Context Navigation

source: trunk/lib/regfi.c @ 162

Last change on this file since 162 was 162, checked in by tim, 14 years ago
added UTF-16LE support for value names
Property svn:keywords set to `Id`
File size: 84.6 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[111]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
[161]	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	22	*
	23	* $Id: regfi.c 162 2009-12-07 20:12:13Z tim $
	24	*/
	25
[147]	26	#include "regfi.h"
[30]	27
	28
[32]	29	/* Registry types mapping */
[78]	30	const unsigned int regfi_num_reg_types = 12;
	31	static const char* regfi_type_names[] =
[65]	32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	34
[161]	35	const char* regfi_encoding_names[] =
	36	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	37
[135]	38
	39	/******************************************************************************
	40	******************************************************************************/
[138]	41	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
[135]	42	{
[136]	43	/* XXX: This function is not particularly efficient,
[135]	44	* but then it is mostly used during errors.
	45	*/
[136]	46	uint32 buf_size, buf_used;
	47	char* new_msg;
	48	va_list args;
[135]	49
[138]	50	if((file->msg_mask & msg_type) != 0)
	51	{
	52	if(file->last_message == NULL)
	53	buf_used = 0;
	54	else
	55	buf_used = strlen(file->last_message);
	56
	57	buf_size = buf_used+strlen(fmt)+160;
	58	new_msg = realloc(file->last_message, buf_size);
	59	if(new_msg == NULL)
	60	/* XXX: should we report this? */
	61	return;
[135]	62
[138]	63	switch (msg_type)
	64	{
	65	case REGFI_MSG_INFO:
	66	strcpy(new_msg+buf_used, "INFO: ");
	67	buf_used += 6;
	68	break;
	69	case REGFI_MSG_WARN:
	70	strcpy(new_msg+buf_used, "WARN: ");
	71	buf_used += 6;
	72	break;
	73	case REGFI_MSG_ERROR:
	74	strcpy(new_msg+buf_used, "ERROR: ");
	75	buf_used += 7;
	76	break;
	77	}
[136]	78
[138]	79	va_start(args, fmt);
	80	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	81	va_end(args);
	82	strncat(new_msg, "\n", buf_size-1);
	83
	84	file->last_message = new_msg;
	85	}
[135]	86	}
	87
	88
	89	/******************************************************************************
	90	******************************************************************************/
[136]	91	char* regfi_get_messages(REGFI_FILE* file)
[135]	92	{
	93	char* ret_val = file->last_message;
	94	file->last_message = NULL;
	95
	96	return ret_val;
	97	}
	98
	99
[138]	100	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
	101	{
	102	file->msg_mask = mask;
	103	}
	104
	105
[161]	106	/******************************************************************************
	107	* Returns NULL for an invalid e
	108	*****************************************************************************/
	109	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	110	{
	111	if(e < REGFI_NUM_ENCODINGS)
	112	return regfi_encoding_names[e];
	113
	114	return NULL;
	115	}
	116
	117
	118	/******************************************************************************
	119	* Returns NULL for an invalid val
	120	*****************************************************************************/
[78]	121	const char* regfi_type_val2str(unsigned int val)
[32]	122	{
[61]	123	if(val == REG_KEY)
	124	return "KEY";
	125
[78]	126	if(val >= regfi_num_reg_types)
[61]	127	return NULL;
	128
[78]	129	return regfi_type_names[val];
[32]	130	}
	131
	132
[161]	133	/******************************************************************************
	134	* Returns -1 on error
	135	*****************************************************************************/
[78]	136	int regfi_type_str2val(const char* str)
[32]	137	{
	138	int i;
	139
[61]	140	if(strcmp("KEY", str) == 0)
	141	return REG_KEY;
[32]	142
[78]	143	for(i=0; i < regfi_num_reg_types; i++)
	144	if (strcmp(regfi_type_names[i], str) == 0)
[61]	145	return i;
	146
	147	if(strcmp("DWORD_LE", str) == 0)
	148	return REG_DWORD_LE;
	149
	150	return -1;
[32]	151	}
	152
	153
[135]	154	/* Security descriptor formatting functions */
[53]	155
[78]	156	const char* regfi_ace_type2str(uint8 type)
[53]	157	{
	158	static const char* map[7]
	159	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	160	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	161	if(type < 7)
	162	return map[type];
	163	else
	164	/* XXX: would be nice to return the unknown integer value.
	165	* However, as it is a const string, it can't be free()ed later on,
	166	* so that would need to change.
	167	*/
	168	return "UNKNOWN";
	169	}
	170
	171
[76]	172	/* XXX: need a better reference on the meaning of each flag. */
	173	/* For more info, see:
	174	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	175	*/
[78]	176	char* regfi_ace_flags2str(uint8 flags)
[53]	177	{
[76]	178	static const char* flag_map[32] =
[87]	179	{ "OI", /* Object Inherit */
	180	"CI", /* Container Inherit */
	181	"NP", /* Non-Propagate */
	182	"IO", /* Inherit Only */
	183	"IA", /* Inherited ACE */
[76]	184	NULL,
	185	NULL,
	186	NULL,
	187	};
[53]	188
[76]	189	char* ret_val = malloc(35*sizeof(char));
	190	char* fo = ret_val;
	191	uint32 i;
	192	uint8 f;
	193
	194	if(ret_val == NULL)
[53]	195	return NULL;
	196
[76]	197	fo[0] = '\0';
[53]	198	if (!flags)
[76]	199	return ret_val;
[53]	200
[76]	201	for(i=0; i < 8; i++)
	202	{
	203	f = (1<<i);
	204	if((flags & f) && (flag_map[i] != NULL))
	205	{
	206	strcpy(fo, flag_map[i]);
	207	fo += strlen(flag_map[i]);
	208	*(fo++) = ' ';
	209	flags ^= f;
	210	}
[53]	211	}
[76]	212
	213	/* Any remaining unknown flags are added at the end in hex. */
	214	if(flags != 0)
	215	sprintf(fo, "0x%.2X ", flags);
	216
	217	/* Chop off the last space if we've written anything to ret_val */
	218	if(fo != ret_val)
	219	fo[-1] = '\0';
	220
	221	return ret_val;
[53]	222	}
	223
	224
[78]	225	char* regfi_ace_perms2str(uint32 perms)
[53]	226	{
[76]	227	uint32 i, p;
	228	/* This is more than is needed by a fair margin. */
	229	char* ret_val = malloc(350*sizeof(char));
	230	char* r = ret_val;
	231
	232	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	233	* For more information, see:
	234	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	235	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	236	*/
	237	static const char* perm_map[32] =
	238	{/* object-specific permissions (registry keys, in this case) */
	239	"QRY_VAL", /* KEY_QUERY_VALUE */
	240	"SET_VAL", /* KEY_SET_VALUE */
	241	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	242	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	243	"NOTIFY", /* KEY_NOTIFY */
	244	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	245	NULL,
	246	NULL,
	247	"WOW64_64", /* KEY_WOW64_64KEY */
	248	"WOW64_32", /* KEY_WOW64_32KEY */
	249	NULL,
	250	NULL,
	251	NULL,
	252	NULL,
	253	NULL,
	254	NULL,
	255	/* standard access rights */
	256	"DELETE", /* DELETE */
	257	"R_CONT", /* READ_CONTROL */
	258	"W_DAC", /* WRITE_DAC */
	259	"W_OWNER", /* WRITE_OWNER */
	260	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	261	NULL,
	262	NULL,
	263	NULL,
	264	/* other generic */
	265	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	266	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	267	NULL,
	268	NULL,
	269	"GEN_A", /* GENERIC_ALL */
	270	"GEN_X", /* GENERIC_EXECUTE */
	271	"GEN_W", /* GENERIC_WRITE */
	272	"GEN_R", /* GENERIC_READ */
	273	};
	274
	275
[53]	276	if(ret_val == NULL)
	277	return NULL;
	278
[76]	279	r[0] = '\0';
	280	for(i=0; i < 32; i++)
	281	{
	282	p = (1<<i);
	283	if((perms & p) && (perm_map[i] != NULL))
	284	{
	285	strcpy(r, perm_map[i]);
	286	r += strlen(perm_map[i]);
	287	*(r++) = ' ';
	288	perms ^= p;
	289	}
	290	}
	291
	292	/* Any remaining unknown permission bits are added at the end in hex. */
	293	if(perms != 0)
	294	sprintf(r, "0x%.8X ", perms);
[53]	295
[76]	296	/* Chop off the last space if we've written anything to ret_val */
	297	if(r != ret_val)
	298	r[-1] = '\0';
	299
[53]	300	return ret_val;
	301	}
	302
	303
[134]	304	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	305	{
[134]	306	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
[53]	307	uint32 left = size;
	308	uint8 comps = sid->num_auths;
	309	char* ret_val = malloc(size);
	310
	311	if(ret_val == NULL)
	312	return NULL;
	313
[134]	314	if(comps > WINSEC_MAX_SUBAUTHS)
	315	comps = WINSEC_MAX_SUBAUTHS;
[53]	316
	317	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	318
	319	for (i = 0; i < comps; i++)
	320	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	321
	322	return ret_val;
	323	}
	324
	325
[134]	326	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	327	{
	328	uint32 i, extra, size = 0;
	329	const char* type_str;
	330	char* flags_str;
	331	char* perms_str;
	332	char* sid_str;
[61]	333	char* ace_delim = "";
[53]	334	char* ret_val = NULL;
[61]	335	char* tmp_val = NULL;
	336	bool failed = false;
[53]	337	char field_delim = ':';
	338
[61]	339	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	340	{
[134]	341	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	342	type_str = regfi_ace_type2str(acl->aces[i]->type);
	343	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	344	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	345
[61]	346	if(flags_str != NULL && perms_str != NULL
	347	&& type_str != NULL && sid_str != NULL)
	348	{
	349	/* XXX: this is slow */
	350	extra = strlen(sid_str) + strlen(type_str)
[136]	351	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	352	tmp_val = realloc(ret_val, size+extra);
[53]	353
[61]	354	if(tmp_val == NULL)
	355	{
	356	free(ret_val);
[136]	357	ret_val = NULL;
[61]	358	failed = true;
	359	}
	360	else
	361	{
	362	ret_val = tmp_val;
[148]	363	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	364	ace_delim,sid_str,
	365	field_delim,type_str,
	366	field_delim,perms_str,
	367	field_delim,flags_str);
[61]	368	ace_delim = "\|";
	369	}
	370	}
	371	else
	372	failed = true;
	373
	374	if(sid_str != NULL)
	375	free(sid_str);
	376	if(sid_str != NULL)
	377	free(perms_str);
	378	if(sid_str != NULL)
	379	free(flags_str);
[53]	380	}
	381
	382	return ret_val;
	383	}
	384
	385
[134]	386	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	387	{
	388	if (sec_desc->sacl)
[78]	389	return regfi_get_acl(sec_desc->sacl);
[53]	390	else
	391	return NULL;
	392	}
	393
	394
[134]	395	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	396	{
	397	if (sec_desc->dacl)
[78]	398	return regfi_get_acl(sec_desc->dacl);
[53]	399	else
	400	return NULL;
	401	}
	402
	403
[134]	404	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	405	{
[78]	406	return regfi_sid2str(sec_desc->owner_sid);
[53]	407	}
	408
	409
[134]	410	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	411	{
[78]	412	return regfi_sid2str(sec_desc->grp_sid);
[53]	413	}
	414
	415
[101]	416	/*****************************************************************************
	417	* This function is just like read(2), except that it continues to
	418	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	419	* regfi_read will attempt to read length bytes from fd and write them to buf.
	420	*
	421	* On success, 0 is returned. Upon failure, an errno code is returned.
	422	*
	423	* The number of bytes successfully read is returned through the length
	424	* parameter by reference. If both the return value and length parameter are
	425	* returned as 0, then EOF was encountered immediately
	426	*****************************************************************************/
	427	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	428	{
	429	uint32 rsize = 0;
	430	uint32 rret = 0;
	431
	432	do
	433	{
	434	rret = read(fd, buf + rsize, *length - rsize);
	435	if(rret > 0)
	436	rsize += rret;
	437	}while(*length - rsize > 0
	438	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	439
	440	*length = rsize;
	441	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	442	return errno;
	443
	444	return 0;
	445	}
	446
	447
	448	/*****************************************************************************
	449	*
	450	*****************************************************************************/
[111]	451	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	452	uint32* cell_length, bool* unalloc)
[101]	453	{
	454	uint32 length;
	455	int32 raw_length;
	456	uint8 tmp[4];
	457
	458	if(lseek(fd, offset, SEEK_SET) == -1)
	459	return false;
	460
	461	length = 4;
	462	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	463	return false;
	464	raw_length = IVALS(tmp, 0);
	465
	466	if(raw_length < 0)
	467	{
	468	(cell_length) = raw_length(-1);
	469	(*unalloc) = false;
	470	}
	471	else
	472	{
	473	(*cell_length) = raw_length;
	474	(*unalloc) = true;
	475	}
	476
[103]	477	if(*cell_length - 4 < hdr_len)
	478	return false;
	479
	480	if(hdr_len > 0)
	481	{
	482	length = hdr_len;
	483	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	484	return false;
	485	}
	486
[101]	487	return true;
	488	}
	489
	490
[157]	491	/******************************************************************************
[106]	492	* Given an offset and an hbin, is the offset within that hbin?
	493	* The offset is a virtual file offset.
[157]	494	******************************************************************************/
[146]	495	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32 voffset)
[30]	496	{
[106]	497	if(!hbin)
[31]	498	return false;
[106]	499
[145]	500	if((voffset > hbin->first_hbin_off)
	501	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	502	return true;
[30]	503
[31]	504	return false;
[30]	505	}
	506
	507
[106]	508
[157]	509	/******************************************************************************
	510	* Provide a physical offset and receive the correpsonding HBIN
[106]	511	* block for it. NULL if one doesn't exist.
[157]	512	******************************************************************************/
	513	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
[30]	514	{
[157]	515	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	516	}
	517
	518
[157]	519	/******************************************************************************
	520	* Calculate the largest possible cell size given a physical offset.
	521	* Largest size is based on the HBIN the offset is currently a member of.
	522	* Returns negative values on error.
	523	* (Since cells can only be ~2^31 in size, this works out.)
	524	******************************************************************************/
	525	int32 regfi_calc_maxsize(REGFI_FILE* file, uint32 offset)
	526	{
	527	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	528	if(hbin == NULL)
	529	return -1;
[139]	530
[157]	531	return (hbin->block_size + hbin->file_off) - offset;
	532	}
	533
	534
[139]	535	/******************************************************************************
	536	******************************************************************************/
	537	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	538	uint32 num_keys, uint32 max_size,
	539	bool strict)
[127]	540	{
[135]	541	REGFI_SUBKEY_LIST* ret_val;
[134]	542
[139]	543	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	544	REGFI_MAX_SUBKEY_DEPTH);
[143]	545	if(ret_val == NULL)
	546	{
	547	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
	548	" offset 0x%.8X.", offset);
	549	return NULL;
	550	}
[139]	551
	552	if(num_keys != ret_val->num_keys)
	553	{
	554	/* Not sure which should be authoritative, the number from the
	555	* NK record, or the number in the subkey list. Just emit a warning for
	556	* now if they don't match.
	557	*/
	558	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	559	" (%d) did not match number found in subkey list/tree (%d)"
	560	" while parsing subkey list/tree at offset 0x%.8X.",
	561	num_keys, ret_val->num_keys, offset);
	562	}
	563
	564	return ret_val;
	565	}
	566
	567
	568	/******************************************************************************
	569	******************************************************************************/
	570	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
	571	uint32 max_size, bool strict,
	572	uint8 depth_left)
	573	{
	574	REGFI_SUBKEY_LIST* ret_val;
	575	REGFI_SUBKEY_LIST** sublists;
[157]	576	uint32 i, num_sublists, off;
	577	int32 sublist_maxsize;
[139]	578
	579	if(depth_left == 0)
	580	{
	581	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	582	" while parsing subkey list/tree at offset 0x%.8X.",
	583	offset);
[127]	584	return NULL;
[139]	585	}
[134]	586
[139]	587	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	588	if(ret_val == NULL)
	589	return NULL;
[139]	590
	591	if(ret_val->recursive_type)
[127]	592	{
[139]	593	num_sublists = ret_val->num_children;
[150]	594	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	595	* sizeof(REGFI_SUBKEY_LIST*));
	596	for(i=0; i < num_sublists; i++)
[127]	597	{
[139]	598	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	599
	600	sublist_maxsize = regfi_calc_maxsize(file, off);
	601	if(sublist_maxsize < 0)
[139]	602	sublists[i] = NULL;
	603	else
[157]	604	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	605	strict, depth_left-1);
[127]	606	}
[150]	607	talloc_free(ret_val);
[134]	608
[139]	609	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	610	}
[30]	611
[127]	612	return ret_val;
	613	}
	614
	615
[139]	616	/******************************************************************************
	617	******************************************************************************/
	618	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
	619	uint32 max_size, bool strict)
[30]	620	{
[135]	621	REGFI_SUBKEY_LIST* ret_val;
[150]	622	uint32 i, cell_length, length, elem_size, read_len;
	623	uint8* elements = NULL;
[127]	624	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	625	bool unalloc;
[139]	626	bool recursive_type;
[30]	627
[127]	628	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	629	&cell_length, &unalloc))
[139]	630	{
	631	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	632	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	633	return NULL;
[139]	634	}
[30]	635
[116]	636	if(cell_length > max_size)
	637	{
[139]	638	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	639	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	640	if(strict)
	641	return NULL;
	642	cell_length = max_size & 0xFFFFFFF8;
	643	}
[30]	644
[139]	645	recursive_type = false;
[127]	646	if(buf[0] == 'r' && buf[1] == 'i')
[104]	647	{
[139]	648	recursive_type = true;
	649	elem_size = sizeof(uint32);
[104]	650	}
[139]	651	else if(buf[0] == 'l' && buf[1] == 'i')
[134]	652	elem_size = sizeof(uint32);
	653	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	654	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	655	else
	656	{
[139]	657	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	658	" (0x%.2X, 0x%.2X) encountered while parsing"
	659	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	660	return NULL;
	661	}
	662
[150]	663	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	664	if(ret_val == NULL)
	665	return NULL;
	666
	667	ret_val->offset = offset;
	668	ret_val->cell_size = cell_length;
[104]	669	ret_val->magic[0] = buf[0];
	670	ret_val->magic[1] = buf[1];
[139]	671	ret_val->recursive_type = recursive_type;
	672	ret_val->num_children = SVAL(buf, 0x2);
[101]	673
[139]	674	if(!recursive_type)
	675	ret_val->num_keys = ret_val->num_children;
[101]	676
[139]	677	length = elem_size*ret_val->num_children;
	678	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
[134]	679	{
[139]	680	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	681	" cell while parsing subkey-list at offset 0x%.8X.",
	682	offset);
	683	if(strict)
[150]	684	goto fail;
[139]	685	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
[134]	686	}
[30]	687
[150]	688	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	689	ret_val->num_children);
[127]	690	if(ret_val->elements == NULL)
[150]	691	goto fail;
[30]	692
[150]	693	elements = (uint8*)malloc(length);
[139]	694	if(elements == NULL)
[150]	695	goto fail;
[30]	696
[150]	697	read_len = length;
	698	if(regfi_read(file->fd, elements, &read_len) != 0 \|\| read_len != length)
	699	goto fail;
[30]	700
[139]	701	if(elem_size == sizeof(uint32))
[104]	702	{
[139]	703	for (i=0; i < ret_val->num_children; i++)
[134]	704	{
[139]	705	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	706	ret_val->elements[i].hash = 0;
	707	}
[104]	708	}
[134]	709	else
	710	{
[139]	711	for (i=0; i < ret_val->num_children; i++)
[134]	712	{
[139]	713	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	714	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	715	}
	716	}
[139]	717	free(elements);
[30]	718
[104]	719	return ret_val;
[150]	720
	721	fail:
	722	if(elements != NULL)
	723	free(elements);
	724	talloc_free(ret_val);
	725	return NULL;
[30]	726	}
	727
	728
[139]	729	/*******************************************************************
	730	*******************************************************************/
	731	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	732	REGFI_SUBKEY_LIST** lists,
	733	bool strict)
	734	{
	735	uint32 i,j,k;
	736	REGFI_SUBKEY_LIST* ret_val;
[102]	737
[139]	738	if(lists == NULL)
	739	return NULL;
[150]	740	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	741
	742	if(ret_val == NULL)
	743	return NULL;
	744
	745	/* Obtain total number of elements */
	746	ret_val->num_keys = 0;
	747	for(i=0; i < num_lists; i++)
	748	{
	749	if(lists[i] != NULL)
	750	ret_val->num_keys += lists[i]->num_children;
	751	}
	752	ret_val->num_children = ret_val->num_keys;
	753
	754	if(ret_val->num_keys > 0)
	755	{
[150]	756	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	757	ret_val->num_keys);
[139]	758	k=0;
	759
	760	if(ret_val->elements != NULL)
	761	{
	762	for(i=0; i < num_lists; i++)
	763	{
	764	if(lists[i] != NULL)
	765	{
	766	for(j=0; j < lists[i]->num_keys; j++)
	767	{
[150]	768	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	769	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	770	}
	771	}
	772	}
	773	}
	774	}
	775
	776	for(i=0; i < num_lists; i++)
	777	regfi_subkeylist_free(lists[i]);
	778	free(lists);
	779
	780	return ret_val;
	781	}
	782
	783
[147]	784	/******************************************************************************
	785	*
	786	******************************************************************************/
	787	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size,
	788	bool strict)
[30]	789	{
[135]	790	REGFI_SK_REC* ret_val;
[147]	791	uint8* sec_desc_buf = NULL;
[102]	792	uint32 cell_length, length;
	793	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	794	bool unalloc = false;
[30]	795
[102]	796	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	797	&cell_length, &unalloc))
[137]	798	{
[138]	799	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	800	" at offset 0x%.8X.", offset);
[102]	801	return NULL;
[137]	802	}
[102]	803
	804	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	805	{
[138]	806	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	807	" SK record at offset 0x%.8X.", offset);
[102]	808	return NULL;
[137]	809	}
	810
[147]	811	ret_val = talloc(NULL, REGFI_SK_REC);
[102]	812	if(ret_val == NULL)
	813	return NULL;
[30]	814
[102]	815	ret_val->offset = offset;
[116]	816	/* XXX: Is there a way to be more conservative (shorter) with
	817	* cell length when cell is unallocated?
[111]	818	*/
[102]	819	ret_val->cell_size = cell_length;
[30]	820
[102]	821	if(ret_val->cell_size > max_size)
	822	ret_val->cell_size = max_size & 0xFFFFFFF8;
	823	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	824	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	825	{
[138]	826	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	827	" parsing SK record at offset 0x%.8X.", offset);
[147]	828	goto fail;
[102]	829	}
[30]	830
[102]	831	ret_val->magic[0] = sk_header[0];
	832	ret_val->magic[1] = sk_header[1];
[30]	833
[102]	834	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	835	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	836	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	837	ret_val->ref_count = IVAL(sk_header, 0xC);
	838	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	839
[157]	840	if((ret_val->prev_sk_off & 0x00000007) != 0
	841	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	842	{
	843	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	844	" are not a multiple of 8 while parsing SK record at"
	845	" offset 0x%.8X.", offset);
[147]	846	goto fail;
[140]	847	}
	848
[102]	849	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	850	{
[140]	851	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	852	" cell while parsing SK record at offset 0x%.8X.",
	853	offset);
[147]	854	goto fail;
[102]	855	}
[30]	856
[147]	857	sec_desc_buf = (uint8*)malloc(ret_val->desc_size);
	858	if(sec_desc_buf == NULL)
	859	goto fail;
[102]	860
[134]	861	length = ret_val->desc_size;
	862	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
	863	\|\| length != ret_val->desc_size)
	864	{
[138]	865	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	866	" descriptor while parsing SK record at offset 0x%.8X.",
	867	offset);
[147]	868	goto fail;
[134]	869	}
[102]	870
[147]	871	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	872	ret_val->desc_size)))
[134]	873	{
[138]	874	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	875	" descriptor while parsing SK record at offset 0x%.8X.",
	876	offset);
[147]	877	goto fail;
[134]	878	}
[147]	879
[134]	880	free(sec_desc_buf);
[147]	881	return ret_val;
[134]	882
[147]	883	fail:
	884	if(sec_desc_buf != NULL)
	885	free(sec_desc_buf);
	886	talloc_free(ret_val);
	887	return NULL;
[30]	888	}
	889
	890
[145]	891	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
	892	uint32 num_values, bool strict)
[111]	893	{
[145]	894	REGFI_VALUE_LIST* ret_val;
[111]	895	uint32 i, cell_length, length, read_len;
	896	bool unalloc;
[30]	897
[111]	898	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	899	{
[138]	900	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	901	" while parsing value list at offset 0x%.8X.", offset);
[111]	902	return NULL;
[137]	903	}
[111]	904
[157]	905	if((cell_length & 0x00000007) != 0)
[111]	906	{
[145]	907	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
	908	" while parsing value list at offset 0x%.8X.", offset);
[111]	909	if(strict)
	910	return NULL;
	911	cell_length = cell_length & 0xFFFFFFF8;
	912	}
[145]	913
[111]	914	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
[137]	915	{
[140]	916	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	917	" while parsing value list at offset 0x%.8X.", offset);
[145]	918	if(strict)
	919	return NULL;
	920	num_values = cell_length/sizeof(uint32) - sizeof(uint32);
[137]	921	}
[111]	922
	923	read_len = num_values*sizeof(uint32);
[150]	924	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	925	if(ret_val == NULL)
	926	return NULL;
	927
[150]	928	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	929	if(ret_val->elements == NULL)
	930	{
[150]	931	talloc_free(ret_val);
[145]	932	return NULL;
	933	}
	934	ret_val->num_values = num_values;
	935
[111]	936	length = read_len;
[145]	937	if((regfi_read(file->fd, (uint8*)ret_val->elements, &length) != 0)
	938	\|\| length != read_len)
[111]	939	{
[138]	940	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	941	" while parsing value list at offset 0x%.8X.", offset);
[150]	942	talloc_free(ret_val);
[111]	943	return NULL;
	944	}
	945
	946	for(i=0; i < num_values; i++)
	947	{
	948	/* Fix endianness */
[145]	949	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	950
	951	/* Validate the first num_values values to ensure they make sense */
	952	if(strict)
	953	{
[145]	954	/* XXX: Need to revisit this file length check when we start dealing
	955	* with partial files. */
	956	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	957	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	958	{
[145]	959	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]	960	" (0x%.8X) found while parsing value list at offset"
[145]	961	" 0x%.8X.", ret_val->elements[i], offset);
[150]	962	talloc_free(ret_val);
[111]	963	return NULL;
	964	}
	965	}
	966	}
	967
	968	return ret_val;
	969	}
	970
	971
	972
[103]	973	/******************************************************************************
	974	******************************************************************************/
[162]	975	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32 offset,
	976	REGFI_ENCODING output_encoding, bool strict)
[30]	977	{
[145]	978	REGFI_VK_REC* ret_val = NULL;
[162]	979	int32 max_size, tmp_size;
	980	REGFI_ENCODING from_encoding;
[30]	981
[157]	982	max_size = regfi_calc_maxsize(file, offset);
	983	if(max_size < 0)
[103]	984	return NULL;
[145]	985
[157]	986	ret_val = regfi_parse_vk(file, offset, max_size, strict);
[103]	987	if(ret_val == NULL)
	988	return NULL;
[145]	989
[162]	990	from_encoding = (ret_val->flags & REGFI_VK_FLAG_ASCIINAME)
	991	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]	992
[162]	993	if(from_encoding == output_encoding)
	994	{
	995	ret_val->valuename_raw = talloc_realloc(ret_val, ret_val->valuename_raw,
	996	uint8, ret_val->name_length+1);
	997	ret_val->valuename_raw[ret_val->name_length] = '\0';
	998	ret_val->valuename = (char*)ret_val->valuename_raw;
	999	}
	1000	else
	1001	{
	1002	ret_val->valuename = talloc_array(ret_val, char, ret_val->name_length+1);
	1003	if(ret_val->valuename == NULL)
	1004	{
	1005	regfi_free_value(ret_val);
	1006	return NULL;
	1007	}
	1008
	1009	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1010	regfi_encoding_int2str(output_encoding),
	1011	ret_val->valuename_raw, ret_val->valuename,
	1012	ret_val->name_length, ret_val->name_length+1);
	1013	if(tmp_size < 0)
	1014	{
	1015	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1016	" valuename to encoding %s. Error message: %s",
	1017	regfi_encoding_int2str(output_encoding),
	1018	strerror(-tmp_size));
	1019	talloc_free(ret_val->valuename);
	1020	ret_val->valuename = NULL;
	1021	}
	1022	}
	1023
[103]	1024	return ret_val;
[30]	1025	}
	1026
	1027
[145]	1028	/******************************************************************************
	1029	* If !strict, the list may contain NULLs, VK records may point to NULL.
	1030	******************************************************************************/
	1031	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
[146]	1032	uint32 num_values, uint32 max_size,
[145]	1033	bool strict)
	1034	{
	1035	uint32 usable_num_values;
[30]	1036
[145]	1037	if((num_values+1) * sizeof(uint32) > max_size)
	1038	{
	1039	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
	1040	" parent key (%d) would cause cell to straddle HBIN"
	1041	" boundary while loading value list at offset"
	1042	" 0x%.8X.", num_values, offset);
	1043	if(strict)
	1044	return NULL;
	1045	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
	1046	}
	1047	else
	1048	usable_num_values = num_values;
	1049
	1050	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1051	}
	1052
	1053
	1054
[146]	1055	/******************************************************************************
	1056	*
	1057	******************************************************************************/
[161]	1058	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
	1059	REGFI_ENCODING output_encoding, bool strict)
[30]	1060	{
[135]	1061	REGFI_NK_REC* nk;
[157]	1062	uint32 off;
[161]	1063	int32 max_size, tmp_size;
	1064	REGFI_ENCODING from_encoding;
[99]	1065
[157]	1066	max_size = regfi_calc_maxsize(file, offset);
	1067	if (max_size < 0)
[105]	1068	return NULL;
[30]	1069
[31]	1070	/* get the initial nk record */
[157]	1071	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
[135]	1072	{
[138]	1073	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
[137]	1074	" offset 0x%.8X.", offset);
[99]	1075	return NULL;
[135]	1076	}
[30]	1077
[161]	1078	from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
	1079	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
	1080
	1081	if(from_encoding == output_encoding)
	1082	{
	1083	nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8, nk->name_length+1);
	1084	nk->keyname_raw[nk->name_length] = '\0';
	1085	nk->keyname = (char*)nk->keyname_raw;
	1086	}
	1087	else
	1088	{
	1089	nk->keyname = talloc_array(nk, char, nk->name_length+1);
	1090	if(nk->keyname == NULL)
	1091	{
	1092	regfi_free_key(nk);
	1093	return NULL;
	1094	}
	1095
	1096	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1097	regfi_encoding_int2str(output_encoding),
	1098	nk->keyname_raw, nk->keyname,
	1099	nk->name_length, nk->name_length+1);
	1100	if(tmp_size < 0)
	1101	{
	1102	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1103	" keyname to encoding %s. Error message: %s",
	1104	regfi_encoding_int2str(output_encoding),
	1105	strerror(-tmp_size));
	1106	talloc_free(nk->keyname);
	1107	nk->keyname = NULL;
	1108	}
	1109	}
	1110
	1111
[146]	1112	/* get value list */
[135]	1113	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1114	{
[157]	1115	off = nk->values_off + REGFI_REGF_SIZE;
	1116	max_size = regfi_calc_maxsize(file, off);
	1117	if(max_size < 0)
[32]	1118	{
[105]	1119	if(strict)
[32]	1120	{
[150]	1121	regfi_free_key(nk);
[99]	1122	return NULL;
[31]	1123	}
[105]	1124	else
	1125	nk->values = NULL;
[133]	1126
[31]	1127	}
[105]	1128	else
[103]	1129	{
[157]	1130	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1131	max_size, true);
[145]	1132	if(nk->values == NULL)
[105]	1133	{
[145]	1134	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
	1135	" for NK record at offset 0x%.8X.", offset);
	1136	if(strict)
	1137	{
[150]	1138	regfi_free_key(nk);
[145]	1139	return NULL;
	1140	}
[105]	1141	}
[150]	1142	talloc_steal(nk, nk->values);
[103]	1143	}
[31]	1144	}
[105]	1145
[146]	1146	/* now get subkey list */
[135]	1147	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1148	{
[157]	1149	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1150	max_size = regfi_calc_maxsize(file, off);
	1151	if(max_size < 0)
[32]	1152	{
[105]	1153	if(strict)
[32]	1154	{
[150]	1155	regfi_free_key(nk);
[99]	1156	return NULL;
[31]	1157	}
[105]	1158	else
	1159	nk->subkeys = NULL;
[31]	1160	}
[105]	1161	else
[104]	1162	{
[134]	1163	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1164	max_size, true);
[134]	1165
[105]	1166	if(nk->subkeys == NULL)
	1167	{
[140]	1168	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1169	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1170	nk->num_subkeys = 0;
	1171	}
[150]	1172	talloc_steal(nk, nk->subkeys);
[104]	1173	}
[31]	1174	}
[30]	1175
[99]	1176	return nk;
[30]	1177	}
	1178
[32]	1179
[102]	1180	/******************************************************************************
	1181	******************************************************************************/
[146]	1182	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32 offset, bool strict)
	1183	{
	1184	REGFI_SK_REC* ret_val = NULL;
[157]	1185	int32 max_size;
[147]	1186	void* failure_ptr = NULL;
	1187
[146]	1188	/* First look if we have already parsed it */
	1189	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
	1190
	1191	/* Bail out if we have previously cached a parse failure at this offset. */
	1192	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1193	return NULL;
	1194
	1195	if(ret_val == NULL)
	1196	{
[157]	1197	max_size = regfi_calc_maxsize(file, offset);
	1198	if(max_size < 0)
[146]	1199	return NULL;
	1200
[157]	1201	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1202	if(ret_val == NULL)
	1203	{ /* Cache the parse failure and bail out. */
[147]	1204	failure_ptr = talloc(NULL, uint32_t);
	1205	if(failure_ptr == NULL)
	1206	return NULL;
	1207	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1208	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]	1209	return NULL;
	1210	}
	1211
	1212	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
	1213	}
	1214
	1215	return ret_val;
	1216	}
	1217
	1218
	1219
	1220	/******************************************************************************
	1221	******************************************************************************/
[161]	1222	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
	1223	REGFI_ENCODING output_encoding)
[30]	1224	{
[135]	1225	REGFI_NK_REC* nk = NULL;
[158]	1226	uint32 cell_length;
	1227	uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1228	uint32 hbin_end = hbin->file_off+hbin->block_size;
	1229	bool unalloc;
[30]	1230
[158]	1231	while(cur_offset < hbin_end)
[32]	1232	{
[158]	1233	if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
	1234	{
	1235	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
	1236	" 0x%.8X while searching for root key.", cur_offset);
	1237	return NULL;
	1238	}
[102]	1239
[158]	1240	if(!unalloc)
[102]	1241	{
[161]	1242	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1243	if(nk != NULL)
	1244	{
[161]	1245	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1246	return nk;
[102]	1247	}
[31]	1248	}
[30]	1249
[158]	1250	cur_offset += cell_length;
[31]	1251	}
[32]	1252
[158]	1253	return NULL;
[30]	1254	}
	1255
	1256
	1257	/*******************************************************************
[97]	1258	* Open the registry file and then read in the REGF block to get the
	1259	* first hbin offset.
	1260	*******************************************************************/
[135]	1261	REGFI_FILE* regfi_open(const char* filename)
[30]	1262	{
[137]	1263	struct stat sbuf;
[135]	1264	REGFI_FILE* rb;
	1265	REGFI_HBIN* hbin = NULL;
[146]	1266	uint32 hbin_off, file_length, cache_secret;
[97]	1267	int fd;
[110]	1268	bool rla;
[30]	1269
[97]	1270	/* open an existing file */
[143]	1271	if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]	1272	{
[143]	1273	/* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]	1274	return NULL;
	1275	}
[99]	1276
[137]	1277	/* Determine file length. Must be at least big enough
	1278	* for the header and one hbin.
	1279	*/
	1280	if (fstat(fd, &sbuf) == -1)
	1281	return NULL;
	1282	file_length = sbuf.st_size;
	1283	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1284	return NULL;
	1285
[31]	1286	/* read in an existing file */
[97]	1287	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1288	{
[143]	1289	/* fprintf(stderr, "regfi_open: Failed to read initial REGF block\n"); */
[97]	1290	close(fd);
[31]	1291	return NULL;
	1292	}
[137]	1293	rb->file_length = file_length;
	1294
[99]	1295	rb->hbins = range_list_new();
[110]	1296	if(rb->hbins == NULL)
[99]	1297	{
[143]	1298	/* fprintf(stderr, "regfi_open: Failed to create HBIN list.\n"); */
[99]	1299	close(fd);
[150]	1300	talloc_free(rb);
[99]	1301	return NULL;
	1302	}
[150]	1303	talloc_steal(rb, rb->hbins);
	1304
[106]	1305	rla = true;
[135]	1306	hbin_off = REGFI_REGF_SIZE;
[110]	1307	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1308	while(hbin && rla)
	1309	{
[137]	1310	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1311	if(rla)
	1312	talloc_steal(rb->hbins, hbin);
[106]	1313	hbin_off = hbin->file_off + hbin->block_size;
[110]	1314	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1315	}
	1316
[146]	1317	/* This secret isn't very secret, but we don't need a good one. This
	1318	* secret is just designed to prevent someone from trying to blow our
	1319	* caching and make things slow.
	1320	*/
	1321	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1322
	1323	/* Cache an unlimited number of SK records. Typically there are very few. */
[150]	1324	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]	1325
[138]	1326	/* Default message mask */
	1327	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1328
[31]	1329	/* success */
	1330	return rb;
[30]	1331	}
	1332
	1333
[148]	1334	/******************************************************************************
	1335	******************************************************************************/
[146]	1336	int regfi_close(REGFI_FILE *file)
[30]	1337	{
[31]	1338	int fd;
[30]	1339
[31]	1340	/* nothing to do if there is no open file */
[99]	1341	if ((file == NULL) \|\| (file->fd == -1))
	1342	return 0;
[30]	1343
[31]	1344	fd = file->fd;
	1345	file->fd = -1;
[148]	1346
[99]	1347	range_list_free(file->hbins);
[106]	1348
[146]	1349	if(file->sk_cache != NULL)
	1350	lru_cache_destroy(file->sk_cache);
[148]	1351
[150]	1352	talloc_free(file);
[106]	1353	return close(fd);
[30]	1354	}
	1355
	1356
[80]	1357	/******************************************************************************
[158]	1358	* First checks the offset given by the file header, then checks the
	1359	* rest of the file if that fails.
[148]	1360	******************************************************************************/
[161]	1361	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]	1362	{
[135]	1363	REGFI_NK_REC* nk = NULL;
[146]	1364	REGFI_HBIN* hbin;
	1365	uint32 root_offset, i, num_hbins;
[99]	1366
	1367	if(!file)
[31]	1368	return NULL;
[99]	1369
[158]	1370	root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]	1371	nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]	1372	if(nk != NULL)
	1373	{
[161]	1374	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1375	return nk;
	1376	}
	1377
	1378	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
	1379	" location 0x%.8X, but no root key found."
	1380	" Searching rest of file...", root_offset);
	1381
	1382	/* If the file header gives bad info, scan through the file one HBIN
	1383	* block at a time looking for an NK record with a root key type.
[146]	1384	*/
[107]	1385	num_hbins = range_list_size(file->hbins);
[158]	1386	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1387	{
[135]	1388	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]	1389	nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]	1390	}
[30]	1391
[80]	1392	return nk;
[30]	1393	}
	1394
	1395
[80]	1396	/******************************************************************************
	1397	*****************************************************************************/
[150]	1398	void regfi_free_key(REGFI_NK_REC* nk)
[30]	1399	{
[127]	1400	regfi_subkeylist_free(nk->subkeys);
[150]	1401	talloc_free(nk);
	1402	}
[127]	1403
[80]	1404
[150]	1405	/******************************************************************************
	1406	*****************************************************************************/
	1407	void regfi_free_value(REGFI_VK_REC* vk)
	1408	{
	1409	talloc_free(vk);
[80]	1410	}
	1411
	1412
	1413	/******************************************************************************
	1414	*****************************************************************************/
[135]	1415	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1416	{
	1417	if(list != NULL)
	1418	{
[150]	1419	talloc_free(list);
[127]	1420	}
	1421	}
	1422
	1423
	1424	/******************************************************************************
	1425	*****************************************************************************/
[161]	1426	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
	1427	REGFI_ENCODING output_encoding)
[80]	1428	{
[135]	1429	REGFI_NK_REC* root;
[161]	1430	REGFI_ITERATOR* ret_val;
	1431
	1432	if(output_encoding != REGFI_ENCODING_UTF8
	1433	&& output_encoding != REGFI_ENCODING_ASCII)
	1434	{
	1435	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
	1436	" in creation of regfi iterator.");
	1437	return NULL;
	1438	}
	1439
	1440	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1441	if(ret_val == NULL)
	1442	return NULL;
	1443
[161]	1444	root = regfi_rootkey(file, output_encoding);
[80]	1445	if(root == NULL)
	1446	{
[150]	1447	talloc_free(ret_val);
[80]	1448	return NULL;
	1449	}
	1450
[135]	1451	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1452	if(ret_val->key_positions == NULL)
	1453	{
[150]	1454	talloc_free(ret_val);
[80]	1455	return NULL;
	1456	}
[150]	1457	talloc_steal(ret_val, ret_val->key_positions);
[80]	1458
[159]	1459	ret_val->f = file;
[80]	1460	ret_val->cur_key = root;
	1461	ret_val->cur_subkey = 0;
	1462	ret_val->cur_value = 0;
[161]	1463	ret_val->string_encoding = output_encoding;
	1464
[80]	1465	return ret_val;
	1466	}
	1467
	1468
	1469	/******************************************************************************
	1470	*****************************************************************************/
	1471	void regfi_iterator_free(REGFI_ITERATOR* i)
	1472	{
[150]	1473	talloc_free(i);
[80]	1474	}
	1475
	1476
	1477
	1478	/******************************************************************************
	1479	*****************************************************************************/
	1480	/* XXX: some way of indicating reason for failure should be added. */
	1481	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1482	{
[135]	1483	REGFI_NK_REC* subkey;
[80]	1484	REGFI_ITER_POSITION* pos;
	1485
[150]	1486	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1487	if(pos == NULL)
	1488	return false;
	1489
[135]	1490	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1491	if(subkey == NULL)
	1492	{
[150]	1493	talloc_free(pos);
[80]	1494	return false;
	1495	}
	1496
	1497	pos->nk = i->cur_key;
	1498	pos->cur_subkey = i->cur_subkey;
	1499	if(!void_stack_push(i->key_positions, pos))
	1500	{
[150]	1501	talloc_free(pos);
	1502	regfi_free_key(subkey);
[80]	1503	return false;
	1504	}
[150]	1505	talloc_steal(i, subkey);
[80]	1506
	1507	i->cur_key = subkey;
	1508	i->cur_subkey = 0;
	1509	i->cur_value = 0;
	1510
	1511	return true;
	1512	}
	1513
	1514
	1515	/******************************************************************************
	1516	*****************************************************************************/
	1517	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1518	{
	1519	REGFI_ITER_POSITION* pos;
	1520
	1521	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1522	if(pos == NULL)
	1523	return false;
	1524
[150]	1525	regfi_free_key(i->cur_key);
[80]	1526	i->cur_key = pos->nk;
	1527	i->cur_subkey = pos->cur_subkey;
	1528	i->cur_value = 0;
[150]	1529	talloc_free(pos);
[80]	1530
	1531	return true;
	1532	}
	1533
	1534
	1535	/******************************************************************************
	1536	*****************************************************************************/
	1537	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1538	{
	1539	while(regfi_iterator_up(i))
	1540	continue;
	1541
	1542	return true;
	1543	}
	1544
	1545
	1546	/******************************************************************************
	1547	*****************************************************************************/
	1548	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1549	{
[135]	1550	REGFI_NK_REC* subkey;
[80]	1551	bool found = false;
	1552	uint32 old_subkey = i->cur_subkey;
[133]	1553
[80]	1554	if(subkey_name == NULL)
	1555	return false;
	1556
	1557	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1558	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1559	while((subkey != NULL) && (found == false))
	1560	{
	1561	if(subkey->keyname != NULL
	1562	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1563	found = true;
[82]	1564	else
	1565	{
[150]	1566	regfi_free_key(subkey);
[135]	1567	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1568	}
[80]	1569	}
	1570
	1571	if(found == false)
	1572	{
	1573	i->cur_subkey = old_subkey;
	1574	return false;
	1575	}
	1576
[150]	1577	regfi_free_key(subkey);
[80]	1578	return true;
	1579	}
	1580
	1581
	1582	/******************************************************************************
	1583	*****************************************************************************/
	1584	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1585	{
	1586	uint32 x;
	1587	if(path == NULL)
	1588	return false;
	1589
	1590	for(x=0;
	1591	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1592	&& regfi_iterator_down(i));
	1593	x++)
	1594	{ continue; }
	1595
	1596	if(path[x] == NULL)
	1597	return true;
	1598
	1599	/* XXX: is this the right number of times? */
	1600	for(; x > 0; x--)
	1601	regfi_iterator_up(i);
	1602
	1603	return false;
	1604	}
	1605
	1606
	1607	/******************************************************************************
	1608	*****************************************************************************/
[135]	1609	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1610	{
	1611	return i->cur_key;
	1612	}
	1613
	1614
	1615	/******************************************************************************
	1616	*****************************************************************************/
[135]	1617	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1618	{
[146]	1619	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]	1620	return NULL;
	1621
[146]	1622	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]	1623	}
	1624
	1625
	1626	/******************************************************************************
	1627	*****************************************************************************/
[150]	1628	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1629	{
	1630	i->cur_subkey = 0;
	1631	return regfi_iterator_cur_subkey(i);
	1632	}
	1633
	1634
	1635	/******************************************************************************
	1636	*****************************************************************************/
[150]	1637	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1638	{
	1639	uint32 nk_offset;
	1640
[31]	1641	/* see if there is anything left to report */
[135]	1642	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1643	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1644	return NULL;
[30]	1645
[139]	1646	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1647
[161]	1648	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
	1649	true);
[30]	1650	}
[80]	1651
	1652
	1653	/******************************************************************************
	1654	*****************************************************************************/
	1655	/* XXX: some way of indicating reason for failure should be added. */
[150]	1656	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1657	{
[150]	1658	REGFI_NK_REC* subkey;
[80]	1659
	1660	i->cur_subkey++;
	1661	subkey = regfi_iterator_cur_subkey(i);
	1662
	1663	if(subkey == NULL)
	1664	i->cur_subkey--;
	1665
	1666	return subkey;
	1667	}
	1668
	1669
	1670	/******************************************************************************
	1671	*****************************************************************************/
	1672	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1673	{
[150]	1674	REGFI_VK_REC* cur;
[80]	1675	bool found = false;
	1676
	1677	/* XXX: cur->valuename can be NULL in the registry.
	1678	* Should we allow for a way to search for that?
	1679	*/
	1680	if(value_name == NULL)
	1681	return false;
	1682
	1683	cur = regfi_iterator_first_value(i);
	1684	while((cur != NULL) && (found == false))
	1685	{
	1686	if((cur->valuename != NULL)
	1687	&& (strcasecmp(cur->valuename, value_name) == 0))
	1688	found = true;
[95]	1689	else
[150]	1690	{
	1691	regfi_free_value(cur);
[95]	1692	cur = regfi_iterator_next_value(i);
[150]	1693	}
[80]	1694	}
	1695
[94]	1696	return found;
[80]	1697	}
	1698
	1699
	1700	/******************************************************************************
	1701	*****************************************************************************/
[150]	1702	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1703	{
	1704	i->cur_value = 0;
	1705	return regfi_iterator_cur_value(i);
	1706	}
	1707
	1708
	1709	/******************************************************************************
	1710	*****************************************************************************/
[150]	1711	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1712	{
[150]	1713	REGFI_VK_REC* ret_val = NULL;
[145]	1714	uint32 voffset;
[80]	1715
[145]	1716	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
	1717	{
	1718	if(i->cur_value < i->cur_key->values->num_values)
	1719	{
	1720	voffset = i->cur_key->values->elements[i->cur_value];
[162]	1721	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE,
	1722	i->string_encoding, true);
[145]	1723	}
	1724	}
	1725
[80]	1726	return ret_val;
	1727	}
	1728
	1729
	1730	/******************************************************************************
	1731	*****************************************************************************/
[150]	1732	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1733	{
[150]	1734	REGFI_VK_REC* ret_val;
[80]	1735
	1736	i->cur_value++;
	1737	ret_val = regfi_iterator_cur_value(i);
	1738	if(ret_val == NULL)
	1739	i->cur_value--;
	1740
	1741	return ret_val;
	1742	}
[97]	1743
	1744
[159]	1745	/******************************************************************************
	1746	*****************************************************************************/
[160]	1747	REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
	1748	const REGFI_NK_REC* key)
	1749	{
	1750	REGFI_CLASSNAME* ret_val;
	1751	uint8* raw;
	1752	char* interpreted;
	1753	uint32 offset;
	1754	int32 conv_size, max_size;
	1755	uint16 parse_length;
	1756
	1757	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	1758	return NULL;
	1759
	1760	offset = key->classname_off + REGFI_REGF_SIZE;
	1761	max_size = regfi_calc_maxsize(i->f, offset);
	1762	if(max_size <= 0)
	1763	return NULL;
	1764
	1765	parse_length = key->classname_length;
	1766	raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
	1767
	1768	if(raw == NULL)
	1769	{
	1770	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
	1771	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	1772	offset, key->offset);
	1773	return NULL;
	1774	}
	1775
	1776	ret_val = talloc(NULL, REGFI_CLASSNAME);
	1777	if(ret_val == NULL)
	1778	return NULL;
	1779
	1780	ret_val->raw = raw;
	1781	ret_val->size = parse_length;
	1782	talloc_steal(ret_val, raw);
	1783
	1784	interpreted = talloc_array(NULL, char, parse_length);
	1785
[161]	1786	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1787	regfi_encoding_int2str(i->string_encoding),
[160]	1788	raw, interpreted,
	1789	parse_length, parse_length);
	1790	if(conv_size < 0)
	1791	{
	1792	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
	1793	" converting classname to charset %s. Error message: %s",
	1794	i->string_encoding, strerror(-conv_size));
	1795	talloc_free(interpreted);
	1796	ret_val->interpreted = NULL;
	1797	}
	1798	else
	1799	{
	1800	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	1801	ret_val->interpreted = interpreted;
	1802	talloc_steal(ret_val, interpreted);
	1803	}
	1804
	1805	return ret_val;
	1806	}
	1807
	1808
	1809	/******************************************************************************
	1810	*****************************************************************************/
[159]	1811	REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
	1812	const REGFI_VK_REC* value)
	1813	{
	1814	REGFI_DATA* ret_val = NULL;
	1815	REGFI_BUFFER raw_data;
	1816
	1817	if(value->data_size != 0)
	1818	{
	1819	raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
	1820	value->data_in_offset, true);
	1821	if(raw_data.buf == NULL)
	1822	{
	1823	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
	1824	" while parsing VK record at offset 0x%.8X.",
	1825	value->offset);
	1826	}
	1827	else
	1828	{
	1829	ret_val = regfi_buffer_to_data(raw_data);
	1830
	1831	if(ret_val == NULL)
	1832	{
	1833	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
	1834	" data buffer to data structure while interpreting "
	1835	"data for VK record at offset 0x%.8X.",
	1836	value->offset);
	1837	talloc_free(raw_data.buf);
	1838	return NULL;
	1839	}
	1840
	1841	if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
	1842	{
	1843	regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
	1844	" interpreting data for VK record at offset 0x%.8X.",
	1845	value->offset);
	1846	}
	1847	}
	1848	}
	1849
	1850	return ret_val;
	1851	}
	1852
	1853
	1854	/******************************************************************************
	1855	*****************************************************************************/
[160]	1856	void regfi_free_classname(REGFI_CLASSNAME* classname)
	1857	{
	1858	talloc_free(classname);
	1859	}
	1860
	1861	/******************************************************************************
	1862	*****************************************************************************/
[159]	1863	void regfi_free_data(REGFI_DATA* data)
	1864	{
	1865	talloc_free(data);
	1866	}
	1867
	1868
	1869	/******************************************************************************
	1870	*****************************************************************************/
	1871	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	1872	{
	1873	REGFI_DATA* ret_val;
	1874
	1875	if(raw_data.buf == NULL)
	1876	return NULL;
	1877
	1878	ret_val = talloc(NULL, REGFI_DATA);
	1879	if(ret_val == NULL)
	1880	return NULL;
	1881
	1882	talloc_steal(ret_val, raw_data.buf);
	1883	ret_val->raw = raw_data.buf;
	1884	ret_val->size = raw_data.len;
	1885	ret_val->interpreted_size = 0;
	1886	ret_val->interpreted.qword = 0;
	1887
	1888	return ret_val;
	1889	}
	1890
	1891
	1892	/******************************************************************************
	1893	*****************************************************************************/
[161]	1894	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[159]	1895	uint32 type, REGFI_DATA* data)
	1896	{
	1897	uint8** tmp_array;
	1898	uint8* tmp_str;
	1899	int32 tmp_size;
	1900	uint32 i, j, array_size;
	1901
	1902	if(data == NULL)
	1903	return false;
	1904
	1905	switch (type)
	1906	{
	1907	case REG_SZ:
	1908	case REG_EXPAND_SZ:
	1909	/* REG_LINK is a symbolic link, stored as a unicode string. */
	1910	case REG_LINK:
	1911	tmp_str = talloc_array(NULL, uint8, data->size);
	1912	if(tmp_str == NULL)
	1913	{
	1914	data->interpreted.string = NULL;
	1915	data->interpreted_size = 0;
	1916	return false;
	1917	}
	1918
[161]	1919	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1920	regfi_encoding_int2str(string_encoding),
[159]	1921	data->raw, (char*)tmp_str,
	1922	data->size, data->size);
	1923	if(tmp_size < 0)
	1924	{
	1925	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1926	" converting data of type %d to %s. Error message: %s",
	1927	type, string_encoding, strerror(-tmp_size));
	1928	talloc_free(tmp_str);
	1929	data->interpreted.string = NULL;
	1930	data->interpreted_size = 0;
	1931	return false;
	1932	}
	1933
	1934	tmp_str = talloc_realloc(NULL, tmp_str, uint8, tmp_size);
	1935	data->interpreted.string = tmp_str;
	1936	data->interpreted_size = tmp_size;
	1937	talloc_steal(data, tmp_str);
	1938	break;
	1939
	1940	case REG_DWORD:
	1941	if(data->size < 4)
	1942	{
	1943	data->interpreted.dword = 0;
	1944	data->interpreted_size = 0;
	1945	return false;
	1946	}
	1947	data->interpreted.dword = IVAL(data->raw, 0);
	1948	data->interpreted_size = 4;
	1949	break;
	1950
	1951	case REG_DWORD_BE:
	1952	if(data->size < 4)
	1953	{
	1954	data->interpreted.dword_be = 0;
	1955	data->interpreted_size = 0;
	1956	return false;
	1957	}
	1958	data->interpreted.dword_be = RIVAL(data->raw, 0);
	1959	data->interpreted_size = 4;
	1960	break;
	1961
	1962	case REG_QWORD:
	1963	if(data->size < 8)
	1964	{
	1965	data->interpreted.qword = 0;
	1966	data->interpreted_size = 0;
	1967	return false;
	1968	}
	1969	data->interpreted.qword =
	1970	(uint64)IVAL(data->raw, 0) + (((uint64)IVAL(data->raw, 4))<<32);
	1971	data->interpreted_size = 8;
	1972	break;
	1973
	1974	case REG_MULTI_SZ:
	1975	tmp_str = talloc_array(NULL, uint8, data->size);
	1976	if(tmp_str == NULL)
	1977	{
	1978	data->interpreted.multiple_string = NULL;
	1979	data->interpreted_size = 0;
	1980	return false;
	1981	}
	1982
	1983	/* Attempt to convert entire string from UTF-16LE to output encoding,
	1984	* then parse and quote fields individually.
	1985	*/
[161]	1986	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1987	regfi_encoding_int2str(string_encoding),
[159]	1988	data->raw, (char*)tmp_str,
	1989	data->size, data->size);
	1990	if(tmp_size < 0)
	1991	{
	1992	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1993	" converting data of type %d to %s. Error message: %s",
	1994	type, string_encoding, strerror(-tmp_size));
	1995	talloc_free(tmp_str);
	1996	data->interpreted.multiple_string = NULL;
	1997	data->interpreted_size = 0;
	1998	return false;
	1999	}
	2000
	2001	array_size = tmp_size+1;
	2002	tmp_array = talloc_array(NULL, uint8*, array_size);
	2003	if(tmp_array == NULL)
	2004	{
	2005	talloc_free(tmp_str);
	2006	data->interpreted.string = NULL;
	2007	data->interpreted_size = 0;
	2008	return false;
	2009	}
	2010
	2011	tmp_array[0] = tmp_str;
	2012	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	2013	{
	2014	if(tmp_str[i] == '\0' && (i+1 < tmp_size))
	2015	tmp_array[j++] = tmp_str+i+1;
	2016	}
	2017	tmp_array[j] = NULL;
	2018	tmp_array = talloc_realloc(NULL, tmp_array, uint8*, j+1);
	2019	data->interpreted.multiple_string = tmp_array;
	2020	/* XXX: how meaningful is this? should we store number of strings instead? */
	2021	data->interpreted_size = tmp_size;
	2022	talloc_steal(tmp_array, tmp_str);
	2023	talloc_steal(data, tmp_array);
	2024	break;
	2025
	2026	/* XXX: Dont know how to interpret these yet, just treat as binary */
	2027	case REG_NONE:
	2028	data->interpreted.none = data->raw;
	2029	data->interpreted_size = data->size;
	2030	break;
	2031
	2032	case REG_RESOURCE_LIST:
	2033	data->interpreted.resource_list = data->raw;
	2034	data->interpreted_size = data->size;
	2035	break;
	2036
	2037	case REG_FULL_RESOURCE_DESCRIPTOR:
	2038	data->interpreted.full_resource_descriptor = data->raw;
	2039	data->interpreted_size = data->size;
	2040	break;
	2041
	2042	case REG_RESOURCE_REQUIREMENTS_LIST:
	2043	data->interpreted.resource_requirements_list = data->raw;
	2044	data->interpreted_size = data->size;
	2045	break;
	2046
	2047	case REG_BINARY:
	2048	data->interpreted.binary = data->raw;
	2049	data->interpreted_size = data->size;
	2050	break;
	2051
	2052	default:
	2053	data->interpreted.qword = 0;
	2054	data->interpreted_size = 0;
	2055	return false;
	2056	}
	2057
	2058	data->type = type;
	2059	return true;
	2060	}
	2061
	2062
[97]	2063	/*******************************************************************
[159]	2064	* Convert from UTF-16LE to specified character set.
	2065	* On error, returns a negative errno code.
	2066	*******************************************************************/
[161]	2067	int32 regfi_conv_charset(const char* input_charset, const char* output_charset,
[159]	2068	uint8* input, char* output,
	2069	uint32 input_len, uint32 output_max)
	2070	{
	2071	iconv_t conv_desc;
	2072	char* inbuf = (char*)input;
	2073	char* outbuf = output;
	2074	size_t in_len = (size_t)input_len;
	2075	size_t out_len = (size_t)(output_max-1);
	2076	int ret;
	2077
[161]	2078	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2079	* storing them on an iterator so they don't have to be recreated
	2080	* each time.
	2081	*/
	2082
[159]	2083	/* Set up conversion descriptor. */
[161]	2084	conv_desc = iconv_open(output_charset, input_charset);
[159]	2085
	2086	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2087	if(ret == -1)
	2088	{
	2089	iconv_close(conv_desc);
	2090	return -errno;
	2091	}
	2092	*outbuf = '\0';
	2093
	2094	iconv_close(conv_desc);
	2095	return output_max-out_len-1;
	2096	}
	2097
	2098
	2099
	2100	/*******************************************************************
[97]	2101	* Computes the checksum of the registry file header.
[159]	2102	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2103	*******************************************************************/
	2104	static uint32 regfi_compute_header_checksum(uint8* buffer)
	2105	{
	2106	uint32 checksum, x;
	2107	int i;
	2108
	2109	/* XOR of all bytes 0x0000 - 0x01FB */
	2110
	2111	checksum = x = 0;
	2112
	2113	for ( i=0; i<0x01FB; i+=4 ) {
	2114	x = IVAL(buffer, i );
	2115	checksum ^= x;
	2116	}
	2117
	2118	return checksum;
	2119	}
	2120
	2121
	2122	/*******************************************************************
[116]	2123	* XXX: Add way to return more detailed error information.
[97]	2124	*******************************************************************/
[135]	2125	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]	2126	{
[135]	2127	uint8 file_header[REGFI_REGF_SIZE];
[102]	2128	uint32 length;
[135]	2129	REGFI_FILE* ret_val;
[97]	2130
[150]	2131	ret_val = talloc(NULL, REGFI_FILE);
[97]	2132	if(ret_val == NULL)
	2133	return NULL;
	2134
	2135	ret_val->fd = fd;
[150]	2136	ret_val->sk_cache = NULL;
	2137	ret_val->last_message = NULL;
	2138	ret_val->hbins = NULL;
	2139
[135]	2140	length = REGFI_REGF_SIZE;
[150]	2141	if((regfi_read(fd, file_header, &length)) != 0 \|\| length != REGFI_REGF_SIZE)
	2142	goto fail;
	2143
[97]	2144	ret_val->checksum = IVAL(file_header, 0x1FC);
	2145	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2146	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]	2147	goto fail;
[97]	2148
[135]	2149	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2150	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2151	{
[150]	2152	if(strict)
	2153	goto fail;
	2154	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
	2155	"(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]	2156	ret_val->magic[0], ret_val->magic[1],
[150]	2157	ret_val->magic[2], ret_val->magic[3]);
[97]	2158	}
[151]	2159	ret_val->sequence1 = IVAL(file_header, 0x4);
	2160	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2161	ret_val->mtime.low = IVAL(file_header, 0xC);
	2162	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2163	ret_val->major_version = IVAL(file_header, 0x14);
	2164	ret_val->minor_version = IVAL(file_header, 0x18);
	2165	ret_val->type = IVAL(file_header, 0x1C);
	2166	ret_val->format = IVAL(file_header, 0x20);
	2167	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2168	ret_val->last_block = IVAL(file_header, 0x28);
	2169
[151]	2170	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2171
[151]	2172	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2173
	2174	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2175	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2176	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2177	ret_val->flags = IVAL(file_header, 0x90);
	2178	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2179	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2180
	2181	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2182	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2183
	2184	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2185	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2186	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2187	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2188	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2189
[97]	2190	return ret_val;
[150]	2191
	2192	fail:
	2193	talloc_free(ret_val);
	2194	return NULL;
[97]	2195	}
	2196
	2197
	2198
[148]	2199	/******************************************************************************
[97]	2200	* Given real file offset, read and parse the hbin at that location
[110]	2201	* along with it's associated cells.
[148]	2202	******************************************************************************/
[135]	2203	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
[97]	2204	{
[135]	2205	REGFI_HBIN *hbin;
	2206	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
[110]	2207	uint32 length;
[99]	2208
	2209	if(offset >= file->file_length)
	2210	return NULL;
[97]	2211
	2212	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2213	{
[138]	2214	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2215	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2216	return NULL;
[137]	2217	}
[97]	2218
[135]	2219	length = REGFI_HBIN_HEADER_SIZE;
[97]	2220	if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]	2221	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	2222	return NULL;
	2223
	2224	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2225	{
[138]	2226	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2227	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2228	return NULL;
[137]	2229	}
[97]	2230
[148]	2231	hbin = talloc(NULL, REGFI_HBIN);
	2232	if(hbin == NULL)
[99]	2233	return NULL;
	2234	hbin->file_off = offset;
	2235
[97]	2236	memcpy(hbin->magic, hbin_header, 4);
	2237	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2238	{
[138]	2239	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	2240	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2241	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2242	hbin->magic[2], hbin->magic[3], offset);
[148]	2243	talloc_free(hbin);
[97]	2244	return NULL;
[99]	2245	}
[97]	2246
	2247	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2248	hbin->block_size = IVAL(hbin_header, 0x8);
	2249	/* this should be the same thing as hbin->block_size but just in case */
	2250	hbin->next_block = IVAL(hbin_header, 0x1C);
	2251
	2252
	2253	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2254	* the end of the file.
	2255	*/
[116]	2256	/* XXX: This may need to be relaxed for dealing with
	2257	* partial or corrupt files.
	2258	*/
[97]	2259	if((offset + hbin->block_size > file->file_length)
	2260	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2261	{
[138]	2262	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	2263	" or runs off the end of the file"
	2264	" while parsing hbin at offset 0x%.8X.", offset);
[148]	2265	talloc_free(hbin);
[97]	2266	return NULL;
[99]	2267	}
[97]	2268
	2269	return hbin;
	2270	}
	2271
	2272
[126]	2273	/*******************************************************************
	2274	*******************************************************************/
[135]	2275	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[158]	2276	uint32 max_size, bool strict)
[99]	2277	{
	2278	uint8 nk_header[REGFI_NK_MIN_LENGTH];
[135]	2279	REGFI_NK_REC* ret_val;
[131]	2280	uint32 length,cell_length;
[101]	2281	bool unalloc = false;
[99]	2282
[101]	2283	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	2284	&cell_length, &unalloc))
[137]	2285	{
[138]	2286	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2287	" while parsing NK record at offset 0x%.8X.", offset);
	2288	return NULL;
	2289	}
	2290
[99]	2291	/* A bit of validation before bothering to allocate memory */
[101]	2292	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2293	{
[138]	2294	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	2295	" NK record at offset 0x%.8X.", offset);
[99]	2296	return NULL;
[135]	2297	}
[99]	2298
[150]	2299	ret_val = talloc(NULL, REGFI_NK_REC);
[99]	2300	if(ret_val == NULL)
[135]	2301	{
[138]	2302	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	2303	" parsing NK record at offset 0x%.8X.", offset);
[99]	2304	return NULL;
[135]	2305	}
[99]	2306
[150]	2307	ret_val->values = NULL;
	2308	ret_val->subkeys = NULL;
[99]	2309	ret_val->offset = offset;
[101]	2310	ret_val->cell_size = cell_length;
	2311
[99]	2312	if(ret_val->cell_size > max_size)
	2313	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2314	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2315	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2316	{
[140]	2317	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	2318	" parsing NK record at offset 0x%.8X.", offset);
[150]	2319	talloc_free(ret_val);
[99]	2320	return NULL;
	2321	}
	2322
[101]	2323	ret_val->magic[0] = nk_header[0x0];
	2324	ret_val->magic[1] = nk_header[0x1];
[161]	2325	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2326
[161]	2327	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2328	{
[152]	2329	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]	2330	" parsing NK record at offset 0x%.8X.",
[161]	2331	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2332	}
[101]	2333
	2334	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2335	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2336	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2337	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2338	* weed out some false positives during deleted data recovery.
	2339	*/
	2340	if(unalloc
	2341	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2342	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
	2343	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
	2344	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
	2345	return NULL;
	2346
[101]	2347	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2348	ret_val->parent_off = IVAL(nk_header, 0x10);
	2349	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2350	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2351	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2352	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2353	ret_val->num_values = IVAL(nk_header, 0x24);
	2354	ret_val->values_off = IVAL(nk_header, 0x28);
	2355	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2356	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2357
[101]	2358	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2359	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2360	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2361	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2362	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2363
[101]	2364	ret_val->name_length = SVAL(nk_header, 0x48);
	2365	ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]	2366	ret_val->keyname = NULL;
[99]	2367
	2368	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2369	{
	2370	if(strict)
	2371	{
[138]	2372	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	2373	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2374	talloc_free(ret_val);
[101]	2375	return NULL;
	2376	}
	2377	else
	2378	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2379	}
	2380	else if (unalloc)
	2381	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2382	/* Round up to the next multiple of 8 */
	2383	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2384	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2385	length+=8;
[99]	2386
[101]	2387	/* If cell_size is still greater, truncate. */
	2388	if(length < ret_val->cell_size)
	2389	ret_val->cell_size = length;
	2390	}
	2391
[161]	2392	ret_val->keyname_raw = talloc_array(ret_val, uint8, ret_val->name_length);
	2393	if(ret_val->keyname_raw == NULL)
[99]	2394	{
[150]	2395	talloc_free(ret_val);
[99]	2396	return NULL;
	2397	}
	2398
	2399	/* Don't need to seek, should be at the right offset */
	2400	length = ret_val->name_length;
[161]	2401	if((regfi_read(file->fd, (uint8*)ret_val->keyname_raw, &length) != 0)
[99]	2402	\|\| length != ret_val->name_length)
	2403	{
[138]	2404	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	2405	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2406	talloc_free(ret_val);
[99]	2407	return NULL;
	2408	}
	2409
[126]	2410	return ret_val;
	2411	}
	2412
	2413
[160]	2414	uint8* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
	2415	uint16* name_length, uint32 max_size, bool strict)
[126]	2416	{
[160]	2417	uint8* ret_val = NULL;
[126]	2418	uint32 length;
	2419	uint32 cell_length;
	2420	bool unalloc = false;
	2421
[135]	2422	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]	2423	&& (offset & 0x00000007) == 0)
[131]	2424	{
[126]	2425	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	2426	{
[138]	2427	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2428	" while parsing class name at offset 0x%.8X.", offset);
[126]	2429	return NULL;
[137]	2430	}
[126]	2431
[157]	2432	if((cell_length & 0x0000007) != 0)
[137]	2433	{
[138]	2434	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2435	" while parsing class name at offset 0x%.8X.", offset);
[131]	2436	return NULL;
[137]	2437	}
	2438
[131]	2439	if(cell_length > max_size)
[125]	2440	{
[138]	2441	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2442	"boundary while parsing class name at offset 0x%.8X.",
	2443	offset);
[126]	2444	if(strict)
	2445	return NULL;
[131]	2446	cell_length = max_size;
[126]	2447	}
[131]	2448
	2449	if((cell_length - 4) < *name_length)
	2450	{
[138]	2451	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2452	" cell_length while parsing class name at offset"
	2453	" 0x%.8X.", offset);
[131]	2454	if(strict)
	2455	return NULL;
	2456	*name_length = cell_length - 4;
	2457	}
[126]	2458
[160]	2459	ret_val = talloc_array(NULL, uint8, *name_length);
[126]	2460	if(ret_val != NULL)
	2461	{
	2462	length = *name_length;
[160]	2463	if((regfi_read(file->fd, ret_val, &length) != 0)
[126]	2464	\|\| length != *name_length)
[125]	2465	{
[138]	2466	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2467	" while parsing class name at offset 0x%.8X.", offset);
[150]	2468	talloc_free(ret_val);
[126]	2469	return NULL;
[125]	2470	}
	2471	}
	2472	}
	2473
[99]	2474	return ret_val;
	2475	}
	2476
	2477
[152]	2478	/******************************************************************************
	2479	*******************************************************************************/
[135]	2480	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
[145]	2481	uint32 max_size, bool strict)
[97]	2482	{
[135]	2483	REGFI_VK_REC* ret_val;
[101]	2484	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	2485	uint32 raw_data_size, length, cell_length;
	2486	bool unalloc = false;
[97]	2487
[101]	2488	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	2489	&cell_length, &unalloc))
[137]	2490	{
[138]	2491	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2492	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2493	return NULL;
[137]	2494	}
[111]	2495
[150]	2496	ret_val = talloc(NULL, REGFI_VK_REC);
[101]	2497	if(ret_val == NULL)
	2498	return NULL;
	2499
	2500	ret_val->offset = offset;
	2501	ret_val->cell_size = cell_length;
[150]	2502	ret_val->data = NULL;
	2503	ret_val->valuename = NULL;
[162]	2504	ret_val->valuename_raw = NULL;
[150]	2505
[101]	2506	if(ret_val->cell_size > max_size)
	2507	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2508	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2509	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2510	{
[138]	2511	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2512	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2513	talloc_free(ret_val);
[101]	2514	return NULL;
	2515	}
[97]	2516
[101]	2517	ret_val->magic[0] = vk_header[0x0];
	2518	ret_val->magic[1] = vk_header[0x1];
	2519	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2520	{
[124]	2521	/* XXX: This does not account for deleted keys under Win2K which
	2522	* often have this (and the name length) overwritten with
	2523	* 0xFFFF.
	2524	*/
[138]	2525	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2526	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2527	talloc_free(ret_val);
[101]	2528	return NULL;
	2529	}
	2530
	2531	ret_val->name_length = SVAL(vk_header, 0x2);
	2532	raw_data_size = IVAL(vk_header, 0x4);
[135]	2533	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2534	/* The data is typically stored in the offset if the size <= 4,
	2535	* in which case this flag is set.
	2536	*/
[135]	2537	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2538	ret_val->data_off = IVAL(vk_header, 0x8);
	2539	ret_val->type = IVAL(vk_header, 0xC);
[162]	2540	ret_val->flags = SVAL(vk_header, 0x10);
[101]	2541	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2542
[162]	2543	if(ret_val->name_length > 0)
[101]	2544	{
[113]	2545	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2546	{
[138]	2547	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2548	" space while parsing VK record at offset 0x%.8X.",
	2549	offset);
[101]	2550	if(strict)
	2551	{
[150]	2552	talloc_free(ret_val);
[101]	2553	return NULL;
	2554	}
	2555	else
[113]	2556	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2557	}
	2558
	2559	/* Round up to the next multiple of 8 */
[113]	2560	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2561	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2562	cell_length+=8;
[101]	2563
[162]	2564	ret_val->valuename_raw = talloc_array(ret_val, uint8, ret_val->name_length);
	2565	if(ret_val->valuename_raw == NULL)
[101]	2566	{
[150]	2567	talloc_free(ret_val);
[101]	2568	return NULL;
	2569	}
[113]	2570
[101]	2571	length = ret_val->name_length;
[162]	2572	if((regfi_read(file->fd, (uint8*)ret_val->valuename_raw, &length) != 0)
[101]	2573	\|\| length != ret_val->name_length)
	2574	{
[138]	2575	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2576	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2577	talloc_free(ret_val);
[101]	2578	return NULL;
	2579	}
	2580	}
	2581	else
[113]	2582	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2583
	2584	if(unalloc)
	2585	{
	2586	/* If cell_size is still greater, truncate. */
[113]	2587	if(cell_length < ret_val->cell_size)
	2588	ret_val->cell_size = cell_length;
[101]	2589	}
	2590
	2591	return ret_val;
[97]	2592	}
[101]	2593
	2594
[152]	2595	/******************************************************************************
[157]	2596	*
	2597	******************************************************************************/
[159]	2598	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32 voffset,
[157]	2599	uint32 length, bool data_in_offset,
	2600	bool strict)
[101]	2601	{
[151]	2602	REGFI_BUFFER ret_val;
[157]	2603	uint32 cell_length, offset;
	2604	int32 max_size;
[101]	2605	bool unalloc;
[151]	2606
[159]	2607	/* Microsoft's documentation indicates that "available memory" is
	2608	* the limit on value sizes. Annoying. We limit it to 1M which
	2609	* should rarely be exceeded, unless the file is corrupt or
	2610	* malicious. For more info, see:
	2611	* http://msdn2.microsoft.com/en-us/library/ms724872.aspx
	2612	*/
[160]	2613	/* XXX: add way to skip this check at user discression. */
	2614	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	2615	{
[160]	2616	regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
	2617	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
	2618	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	2619	}
	2620
[145]	2621	if(data_in_offset)
[157]	2622	return regfi_parse_little_data(file, voffset, length, strict);
	2623	else
[101]	2624	{
[157]	2625	offset = voffset + REGFI_REGF_SIZE;
	2626	max_size = regfi_calc_maxsize(file, offset);
	2627	if(max_size < 0)
[137]	2628	{
[157]	2629	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
	2630	" at offset 0x%.8X.", offset);
[151]	2631	goto fail;
[137]	2632	}
[157]	2633
[101]	2634	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	2635	&cell_length, &unalloc))
[137]	2636	{
[138]	2637	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2638	" parsing data record at offset 0x%.8X.", offset);
[151]	2639	goto fail;
[137]	2640	}
[111]	2641
[157]	2642	if((cell_length & 0x00000007) != 0)
[137]	2643	{
[138]	2644	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2645	" while parsing data record at offset 0x%.8X.",
	2646	offset);
[151]	2647	goto fail;
[137]	2648	}
[101]	2649
[131]	2650	if(cell_length > max_size)
	2651	{
[145]	2652	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
	2653	" while parsing data record at offset 0x%.8X.",
[137]	2654	offset);
[157]	2655	goto fail;
[131]	2656	}
	2657
[101]	2658	if(cell_length - 4 < length)
	2659	{
[155]	2660	/* XXX: All big data records thus far have been 16 bytes long.
	2661	* Should we check for this precise size instead of just
	2662	* relying upon the above check?
	2663	*/
[152]	2664	if (file->major_version >= 1 && file->minor_version >= 5)
	2665	{
	2666	/* Attempt to parse a big data record */
[157]	2667	return regfi_load_big_data(file, offset, length, cell_length,
	2668	NULL, strict);
[152]	2669	}
[101]	2670	else
[152]	2671	{
	2672	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
	2673	" remaining cell length (0x%.8X)"
	2674	" while parsing data record at offset 0x%.8X.",
	2675	length, cell_length - 4, offset);
	2676	if(strict)
	2677	goto fail;
	2678	else
	2679	length = cell_length - 4;
	2680	}
[101]	2681	}
	2682
[157]	2683	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	2684	}
	2685
	2686	return ret_val;
[151]	2687
	2688	fail:
	2689	ret_val.buf = NULL;
	2690	ret_val.len = 0;
	2691	return ret_val;
[101]	2692	}
[110]	2693
	2694
[152]	2695	/******************************************************************************
[157]	2696	* Parses the common case data records stored in a single cell.
	2697	******************************************************************************/
	2698	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32 offset,
	2699	uint32 length, bool strict)
	2700	{
	2701	REGFI_BUFFER ret_val;
	2702	uint32 read_length;
	2703
	2704	ret_val.buf = NULL;
	2705	ret_val.len = 0;
	2706
	2707	if(lseek(file->fd, offset+4, SEEK_SET) == -1)
	2708	{
	2709	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
	2710	"reading data at offset 0x%.8X.", offset);
	2711	return ret_val;
	2712	}
	2713
[159]	2714	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2715	return ret_val;
	2716	ret_val.len = length;
	2717
	2718	read_length = length;
	2719	if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
	2720	\|\| read_length != length)
	2721	{
	2722	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
	2723	" parsing data record at offset 0x%.8X.", offset);
	2724	talloc_free(ret_val.buf);
	2725	ret_val.buf = NULL;
	2726	ret_val.buf = 0;
	2727	}
	2728
	2729	return ret_val;
	2730	}
	2731
	2732
	2733
	2734	/******************************************************************************
	2735	*
	2736	******************************************************************************/
	2737	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32 voffset,
	2738	uint32 length, bool strict)
	2739	{
	2740	REGFI_BUFFER ret_val;
	2741	uint8 i;
	2742
	2743	ret_val.buf = NULL;
	2744	ret_val.len = 0;
	2745
	2746	if(length > 4)
	2747	{
	2748	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
	2749	" while parsing data record. (voffset=0x%.8X, length=%d)",
	2750	voffset, length);
	2751	return ret_val;
	2752	}
	2753
[159]	2754	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2755	return ret_val;
	2756	ret_val.len = length;
	2757
	2758	for(i = 0; i < length; i++)
	2759	ret_val.buf[i] = (uint8)((voffset >> i*8) & 0xFF);
	2760
	2761	return ret_val;
	2762	}
	2763
	2764	/******************************************************************************
[152]	2765	*******************************************************************************/
[157]	2766	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32 offset,
	2767	uint32 max_size, bool strict)
[152]	2768	{
	2769	REGFI_BUFFER ret_val;
[157]	2770	uint32 cell_length;
[152]	2771	bool unalloc;
[157]	2772
	2773	/* XXX: do something with unalloc? */
	2774	ret_val.buf = (uint8*)talloc_array(NULL, uint8, REGFI_BIG_DATA_MIN_LENGTH);
	2775	if(ret_val.buf == NULL)
[152]	2776	goto fail;
	2777
[157]	2778	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	2779	{
	2780	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
	2781	"while parsing big data header at offset 0x%.8X.",offset);
	2782	goto fail;
	2783	}
	2784
	2785	if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	2786	&cell_length, &unalloc))
	2787	{
	2788	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]	2789	" parsing big data header at offset 0x%.8X.", offset);
[152]	2790	goto fail;
	2791	}
[157]	2792
	2793	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	2794	{
	2795	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
	2796	" (0x%.2X, 0x%.2X) encountered while parsing"
[157]	2797	" big data header at offset 0x%.8X.",
	2798	ret_val.buf[0], ret_val.buf[1], offset);
[152]	2799	goto fail;
	2800	}
	2801
[157]	2802	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	2803	return ret_val;
	2804
	2805	fail:
	2806	if(ret_val.buf != NULL)
	2807	{
	2808	talloc_free(ret_val.buf);
	2809	ret_val.buf = NULL;
	2810	}
	2811	ret_val.len = 0;
	2812	return ret_val;
	2813	}
	2814
	2815
	2816
	2817	/******************************************************************************
	2818	*
	2819	******************************************************************************/
	2820	uint32* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32 offset,
	2821	uint16 num_chunks, bool strict)
	2822	{
	2823	uint32* ret_val;
	2824	uint32 indirect_length;
	2825	int32 max_size;
	2826	uint16 i;
	2827	bool unalloc;
	2828
	2829	/* XXX: do something with unalloc? */
	2830
	2831	max_size = regfi_calc_maxsize(file, offset);
	2832	if((max_size < 0) \|\| (num_chunks*sizeof(uint32) + 4 > max_size))
	2833	return NULL;
	2834
	2835	ret_val = (uint32*)talloc_array(NULL, uint32, num_chunks);
	2836	if(ret_val == NULL)
[152]	2837	goto fail;
	2838
[157]	2839	if(!regfi_parse_cell(file->fd, offset, (uint8*)ret_val,
[152]	2840	num_chunks*sizeof(uint32),
	2841	&indirect_length, &unalloc))
	2842	{
	2843	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2844	" parsing big data indirect record at offset 0x%.8X.",
	2845	offset);
	2846	goto fail;
	2847	}
[157]	2848
	2849	/* Convert pointers to proper endianess, verify they are aligned. */
	2850	for(i=0; i<num_chunks; i++)
[152]	2851	{
[157]	2852	ret_val[i] = IVAL(ret_val, i*sizeof(uint32));
	2853	if((ret_val[i] & 0x00000007) != 0)
	2854	goto fail;
[152]	2855	}
[157]	2856
	2857	return ret_val;
[152]	2858
[157]	2859	fail:
	2860	if(ret_val != NULL)
	2861	talloc_free(ret_val);
	2862	return NULL;
	2863	}
	2864
	2865
	2866	/******************************************************************************
	2867	* Arguments:
	2868	* file --
	2869	* offsets -- list of virtual offsets.
	2870	* num_chunks --
	2871	* strict --
	2872	*
	2873	* Returns:
	2874	* A range_list with physical offsets and complete lengths
	2875	* (including cell headers) of associated cells.
	2876	* No data in range_list elements.
	2877	******************************************************************************/
	2878	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32* offsets,
	2879	uint16 num_chunks, bool strict)
	2880	{
	2881	uint32 cell_length, chunk_offset, data_left;
	2882	range_list* ret_val;
	2883	uint16 i;
	2884	bool unalloc;
	2885
	2886	/* XXX: do something with unalloc? */
	2887	ret_val = range_list_new();
	2888	if(ret_val == NULL)
	2889	goto fail;
	2890
[152]	2891	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2892	{
[157]	2893	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
	2894	if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
	2895	&cell_length, &unalloc))
[152]	2896	{
	2897	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2898	" parsing big data chunk at offset 0x%.8X.",
	2899	chunk_offset);
[157]	2900	goto fail;
[152]	2901	}
	2902
[157]	2903	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	2904	goto fail;
	2905	}
	2906
	2907	return ret_val;
	2908
	2909	fail:
	2910	if(ret_val != NULL)
	2911	range_list_free(ret_val);
	2912	return NULL;
	2913	}
	2914
	2915
	2916	/******************************************************************************
	2917	*******************************************************************************/
	2918	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
	2919	uint32 offset, uint32 data_length,
	2920	uint32 cell_length, range_list* used_ranges,
	2921	bool strict)
	2922	{
	2923	REGFI_BUFFER ret_val;
	2924	uint16 num_chunks, i;
	2925	uint32 read_length, data_left, tmp_len, indirect_offset;
	2926	uint32* indirect_ptrs = NULL;
	2927	REGFI_BUFFER bd_header;
	2928	range_list* bd_cells = NULL;
	2929	const range_list_element* cell_info;
	2930
	2931	ret_val.buf = NULL;
	2932
	2933	/* XXX: Add better error/warning messages */
	2934
	2935	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	2936	if(bd_header.buf == NULL)
	2937	goto fail;
	2938
	2939	/* Keep track of used space for use by reglookup-recover */
	2940	if(used_ranges != NULL)
	2941	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	2942	goto fail;
	2943
	2944	num_chunks = SVAL(bd_header.buf, 0x2);
	2945	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	2946	talloc_free(bd_header.buf);
	2947
	2948	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	2949	num_chunks, strict);
	2950	if(indirect_ptrs == NULL)
	2951	goto fail;
	2952
	2953	if(used_ranges != NULL)
	2954	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	2955	goto fail;
	2956
	2957	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	2958	goto fail;
	2959	data_left = data_length;
	2960
	2961	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	2962	if(bd_cells == NULL)
	2963	goto fail;
	2964
	2965	talloc_free(indirect_ptrs);
	2966	indirect_ptrs = NULL;
	2967
	2968	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2969	{
	2970	cell_info = range_list_get(bd_cells, i);
	2971	if(cell_info == NULL)
	2972	goto fail;
	2973
	2974	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	2975	* length. However, it has been observed that some (all?) chunks
	2976	* have an additional 4 bytes of 0 at the end of their cells that
	2977	* isn't part of the data, so we're trimming that off too.
[157]	2978	* Perhaps it's just an 8 byte alignment requirement...
[154]	2979	*/
[157]	2980	if(cell_info->length - 8 >= data_left)
	2981	{
	2982	if(i+1 != num_chunks)
	2983	{
	2984	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
	2985	"while constructing big data at offset 0x%.8X "
	2986	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2987	}
[152]	2988	read_length = data_left;
[157]	2989	}
[152]	2990	else
[157]	2991	read_length = cell_info->length - 8;
[152]	2992
[157]	2993
	2994	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	2995	{
	2996	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
	2997	"while constructing big data at offset 0x%.8X "
	2998	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	2999	goto fail;
	3000	}
	3001
	3002	if(lseek(file->fd, cell_info->offset+sizeof(uint32), SEEK_SET) == -1)
	3003	{
	3004	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
	3005	"constructing big data at offset 0x%.8X "
	3006	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3007	goto fail;
	3008	}
	3009
	3010	tmp_len = read_length;
[152]	3011	if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
[157]	3012	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	3013	{
	3014	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]	3015	" constructing big data at offset 0x%.8X"
	3016	" (chunk offset 0x%.8X).", offset, cell_info->offset);
	3017	goto fail;
[152]	3018	}
	3019
[157]	3020	if(used_ranges != NULL)
	3021	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	3022	goto fail;
	3023
[152]	3024	data_left -= read_length;
	3025	}
[157]	3026	range_list_free(bd_cells);
	3027
[152]	3028	ret_val.len = data_length-data_left;
	3029	return ret_val;
	3030
	3031	fail:
[157]	3032	if(ret_val.buf != NULL)
	3033	talloc_free(ret_val.buf);
	3034	if(indirect_ptrs != NULL)
	3035	talloc_free(indirect_ptrs);
	3036	if(bd_cells != NULL)
	3037	range_list_free(bd_cells);
[152]	3038	ret_val.buf = NULL;
	3039	ret_val.len = 0;
	3040	return ret_val;
	3041	}
	3042
	3043
[135]	3044	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3045	{
	3046	range_list* ret_val;
[135]	3047	REGFI_HBIN* hbin;
[110]	3048	const range_list_element* hbins_elem;
	3049	uint32 i, num_hbins, curr_off, cell_len;
	3050	bool is_unalloc;
	3051
	3052	ret_val = range_list_new();
	3053	if(ret_val == NULL)
	3054	return NULL;
	3055
	3056	num_hbins = range_list_size(file->hbins);
	3057	for(i=0; i<num_hbins; i++)
	3058	{
	3059	hbins_elem = range_list_get(file->hbins, i);
	3060	if(hbins_elem == NULL)
	3061	break;
[135]	3062	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3063
[135]	3064	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3065	while(curr_off < hbin->block_size)
	3066	{
	3067	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	3068	&cell_len, &is_unalloc))
	3069	break;
	3070
[157]	3071	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3072	{
	3073	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	3074	" while parsing unallocated cells at offset 0x%.8X.",
	3075	hbin->file_off+curr_off);
[110]	3076	break;
[140]	3077	}
	3078
[110]	3079	/* for some reason the record_size of the last record in
	3080	an hbin block can extend past the end of the block
	3081	even though the record fits within the remaining
	3082	space....aaarrrgggghhhhhh */
	3083	if(curr_off + cell_len >= hbin->block_size)
	3084	cell_len = hbin->block_size - curr_off;
	3085
	3086	if(is_unalloc)
	3087	range_list_add(ret_val, hbin->file_off+curr_off,
	3088	cell_len, NULL);
	3089
	3090	curr_off = curr_off+cell_len;
	3091	}
	3092	}
	3093
	3094	return ret_val;
	3095	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: