]	1027	uint32 off;
	1028	int32 max_size;
[99]	1029
[157]	1030	max_size = regfi_calc_maxsize(file, offset);
	1031	if (max_size < 0)
[105]	1032	return NULL;
[30]	1033
[31]	1034	/* get the initial nk record */
[157]	1035	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
[135]	1036	{
[138]	1037	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
[137]	1038	" offset 0x%.8X.", offset);
[99]	1039	return NULL;
[135]	1040	}
[30]	1041
[146]	1042	/* get value list */
[135]	1043	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1044	{
[157]	1045	off = nk->values_off + REGFI_REGF_SIZE;
	1046	max_size = regfi_calc_maxsize(file, off);
	1047	if(max_size < 0)
[32]	1048	{
[105]	1049	if(strict)
[32]	1050	{
[150]	1051	regfi_free_key(nk);
[99]	1052	return NULL;
[31]	1053	}
[105]	1054	else
	1055	nk->values = NULL;
[133]	1056
[31]	1057	}
[105]	1058	else
[103]	1059	{
[157]	1060	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1061	max_size, true);
[145]	1062	if(nk->values == NULL)
[105]	1063	{
[145]	1064	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
	1065	" for NK record at offset 0x%.8X.", offset);
	1066	if(strict)
	1067	{
[150]	1068	regfi_free_key(nk);
[145]	1069	return NULL;
	1070	}
[105]	1071	}
[150]	1072	talloc_steal(nk, nk->values);
[103]	1073	}
[31]	1074	}
[105]	1075
[146]	1076	/* now get subkey list */
[135]	1077	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1078	{
[157]	1079	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1080	max_size = regfi_calc_maxsize(file, off);
	1081	if(max_size < 0)
[32]	1082	{
[105]	1083	if(strict)
[32]	1084	{
[150]	1085	regfi_free_key(nk);
[99]	1086	return NULL;
[31]	1087	}
[105]	1088	else
	1089	nk->subkeys = NULL;
[31]	1090	}
[105]	1091	else
[104]	1092	{
[134]	1093	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1094	max_size, true);
[134]	1095
[105]	1096	if(nk->subkeys == NULL)
	1097	{
[140]	1098	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1099	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1100	nk->num_subkeys = 0;
	1101	}
[150]	1102	talloc_steal(nk, nk->subkeys);
[104]	1103	}
[31]	1104	}
[30]	1105
[158]	1106	/* Get classname if it exists */
	1107	if(nk->classname_off != REGFI_OFFSET_NONE)
	1108	{
	1109	off = nk->classname_off + REGFI_REGF_SIZE;
	1110	max_size = regfi_calc_maxsize(file, off);
	1111	if(max_size >= 0)
	1112	{
	1113	nk->classname
	1114	= regfi_parse_classname(file, off, &nk->classname_length,
	1115	max_size, strict);
	1116	}
	1117	else
	1118	{
	1119	nk->classname = NULL;
	1120	regfi_add_message(file, REGFI_MSG_WARN, "Could not find hbin for class"
	1121	" name while parsing NK record at offset 0x%.8X.",
	1122	offset);
	1123	}
	1124
	1125	if(nk->classname == NULL)
	1126	{
	1127	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse class"
	1128	" name while parsing NK record at offset 0x%.8X.",
	1129	offset);
	1130	}
	1131	else
	1132	talloc_steal(nk, nk->classname);
	1133	}
	1134
[99]	1135	return nk;
[30]	1136	}
	1137
[32]	1138
[102]	1139	/******************************************************************************
	1140	******************************************************************************/
[146]	1141	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32 offset, bool strict)
	1142	{
	1143	REGFI_SK_REC* ret_val = NULL;
[157]	1144	int32 max_size;
[147]	1145	void* failure_ptr = NULL;
	1146
[146]	1147	/* First look if we have already parsed it */
	1148	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
	1149
	1150	/* Bail out if we have previously cached a parse failure at this offset. */
	1151	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1152	return NULL;
	1153
	1154	if(ret_val == NULL)
	1155	{
[157]	1156	max_size = regfi_calc_maxsize(file, offset);
	1157	if(max_size < 0)
[146]	1158	return NULL;
	1159
[157]	1160	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1161	if(ret_val == NULL)
	1162	{ /* Cache the parse failure and bail out. */
[147]	1163	failure_ptr = talloc(NULL, uint32_t);
	1164	if(failure_ptr == NULL)
	1165	return NULL;
	1166	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1167	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]	1168	return NULL;
	1169	}
	1170
	1171	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
	1172	}
	1173
	1174	return ret_val;
	1175	}
	1176
	1177
	1178
	1179	/******************************************************************************
	1180	******************************************************************************/
[158]	1181	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin)
[30]	1182	{
[135]	1183	REGFI_NK_REC* nk = NULL;
[158]	1184	uint32 cell_length;
	1185	uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1186	uint32 hbin_end = hbin->file_off+hbin->block_size;
	1187	bool unalloc;
[30]	1188
[158]	1189	while(cur_offset < hbin_end)
[32]	1190	{
[158]	1191	fprintf(stderr, "DEBUG: trying cell offset 0x%.8X\n", cur_offset);
	1192	if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
	1193	{
	1194	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
	1195	" 0x%.8X while searching for root key.", cur_offset);
	1196	return NULL;
	1197	}
[102]	1198
[158]	1199	if(!unalloc)
[102]	1200	{
[158]	1201	nk = regfi_load_key(file, cur_offset, true);
[102]	1202	if(nk != NULL)
	1203	{
[152]	1204	if(nk->key_type & REGFI_NK_FLAG_ROOT)
[158]	1205	return nk;
[102]	1206	}
[31]	1207	}
[30]	1208
[158]	1209	cur_offset += cell_length;
[31]	1210	}
[32]	1211
[158]	1212	return NULL;
[30]	1213	}
	1214
	1215
	1216	/*******************************************************************
[97]	1217	* Open the registry file and then read in the REGF block to get the
	1218	* first hbin offset.
	1219	*******************************************************************/
[135]	1220	REGFI_FILE* regfi_open(const char* filename)
[30]	1221	{
[137]	1222	struct stat sbuf;
[135]	1223	REGFI_FILE* rb;
	1224	REGFI_HBIN* hbin = NULL;
[146]	1225	uint32 hbin_off, file_length, cache_secret;
[97]	1226	int fd;
[110]	1227	bool rla;
[30]	1228
[97]	1229	/* open an existing file */
[143]	1230	if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]	1231	{
[143]	1232	/* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]	1233	return NULL;
	1234	}
[99]	1235
[137]	1236	/* Determine file length. Must be at least big enough
	1237	* for the header and one hbin.
	1238	*/
	1239	if (fstat(fd, &sbuf) == -1)
	1240	return NULL;
	1241	file_length = sbuf.st_size;
	1242	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1243	return NULL;
	1244
[31]	1245	/* read in an existing file */
[97]	1246	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1247	{
[143]	1248	/* fprintf(stderr, "regfi_open: Failed to read initial REGF block\n"); */
[97]	1249	close(fd);
[31]	1250	return NULL;
	1251	}
[137]	1252	rb->file_length = file_length;
	1253
[99]	1254	rb->hbins = range_list_new();
[110]	1255	if(rb->hbins == NULL)
[99]	1256	{
[143]	1257	/* fprintf(stderr, "regfi_open: Failed to create HBIN list.\n"); */
[99]	1258	close(fd);
[150]	1259	talloc_free(rb);
[99]	1260	return NULL;
	1261	}
[150]	1262	talloc_steal(rb, rb->hbins);
	1263
[106]	1264	rla = true;
[135]	1265	hbin_off = REGFI_REGF_SIZE;
[110]	1266	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1267	while(hbin && rla)
	1268	{
[137]	1269	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1270	if(rla)
	1271	talloc_steal(rb->hbins, hbin);
[106]	1272	hbin_off = hbin->file_off + hbin->block_size;
[110]	1273	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1274	}
	1275
[146]	1276	/* This secret isn't very secret, but we don't need a good one. This
	1277	* secret is just designed to prevent someone from trying to blow our
	1278	* caching and make things slow.
	1279	*/
	1280	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1281
	1282	/* Cache an unlimited number of SK records. Typically there are very few. */
[150]	1283	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]	1284
[138]	1285	/* Default message mask */
	1286	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1287
[31]	1288	/* success */
	1289	return rb;
[30]	1290	}
	1291
	1292
[148]	1293	/******************************************************************************
	1294	******************************************************************************/
[146]	1295	int regfi_close(REGFI_FILE *file)
[30]	1296	{
[31]	1297	int fd;
[30]	1298
[31]	1299	/* nothing to do if there is no open file */
[99]	1300	if ((file == NULL) \|\| (file->fd == -1))
	1301	return 0;
[30]	1302
[31]	1303	fd = file->fd;
	1304	file->fd = -1;
[148]	1305
[99]	1306	range_list_free(file->hbins);
[106]	1307
[146]	1308	if(file->sk_cache != NULL)
	1309	lru_cache_destroy(file->sk_cache);
[148]	1310
[150]	1311	talloc_free(file);
[106]	1312	return close(fd);
[30]	1313	}
	1314
	1315
[80]	1316	/******************************************************************************
[158]	1317	* First checks the offset given by the file header, then checks the
	1318	* rest of the file if that fails.
[148]	1319	******************************************************************************/
[135]	1320	REGFI_NK_REC* regfi_rootkey(REGFI_FILE *file)
[30]	1321	{
[135]	1322	REGFI_NK_REC* nk = NULL;
[146]	1323	REGFI_HBIN* hbin;
	1324	uint32 root_offset, i, num_hbins;
[99]	1325
	1326	if(!file)
[31]	1327	return NULL;
[99]	1328
[158]	1329	root_offset = file->root_cell+REGFI_REGF_SIZE;
	1330	nk = regfi_load_key(file, root_offset, true);
	1331	if(nk != NULL)
	1332	{
	1333	if(nk->key_type & REGFI_NK_FLAG_ROOT)
	1334	return nk;
	1335	}
	1336
	1337	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
	1338	" location 0x%.8X, but no root key found."
	1339	" Searching rest of file...", root_offset);
	1340
	1341	/* If the file header gives bad info, scan through the file one HBIN
	1342	* block at a time looking for an NK record with a root key type.
[146]	1343	*/
[107]	1344	num_hbins = range_list_size(file->hbins);
[158]	1345	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1346	{
[135]	1347	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[158]	1348	nk = regfi_find_root_nk(file, hbin);
[31]	1349	}
[30]	1350
[80]	1351	return nk;
[30]	1352	}
	1353
	1354
[80]	1355	/******************************************************************************
	1356	*****************************************************************************/
[150]	1357	void regfi_free_key(REGFI_NK_REC* nk)
[30]	1358	{
[127]	1359	regfi_subkeylist_free(nk->subkeys);
[150]	1360	talloc_free(nk);
	1361	}
[127]	1362
[80]	1363
[150]	1364	/******************************************************************************
	1365	*****************************************************************************/
	1366	void regfi_free_value(REGFI_VK_REC* vk)
	1367	{
	1368	talloc_free(vk);
[80]	1369	}
	1370
	1371
	1372	/******************************************************************************
	1373	*****************************************************************************/
[135]	1374	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1375	{
	1376	if(list != NULL)
	1377	{
[150]	1378	talloc_free(list);
[127]	1379	}
	1380	}
	1381
	1382
	1383	/******************************************************************************
	1384	*****************************************************************************/
[135]	1385	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* fh)
[80]	1386	{
[135]	1387	REGFI_NK_REC* root;
[150]	1388	REGFI_ITERATOR* ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1389	if(ret_val == NULL)
	1390	return NULL;
	1391
[81]	1392	root = regfi_rootkey(fh);
[80]	1393	if(root == NULL)
	1394	{
[150]	1395	talloc_free(ret_val);
[80]	1396	return NULL;
	1397	}
	1398
[135]	1399	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1400	if(ret_val->key_positions == NULL)
	1401	{
[150]	1402	talloc_free(ret_val);
[80]	1403	return NULL;
	1404	}
[150]	1405	talloc_steal(ret_val, ret_val->key_positions);
[80]	1406
	1407	ret_val->f = fh;
	1408	ret_val->cur_key = root;
	1409	ret_val->cur_subkey = 0;
	1410	ret_val->cur_value = 0;
	1411
	1412	return ret_val;
	1413	}
	1414
	1415
	1416	/******************************************************************************
	1417	*****************************************************************************/
	1418	void regfi_iterator_free(REGFI_ITERATOR* i)
	1419	{
[150]	1420	talloc_free(i);
[80]	1421	}
	1422
	1423
	1424
	1425	/******************************************************************************
	1426	*****************************************************************************/
	1427	/* XXX: some way of indicating reason for failure should be added. */
	1428	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1429	{
[135]	1430	REGFI_NK_REC* subkey;
[80]	1431	REGFI_ITER_POSITION* pos;
	1432
[150]	1433	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1434	if(pos == NULL)
	1435	return false;
	1436
[135]	1437	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1438	if(subkey == NULL)
	1439	{
[150]	1440	talloc_free(pos);
[80]	1441	return false;
	1442	}
	1443
	1444	pos->nk = i->cur_key;
	1445	pos->cur_subkey = i->cur_subkey;
	1446	if(!void_stack_push(i->key_positions, pos))
	1447	{
[150]	1448	talloc_free(pos);
	1449	regfi_free_key(subkey);
[80]	1450	return false;
	1451	}
[150]	1452	talloc_steal(i, subkey);
[80]	1453
	1454	i->cur_key = subkey;
	1455	i->cur_subkey = 0;
	1456	i->cur_value = 0;
	1457
	1458	return true;
	1459	}
	1460
	1461
	1462	/******************************************************************************
	1463	*****************************************************************************/
	1464	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1465	{
	1466	REGFI_ITER_POSITION* pos;
	1467
	1468	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1469	if(pos == NULL)
	1470	return false;
	1471
[150]	1472	regfi_free_key(i->cur_key);
[80]	1473	i->cur_key = pos->nk;
	1474	i->cur_subkey = pos->cur_subkey;
	1475	i->cur_value = 0;
[150]	1476	talloc_free(pos);
[80]	1477
	1478	return true;
	1479	}
	1480
	1481
	1482	/******************************************************************************
	1483	*****************************************************************************/
	1484	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1485	{
	1486	while(regfi_iterator_up(i))
	1487	continue;
	1488
	1489	return true;
	1490	}
	1491
	1492
	1493	/******************************************************************************
	1494	*****************************************************************************/
	1495	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1496	{
[135]	1497	REGFI_NK_REC* subkey;
[80]	1498	bool found = false;
	1499	uint32 old_subkey = i->cur_subkey;
[133]	1500
[80]	1501	if(subkey_name == NULL)
	1502	return false;
	1503
	1504	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1505	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1506	while((subkey != NULL) && (found == false))
	1507	{
	1508	if(subkey->keyname != NULL
	1509	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1510	found = true;
[82]	1511	else
	1512	{
[150]	1513	regfi_free_key(subkey);
[135]	1514	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1515	}
[80]	1516	}
	1517
	1518	if(found == false)
	1519	{
	1520	i->cur_subkey = old_subkey;
	1521	return false;
	1522	}
	1523
[150]	1524	regfi_free_key(subkey);
[80]	1525	return true;
	1526	}
	1527
	1528
	1529	/******************************************************************************
	1530	*****************************************************************************/
	1531	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1532	{
	1533	uint32 x;
	1534	if(path == NULL)
	1535	return false;
	1536
	1537	for(x=0;
	1538	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1539	&& regfi_iterator_down(i));
	1540	x++)
	1541	{ continue; }
	1542
	1543	if(path[x] == NULL)
	1544	return true;
	1545
	1546	/* XXX: is this the right number of times? */
	1547	for(; x > 0; x--)
	1548	regfi_iterator_up(i);
	1549
	1550	return false;
	1551	}
	1552
	1553
	1554	/******************************************************************************
	1555	*****************************************************************************/
[135]	1556	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1557	{
	1558	return i->cur_key;
	1559	}
	1560
	1561
	1562	/******************************************************************************
	1563	*****************************************************************************/
[135]	1564	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1565	{
[146]	1566	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]	1567	return NULL;
	1568
[146]	1569	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]	1570	}
	1571
	1572
	1573	/******************************************************************************
	1574	*****************************************************************************/
[150]	1575	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1576	{
	1577	i->cur_subkey = 0;
	1578	return regfi_iterator_cur_subkey(i);
	1579	}
	1580
	1581
	1582	/******************************************************************************
	1583	*****************************************************************************/
[150]	1584	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1585	{
	1586	uint32 nk_offset;
	1587
[31]	1588	/* see if there is anything left to report */
[135]	1589	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1590	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1591	return NULL;
[30]	1592
[139]	1593	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1594
[135]	1595	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, true);
[30]	1596	}
[80]	1597
	1598
	1599	/******************************************************************************
	1600	*****************************************************************************/
	1601	/* XXX: some way of indicating reason for failure should be added. */
[150]	1602	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1603	{
[150]	1604	REGFI_NK_REC* subkey;
[80]	1605
	1606	i->cur_subkey++;
	1607	subkey = regfi_iterator_cur_subkey(i);
	1608
	1609	if(subkey == NULL)
	1610	i->cur_subkey--;
	1611
	1612	return subkey;
	1613	}
	1614
	1615
	1616	/******************************************************************************
	1617	*****************************************************************************/
	1618	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1619	{
[150]	1620	REGFI_VK_REC* cur;
[80]	1621	bool found = false;
	1622
	1623	/* XXX: cur->valuename can be NULL in the registry.
	1624	* Should we allow for a way to search for that?
	1625	*/
	1626	if(value_name == NULL)
	1627	return false;
	1628
	1629	cur = regfi_iterator_first_value(i);
	1630	while((cur != NULL) && (found == false))
	1631	{
	1632	if((cur->valuename != NULL)
	1633	&& (strcasecmp(cur->valuename, value_name) == 0))
	1634	found = true;
[95]	1635	else
[150]	1636	{
	1637	regfi_free_value(cur);
[95]	1638	cur = regfi_iterator_next_value(i);
[150]	1639	}
[80]	1640	}
	1641
[94]	1642	return found;
[80]	1643	}
	1644
	1645
	1646	/******************************************************************************
	1647	*****************************************************************************/
[150]	1648	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1649	{
	1650	i->cur_value = 0;
	1651	return regfi_iterator_cur_value(i);
	1652	}
	1653
	1654
	1655	/******************************************************************************
	1656	*****************************************************************************/
[150]	1657	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1658	{
[150]	1659	REGFI_VK_REC* ret_val = NULL;
[145]	1660	uint32 voffset;
[80]	1661
[145]	1662	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
	1663	{
	1664	if(i->cur_value < i->cur_key->values->num_values)
	1665	{
	1666	voffset = i->cur_key->values->elements[i->cur_value];
	1667	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE, true);
	1668	}
	1669	}
	1670
[80]	1671	return ret_val;
	1672	}
	1673
	1674
	1675	/******************************************************************************
	1676	*****************************************************************************/
[150]	1677	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1678	{
[150]	1679	REGFI_VK_REC* ret_val;
[80]	1680
	1681	i->cur_value++;
	1682	ret_val = regfi_iterator_cur_value(i);
	1683	if(ret_val == NULL)
	1684	i->cur_value--;
	1685
	1686	return ret_val;
	1687	}
[97]	1688
	1689
	1690	/*******************************************************************
	1691	* Computes the checksum of the registry file header.
	1692	* buffer must be at least the size of an regf header (4096 bytes).
	1693	*******************************************************************/
	1694	static uint32 regfi_compute_header_checksum(uint8* buffer)
	1695	{
	1696	uint32 checksum, x;
	1697	int i;
	1698
	1699	/* XOR of all bytes 0x0000 - 0x01FB */
	1700
	1701	checksum = x = 0;
	1702
	1703	for ( i=0; i<0x01FB; i+=4 ) {
	1704	x = IVAL(buffer, i );
	1705	checksum ^= x;
	1706	}
	1707
	1708	return checksum;
	1709	}
	1710
	1711
	1712	/*******************************************************************
[116]	1713	* XXX: Add way to return more detailed error information.
[97]	1714	*******************************************************************/
[135]	1715	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]	1716	{
[135]	1717	uint8 file_header[REGFI_REGF_SIZE];
[102]	1718	uint32 length;
[135]	1719	REGFI_FILE* ret_val;
[97]	1720
[150]	1721	ret_val = talloc(NULL, REGFI_FILE);
[97]	1722	if(ret_val == NULL)
	1723	return NULL;
	1724
	1725	ret_val->fd = fd;
[150]	1726	ret_val->sk_cache = NULL;
	1727	ret_val->last_message = NULL;
	1728	ret_val->hbins = NULL;
	1729
[135]	1730	length = REGFI_REGF_SIZE;
[150]	1731	if((regfi_read(fd, file_header, &length)) != 0 \|\| length != REGFI_REGF_SIZE)
	1732	goto fail;
	1733
[97]	1734	ret_val->checksum = IVAL(file_header, 0x1FC);
	1735	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	1736	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]	1737	goto fail;
[97]	1738
[135]	1739	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	1740	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	1741	{
[150]	1742	if(strict)
	1743	goto fail;
	1744	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
	1745	"(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]	1746	ret_val->magic[0], ret_val->magic[1],
[150]	1747	ret_val->magic[2], ret_val->magic[3]);
[97]	1748	}
[151]	1749	ret_val->sequence1 = IVAL(file_header, 0x4);
	1750	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	1751	ret_val->mtime.low = IVAL(file_header, 0xC);
	1752	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	1753	ret_val->major_version = IVAL(file_header, 0x14);
	1754	ret_val->minor_version = IVAL(file_header, 0x18);
	1755	ret_val->type = IVAL(file_header, 0x1C);
	1756	ret_val->format = IVAL(file_header, 0x20);
	1757	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	1758	ret_val->last_block = IVAL(file_header, 0x28);
	1759
[151]	1760	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	1761
[151]	1762	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	1763
	1764	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	1765	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	1766	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	1767	ret_val->flags = IVAL(file_header, 0x90);
	1768	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	1769	ret_val->guid_signature = IVAL(file_header, 0xa4);
	1770
	1771	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	1772	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	1773
	1774	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	1775	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	1776	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	1777	ret_val->boot_type = IVAL(file_header, 0xFF8);
	1778	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	1779
[97]	1780	return ret_val;
[150]	1781
	1782	fail:
	1783	talloc_free(ret_val);
	1784	return NULL;
[97]	1785	}
	1786
	1787
	1788
[148]	1789	/******************************************************************************
[97]	1790	* Given real file offset, read and parse the hbin at that location
[110]	1791	* along with it's associated cells.
[148]	1792	******************************************************************************/
[135]	1793	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
[97]	1794	{
[135]	1795	REGFI_HBIN *hbin;
	1796	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
[110]	1797	uint32 length;
[99]	1798
	1799	if(offset >= file->file_length)
	1800	return NULL;
[97]	1801
	1802	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	1803	{
[138]	1804	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	1805	" while parsing hbin at offset 0x%.8X.", offset);
[97]	1806	return NULL;
[137]	1807	}
[97]	1808
[135]	1809	length = REGFI_HBIN_HEADER_SIZE;
[97]	1810	if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]	1811	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	1812	return NULL;
	1813
	1814	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	1815	{
[138]	1816	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	1817	" while parsing hbin at offset 0x%.8X.", offset);
[97]	1818	return NULL;
[137]	1819	}
[97]	1820
[148]	1821	hbin = talloc(NULL, REGFI_HBIN);
	1822	if(hbin == NULL)
[99]	1823	return NULL;
	1824	hbin->file_off = offset;
	1825
[97]	1826	memcpy(hbin->magic, hbin_header, 4);
	1827	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	1828	{
[138]	1829	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	1830	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	1831	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	1832	hbin->magic[2], hbin->magic[3], offset);
[148]	1833	talloc_free(hbin);
[97]	1834	return NULL;
[99]	1835	}
[97]	1836
	1837	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	1838	hbin->block_size = IVAL(hbin_header, 0x8);
	1839	/* this should be the same thing as hbin->block_size but just in case */
	1840	hbin->next_block = IVAL(hbin_header, 0x1C);
	1841
	1842
	1843	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	1844	* the end of the file.
	1845	*/
[116]	1846	/* XXX: This may need to be relaxed for dealing with
	1847	* partial or corrupt files.
	1848	*/
[97]	1849	if((offset + hbin->block_size > file->file_length)
	1850	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	1851	{
[138]	1852	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	1853	" or runs off the end of the file"
	1854	" while parsing hbin at offset 0x%.8X.", offset);
[148]	1855	talloc_free(hbin);
[97]	1856	return NULL;
[99]	1857	}
[97]	1858
	1859	return hbin;
	1860	}
	1861
	1862
[126]	1863	/*******************************************************************
	1864	*******************************************************************/
[135]	1865	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[158]	1866	uint32 max_size, bool strict)
[99]	1867	{
	1868	uint8 nk_header[REGFI_NK_MIN_LENGTH];
[135]	1869	REGFI_NK_REC* ret_val;
[131]	1870	uint32 length,cell_length;
[101]	1871	bool unalloc = false;
[99]	1872
[101]	1873	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	1874	&cell_length, &unalloc))
[137]	1875	{
[138]	1876	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	1877	" while parsing NK record at offset 0x%.8X.", offset);
	1878	return NULL;
	1879	}
	1880
[99]	1881	/* A bit of validation before bothering to allocate memory */
[101]	1882	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	1883	{
[138]	1884	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	1885	" NK record at offset 0x%.8X.", offset);
[99]	1886	return NULL;
[135]	1887	}
[99]	1888
[150]	1889	ret_val = talloc(NULL, REGFI_NK_REC);
[99]	1890	if(ret_val == NULL)
[135]	1891	{
[138]	1892	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	1893	" parsing NK record at offset 0x%.8X.", offset);
[99]	1894	return NULL;
[135]	1895	}
[99]	1896
[150]	1897	ret_val->values = NULL;
	1898	ret_val->subkeys = NULL;
[99]	1899	ret_val->offset = offset;
[101]	1900	ret_val->cell_size = cell_length;
	1901
[99]	1902	if(ret_val->cell_size > max_size)
	1903	ret_val->cell_size = max_size & 0xFFFFFFF8;
	1904	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	1905	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	1906	{
[140]	1907	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	1908	" parsing NK record at offset 0x%.8X.", offset);
[150]	1909	talloc_free(ret_val);
[99]	1910	return NULL;
	1911	}
	1912
[101]	1913	ret_val->magic[0] = nk_header[0x0];
	1914	ret_val->magic[1] = nk_header[0x1];
	1915	ret_val->key_type = SVAL(nk_header, 0x2);
[152]	1916
	1917	if((ret_val->key_type & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	1918	{
[152]	1919	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]	1920	" parsing NK record at offset 0x%.8X.",
[152]	1921	(ret_val->key_type & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	1922	}
[101]	1923
	1924	ret_val->mtime.low = IVAL(nk_header, 0x4);
	1925	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	1926	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	1927	* or later than Jan 1, 2290, we consider this a bad key. This helps
	1928	* weed out some false positives during deleted data recovery.
	1929	*/
	1930	if(unalloc
	1931	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	1932	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
	1933	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
	1934	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
	1935	return NULL;
	1936
[101]	1937	ret_val->unknown1 = IVAL(nk_header, 0xC);
	1938	ret_val->parent_off = IVAL(nk_header, 0x10);
	1939	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	1940	ret_val->unknown2 = IVAL(nk_header, 0x18);
	1941	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	1942	ret_val->unknown3 = IVAL(nk_header, 0x20);
	1943	ret_val->num_values = IVAL(nk_header, 0x24);
	1944	ret_val->values_off = IVAL(nk_header, 0x28);
	1945	ret_val->sk_off = IVAL(nk_header, 0x2C);
	1946	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	1947
[101]	1948	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	1949	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	1950	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	1951	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	1952	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	1953
[101]	1954	ret_val->name_length = SVAL(nk_header, 0x48);
	1955	ret_val->classname_length = SVAL(nk_header, 0x4A);
[99]	1956
	1957	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	1958	{
	1959	if(strict)
	1960	{
[138]	1961	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	1962	" while parsing NK record at offset 0x%.8X.", offset);
[150]	1963	talloc_free(ret_val);
[101]	1964	return NULL;
	1965	}
	1966	else
	1967	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	1968	}
	1969	else if (unalloc)
	1970	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	1971	/* Round up to the next multiple of 8 */
	1972	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	1973	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	1974	length+=8;
[99]	1975
[101]	1976	/* If cell_size is still greater, truncate. */
	1977	if(length < ret_val->cell_size)
	1978	ret_val->cell_size = length;
	1979	}
	1980
[150]	1981	ret_val->keyname = talloc_array(ret_val, char, ret_val->name_length+1);
[99]	1982	if(ret_val->keyname == NULL)
	1983	{
[150]	1984	talloc_free(ret_val);
[99]	1985	return NULL;
	1986	}
	1987
	1988	/* Don't need to seek, should be at the right offset */
	1989	length = ret_val->name_length;
[101]	1990	if((regfi_read(file->fd, (uint8*)ret_val->keyname, &length) != 0)
[99]	1991	\|\| length != ret_val->name_length)
	1992	{
[138]	1993	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	1994	" while parsing NK record at offset 0x%.8X.", offset);
[150]	1995	talloc_free(ret_val);
[99]	1996	return NULL;
	1997	}
	1998	ret_val->keyname[ret_val->name_length] = '\0';
	1999
[126]	2000	return ret_val;
	2001	}
	2002
	2003
[135]	2004	char* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
[131]	2005	uint16* name_length, uint32 max_size, bool strict)
[126]	2006	{
	2007	char* ret_val = NULL;
	2008	uint32 length;
	2009	uint32 cell_length;
	2010	bool unalloc = false;
	2011
[135]	2012	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]	2013	&& (offset & 0x00000007) == 0)
[131]	2014	{
[126]	2015	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	2016	{
[138]	2017	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2018	" while parsing class name at offset 0x%.8X.", offset);
[126]	2019	return NULL;
[137]	2020	}
[126]	2021
[157]	2022	if((cell_length & 0x0000007) != 0)
[137]	2023	{
[138]	2024	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2025	" while parsing class name at offset 0x%.8X.", offset);
[131]	2026	return NULL;
[137]	2027	}
	2028
[131]	2029	if(cell_length > max_size)
[125]	2030	{
[138]	2031	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2032	"boundary while parsing class name at offset 0x%.8X.",
	2033	offset);
[126]	2034	if(strict)
	2035	return NULL;
[131]	2036	cell_length = max_size;
[126]	2037	}
[131]	2038
	2039	if((cell_length - 4) < *name_length)
	2040	{
[138]	2041	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2042	" cell_length while parsing class name at offset"
	2043	" 0x%.8X.", offset);
[131]	2044	if(strict)
	2045	return NULL;
	2046	*name_length = cell_length - 4;
	2047	}
[126]	2048
[150]	2049	ret_val = talloc_array(NULL, char, *name_length);
[126]	2050	if(ret_val != NULL)
	2051	{
	2052	length = *name_length;
	2053	if((regfi_read(file->fd, (uint8*)ret_val, &length) != 0)
	2054	\|\| length != *name_length)
[125]	2055	{
[138]	2056	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2057	" while parsing class name at offset 0x%.8X.", offset);
[150]	2058	talloc_free(ret_val);
[126]	2059	return NULL;
[125]	2060	}
	2061	}
	2062	}
	2063
[99]	2064	return ret_val;
	2065	}
	2066
	2067
[152]	2068	/******************************************************************************
	2069	*******************************************************************************/
[135]	2070	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
[145]	2071	uint32 max_size, bool strict)
[97]	2072	{
[135]	2073	REGFI_VK_REC* ret_val;
[101]	2074	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	2075	uint32 raw_data_size, length, cell_length;
	2076	bool unalloc = false;
[97]	2077
[101]	2078	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	2079	&cell_length, &unalloc))
[137]	2080	{
[138]	2081	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2082	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2083	return NULL;
[137]	2084	}
[111]	2085
[150]	2086	ret_val = talloc(NULL, REGFI_VK_REC);
[101]	2087	if(ret_val == NULL)
	2088	return NULL;
	2089
	2090	ret_val->offset = offset;
	2091	ret_val->cell_size = cell_length;
[150]	2092	ret_val->data = NULL;
	2093	ret_val->valuename = NULL;
	2094
[101]	2095	if(ret_val->cell_size > max_size)
	2096	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2097	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2098	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2099	{
[138]	2100	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2101	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2102	talloc_free(ret_val);
[101]	2103	return NULL;
	2104	}
[97]	2105
[101]	2106	ret_val->magic[0] = vk_header[0x0];
	2107	ret_val->magic[1] = vk_header[0x1];
	2108	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2109	{
[124]	2110	/* XXX: This does not account for deleted keys under Win2K which
	2111	* often have this (and the name length) overwritten with
	2112	* 0xFFFF.
	2113	*/
[138]	2114	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2115	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2116	talloc_free(ret_val);
[101]	2117	return NULL;
	2118	}
	2119
	2120	ret_val->name_length = SVAL(vk_header, 0x2);
	2121	raw_data_size = IVAL(vk_header, 0x4);
[135]	2122	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2123	/* The data is typically stored in the offset if the size <= 4,
	2124	* in which case this flag is set.
	2125	*/
[135]	2126	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2127	ret_val->data_off = IVAL(vk_header, 0x8);
	2128	ret_val->type = IVAL(vk_header, 0xC);
	2129	ret_val->flag = SVAL(vk_header, 0x10);
	2130	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2131
[135]	2132	if(ret_val->flag & REGFI_VK_FLAG_NAME_PRESENT)
[101]	2133	{
[113]	2134	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2135	{
[138]	2136	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2137	" space while parsing VK record at offset 0x%.8X.",
	2138	offset);
[101]	2139	if(strict)
	2140	{
[150]	2141	talloc_free(ret_val);
[101]	2142	return NULL;
	2143	}
	2144	else
[113]	2145	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2146	}
	2147
	2148	/* Round up to the next multiple of 8 */
[113]	2149	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2150	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2151	cell_length+=8;
[101]	2152
[150]	2153	ret_val->valuename = talloc_array(ret_val, char, ret_val->name_length+1);
[101]	2154	if(ret_val->valuename == NULL)
	2155	{
[150]	2156	talloc_free(ret_val);
[101]	2157	return NULL;
	2158	}
[113]	2159
[101]	2160	length = ret_val->name_length;
	2161	if((regfi_read(file->fd, (uint8*)ret_val->valuename, &length) != 0)
	2162	\|\| length != ret_val->name_length)
	2163	{
[138]	2164	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2165	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2166	talloc_free(ret_val);
[101]	2167	return NULL;
	2168	}
	2169	ret_val->valuename[ret_val->name_length] = '\0';
[133]	2170
[101]	2171	}
	2172	else
[113]	2173	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2174
	2175	if(unalloc)
	2176	{
	2177	/* If cell_size is still greater, truncate. */
[113]	2178	if(cell_length < ret_val->cell_size)
	2179	ret_val->cell_size = cell_length;
[101]	2180	}
	2181
	2182	return ret_val;
[97]	2183	}
[101]	2184
	2185
[152]	2186	/******************************************************************************
[157]	2187	*
	2188	******************************************************************************/
	2189	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32 voffset,
	2190	uint32 length, bool data_in_offset,
	2191	bool strict)
[101]	2192	{
[151]	2193	REGFI_BUFFER ret_val;
[157]	2194	uint32 cell_length, offset;
	2195	int32 max_size;
[101]	2196	bool unalloc;
[151]	2197
[145]	2198	if(data_in_offset)
[157]	2199	return regfi_parse_little_data(file, voffset, length, strict);
	2200	else
[101]	2201	{
[157]	2202	offset = voffset + REGFI_REGF_SIZE;
	2203	max_size = regfi_calc_maxsize(file, offset);
	2204	if(max_size < 0)
[137]	2205	{
[157]	2206	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
	2207	" at offset 0x%.8X.", offset);
[151]	2208	goto fail;
[137]	2209	}
[157]	2210
[101]	2211	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	2212	&cell_length, &unalloc))
[137]	2213	{
[138]	2214	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2215	" parsing data record at offset 0x%.8X.", offset);
[151]	2216	goto fail;
[137]	2217	}
[111]	2218
[157]	2219	if((cell_length & 0x00000007) != 0)
[137]	2220	{
[138]	2221	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2222	" while parsing data record at offset 0x%.8X.",
	2223	offset);
[151]	2224	goto fail;
[137]	2225	}
[101]	2226
[131]	2227	if(cell_length > max_size)
	2228	{
[145]	2229	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
	2230	" while parsing data record at offset 0x%.8X.",
[137]	2231	offset);
[157]	2232	goto fail;
[131]	2233	}
	2234
[101]	2235	if(cell_length - 4 < length)
	2236	{
[155]	2237	/* XXX: All big data records thus far have been 16 bytes long.
	2238	* Should we check for this precise size instead of just
	2239	* relying upon the above check?
	2240	*/
[152]	2241	if (file->major_version >= 1 && file->minor_version >= 5)
	2242	{
	2243	/* Attempt to parse a big data record */
[157]	2244	return regfi_load_big_data(file, offset, length, cell_length,
	2245	NULL, strict);
[152]	2246	}
[101]	2247	else
[152]	2248	{
	2249	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
	2250	" remaining cell length (0x%.8X)"
	2251	" while parsing data record at offset 0x%.8X.",
	2252	length, cell_length - 4, offset);
	2253	if(strict)
	2254	goto fail;
	2255	else
	2256	length = cell_length - 4;
	2257	}
[101]	2258	}
	2259
[157]	2260	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	2261	}
	2262
	2263	return ret_val;
[151]	2264
	2265	fail:
	2266	ret_val.buf = NULL;
	2267	ret_val.len = 0;
	2268	return ret_val;
[101]	2269	}
[110]	2270
	2271
[152]	2272	/******************************************************************************
[157]	2273	* Parses the common case data records stored in a single cell.
	2274	******************************************************************************/
	2275	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32 offset,
	2276	uint32 length, bool strict)
	2277	{
	2278	REGFI_BUFFER ret_val;
	2279	uint32 read_length;
	2280
	2281	ret_val.buf = NULL;
	2282	ret_val.len = 0;
	2283
	2284	if(lseek(file->fd, offset+4, SEEK_SET) == -1)
	2285	{
	2286	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
	2287	"reading data at offset 0x%.8X.", offset);
	2288	return ret_val;
	2289	}
	2290
	2291	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
	2292	return ret_val;
	2293	ret_val.len = length;
	2294
	2295	read_length = length;
	2296	if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
	2297	\|\| read_length != length)
	2298	{
	2299	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
	2300	" parsing data record at offset 0x%.8X.", offset);
	2301	talloc_free(ret_val.buf);
	2302	ret_val.buf = NULL;
	2303	ret_val.buf = 0;
	2304	}
	2305
	2306	return ret_val;
	2307	}
	2308
	2309
	2310
	2311	/******************************************************************************
	2312	*
	2313	******************************************************************************/
	2314	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32 voffset,
	2315	uint32 length, bool strict)
	2316	{
	2317	REGFI_BUFFER ret_val;
	2318	uint8 i;
	2319
	2320	ret_val.buf = NULL;
	2321	ret_val.len = 0;
	2322
	2323	if(length > 4)
	2324	{
	2325	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
	2326	" while parsing data record. (voffset=0x%.8X, length=%d)",
	2327	voffset, length);
	2328	return ret_val;
	2329	}
	2330
	2331	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
	2332	return ret_val;
	2333	ret_val.len = length;
	2334
	2335	for(i = 0; i < length; i++)
	2336	ret_val.buf[i] = (uint8)((voffset >> i*8) & 0xFF);
	2337
	2338	return ret_val;
	2339	}
	2340
	2341	/******************************************************************************
[152]	2342	*******************************************************************************/
[157]	2343	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32 offset,
	2344	uint32 max_size, bool strict)
[152]	2345	{
	2346	REGFI_BUFFER ret_val;
[157]	2347	uint32 cell_length;
[152]	2348	bool unalloc;
[157]	2349
	2350	/* XXX: do something with unalloc? */
	2351	ret_val.buf = (uint8*)talloc_array(NULL, uint8, REGFI_BIG_DATA_MIN_LENGTH);
	2352	if(ret_val.buf == NULL)
[152]	2353	goto fail;
	2354
[157]	2355	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	2356	{
	2357	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
	2358	"while parsing big data header at offset 0x%.8X.",offset);
	2359	goto fail;
	2360	}
	2361
	2362	if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	2363	&cell_length, &unalloc))
	2364	{
	2365	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]	2366	" parsing big data header at offset 0x%.8X.", offset);
[152]	2367	goto fail;
	2368	}
[157]	2369
	2370	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	2371	{
	2372	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
	2373	" (0x%.2X, 0x%.2X) encountered while parsing"
[157]	2374	" big data header at offset 0x%.8X.",
	2375	ret_val.buf[0], ret_val.buf[1], offset);
[152]	2376	goto fail;
	2377	}
	2378
[157]	2379	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	2380	return ret_val;
	2381
	2382	fail:
	2383	if(ret_val.buf != NULL)
	2384	{
	2385	talloc_free(ret_val.buf);
	2386	ret_val.buf = NULL;
	2387	}
	2388	ret_val.len = 0;
	2389	return ret_val;
	2390	}
	2391
	2392
	2393
	2394	/******************************************************************************
	2395	*
	2396	******************************************************************************/
	2397	uint32* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32 offset,
	2398	uint16 num_chunks, bool strict)
	2399	{
	2400	uint32* ret_val;
	2401	uint32 indirect_length;
	2402	int32 max_size;
	2403	uint16 i;
	2404	bool unalloc;
	2405
	2406	/* XXX: do something with unalloc? */
	2407
	2408	max_size = regfi_calc_maxsize(file, offset);
	2409	if((max_size < 0) \|\| (num_chunks*sizeof(uint32) + 4 > max_size))
	2410	return NULL;
	2411
	2412	ret_val = (uint32*)talloc_array(NULL, uint32, num_chunks);
	2413	if(ret_val == NULL)
[152]	2414	goto fail;
	2415
[157]	2416	if(!regfi_parse_cell(file->fd, offset, (uint8*)ret_val,
[152]	2417	num_chunks*sizeof(uint32),
	2418	&indirect_length, &unalloc))
	2419	{
	2420	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2421	" parsing big data indirect record at offset 0x%.8X.",
	2422	offset);
	2423	goto fail;
	2424	}
[157]	2425
	2426	/* Convert pointers to proper endianess, verify they are aligned. */
	2427	for(i=0; i<num_chunks; i++)
[152]	2428	{
[157]	2429	ret_val[i] = IVAL(ret_val, i*sizeof(uint32));
	2430	if((ret_val[i] & 0x00000007) != 0)
	2431	goto fail;
[152]	2432	}
[157]	2433
	2434	return ret_val;
[152]	2435
[157]	2436	fail:
	2437	if(ret_val != NULL)
	2438	talloc_free(ret_val);
	2439	return NULL;
	2440	}
	2441
	2442
	2443	/******************************************************************************
	2444	* Arguments:
	2445	* file --
	2446	* offsets -- list of virtual offsets.
	2447	* num_chunks --
	2448	* strict --
	2449	*
	2450	* Returns:
	2451	* A range_list with physical offsets and complete lengths
	2452	* (including cell headers) of associated cells.
	2453	* No data in range_list elements.
	2454	******************************************************************************/
	2455	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32* offsets,
	2456	uint16 num_chunks, bool strict)
	2457	{
	2458	uint32 cell_length, chunk_offset, data_left;
	2459	range_list* ret_val;
	2460	uint16 i;
	2461	bool unalloc;
	2462
	2463	/* XXX: do something with unalloc? */
	2464	ret_val = range_list_new();
	2465	if(ret_val == NULL)
	2466	goto fail;
	2467
[152]	2468	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2469	{
[157]	2470	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
	2471	if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
	2472	&cell_length, &unalloc))
[152]	2473	{
	2474	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2475	" parsing big data chunk at offset 0x%.8X.",
	2476	chunk_offset);
[157]	2477	goto fail;
[152]	2478	}
	2479
[157]	2480	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	2481	goto fail;
	2482	}
	2483
	2484	return ret_val;
	2485
	2486	fail:
	2487	if(ret_val != NULL)
	2488	range_list_free(ret_val);
	2489	return NULL;
	2490	}
	2491
	2492
	2493	/******************************************************************************
	2494	*******************************************************************************/
	2495	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
	2496	uint32 offset, uint32 data_length,
	2497	uint32 cell_length, range_list* used_ranges,
	2498	bool strict)
	2499	{
	2500	REGFI_BUFFER ret_val;
	2501	uint16 num_chunks, i;
	2502	uint32 read_length, data_left, tmp_len, indirect_offset;
	2503	uint32* indirect_ptrs = NULL;
	2504	REGFI_BUFFER bd_header;
	2505	range_list* bd_cells = NULL;
	2506	const range_list_element* cell_info;
	2507
	2508	ret_val.buf = NULL;
	2509
	2510	/* XXX: Add better error/warning messages */
	2511
	2512	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	2513	if(bd_header.buf == NULL)
	2514	goto fail;
	2515
	2516	/* Keep track of used space for use by reglookup-recover */
	2517	if(used_ranges != NULL)
	2518	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	2519	goto fail;
	2520
	2521	num_chunks = SVAL(bd_header.buf, 0x2);
	2522	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	2523	talloc_free(bd_header.buf);
	2524
	2525	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	2526	num_chunks, strict);
	2527	if(indirect_ptrs == NULL)
	2528	goto fail;
	2529
	2530	if(used_ranges != NULL)
	2531	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	2532	goto fail;
	2533
	2534	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	2535	goto fail;
	2536	data_left = data_length;
	2537
	2538	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	2539	if(bd_cells == NULL)
	2540	goto fail;
	2541
	2542	talloc_free(indirect_ptrs);
	2543	indirect_ptrs = NULL;
	2544
	2545	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2546	{
	2547	cell_info = range_list_get(bd_cells, i);
	2548	if(cell_info == NULL)
	2549	goto fail;
	2550
	2551	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	2552	* length. However, it has been observed that some (all?) chunks
	2553	* have an additional 4 bytes of 0 at the end of their cells that
	2554	* isn't part of the data, so we're trimming that off too.
[157]	2555	* Perhaps it's just an 8 byte alignment requirement...
[154]	2556	*/
[157]	2557	if(cell_info->length - 8 >= data_left)
	2558	{
	2559	if(i+1 != num_chunks)
	2560	{
	2561	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
	2562	"while constructing big data at offset 0x%.8X "
	2563	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2564	}
[152]	2565	read_length = data_left;
[157]	2566	}
[152]	2567	else
[157]	2568	read_length = cell_info->length - 8;
[152]	2569
[157]	2570
	2571	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	2572	{
	2573	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
	2574	"while constructing big data at offset 0x%.8X "
	2575	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2576	goto fail;
	2577	}
	2578
	2579	if(lseek(file->fd, cell_info->offset+sizeof(uint32), SEEK_SET) == -1)
	2580	{
	2581	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
	2582	"constructing big data at offset 0x%.8X "
	2583	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2584	goto fail;
	2585	}
	2586
	2587	tmp_len = read_length;
[152]	2588	if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
[157]	2589	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	2590	{
	2591	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]	2592	" constructing big data at offset 0x%.8X"
	2593	" (chunk offset 0x%.8X).", offset, cell_info->offset);
	2594	goto fail;
[152]	2595	}
	2596
[157]	2597	if(used_ranges != NULL)
	2598	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	2599	goto fail;
	2600
[152]	2601	data_left -= read_length;
	2602	}
[157]	2603	range_list_free(bd_cells);
	2604
[152]	2605	ret_val.len = data_length-data_left;
	2606	return ret_val;
	2607
	2608	fail:
[157]	2609	if(ret_val.buf != NULL)
	2610	talloc_free(ret_val.buf);
	2611	if(indirect_ptrs != NULL)
	2612	talloc_free(indirect_ptrs);
	2613	if(bd_cells != NULL)
	2614	range_list_free(bd_cells);
[152]	2615	ret_val.buf = NULL;
	2616	ret_val.len = 0;
	2617	return ret_val;
	2618	}
	2619
	2620
[135]	2621	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	2622	{
	2623	range_list* ret_val;
[135]	2624	REGFI_HBIN* hbin;
[110]	2625	const range_list_element* hbins_elem;
	2626	uint32 i, num_hbins, curr_off, cell_len;
	2627	bool is_unalloc;
	2628
	2629	ret_val = range_list_new();
	2630	if(ret_val == NULL)
	2631	return NULL;
	2632
	2633	num_hbins = range_list_size(file->hbins);
	2634	for(i=0; i<num_hbins; i++)
	2635	{
	2636	hbins_elem = range_list_get(file->hbins, i);
	2637	if(hbins_elem == NULL)
	2638	break;
[135]	2639	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	2640
[135]	2641	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	2642	while(curr_off < hbin->block_size)
	2643	{
	2644	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	2645	&cell_len, &is_unalloc))
	2646	break;
	2647
[157]	2648	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	2649	{
	2650	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	2651	" while parsing unallocated cells at offset 0x%.8X.",
	2652	hbin->file_off+curr_off);
[110]	2653	break;
[140]	2654	}
	2655
[110]	2656	/* for some reason the record_size of the last record in
	2657	an hbin block can extend past the end of the block
	2658	even though the record fits within the remaining
	2659	space....aaarrrgggghhhhhh */
	2660	if(curr_off + cell_len >= hbin->block_size)
	2661	cell_len = hbin->block_size - curr_off;
	2662
	2663	if(is_unalloc)
	2664	range_list_add(ret_val, hbin->file_off+curr_off,
	2665	cell_len, NULL);
	2666
	2667	curr_off = curr_off+cell_len;
	2668	}
	2669	}
	2670
	2671	return ret_val;
	2672	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: