Context Navigation

source: trunk/lib/regfi.c @ 165

Last change on this file since 165 was 165, checked in by tim, 14 years ago
added misc comments
Property svn:keywords set to `Id`
File size: 85.8 KB

Rev	Line
[30]	1	/*
	2	* Branched from Samba project Subversion repository, version #7470:
[84]	3	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
[30]	4	*
[134]	5	* Windows NT (and later) registry parsing library
[30]	6	*
[132]	7	* Copyright (C) 2005-2009 Timothy D. Morgan
[30]	8	* Copyright (C) 2005 Gerald (Jerry) Carter
	9	*
	10	* This program is free software; you can redistribute it and/or modify
	11	* it under the terms of the GNU General Public License as published by
[111]	12	* the Free Software Foundation; version 3 of the License.
[30]	13	*
	14	* This program is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	17	* GNU General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU General Public License
	20	* along with this program; if not, write to the Free Software
[161]	21	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	22	*
	23	* $Id: regfi.c 165 2009-12-12 03:13:27Z tim $
	24	*/
	25
[147]	26	#include "regfi.h"
[30]	27
	28
[32]	29	/* Registry types mapping */
[78]	30	const unsigned int regfi_num_reg_types = 12;
	31	static const char* regfi_type_names[] =
[65]	32	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	33	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	34
[161]	35	const char* regfi_encoding_names[] =
	36	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	37
[135]	38
	39	/******************************************************************************
	40	******************************************************************************/
[138]	41	void regfi_add_message(REGFI_FILE* file, uint16 msg_type, const char* fmt, ...)
[135]	42	{
[136]	43	/* XXX: This function is not particularly efficient,
[135]	44	* but then it is mostly used during errors.
	45	*/
[136]	46	uint32 buf_size, buf_used;
	47	char* new_msg;
	48	va_list args;
[135]	49
[138]	50	if((file->msg_mask & msg_type) != 0)
	51	{
	52	if(file->last_message == NULL)
	53	buf_used = 0;
	54	else
	55	buf_used = strlen(file->last_message);
	56
	57	buf_size = buf_used+strlen(fmt)+160;
	58	new_msg = realloc(file->last_message, buf_size);
	59	if(new_msg == NULL)
	60	/* XXX: should we report this? */
	61	return;
[135]	62
[138]	63	switch (msg_type)
	64	{
	65	case REGFI_MSG_INFO:
	66	strcpy(new_msg+buf_used, "INFO: ");
	67	buf_used += 6;
	68	break;
	69	case REGFI_MSG_WARN:
	70	strcpy(new_msg+buf_used, "WARN: ");
	71	buf_used += 6;
	72	break;
	73	case REGFI_MSG_ERROR:
	74	strcpy(new_msg+buf_used, "ERROR: ");
	75	buf_used += 7;
	76	break;
	77	}
[136]	78
[138]	79	va_start(args, fmt);
	80	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	81	va_end(args);
	82	strncat(new_msg, "\n", buf_size-1);
	83
	84	file->last_message = new_msg;
	85	}
[135]	86	}
	87
	88
	89	/******************************************************************************
	90	******************************************************************************/
[136]	91	char* regfi_get_messages(REGFI_FILE* file)
[135]	92	{
	93	char* ret_val = file->last_message;
	94	file->last_message = NULL;
	95
	96	return ret_val;
	97	}
	98
	99
[138]	100	void regfi_set_message_mask(REGFI_FILE* file, uint16 mask)
	101	{
	102	file->msg_mask = mask;
	103	}
	104
	105
[161]	106	/******************************************************************************
	107	* Returns NULL for an invalid e
	108	*****************************************************************************/
	109	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	110	{
	111	if(e < REGFI_NUM_ENCODINGS)
	112	return regfi_encoding_names[e];
	113
	114	return NULL;
	115	}
	116
	117
	118	/******************************************************************************
	119	* Returns NULL for an invalid val
	120	*****************************************************************************/
[78]	121	const char* regfi_type_val2str(unsigned int val)
[32]	122	{
[61]	123	if(val == REG_KEY)
	124	return "KEY";
	125
[78]	126	if(val >= regfi_num_reg_types)
[61]	127	return NULL;
	128
[78]	129	return regfi_type_names[val];
[32]	130	}
	131
	132
[161]	133	/******************************************************************************
	134	* Returns -1 on error
	135	*****************************************************************************/
[78]	136	int regfi_type_str2val(const char* str)
[32]	137	{
	138	int i;
	139
[61]	140	if(strcmp("KEY", str) == 0)
	141	return REG_KEY;
[32]	142
[78]	143	for(i=0; i < regfi_num_reg_types; i++)
	144	if (strcmp(regfi_type_names[i], str) == 0)
[61]	145	return i;
	146
	147	if(strcmp("DWORD_LE", str) == 0)
	148	return REG_DWORD_LE;
	149
	150	return -1;
[32]	151	}
	152
	153
[135]	154	/* Security descriptor formatting functions */
[53]	155
[78]	156	const char* regfi_ace_type2str(uint8 type)
[53]	157	{
	158	static const char* map[7]
	159	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	160	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	161	if(type < 7)
	162	return map[type];
	163	else
	164	/* XXX: would be nice to return the unknown integer value.
	165	* However, as it is a const string, it can't be free()ed later on,
	166	* so that would need to change.
	167	*/
	168	return "UNKNOWN";
	169	}
	170
	171
[76]	172	/* XXX: need a better reference on the meaning of each flag. */
	173	/* For more info, see:
	174	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	175	*/
[78]	176	char* regfi_ace_flags2str(uint8 flags)
[53]	177	{
[76]	178	static const char* flag_map[32] =
[87]	179	{ "OI", /* Object Inherit */
	180	"CI", /* Container Inherit */
	181	"NP", /* Non-Propagate */
	182	"IO", /* Inherit Only */
	183	"IA", /* Inherited ACE */
[76]	184	NULL,
	185	NULL,
	186	NULL,
	187	};
[53]	188
[76]	189	char* ret_val = malloc(35*sizeof(char));
	190	char* fo = ret_val;
	191	uint32 i;
	192	uint8 f;
	193
	194	if(ret_val == NULL)
[53]	195	return NULL;
	196
[76]	197	fo[0] = '\0';
[53]	198	if (!flags)
[76]	199	return ret_val;
[53]	200
[76]	201	for(i=0; i < 8; i++)
	202	{
	203	f = (1<<i);
	204	if((flags & f) && (flag_map[i] != NULL))
	205	{
	206	strcpy(fo, flag_map[i]);
	207	fo += strlen(flag_map[i]);
	208	*(fo++) = ' ';
	209	flags ^= f;
	210	}
[53]	211	}
[76]	212
	213	/* Any remaining unknown flags are added at the end in hex. */
	214	if(flags != 0)
	215	sprintf(fo, "0x%.2X ", flags);
	216
	217	/* Chop off the last space if we've written anything to ret_val */
	218	if(fo != ret_val)
	219	fo[-1] = '\0';
	220
	221	return ret_val;
[53]	222	}
	223
	224
[78]	225	char* regfi_ace_perms2str(uint32 perms)
[53]	226	{
[76]	227	uint32 i, p;
	228	/* This is more than is needed by a fair margin. */
	229	char* ret_val = malloc(350*sizeof(char));
	230	char* r = ret_val;
	231
	232	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	233	* For more information, see:
	234	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	235	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	236	*/
	237	static const char* perm_map[32] =
	238	{/* object-specific permissions (registry keys, in this case) */
	239	"QRY_VAL", /* KEY_QUERY_VALUE */
	240	"SET_VAL", /* KEY_SET_VALUE */
	241	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	242	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	243	"NOTIFY", /* KEY_NOTIFY */
	244	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	245	NULL,
	246	NULL,
	247	"WOW64_64", /* KEY_WOW64_64KEY */
	248	"WOW64_32", /* KEY_WOW64_32KEY */
	249	NULL,
	250	NULL,
	251	NULL,
	252	NULL,
	253	NULL,
	254	NULL,
	255	/* standard access rights */
	256	"DELETE", /* DELETE */
	257	"R_CONT", /* READ_CONTROL */
	258	"W_DAC", /* WRITE_DAC */
	259	"W_OWNER", /* WRITE_OWNER */
	260	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	261	NULL,
	262	NULL,
	263	NULL,
	264	/* other generic */
	265	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	266	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	267	NULL,
	268	NULL,
	269	"GEN_A", /* GENERIC_ALL */
	270	"GEN_X", /* GENERIC_EXECUTE */
	271	"GEN_W", /* GENERIC_WRITE */
	272	"GEN_R", /* GENERIC_READ */
	273	};
	274
	275
[53]	276	if(ret_val == NULL)
	277	return NULL;
	278
[76]	279	r[0] = '\0';
	280	for(i=0; i < 32; i++)
	281	{
	282	p = (1<<i);
	283	if((perms & p) && (perm_map[i] != NULL))
	284	{
	285	strcpy(r, perm_map[i]);
	286	r += strlen(perm_map[i]);
	287	*(r++) = ' ';
	288	perms ^= p;
	289	}
	290	}
	291
	292	/* Any remaining unknown permission bits are added at the end in hex. */
	293	if(perms != 0)
	294	sprintf(r, "0x%.8X ", perms);
[53]	295
[76]	296	/* Chop off the last space if we've written anything to ret_val */
	297	if(r != ret_val)
	298	r[-1] = '\0';
	299
[53]	300	return ret_val;
	301	}
	302
	303
[134]	304	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	305	{
[134]	306	uint32 i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
[53]	307	uint32 left = size;
	308	uint8 comps = sid->num_auths;
	309	char* ret_val = malloc(size);
	310
	311	if(ret_val == NULL)
	312	return NULL;
	313
[134]	314	if(comps > WINSEC_MAX_SUBAUTHS)
	315	comps = WINSEC_MAX_SUBAUTHS;
[53]	316
	317	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	318
	319	for (i = 0; i < comps; i++)
	320	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	321
	322	return ret_val;
	323	}
	324
	325
[134]	326	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	327	{
	328	uint32 i, extra, size = 0;
	329	const char* type_str;
	330	char* flags_str;
	331	char* perms_str;
	332	char* sid_str;
[61]	333	char* ace_delim = "";
[53]	334	char* ret_val = NULL;
[61]	335	char* tmp_val = NULL;
	336	bool failed = false;
[53]	337	char field_delim = ':';
	338
[61]	339	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	340	{
[134]	341	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	342	type_str = regfi_ace_type2str(acl->aces[i]->type);
	343	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	344	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	345
[61]	346	if(flags_str != NULL && perms_str != NULL
	347	&& type_str != NULL && sid_str != NULL)
	348	{
	349	/* XXX: this is slow */
	350	extra = strlen(sid_str) + strlen(type_str)
[136]	351	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	352	tmp_val = realloc(ret_val, size+extra);
[53]	353
[61]	354	if(tmp_val == NULL)
	355	{
	356	free(ret_val);
[136]	357	ret_val = NULL;
[61]	358	failed = true;
	359	}
	360	else
	361	{
	362	ret_val = tmp_val;
[148]	363	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	364	ace_delim,sid_str,
	365	field_delim,type_str,
	366	field_delim,perms_str,
	367	field_delim,flags_str);
[61]	368	ace_delim = "\|";
	369	}
	370	}
	371	else
	372	failed = true;
	373
	374	if(sid_str != NULL)
	375	free(sid_str);
	376	if(sid_str != NULL)
	377	free(perms_str);
	378	if(sid_str != NULL)
	379	free(flags_str);
[53]	380	}
	381
	382	return ret_val;
	383	}
	384
	385
[134]	386	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	387	{
	388	if (sec_desc->sacl)
[78]	389	return regfi_get_acl(sec_desc->sacl);
[53]	390	else
	391	return NULL;
	392	}
	393
	394
[134]	395	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	396	{
	397	if (sec_desc->dacl)
[78]	398	return regfi_get_acl(sec_desc->dacl);
[53]	399	else
	400	return NULL;
	401	}
	402
	403
[134]	404	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	405	{
[78]	406	return regfi_sid2str(sec_desc->owner_sid);
[53]	407	}
	408
	409
[134]	410	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	411	{
[78]	412	return regfi_sid2str(sec_desc->grp_sid);
[53]	413	}
	414
	415
[101]	416	/*****************************************************************************
	417	* This function is just like read(2), except that it continues to
	418	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
	419	* regfi_read will attempt to read length bytes from fd and write them to buf.
	420	*
	421	* On success, 0 is returned. Upon failure, an errno code is returned.
	422	*
	423	* The number of bytes successfully read is returned through the length
	424	* parameter by reference. If both the return value and length parameter are
	425	* returned as 0, then EOF was encountered immediately
	426	*****************************************************************************/
	427	uint32 regfi_read(int fd, uint8* buf, uint32* length)
	428	{
	429	uint32 rsize = 0;
	430	uint32 rret = 0;
	431
	432	do
	433	{
	434	rret = read(fd, buf + rsize, *length - rsize);
	435	if(rret > 0)
	436	rsize += rret;
	437	}while(*length - rsize > 0
	438	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	439
	440	*length = rsize;
	441	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	442	return errno;
	443
	444	return 0;
	445	}
	446
	447
	448	/*****************************************************************************
	449	*
	450	*****************************************************************************/
[111]	451	bool regfi_parse_cell(int fd, uint32 offset, uint8* hdr, uint32 hdr_len,
	452	uint32* cell_length, bool* unalloc)
[101]	453	{
	454	uint32 length;
	455	int32 raw_length;
	456	uint8 tmp[4];
	457
	458	if(lseek(fd, offset, SEEK_SET) == -1)
	459	return false;
	460
	461	length = 4;
	462	if((regfi_read(fd, tmp, &length) != 0) \|\| length != 4)
	463	return false;
	464	raw_length = IVALS(tmp, 0);
	465
	466	if(raw_length < 0)
	467	{
	468	(cell_length) = raw_length(-1);
	469	(*unalloc) = false;
	470	}
	471	else
	472	{
	473	(*cell_length) = raw_length;
	474	(*unalloc) = true;
	475	}
	476
[103]	477	if(*cell_length - 4 < hdr_len)
	478	return false;
	479
	480	if(hdr_len > 0)
	481	{
	482	length = hdr_len;
	483	if((regfi_read(fd, hdr, &length) != 0) \|\| length != hdr_len)
	484	return false;
	485	}
	486
[101]	487	return true;
	488	}
	489
	490
[157]	491	/******************************************************************************
[106]	492	* Given an offset and an hbin, is the offset within that hbin?
	493	* The offset is a virtual file offset.
[157]	494	******************************************************************************/
[146]	495	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32 voffset)
[30]	496	{
[106]	497	if(!hbin)
[31]	498	return false;
[106]	499
[145]	500	if((voffset > hbin->first_hbin_off)
	501	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	502	return true;
[30]	503
[31]	504	return false;
[30]	505	}
	506
	507
[106]	508
[157]	509	/******************************************************************************
	510	* Provide a physical offset and receive the correpsonding HBIN
[106]	511	* block for it. NULL if one doesn't exist.
[157]	512	******************************************************************************/
	513	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32 offset)
[30]	514	{
[157]	515	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	516	}
	517
	518
[157]	519	/******************************************************************************
	520	* Calculate the largest possible cell size given a physical offset.
	521	* Largest size is based on the HBIN the offset is currently a member of.
	522	* Returns negative values on error.
	523	* (Since cells can only be ~2^31 in size, this works out.)
	524	******************************************************************************/
	525	int32 regfi_calc_maxsize(REGFI_FILE* file, uint32 offset)
	526	{
	527	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	528	if(hbin == NULL)
	529	return -1;
[139]	530
[157]	531	return (hbin->block_size + hbin->file_off) - offset;
	532	}
	533
	534
[139]	535	/******************************************************************************
	536	******************************************************************************/
	537	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32 offset,
	538	uint32 num_keys, uint32 max_size,
	539	bool strict)
[127]	540	{
[135]	541	REGFI_SUBKEY_LIST* ret_val;
[134]	542
[139]	543	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	544	REGFI_MAX_SUBKEY_DEPTH);
[143]	545	if(ret_val == NULL)
	546	{
	547	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
	548	" offset 0x%.8X.", offset);
	549	return NULL;
	550	}
[139]	551
	552	if(num_keys != ret_val->num_keys)
	553	{
	554	/* Not sure which should be authoritative, the number from the
	555	* NK record, or the number in the subkey list. Just emit a warning for
	556	* now if they don't match.
	557	*/
	558	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	559	" (%d) did not match number found in subkey list/tree (%d)"
	560	" while parsing subkey list/tree at offset 0x%.8X.",
	561	num_keys, ret_val->num_keys, offset);
	562	}
	563
	564	return ret_val;
	565	}
	566
	567
	568	/******************************************************************************
	569	******************************************************************************/
	570	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32 offset,
	571	uint32 max_size, bool strict,
	572	uint8 depth_left)
	573	{
	574	REGFI_SUBKEY_LIST* ret_val;
	575	REGFI_SUBKEY_LIST** sublists;
[157]	576	uint32 i, num_sublists, off;
	577	int32 sublist_maxsize;
[139]	578
	579	if(depth_left == 0)
	580	{
	581	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	582	" while parsing subkey list/tree at offset 0x%.8X.",
	583	offset);
[127]	584	return NULL;
[139]	585	}
[134]	586
[139]	587	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	588	if(ret_val == NULL)
	589	return NULL;
[139]	590
	591	if(ret_val->recursive_type)
[127]	592	{
[139]	593	num_sublists = ret_val->num_children;
[150]	594	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	595	* sizeof(REGFI_SUBKEY_LIST*));
	596	for(i=0; i < num_sublists; i++)
[127]	597	{
[139]	598	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	599
	600	sublist_maxsize = regfi_calc_maxsize(file, off);
	601	if(sublist_maxsize < 0)
[139]	602	sublists[i] = NULL;
	603	else
[157]	604	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	605	strict, depth_left-1);
[127]	606	}
[150]	607	talloc_free(ret_val);
[134]	608
[139]	609	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	610	}
[30]	611
[127]	612	return ret_val;
	613	}
	614
	615
[139]	616	/******************************************************************************
	617	******************************************************************************/
	618	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32 offset,
	619	uint32 max_size, bool strict)
[30]	620	{
[135]	621	REGFI_SUBKEY_LIST* ret_val;
[150]	622	uint32 i, cell_length, length, elem_size, read_len;
	623	uint8* elements = NULL;
[127]	624	uint8 buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	625	bool unalloc;
[139]	626	bool recursive_type;
[30]	627
[127]	628	if(!regfi_parse_cell(file->fd, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	629	&cell_length, &unalloc))
[139]	630	{
	631	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	632	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	633	return NULL;
[139]	634	}
[30]	635
[116]	636	if(cell_length > max_size)
	637	{
[139]	638	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	639	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	640	if(strict)
	641	return NULL;
	642	cell_length = max_size & 0xFFFFFFF8;
	643	}
[30]	644
[139]	645	recursive_type = false;
[127]	646	if(buf[0] == 'r' && buf[1] == 'i')
[104]	647	{
[139]	648	recursive_type = true;
	649	elem_size = sizeof(uint32);
[104]	650	}
[139]	651	else if(buf[0] == 'l' && buf[1] == 'i')
[134]	652	elem_size = sizeof(uint32);
	653	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	654	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	655	else
	656	{
[139]	657	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	658	" (0x%.2X, 0x%.2X) encountered while parsing"
	659	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	660	return NULL;
	661	}
	662
[150]	663	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	664	if(ret_val == NULL)
	665	return NULL;
	666
	667	ret_val->offset = offset;
	668	ret_val->cell_size = cell_length;
[104]	669	ret_val->magic[0] = buf[0];
	670	ret_val->magic[1] = buf[1];
[139]	671	ret_val->recursive_type = recursive_type;
	672	ret_val->num_children = SVAL(buf, 0x2);
[101]	673
[139]	674	if(!recursive_type)
	675	ret_val->num_keys = ret_val->num_children;
[101]	676
[139]	677	length = elem_size*ret_val->num_children;
	678	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32) < length)
[134]	679	{
[139]	680	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	681	" cell while parsing subkey-list at offset 0x%.8X.",
	682	offset);
	683	if(strict)
[150]	684	goto fail;
[139]	685	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32);
[134]	686	}
[30]	687
[150]	688	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	689	ret_val->num_children);
[127]	690	if(ret_val->elements == NULL)
[150]	691	goto fail;
[30]	692
[150]	693	elements = (uint8*)malloc(length);
[139]	694	if(elements == NULL)
[150]	695	goto fail;
[30]	696
[150]	697	read_len = length;
	698	if(regfi_read(file->fd, elements, &read_len) != 0 \|\| read_len != length)
	699	goto fail;
[30]	700
[139]	701	if(elem_size == sizeof(uint32))
[104]	702	{
[139]	703	for (i=0; i < ret_val->num_children; i++)
[134]	704	{
[139]	705	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	706	ret_val->elements[i].hash = 0;
	707	}
[104]	708	}
[134]	709	else
	710	{
[139]	711	for (i=0; i < ret_val->num_children; i++)
[134]	712	{
[139]	713	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	714	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	715	}
	716	}
[139]	717	free(elements);
[30]	718
[104]	719	return ret_val;
[150]	720
	721	fail:
	722	if(elements != NULL)
	723	free(elements);
	724	talloc_free(ret_val);
	725	return NULL;
[30]	726	}
	727
	728
[139]	729	/*******************************************************************
	730	*******************************************************************/
	731	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16 num_lists,
	732	REGFI_SUBKEY_LIST** lists,
	733	bool strict)
	734	{
	735	uint32 i,j,k;
	736	REGFI_SUBKEY_LIST* ret_val;
[102]	737
[139]	738	if(lists == NULL)
	739	return NULL;
[150]	740	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	741
	742	if(ret_val == NULL)
	743	return NULL;
	744
	745	/* Obtain total number of elements */
	746	ret_val->num_keys = 0;
	747	for(i=0; i < num_lists; i++)
	748	{
	749	if(lists[i] != NULL)
	750	ret_val->num_keys += lists[i]->num_children;
	751	}
	752	ret_val->num_children = ret_val->num_keys;
	753
	754	if(ret_val->num_keys > 0)
	755	{
[150]	756	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	757	ret_val->num_keys);
[139]	758	k=0;
	759
	760	if(ret_val->elements != NULL)
	761	{
	762	for(i=0; i < num_lists; i++)
	763	{
	764	if(lists[i] != NULL)
	765	{
	766	for(j=0; j < lists[i]->num_keys; j++)
	767	{
[150]	768	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	769	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	770	}
	771	}
	772	}
	773	}
	774	}
	775
	776	for(i=0; i < num_lists; i++)
	777	regfi_subkeylist_free(lists[i]);
	778	free(lists);
	779
	780	return ret_val;
	781	}
	782
	783
[147]	784	/******************************************************************************
	785	*
	786	******************************************************************************/
	787	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32 offset, uint32 max_size,
	788	bool strict)
[30]	789	{
[135]	790	REGFI_SK_REC* ret_val;
[147]	791	uint8* sec_desc_buf = NULL;
[102]	792	uint32 cell_length, length;
	793	uint8 sk_header[REGFI_SK_MIN_LENGTH];
	794	bool unalloc = false;
[30]	795
[102]	796	if(!regfi_parse_cell(file->fd, offset, sk_header, REGFI_SK_MIN_LENGTH,
	797	&cell_length, &unalloc))
[137]	798	{
[138]	799	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	800	" at offset 0x%.8X.", offset);
[102]	801	return NULL;
[137]	802	}
[102]	803
	804	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	805	{
[138]	806	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	807	" SK record at offset 0x%.8X.", offset);
[102]	808	return NULL;
[137]	809	}
	810
[147]	811	ret_val = talloc(NULL, REGFI_SK_REC);
[102]	812	if(ret_val == NULL)
	813	return NULL;
[30]	814
[102]	815	ret_val->offset = offset;
[116]	816	/* XXX: Is there a way to be more conservative (shorter) with
	817	* cell length when cell is unallocated?
[111]	818	*/
[102]	819	ret_val->cell_size = cell_length;
[30]	820
[102]	821	if(ret_val->cell_size > max_size)
	822	ret_val->cell_size = max_size & 0xFFFFFFF8;
	823	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	824	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	825	{
[138]	826	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	827	" parsing SK record at offset 0x%.8X.", offset);
[147]	828	goto fail;
[102]	829	}
[30]	830
[102]	831	ret_val->magic[0] = sk_header[0];
	832	ret_val->magic[1] = sk_header[1];
[30]	833
[102]	834	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	835	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	836	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	837	ret_val->ref_count = IVAL(sk_header, 0xC);
	838	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	839
[157]	840	if((ret_val->prev_sk_off & 0x00000007) != 0
	841	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	842	{
	843	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	844	" are not a multiple of 8 while parsing SK record at"
	845	" offset 0x%.8X.", offset);
[147]	846	goto fail;
[140]	847	}
	848
[102]	849	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	850	{
[140]	851	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	852	" cell while parsing SK record at offset 0x%.8X.",
	853	offset);
[147]	854	goto fail;
[102]	855	}
[30]	856
[147]	857	sec_desc_buf = (uint8*)malloc(ret_val->desc_size);
	858	if(sec_desc_buf == NULL)
	859	goto fail;
[102]	860
[134]	861	length = ret_val->desc_size;
	862	if(regfi_read(file->fd, sec_desc_buf, &length) != 0
	863	\|\| length != ret_val->desc_size)
	864	{
[138]	865	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	866	" descriptor while parsing SK record at offset 0x%.8X.",
	867	offset);
[147]	868	goto fail;
[134]	869	}
[102]	870
[147]	871	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	872	ret_val->desc_size)))
[134]	873	{
[138]	874	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	875	" descriptor while parsing SK record at offset 0x%.8X.",
	876	offset);
[147]	877	goto fail;
[134]	878	}
[147]	879
[134]	880	free(sec_desc_buf);
[147]	881	return ret_val;
[134]	882
[147]	883	fail:
	884	if(sec_desc_buf != NULL)
	885	free(sec_desc_buf);
	886	talloc_free(ret_val);
	887	return NULL;
[30]	888	}
	889
	890
[145]	891	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32 offset,
	892	uint32 num_values, bool strict)
[111]	893	{
[145]	894	REGFI_VALUE_LIST* ret_val;
[111]	895	uint32 i, cell_length, length, read_len;
	896	bool unalloc;
[30]	897
[111]	898	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	899	{
[138]	900	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	901	" while parsing value list at offset 0x%.8X.", offset);
[111]	902	return NULL;
[137]	903	}
[111]	904
[157]	905	if((cell_length & 0x00000007) != 0)
[111]	906	{
[145]	907	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
	908	" while parsing value list at offset 0x%.8X.", offset);
[111]	909	if(strict)
	910	return NULL;
	911	cell_length = cell_length & 0xFFFFFFF8;
	912	}
[145]	913
[111]	914	if((num_values * sizeof(uint32)) > cell_length-sizeof(uint32))
[137]	915	{
[140]	916	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	917	" while parsing value list at offset 0x%.8X.", offset);
[145]	918	if(strict)
	919	return NULL;
	920	num_values = cell_length/sizeof(uint32) - sizeof(uint32);
[137]	921	}
[111]	922
	923	read_len = num_values*sizeof(uint32);
[150]	924	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	925	if(ret_val == NULL)
	926	return NULL;
	927
[150]	928	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	929	if(ret_val->elements == NULL)
	930	{
[150]	931	talloc_free(ret_val);
[145]	932	return NULL;
	933	}
	934	ret_val->num_values = num_values;
	935
[111]	936	length = read_len;
[145]	937	if((regfi_read(file->fd, (uint8*)ret_val->elements, &length) != 0)
	938	\|\| length != read_len)
[111]	939	{
[138]	940	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	941	" while parsing value list at offset 0x%.8X.", offset);
[150]	942	talloc_free(ret_val);
[111]	943	return NULL;
	944	}
	945
	946	for(i=0; i < num_values; i++)
	947	{
	948	/* Fix endianness */
[145]	949	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	950
	951	/* Validate the first num_values values to ensure they make sense */
	952	if(strict)
	953	{
[145]	954	/* XXX: Need to revisit this file length check when we start dealing
	955	* with partial files. */
	956	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	957	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	958	{
[145]	959	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]	960	" (0x%.8X) found while parsing value list at offset"
[145]	961	" 0x%.8X.", ret_val->elements[i], offset);
[150]	962	talloc_free(ret_val);
[111]	963	return NULL;
	964	}
	965	}
	966	}
	967
	968	return ret_val;
	969	}
	970
	971
	972
[103]	973	/******************************************************************************
	974	******************************************************************************/
[162]	975	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32 offset,
	976	REGFI_ENCODING output_encoding, bool strict)
[30]	977	{
[145]	978	REGFI_VK_REC* ret_val = NULL;
[162]	979	int32 max_size, tmp_size;
	980	REGFI_ENCODING from_encoding;
[30]	981
[157]	982	max_size = regfi_calc_maxsize(file, offset);
	983	if(max_size < 0)
[103]	984	return NULL;
[145]	985
[157]	986	ret_val = regfi_parse_vk(file, offset, max_size, strict);
[103]	987	if(ret_val == NULL)
	988	return NULL;
[145]	989
[165]	990	/* XXX: Registry value names are supposedly limited to 16383 characters
	991	* according to:
	992	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	993	* Might want to emit a warning if this is exceeded.
	994	* It is expected that "characters" could be variable width.
	995	* Also, it may be useful to use this information to limit false positives
	996	* when recovering deleted VK records.
	997	*/
	998
[162]	999	from_encoding = (ret_val->flags & REGFI_VK_FLAG_ASCIINAME)
	1000	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]	1001
[162]	1002	if(from_encoding == output_encoding)
	1003	{
	1004	ret_val->valuename_raw = talloc_realloc(ret_val, ret_val->valuename_raw,
	1005	uint8, ret_val->name_length+1);
	1006	ret_val->valuename_raw[ret_val->name_length] = '\0';
	1007	ret_val->valuename = (char*)ret_val->valuename_raw;
	1008	}
	1009	else
	1010	{
	1011	ret_val->valuename = talloc_array(ret_val, char, ret_val->name_length+1);
	1012	if(ret_val->valuename == NULL)
	1013	{
	1014	regfi_free_value(ret_val);
	1015	return NULL;
	1016	}
	1017
	1018	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1019	regfi_encoding_int2str(output_encoding),
	1020	ret_val->valuename_raw, ret_val->valuename,
	1021	ret_val->name_length, ret_val->name_length+1);
	1022	if(tmp_size < 0)
	1023	{
	1024	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1025	" valuename to encoding %s. Error message: %s",
	1026	regfi_encoding_int2str(output_encoding),
	1027	strerror(-tmp_size));
	1028	talloc_free(ret_val->valuename);
	1029	ret_val->valuename = NULL;
	1030	}
	1031	}
	1032
[103]	1033	return ret_val;
[30]	1034	}
	1035
	1036
[145]	1037	/******************************************************************************
	1038	* If !strict, the list may contain NULLs, VK records may point to NULL.
	1039	******************************************************************************/
	1040	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32 offset,
[146]	1041	uint32 num_values, uint32 max_size,
[145]	1042	bool strict)
	1043	{
	1044	uint32 usable_num_values;
[30]	1045
[145]	1046	if((num_values+1) * sizeof(uint32) > max_size)
	1047	{
	1048	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
	1049	" parent key (%d) would cause cell to straddle HBIN"
	1050	" boundary while loading value list at offset"
	1051	" 0x%.8X.", num_values, offset);
	1052	if(strict)
	1053	return NULL;
	1054	usable_num_values = max_size/sizeof(uint32) - sizeof(uint32);
	1055	}
	1056	else
	1057	usable_num_values = num_values;
	1058
	1059	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1060	}
	1061
	1062
	1063
[146]	1064	/******************************************************************************
	1065	*
	1066	******************************************************************************/
[161]	1067	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32 offset,
	1068	REGFI_ENCODING output_encoding, bool strict)
[30]	1069	{
[135]	1070	REGFI_NK_REC* nk;
[157]	1071	uint32 off;
[161]	1072	int32 max_size, tmp_size;
	1073	REGFI_ENCODING from_encoding;
[99]	1074
[157]	1075	max_size = regfi_calc_maxsize(file, offset);
	1076	if (max_size < 0)
[105]	1077	return NULL;
[30]	1078
[31]	1079	/* get the initial nk record */
[157]	1080	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
[135]	1081	{
[138]	1082	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
[137]	1083	" offset 0x%.8X.", offset);
[99]	1084	return NULL;
[135]	1085	}
[30]	1086
[165]	1087	/* XXX: Registry key names are supposedly limited to 255 characters according to:
	1088	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1089	* Might want to emit a warning if this is exceeded.
	1090	* It is expected that "characters" could be variable width.
	1091	* Also, it may be useful to use this information to limit false positives
	1092	* when recovering deleted NK records.
	1093	*/
[161]	1094	from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
	1095	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
	1096
	1097	if(from_encoding == output_encoding)
	1098	{
	1099	nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8, nk->name_length+1);
	1100	nk->keyname_raw[nk->name_length] = '\0';
	1101	nk->keyname = (char*)nk->keyname_raw;
	1102	}
	1103	else
	1104	{
	1105	nk->keyname = talloc_array(nk, char, nk->name_length+1);
	1106	if(nk->keyname == NULL)
	1107	{
	1108	regfi_free_key(nk);
	1109	return NULL;
	1110	}
	1111
	1112	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1113	regfi_encoding_int2str(output_encoding),
	1114	nk->keyname_raw, nk->keyname,
	1115	nk->name_length, nk->name_length+1);
	1116	if(tmp_size < 0)
	1117	{
	1118	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1119	" keyname to encoding %s. Error message: %s",
	1120	regfi_encoding_int2str(output_encoding),
	1121	strerror(-tmp_size));
	1122	talloc_free(nk->keyname);
	1123	nk->keyname = NULL;
	1124	}
	1125	}
	1126
	1127
[146]	1128	/* get value list */
[135]	1129	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1130	{
[157]	1131	off = nk->values_off + REGFI_REGF_SIZE;
	1132	max_size = regfi_calc_maxsize(file, off);
	1133	if(max_size < 0)
[32]	1134	{
[105]	1135	if(strict)
[32]	1136	{
[150]	1137	regfi_free_key(nk);
[99]	1138	return NULL;
[31]	1139	}
[105]	1140	else
	1141	nk->values = NULL;
[133]	1142
[31]	1143	}
[105]	1144	else
[103]	1145	{
[157]	1146	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1147	max_size, true);
[145]	1148	if(nk->values == NULL)
[105]	1149	{
[145]	1150	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
	1151	" for NK record at offset 0x%.8X.", offset);
	1152	if(strict)
	1153	{
[150]	1154	regfi_free_key(nk);
[145]	1155	return NULL;
	1156	}
[105]	1157	}
[150]	1158	talloc_steal(nk, nk->values);
[103]	1159	}
[31]	1160	}
[105]	1161
[146]	1162	/* now get subkey list */
[135]	1163	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1164	{
[157]	1165	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1166	max_size = regfi_calc_maxsize(file, off);
	1167	if(max_size < 0)
[32]	1168	{
[105]	1169	if(strict)
[32]	1170	{
[150]	1171	regfi_free_key(nk);
[99]	1172	return NULL;
[31]	1173	}
[105]	1174	else
	1175	nk->subkeys = NULL;
[31]	1176	}
[105]	1177	else
[104]	1178	{
[134]	1179	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1180	max_size, true);
[134]	1181
[105]	1182	if(nk->subkeys == NULL)
	1183	{
[140]	1184	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1185	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1186	nk->num_subkeys = 0;
	1187	}
[150]	1188	talloc_steal(nk, nk->subkeys);
[104]	1189	}
[31]	1190	}
[30]	1191
[99]	1192	return nk;
[30]	1193	}
	1194
[32]	1195
[102]	1196	/******************************************************************************
	1197	******************************************************************************/
[146]	1198	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32 offset, bool strict)
	1199	{
	1200	REGFI_SK_REC* ret_val = NULL;
[157]	1201	int32 max_size;
[147]	1202	void* failure_ptr = NULL;
	1203
[146]	1204	/* First look if we have already parsed it */
	1205	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
	1206
	1207	/* Bail out if we have previously cached a parse failure at this offset. */
	1208	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1209	return NULL;
	1210
	1211	if(ret_val == NULL)
	1212	{
[157]	1213	max_size = regfi_calc_maxsize(file, offset);
	1214	if(max_size < 0)
[146]	1215	return NULL;
	1216
[157]	1217	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1218	if(ret_val == NULL)
	1219	{ /* Cache the parse failure and bail out. */
[147]	1220	failure_ptr = talloc(NULL, uint32_t);
	1221	if(failure_ptr == NULL)
	1222	return NULL;
	1223	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1224	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]	1225	return NULL;
	1226	}
	1227
	1228	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
	1229	}
	1230
	1231	return ret_val;
	1232	}
	1233
	1234
	1235
	1236	/******************************************************************************
	1237	******************************************************************************/
[161]	1238	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
	1239	REGFI_ENCODING output_encoding)
[30]	1240	{
[135]	1241	REGFI_NK_REC* nk = NULL;
[158]	1242	uint32 cell_length;
	1243	uint32 cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1244	uint32 hbin_end = hbin->file_off+hbin->block_size;
	1245	bool unalloc;
[30]	1246
[158]	1247	while(cur_offset < hbin_end)
[32]	1248	{
[158]	1249	if(!regfi_parse_cell(file->fd, cur_offset, NULL, 0, &cell_length, &unalloc))
	1250	{
	1251	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
	1252	" 0x%.8X while searching for root key.", cur_offset);
	1253	return NULL;
	1254	}
[102]	1255
[158]	1256	if(!unalloc)
[102]	1257	{
[161]	1258	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1259	if(nk != NULL)
	1260	{
[161]	1261	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1262	return nk;
[102]	1263	}
[31]	1264	}
[30]	1265
[158]	1266	cur_offset += cell_length;
[31]	1267	}
[32]	1268
[158]	1269	return NULL;
[30]	1270	}
	1271
	1272
	1273	/*******************************************************************
[97]	1274	* Open the registry file and then read in the REGF block to get the
	1275	* first hbin offset.
	1276	*******************************************************************/
[135]	1277	REGFI_FILE* regfi_open(const char* filename)
[30]	1278	{
[137]	1279	struct stat sbuf;
[135]	1280	REGFI_FILE* rb;
	1281	REGFI_HBIN* hbin = NULL;
[146]	1282	uint32 hbin_off, file_length, cache_secret;
[97]	1283	int fd;
[110]	1284	bool rla;
[30]	1285
[97]	1286	/* open an existing file */
[143]	1287	if ((fd = open(filename, REGFI_OPEN_FLAGS)) == -1)
[97]	1288	{
[143]	1289	/* fprintf(stderr, "regfi_open: failure to open %s (%s)\n", filename, strerror(errno));*/
[31]	1290	return NULL;
	1291	}
[99]	1292
[137]	1293	/* Determine file length. Must be at least big enough
	1294	* for the header and one hbin.
	1295	*/
	1296	if (fstat(fd, &sbuf) == -1)
	1297	return NULL;
	1298	file_length = sbuf.st_size;
	1299	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1300	return NULL;
	1301
[31]	1302	/* read in an existing file */
[97]	1303	if ((rb = regfi_parse_regf(fd, true)) == NULL)
	1304	{
[143]	1305	/* fprintf(stderr, "regfi_open: Failed to read initial REGF block\n"); */
[97]	1306	close(fd);
[31]	1307	return NULL;
	1308	}
[137]	1309	rb->file_length = file_length;
	1310
[99]	1311	rb->hbins = range_list_new();
[110]	1312	if(rb->hbins == NULL)
[99]	1313	{
[143]	1314	/* fprintf(stderr, "regfi_open: Failed to create HBIN list.\n"); */
[99]	1315	close(fd);
[150]	1316	talloc_free(rb);
[99]	1317	return NULL;
	1318	}
[150]	1319	talloc_steal(rb, rb->hbins);
	1320
[106]	1321	rla = true;
[135]	1322	hbin_off = REGFI_REGF_SIZE;
[110]	1323	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1324	while(hbin && rla)
	1325	{
[137]	1326	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1327	if(rla)
	1328	talloc_steal(rb->hbins, hbin);
[106]	1329	hbin_off = hbin->file_off + hbin->block_size;
[110]	1330	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1331	}
	1332
[146]	1333	/* This secret isn't very secret, but we don't need a good one. This
	1334	* secret is just designed to prevent someone from trying to blow our
	1335	* caching and make things slow.
	1336	*/
	1337	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1338
	1339	/* Cache an unlimited number of SK records. Typically there are very few. */
[150]	1340	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]	1341
[138]	1342	/* Default message mask */
	1343	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1344
[31]	1345	/* success */
	1346	return rb;
[30]	1347	}
	1348
	1349
[148]	1350	/******************************************************************************
	1351	******************************************************************************/
[146]	1352	int regfi_close(REGFI_FILE *file)
[30]	1353	{
[31]	1354	int fd;
[30]	1355
[31]	1356	/* nothing to do if there is no open file */
[99]	1357	if ((file == NULL) \|\| (file->fd == -1))
	1358	return 0;
[30]	1359
[31]	1360	fd = file->fd;
	1361	file->fd = -1;
[148]	1362
[99]	1363	range_list_free(file->hbins);
[106]	1364
[146]	1365	if(file->sk_cache != NULL)
	1366	lru_cache_destroy(file->sk_cache);
[148]	1367
[150]	1368	talloc_free(file);
[106]	1369	return close(fd);
[30]	1370	}
	1371
	1372
[80]	1373	/******************************************************************************
[158]	1374	* First checks the offset given by the file header, then checks the
	1375	* rest of the file if that fails.
[148]	1376	******************************************************************************/
[161]	1377	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]	1378	{
[135]	1379	REGFI_NK_REC* nk = NULL;
[146]	1380	REGFI_HBIN* hbin;
	1381	uint32 root_offset, i, num_hbins;
[99]	1382
	1383	if(!file)
[31]	1384	return NULL;
[99]	1385
[158]	1386	root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]	1387	nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]	1388	if(nk != NULL)
	1389	{
[161]	1390	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1391	return nk;
	1392	}
	1393
	1394	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
	1395	" location 0x%.8X, but no root key found."
	1396	" Searching rest of file...", root_offset);
	1397
	1398	/* If the file header gives bad info, scan through the file one HBIN
	1399	* block at a time looking for an NK record with a root key type.
[146]	1400	*/
[107]	1401	num_hbins = range_list_size(file->hbins);
[158]	1402	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1403	{
[135]	1404	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]	1405	nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]	1406	}
[30]	1407
[80]	1408	return nk;
[30]	1409	}
	1410
	1411
[80]	1412	/******************************************************************************
	1413	*****************************************************************************/
[150]	1414	void regfi_free_key(REGFI_NK_REC* nk)
[30]	1415	{
[127]	1416	regfi_subkeylist_free(nk->subkeys);
[150]	1417	talloc_free(nk);
	1418	}
[127]	1419
[80]	1420
[150]	1421	/******************************************************************************
	1422	*****************************************************************************/
	1423	void regfi_free_value(REGFI_VK_REC* vk)
	1424	{
	1425	talloc_free(vk);
[80]	1426	}
	1427
	1428
	1429	/******************************************************************************
	1430	*****************************************************************************/
[135]	1431	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1432	{
	1433	if(list != NULL)
	1434	{
[150]	1435	talloc_free(list);
[127]	1436	}
	1437	}
	1438
	1439
	1440	/******************************************************************************
	1441	*****************************************************************************/
[161]	1442	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
	1443	REGFI_ENCODING output_encoding)
[80]	1444	{
[135]	1445	REGFI_NK_REC* root;
[161]	1446	REGFI_ITERATOR* ret_val;
	1447
	1448	if(output_encoding != REGFI_ENCODING_UTF8
	1449	&& output_encoding != REGFI_ENCODING_ASCII)
	1450	{
	1451	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
	1452	" in creation of regfi iterator.");
	1453	return NULL;
	1454	}
	1455
	1456	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1457	if(ret_val == NULL)
	1458	return NULL;
	1459
[161]	1460	root = regfi_rootkey(file, output_encoding);
[80]	1461	if(root == NULL)
	1462	{
[150]	1463	talloc_free(ret_val);
[80]	1464	return NULL;
	1465	}
	1466
[135]	1467	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1468	if(ret_val->key_positions == NULL)
	1469	{
[150]	1470	talloc_free(ret_val);
[80]	1471	return NULL;
	1472	}
[150]	1473	talloc_steal(ret_val, ret_val->key_positions);
[80]	1474
[159]	1475	ret_val->f = file;
[80]	1476	ret_val->cur_key = root;
	1477	ret_val->cur_subkey = 0;
	1478	ret_val->cur_value = 0;
[161]	1479	ret_val->string_encoding = output_encoding;
	1480
[80]	1481	return ret_val;
	1482	}
	1483
	1484
	1485	/******************************************************************************
	1486	*****************************************************************************/
	1487	void regfi_iterator_free(REGFI_ITERATOR* i)
	1488	{
[150]	1489	talloc_free(i);
[80]	1490	}
	1491
	1492
	1493
	1494	/******************************************************************************
	1495	*****************************************************************************/
	1496	/* XXX: some way of indicating reason for failure should be added. */
	1497	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1498	{
[135]	1499	REGFI_NK_REC* subkey;
[80]	1500	REGFI_ITER_POSITION* pos;
	1501
[150]	1502	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1503	if(pos == NULL)
	1504	return false;
	1505
[135]	1506	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1507	if(subkey == NULL)
	1508	{
[150]	1509	talloc_free(pos);
[80]	1510	return false;
	1511	}
	1512
	1513	pos->nk = i->cur_key;
	1514	pos->cur_subkey = i->cur_subkey;
	1515	if(!void_stack_push(i->key_positions, pos))
	1516	{
[150]	1517	talloc_free(pos);
	1518	regfi_free_key(subkey);
[80]	1519	return false;
	1520	}
[150]	1521	talloc_steal(i, subkey);
[80]	1522
	1523	i->cur_key = subkey;
	1524	i->cur_subkey = 0;
	1525	i->cur_value = 0;
	1526
	1527	return true;
	1528	}
	1529
	1530
	1531	/******************************************************************************
	1532	*****************************************************************************/
	1533	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1534	{
	1535	REGFI_ITER_POSITION* pos;
	1536
	1537	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1538	if(pos == NULL)
	1539	return false;
	1540
[150]	1541	regfi_free_key(i->cur_key);
[80]	1542	i->cur_key = pos->nk;
	1543	i->cur_subkey = pos->cur_subkey;
	1544	i->cur_value = 0;
[150]	1545	talloc_free(pos);
[80]	1546
	1547	return true;
	1548	}
	1549
	1550
	1551	/******************************************************************************
	1552	*****************************************************************************/
	1553	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1554	{
	1555	while(regfi_iterator_up(i))
	1556	continue;
	1557
	1558	return true;
	1559	}
	1560
	1561
	1562	/******************************************************************************
	1563	*****************************************************************************/
	1564	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1565	{
[135]	1566	REGFI_NK_REC* subkey;
[80]	1567	bool found = false;
	1568	uint32 old_subkey = i->cur_subkey;
[133]	1569
[80]	1570	if(subkey_name == NULL)
	1571	return false;
	1572
	1573	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1574	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1575	while((subkey != NULL) && (found == false))
	1576	{
	1577	if(subkey->keyname != NULL
	1578	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1579	found = true;
[82]	1580	else
	1581	{
[150]	1582	regfi_free_key(subkey);
[135]	1583	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1584	}
[80]	1585	}
	1586
	1587	if(found == false)
	1588	{
	1589	i->cur_subkey = old_subkey;
	1590	return false;
	1591	}
	1592
[150]	1593	regfi_free_key(subkey);
[80]	1594	return true;
	1595	}
	1596
	1597
	1598	/******************************************************************************
	1599	*****************************************************************************/
	1600	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1601	{
	1602	uint32 x;
	1603	if(path == NULL)
	1604	return false;
	1605
	1606	for(x=0;
	1607	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1608	&& regfi_iterator_down(i));
	1609	x++)
	1610	{ continue; }
	1611
	1612	if(path[x] == NULL)
	1613	return true;
	1614
	1615	/* XXX: is this the right number of times? */
	1616	for(; x > 0; x--)
	1617	regfi_iterator_up(i);
	1618
	1619	return false;
	1620	}
	1621
	1622
	1623	/******************************************************************************
	1624	*****************************************************************************/
[135]	1625	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1626	{
	1627	return i->cur_key;
	1628	}
	1629
	1630
	1631	/******************************************************************************
	1632	*****************************************************************************/
[135]	1633	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1634	{
[146]	1635	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]	1636	return NULL;
	1637
[146]	1638	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]	1639	}
	1640
	1641
	1642	/******************************************************************************
	1643	*****************************************************************************/
[150]	1644	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1645	{
	1646	i->cur_subkey = 0;
	1647	return regfi_iterator_cur_subkey(i);
	1648	}
	1649
	1650
	1651	/******************************************************************************
	1652	*****************************************************************************/
[150]	1653	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1654	{
	1655	uint32 nk_offset;
	1656
[31]	1657	/* see if there is anything left to report */
[135]	1658	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1659	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1660	return NULL;
[30]	1661
[139]	1662	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1663
[161]	1664	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
	1665	true);
[30]	1666	}
[80]	1667
	1668
	1669	/******************************************************************************
	1670	*****************************************************************************/
	1671	/* XXX: some way of indicating reason for failure should be added. */
[150]	1672	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1673	{
[150]	1674	REGFI_NK_REC* subkey;
[80]	1675
	1676	i->cur_subkey++;
	1677	subkey = regfi_iterator_cur_subkey(i);
	1678
	1679	if(subkey == NULL)
	1680	i->cur_subkey--;
	1681
	1682	return subkey;
	1683	}
	1684
	1685
	1686	/******************************************************************************
	1687	*****************************************************************************/
	1688	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1689	{
[150]	1690	REGFI_VK_REC* cur;
[80]	1691	bool found = false;
	1692
	1693	/* XXX: cur->valuename can be NULL in the registry.
	1694	* Should we allow for a way to search for that?
	1695	*/
	1696	if(value_name == NULL)
	1697	return false;
	1698
	1699	cur = regfi_iterator_first_value(i);
	1700	while((cur != NULL) && (found == false))
	1701	{
	1702	if((cur->valuename != NULL)
	1703	&& (strcasecmp(cur->valuename, value_name) == 0))
	1704	found = true;
[95]	1705	else
[150]	1706	{
	1707	regfi_free_value(cur);
[95]	1708	cur = regfi_iterator_next_value(i);
[150]	1709	}
[80]	1710	}
	1711
[94]	1712	return found;
[80]	1713	}
	1714
	1715
	1716	/******************************************************************************
	1717	*****************************************************************************/
[150]	1718	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1719	{
	1720	i->cur_value = 0;
	1721	return regfi_iterator_cur_value(i);
	1722	}
	1723
	1724
	1725	/******************************************************************************
	1726	*****************************************************************************/
[150]	1727	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1728	{
[150]	1729	REGFI_VK_REC* ret_val = NULL;
[145]	1730	uint32 voffset;
[80]	1731
[145]	1732	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
	1733	{
	1734	if(i->cur_value < i->cur_key->values->num_values)
	1735	{
	1736	voffset = i->cur_key->values->elements[i->cur_value];
[162]	1737	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE,
	1738	i->string_encoding, true);
[145]	1739	}
	1740	}
	1741
[80]	1742	return ret_val;
	1743	}
	1744
	1745
	1746	/******************************************************************************
	1747	*****************************************************************************/
[150]	1748	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1749	{
[150]	1750	REGFI_VK_REC* ret_val;
[80]	1751
	1752	i->cur_value++;
	1753	ret_val = regfi_iterator_cur_value(i);
	1754	if(ret_val == NULL)
	1755	i->cur_value--;
	1756
	1757	return ret_val;
	1758	}
[97]	1759
	1760
[159]	1761	/******************************************************************************
	1762	*****************************************************************************/
[160]	1763	REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
	1764	const REGFI_NK_REC* key)
	1765	{
	1766	REGFI_CLASSNAME* ret_val;
	1767	uint8* raw;
	1768	char* interpreted;
	1769	uint32 offset;
	1770	int32 conv_size, max_size;
	1771	uint16 parse_length;
	1772
	1773	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	1774	return NULL;
	1775
	1776	offset = key->classname_off + REGFI_REGF_SIZE;
	1777	max_size = regfi_calc_maxsize(i->f, offset);
	1778	if(max_size <= 0)
	1779	return NULL;
	1780
	1781	parse_length = key->classname_length;
	1782	raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
	1783
	1784	if(raw == NULL)
	1785	{
	1786	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
	1787	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	1788	offset, key->offset);
	1789	return NULL;
	1790	}
	1791
	1792	ret_val = talloc(NULL, REGFI_CLASSNAME);
	1793	if(ret_val == NULL)
	1794	return NULL;
	1795
	1796	ret_val->raw = raw;
	1797	ret_val->size = parse_length;
	1798	talloc_steal(ret_val, raw);
	1799
	1800	interpreted = talloc_array(NULL, char, parse_length);
	1801
[161]	1802	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1803	regfi_encoding_int2str(i->string_encoding),
[160]	1804	raw, interpreted,
	1805	parse_length, parse_length);
	1806	if(conv_size < 0)
	1807	{
	1808	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
	1809	" converting classname to charset %s. Error message: %s",
	1810	i->string_encoding, strerror(-conv_size));
	1811	talloc_free(interpreted);
	1812	ret_val->interpreted = NULL;
	1813	}
	1814	else
	1815	{
	1816	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	1817	ret_val->interpreted = interpreted;
	1818	talloc_steal(ret_val, interpreted);
	1819	}
	1820
	1821	return ret_val;
	1822	}
	1823
	1824
	1825	/******************************************************************************
	1826	*****************************************************************************/
[159]	1827	REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
	1828	const REGFI_VK_REC* value)
	1829	{
	1830	REGFI_DATA* ret_val = NULL;
	1831	REGFI_BUFFER raw_data;
	1832
	1833	if(value->data_size != 0)
	1834	{
	1835	raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
	1836	value->data_in_offset, true);
	1837	if(raw_data.buf == NULL)
	1838	{
	1839	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
	1840	" while parsing VK record at offset 0x%.8X.",
	1841	value->offset);
	1842	}
	1843	else
	1844	{
	1845	ret_val = regfi_buffer_to_data(raw_data);
	1846
	1847	if(ret_val == NULL)
	1848	{
	1849	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
	1850	" data buffer to data structure while interpreting "
	1851	"data for VK record at offset 0x%.8X.",
	1852	value->offset);
	1853	talloc_free(raw_data.buf);
	1854	return NULL;
	1855	}
	1856
	1857	if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
	1858	{
	1859	regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
	1860	" interpreting data for VK record at offset 0x%.8X.",
	1861	value->offset);
	1862	}
	1863	}
	1864	}
	1865
	1866	return ret_val;
	1867	}
	1868
	1869
	1870	/******************************************************************************
	1871	*****************************************************************************/
[160]	1872	void regfi_free_classname(REGFI_CLASSNAME* classname)
	1873	{
	1874	talloc_free(classname);
	1875	}
	1876
	1877	/******************************************************************************
	1878	*****************************************************************************/
[159]	1879	void regfi_free_data(REGFI_DATA* data)
	1880	{
	1881	talloc_free(data);
	1882	}
	1883
	1884
	1885	/******************************************************************************
	1886	*****************************************************************************/
	1887	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	1888	{
	1889	REGFI_DATA* ret_val;
	1890
	1891	if(raw_data.buf == NULL)
	1892	return NULL;
	1893
	1894	ret_val = talloc(NULL, REGFI_DATA);
	1895	if(ret_val == NULL)
	1896	return NULL;
	1897
	1898	talloc_steal(ret_val, raw_data.buf);
	1899	ret_val->raw = raw_data.buf;
	1900	ret_val->size = raw_data.len;
	1901	ret_val->interpreted_size = 0;
	1902	ret_val->interpreted.qword = 0;
	1903
	1904	return ret_val;
	1905	}
	1906
	1907
	1908	/******************************************************************************
	1909	*****************************************************************************/
[161]	1910	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[159]	1911	uint32 type, REGFI_DATA* data)
	1912	{
	1913	uint8** tmp_array;
	1914	uint8* tmp_str;
	1915	int32 tmp_size;
	1916	uint32 i, j, array_size;
	1917
	1918	if(data == NULL)
	1919	return false;
	1920
	1921	switch (type)
	1922	{
	1923	case REG_SZ:
	1924	case REG_EXPAND_SZ:
	1925	/* REG_LINK is a symbolic link, stored as a unicode string. */
	1926	case REG_LINK:
	1927	tmp_str = talloc_array(NULL, uint8, data->size);
	1928	if(tmp_str == NULL)
	1929	{
	1930	data->interpreted.string = NULL;
	1931	data->interpreted_size = 0;
	1932	return false;
	1933	}
	1934
[161]	1935	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1936	regfi_encoding_int2str(string_encoding),
[159]	1937	data->raw, (char*)tmp_str,
	1938	data->size, data->size);
	1939	if(tmp_size < 0)
	1940	{
	1941	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1942	" converting data of type %d to %s. Error message: %s",
	1943	type, string_encoding, strerror(-tmp_size));
	1944	talloc_free(tmp_str);
	1945	data->interpreted.string = NULL;
	1946	data->interpreted_size = 0;
	1947	return false;
	1948	}
	1949
	1950	tmp_str = talloc_realloc(NULL, tmp_str, uint8, tmp_size);
	1951	data->interpreted.string = tmp_str;
	1952	data->interpreted_size = tmp_size;
	1953	talloc_steal(data, tmp_str);
	1954	break;
	1955
	1956	case REG_DWORD:
	1957	if(data->size < 4)
	1958	{
	1959	data->interpreted.dword = 0;
	1960	data->interpreted_size = 0;
	1961	return false;
	1962	}
	1963	data->interpreted.dword = IVAL(data->raw, 0);
	1964	data->interpreted_size = 4;
	1965	break;
	1966
	1967	case REG_DWORD_BE:
	1968	if(data->size < 4)
	1969	{
	1970	data->interpreted.dword_be = 0;
	1971	data->interpreted_size = 0;
	1972	return false;
	1973	}
	1974	data->interpreted.dword_be = RIVAL(data->raw, 0);
	1975	data->interpreted_size = 4;
	1976	break;
	1977
	1978	case REG_QWORD:
	1979	if(data->size < 8)
	1980	{
	1981	data->interpreted.qword = 0;
	1982	data->interpreted_size = 0;
	1983	return false;
	1984	}
	1985	data->interpreted.qword =
	1986	(uint64)IVAL(data->raw, 0) + (((uint64)IVAL(data->raw, 4))<<32);
	1987	data->interpreted_size = 8;
	1988	break;
	1989
	1990	case REG_MULTI_SZ:
	1991	tmp_str = talloc_array(NULL, uint8, data->size);
	1992	if(tmp_str == NULL)
	1993	{
	1994	data->interpreted.multiple_string = NULL;
	1995	data->interpreted_size = 0;
	1996	return false;
	1997	}
	1998
	1999	/* Attempt to convert entire string from UTF-16LE to output encoding,
	2000	* then parse and quote fields individually.
	2001	*/
[161]	2002	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2003	regfi_encoding_int2str(string_encoding),
[159]	2004	data->raw, (char*)tmp_str,
	2005	data->size, data->size);
	2006	if(tmp_size < 0)
	2007	{
	2008	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	2009	" converting data of type %d to %s. Error message: %s",
	2010	type, string_encoding, strerror(-tmp_size));
	2011	talloc_free(tmp_str);
	2012	data->interpreted.multiple_string = NULL;
	2013	data->interpreted_size = 0;
	2014	return false;
	2015	}
	2016
	2017	array_size = tmp_size+1;
	2018	tmp_array = talloc_array(NULL, uint8*, array_size);
	2019	if(tmp_array == NULL)
	2020	{
	2021	talloc_free(tmp_str);
	2022	data->interpreted.string = NULL;
	2023	data->interpreted_size = 0;
	2024	return false;
	2025	}
	2026
	2027	tmp_array[0] = tmp_str;
	2028	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	2029	{
	2030	if(tmp_str[i] == '\0' && (i+1 < tmp_size))
	2031	tmp_array[j++] = tmp_str+i+1;
	2032	}
	2033	tmp_array[j] = NULL;
	2034	tmp_array = talloc_realloc(NULL, tmp_array, uint8*, j+1);
	2035	data->interpreted.multiple_string = tmp_array;
	2036	/* XXX: how meaningful is this? should we store number of strings instead? */
	2037	data->interpreted_size = tmp_size;
	2038	talloc_steal(tmp_array, tmp_str);
	2039	talloc_steal(data, tmp_array);
	2040	break;
	2041
	2042	/* XXX: Dont know how to interpret these yet, just treat as binary */
	2043	case REG_NONE:
	2044	data->interpreted.none = data->raw;
	2045	data->interpreted_size = data->size;
	2046	break;
	2047
	2048	case REG_RESOURCE_LIST:
	2049	data->interpreted.resource_list = data->raw;
	2050	data->interpreted_size = data->size;
	2051	break;
	2052
	2053	case REG_FULL_RESOURCE_DESCRIPTOR:
	2054	data->interpreted.full_resource_descriptor = data->raw;
	2055	data->interpreted_size = data->size;
	2056	break;
	2057
	2058	case REG_RESOURCE_REQUIREMENTS_LIST:
	2059	data->interpreted.resource_requirements_list = data->raw;
	2060	data->interpreted_size = data->size;
	2061	break;
	2062
	2063	case REG_BINARY:
	2064	data->interpreted.binary = data->raw;
	2065	data->interpreted_size = data->size;
	2066	break;
	2067
	2068	default:
	2069	data->interpreted.qword = 0;
	2070	data->interpreted_size = 0;
	2071	return false;
	2072	}
	2073
	2074	data->type = type;
	2075	return true;
	2076	}
	2077
	2078
[97]	2079	/*******************************************************************
[159]	2080	* Convert from UTF-16LE to specified character set.
	2081	* On error, returns a negative errno code.
	2082	*******************************************************************/
[161]	2083	int32 regfi_conv_charset(const char* input_charset, const char* output_charset,
[159]	2084	uint8* input, char* output,
	2085	uint32 input_len, uint32 output_max)
	2086	{
	2087	iconv_t conv_desc;
	2088	char* inbuf = (char*)input;
	2089	char* outbuf = output;
	2090	size_t in_len = (size_t)input_len;
	2091	size_t out_len = (size_t)(output_max-1);
	2092	int ret;
	2093
[161]	2094	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2095	* storing them on an iterator so they don't have to be recreated
	2096	* each time.
	2097	*/
	2098
[159]	2099	/* Set up conversion descriptor. */
[161]	2100	conv_desc = iconv_open(output_charset, input_charset);
[159]	2101
	2102	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2103	if(ret == -1)
	2104	{
	2105	iconv_close(conv_desc);
	2106	return -errno;
	2107	}
	2108	*outbuf = '\0';
	2109
	2110	iconv_close(conv_desc);
	2111	return output_max-out_len-1;
	2112	}
	2113
	2114
	2115
	2116	/*******************************************************************
[97]	2117	* Computes the checksum of the registry file header.
[159]	2118	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2119	*******************************************************************/
	2120	static uint32 regfi_compute_header_checksum(uint8* buffer)
	2121	{
	2122	uint32 checksum, x;
	2123	int i;
	2124
	2125	/* XOR of all bytes 0x0000 - 0x01FB */
	2126
	2127	checksum = x = 0;
	2128
	2129	for ( i=0; i<0x01FB; i+=4 ) {
	2130	x = IVAL(buffer, i );
	2131	checksum ^= x;
	2132	}
	2133
	2134	return checksum;
	2135	}
	2136
	2137
	2138	/*******************************************************************
[116]	2139	* XXX: Add way to return more detailed error information.
[97]	2140	*******************************************************************/
[135]	2141	REGFI_FILE* regfi_parse_regf(int fd, bool strict)
[97]	2142	{
[135]	2143	uint8 file_header[REGFI_REGF_SIZE];
[102]	2144	uint32 length;
[135]	2145	REGFI_FILE* ret_val;
[97]	2146
[150]	2147	ret_val = talloc(NULL, REGFI_FILE);
[97]	2148	if(ret_val == NULL)
	2149	return NULL;
	2150
	2151	ret_val->fd = fd;
[150]	2152	ret_val->sk_cache = NULL;
	2153	ret_val->last_message = NULL;
	2154	ret_val->hbins = NULL;
	2155
[135]	2156	length = REGFI_REGF_SIZE;
[150]	2157	if((regfi_read(fd, file_header, &length)) != 0 \|\| length != REGFI_REGF_SIZE)
	2158	goto fail;
	2159
[97]	2160	ret_val->checksum = IVAL(file_header, 0x1FC);
	2161	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2162	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]	2163	goto fail;
[97]	2164
[135]	2165	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2166	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2167	{
[150]	2168	if(strict)
	2169	goto fail;
	2170	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
	2171	"(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]	2172	ret_val->magic[0], ret_val->magic[1],
[150]	2173	ret_val->magic[2], ret_val->magic[3]);
[97]	2174	}
[151]	2175	ret_val->sequence1 = IVAL(file_header, 0x4);
	2176	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2177	ret_val->mtime.low = IVAL(file_header, 0xC);
	2178	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2179	ret_val->major_version = IVAL(file_header, 0x14);
	2180	ret_val->minor_version = IVAL(file_header, 0x18);
	2181	ret_val->type = IVAL(file_header, 0x1C);
	2182	ret_val->format = IVAL(file_header, 0x20);
	2183	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2184	ret_val->last_block = IVAL(file_header, 0x28);
	2185
[151]	2186	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2187
[151]	2188	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2189
	2190	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2191	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2192	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2193	ret_val->flags = IVAL(file_header, 0x90);
	2194	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2195	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2196
	2197	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2198	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2199
	2200	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2201	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2202	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2203	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2204	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2205
[97]	2206	return ret_val;
[150]	2207
	2208	fail:
	2209	talloc_free(ret_val);
	2210	return NULL;
[97]	2211	}
	2212
	2213
	2214
[148]	2215	/******************************************************************************
[97]	2216	* Given real file offset, read and parse the hbin at that location
[110]	2217	* along with it's associated cells.
[148]	2218	******************************************************************************/
[135]	2219	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32 offset, bool strict)
[97]	2220	{
[135]	2221	REGFI_HBIN *hbin;
	2222	uint8 hbin_header[REGFI_HBIN_HEADER_SIZE];
[110]	2223	uint32 length;
[99]	2224
	2225	if(offset >= file->file_length)
	2226	return NULL;
[97]	2227
	2228	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2229	{
[138]	2230	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2231	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2232	return NULL;
[137]	2233	}
[97]	2234
[135]	2235	length = REGFI_HBIN_HEADER_SIZE;
[97]	2236	if((regfi_read(file->fd, hbin_header, &length) != 0)
[135]	2237	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	2238	return NULL;
	2239
	2240	if(lseek(file->fd, offset, SEEK_SET) == -1)
[137]	2241	{
[138]	2242	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2243	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2244	return NULL;
[137]	2245	}
[97]	2246
[148]	2247	hbin = talloc(NULL, REGFI_HBIN);
	2248	if(hbin == NULL)
[99]	2249	return NULL;
	2250	hbin->file_off = offset;
	2251
[97]	2252	memcpy(hbin->magic, hbin_header, 4);
	2253	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2254	{
[138]	2255	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	2256	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2257	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2258	hbin->magic[2], hbin->magic[3], offset);
[148]	2259	talloc_free(hbin);
[97]	2260	return NULL;
[99]	2261	}
[97]	2262
	2263	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2264	hbin->block_size = IVAL(hbin_header, 0x8);
	2265	/* this should be the same thing as hbin->block_size but just in case */
	2266	hbin->next_block = IVAL(hbin_header, 0x1C);
	2267
	2268
	2269	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2270	* the end of the file.
	2271	*/
[116]	2272	/* XXX: This may need to be relaxed for dealing with
	2273	* partial or corrupt files.
	2274	*/
[97]	2275	if((offset + hbin->block_size > file->file_length)
	2276	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2277	{
[138]	2278	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	2279	" or runs off the end of the file"
	2280	" while parsing hbin at offset 0x%.8X.", offset);
[148]	2281	talloc_free(hbin);
[97]	2282	return NULL;
[99]	2283	}
[97]	2284
	2285	return hbin;
	2286	}
	2287
	2288
[126]	2289	/*******************************************************************
	2290	*******************************************************************/
[135]	2291	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32 offset,
[158]	2292	uint32 max_size, bool strict)
[99]	2293	{
	2294	uint8 nk_header[REGFI_NK_MIN_LENGTH];
[135]	2295	REGFI_NK_REC* ret_val;
[131]	2296	uint32 length,cell_length;
[101]	2297	bool unalloc = false;
[99]	2298
[101]	2299	if(!regfi_parse_cell(file->fd, offset, nk_header, REGFI_NK_MIN_LENGTH,
	2300	&cell_length, &unalloc))
[137]	2301	{
[138]	2302	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2303	" while parsing NK record at offset 0x%.8X.", offset);
	2304	return NULL;
	2305	}
	2306
[99]	2307	/* A bit of validation before bothering to allocate memory */
[101]	2308	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2309	{
[138]	2310	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	2311	" NK record at offset 0x%.8X.", offset);
[99]	2312	return NULL;
[135]	2313	}
[99]	2314
[150]	2315	ret_val = talloc(NULL, REGFI_NK_REC);
[99]	2316	if(ret_val == NULL)
[135]	2317	{
[138]	2318	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	2319	" parsing NK record at offset 0x%.8X.", offset);
[99]	2320	return NULL;
[135]	2321	}
[99]	2322
[150]	2323	ret_val->values = NULL;
	2324	ret_val->subkeys = NULL;
[99]	2325	ret_val->offset = offset;
[101]	2326	ret_val->cell_size = cell_length;
	2327
[99]	2328	if(ret_val->cell_size > max_size)
	2329	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2330	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2331	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2332	{
[140]	2333	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	2334	" parsing NK record at offset 0x%.8X.", offset);
[150]	2335	talloc_free(ret_val);
[99]	2336	return NULL;
	2337	}
	2338
[101]	2339	ret_val->magic[0] = nk_header[0x0];
	2340	ret_val->magic[1] = nk_header[0x1];
[161]	2341	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2342
[161]	2343	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2344	{
[152]	2345	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]	2346	" parsing NK record at offset 0x%.8X.",
[161]	2347	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2348	}
[101]	2349
	2350	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2351	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2352	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2353	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2354	* weed out some false positives during deleted data recovery.
	2355	*/
	2356	if(unalloc
	2357	&& ((ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2358	&& ret_val->mtime.low < REGFI_MTIME_MIN_LOW)
	2359	\|\| (ret_val->mtime.high > REGFI_MTIME_MAX_HIGH
	2360	&& ret_val->mtime.low > REGFI_MTIME_MAX_LOW)))
	2361	return NULL;
	2362
[101]	2363	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2364	ret_val->parent_off = IVAL(nk_header, 0x10);
	2365	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2366	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2367	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2368	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2369	ret_val->num_values = IVAL(nk_header, 0x24);
	2370	ret_val->values_off = IVAL(nk_header, 0x28);
	2371	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2372	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2373
[101]	2374	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2375	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2376	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2377	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2378	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2379
[101]	2380	ret_val->name_length = SVAL(nk_header, 0x48);
	2381	ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]	2382	ret_val->keyname = NULL;
[99]	2383
	2384	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2385	{
	2386	if(strict)
	2387	{
[138]	2388	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	2389	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2390	talloc_free(ret_val);
[101]	2391	return NULL;
	2392	}
	2393	else
	2394	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2395	}
	2396	else if (unalloc)
	2397	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2398	/* Round up to the next multiple of 8 */
	2399	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2400	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2401	length+=8;
[99]	2402
[101]	2403	/* If cell_size is still greater, truncate. */
	2404	if(length < ret_val->cell_size)
	2405	ret_val->cell_size = length;
	2406	}
	2407
[161]	2408	ret_val->keyname_raw = talloc_array(ret_val, uint8, ret_val->name_length);
	2409	if(ret_val->keyname_raw == NULL)
[99]	2410	{
[150]	2411	talloc_free(ret_val);
[99]	2412	return NULL;
	2413	}
	2414
	2415	/* Don't need to seek, should be at the right offset */
	2416	length = ret_val->name_length;
[161]	2417	if((regfi_read(file->fd, (uint8*)ret_val->keyname_raw, &length) != 0)
[99]	2418	\|\| length != ret_val->name_length)
	2419	{
[138]	2420	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	2421	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2422	talloc_free(ret_val);
[99]	2423	return NULL;
	2424	}
	2425
[126]	2426	return ret_val;
	2427	}
	2428
	2429
[160]	2430	uint8* regfi_parse_classname(REGFI_FILE* file, uint32 offset,
	2431	uint16* name_length, uint32 max_size, bool strict)
[126]	2432	{
[160]	2433	uint8* ret_val = NULL;
[126]	2434	uint32 length;
	2435	uint32 cell_length;
	2436	bool unalloc = false;
	2437
[135]	2438	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]	2439	&& (offset & 0x00000007) == 0)
[131]	2440	{
[126]	2441	if(!regfi_parse_cell(file->fd, offset, NULL, 0, &cell_length, &unalloc))
[137]	2442	{
[138]	2443	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2444	" while parsing class name at offset 0x%.8X.", offset);
[126]	2445	return NULL;
[137]	2446	}
[126]	2447
[157]	2448	if((cell_length & 0x0000007) != 0)
[137]	2449	{
[138]	2450	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2451	" while parsing class name at offset 0x%.8X.", offset);
[131]	2452	return NULL;
[137]	2453	}
	2454
[131]	2455	if(cell_length > max_size)
[125]	2456	{
[138]	2457	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2458	"boundary while parsing class name at offset 0x%.8X.",
	2459	offset);
[126]	2460	if(strict)
	2461	return NULL;
[131]	2462	cell_length = max_size;
[126]	2463	}
[131]	2464
	2465	if((cell_length - 4) < *name_length)
	2466	{
[138]	2467	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2468	" cell_length while parsing class name at offset"
	2469	" 0x%.8X.", offset);
[131]	2470	if(strict)
	2471	return NULL;
	2472	*name_length = cell_length - 4;
	2473	}
[126]	2474
[160]	2475	ret_val = talloc_array(NULL, uint8, *name_length);
[126]	2476	if(ret_val != NULL)
	2477	{
	2478	length = *name_length;
[160]	2479	if((regfi_read(file->fd, ret_val, &length) != 0)
[126]	2480	\|\| length != *name_length)
[125]	2481	{
[138]	2482	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2483	" while parsing class name at offset 0x%.8X.", offset);
[150]	2484	talloc_free(ret_val);
[126]	2485	return NULL;
[125]	2486	}
	2487	}
	2488	}
	2489
[99]	2490	return ret_val;
	2491	}
	2492
	2493
[152]	2494	/******************************************************************************
	2495	*******************************************************************************/
[135]	2496	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32 offset,
[145]	2497	uint32 max_size, bool strict)
[97]	2498	{
[135]	2499	REGFI_VK_REC* ret_val;
[101]	2500	uint8 vk_header[REGFI_VK_MIN_LENGTH];
	2501	uint32 raw_data_size, length, cell_length;
	2502	bool unalloc = false;
[97]	2503
[101]	2504	if(!regfi_parse_cell(file->fd, offset, vk_header, REGFI_VK_MIN_LENGTH,
	2505	&cell_length, &unalloc))
[137]	2506	{
[138]	2507	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2508	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2509	return NULL;
[137]	2510	}
[111]	2511
[150]	2512	ret_val = talloc(NULL, REGFI_VK_REC);
[101]	2513	if(ret_val == NULL)
	2514	return NULL;
	2515
	2516	ret_val->offset = offset;
	2517	ret_val->cell_size = cell_length;
[150]	2518	ret_val->data = NULL;
	2519	ret_val->valuename = NULL;
[162]	2520	ret_val->valuename_raw = NULL;
[150]	2521
[101]	2522	if(ret_val->cell_size > max_size)
	2523	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2524	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2525	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2526	{
[138]	2527	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2528	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2529	talloc_free(ret_val);
[101]	2530	return NULL;
	2531	}
[97]	2532
[101]	2533	ret_val->magic[0] = vk_header[0x0];
	2534	ret_val->magic[1] = vk_header[0x1];
	2535	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2536	{
[124]	2537	/* XXX: This does not account for deleted keys under Win2K which
	2538	* often have this (and the name length) overwritten with
	2539	* 0xFFFF.
	2540	*/
[138]	2541	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2542	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2543	talloc_free(ret_val);
[101]	2544	return NULL;
	2545	}
	2546
	2547	ret_val->name_length = SVAL(vk_header, 0x2);
	2548	raw_data_size = IVAL(vk_header, 0x4);
[135]	2549	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2550	/* The data is typically stored in the offset if the size <= 4,
	2551	* in which case this flag is set.
	2552	*/
[135]	2553	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2554	ret_val->data_off = IVAL(vk_header, 0x8);
	2555	ret_val->type = IVAL(vk_header, 0xC);
[162]	2556	ret_val->flags = SVAL(vk_header, 0x10);
[101]	2557	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2558
[162]	2559	if(ret_val->name_length > 0)
[101]	2560	{
[113]	2561	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2562	{
[138]	2563	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2564	" space while parsing VK record at offset 0x%.8X.",
	2565	offset);
[101]	2566	if(strict)
	2567	{
[150]	2568	talloc_free(ret_val);
[101]	2569	return NULL;
	2570	}
	2571	else
[113]	2572	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2573	}
	2574
	2575	/* Round up to the next multiple of 8 */
[113]	2576	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2577	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2578	cell_length+=8;
[101]	2579
[162]	2580	ret_val->valuename_raw = talloc_array(ret_val, uint8, ret_val->name_length);
	2581	if(ret_val->valuename_raw == NULL)
[101]	2582	{
[150]	2583	talloc_free(ret_val);
[101]	2584	return NULL;
	2585	}
[113]	2586
[101]	2587	length = ret_val->name_length;
[162]	2588	if((regfi_read(file->fd, (uint8*)ret_val->valuename_raw, &length) != 0)
[101]	2589	\|\| length != ret_val->name_length)
	2590	{
[138]	2591	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2592	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2593	talloc_free(ret_val);
[101]	2594	return NULL;
	2595	}
	2596	}
	2597	else
[113]	2598	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2599
	2600	if(unalloc)
	2601	{
	2602	/* If cell_size is still greater, truncate. */
[113]	2603	if(cell_length < ret_val->cell_size)
	2604	ret_val->cell_size = cell_length;
[101]	2605	}
	2606
	2607	return ret_val;
[97]	2608	}
[101]	2609
	2610
[152]	2611	/******************************************************************************
[157]	2612	*
	2613	******************************************************************************/
[159]	2614	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32 voffset,
[157]	2615	uint32 length, bool data_in_offset,
	2616	bool strict)
[101]	2617	{
[151]	2618	REGFI_BUFFER ret_val;
[157]	2619	uint32 cell_length, offset;
	2620	int32 max_size;
[101]	2621	bool unalloc;
[151]	2622
[159]	2623	/* Microsoft's documentation indicates that "available memory" is
[165]	2624	* the limit on value sizes for the more recent registry format version.
	2625	* This is not only annoying, but it's probably also incorrect, since clearly
	2626	* value data sizes are limited to 2^31 (high bit used as a flag) and even
	2627	* with big data records, the apparent max size is:
	2628	* 16344 * 2^16 = 1071104040 (~1GB).
	2629	*
	2630	* We choose to limit it to 1M which was the limit in older versions and
	2631	* should rarely be exceeded unless the file is corrupt or malicious.
	2632	* For more info, see:
	2633	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]	2634	*/
[160]	2635	/* XXX: add way to skip this check at user discression. */
	2636	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	2637	{
[160]	2638	regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
	2639	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
	2640	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	2641	}
	2642
[145]	2643	if(data_in_offset)
[157]	2644	return regfi_parse_little_data(file, voffset, length, strict);
	2645	else
[101]	2646	{
[157]	2647	offset = voffset + REGFI_REGF_SIZE;
	2648	max_size = regfi_calc_maxsize(file, offset);
	2649	if(max_size < 0)
[137]	2650	{
[157]	2651	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
	2652	" at offset 0x%.8X.", offset);
[151]	2653	goto fail;
[137]	2654	}
[157]	2655
[101]	2656	if(!regfi_parse_cell(file->fd, offset, NULL, 0,
	2657	&cell_length, &unalloc))
[137]	2658	{
[138]	2659	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2660	" parsing data record at offset 0x%.8X.", offset);
[151]	2661	goto fail;
[137]	2662	}
[111]	2663
[157]	2664	if((cell_length & 0x00000007) != 0)
[137]	2665	{
[138]	2666	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2667	" while parsing data record at offset 0x%.8X.",
	2668	offset);
[151]	2669	goto fail;
[137]	2670	}
[101]	2671
[131]	2672	if(cell_length > max_size)
	2673	{
[145]	2674	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
	2675	" while parsing data record at offset 0x%.8X.",
[137]	2676	offset);
[157]	2677	goto fail;
[131]	2678	}
	2679
[101]	2680	if(cell_length - 4 < length)
	2681	{
[155]	2682	/* XXX: All big data records thus far have been 16 bytes long.
	2683	* Should we check for this precise size instead of just
	2684	* relying upon the above check?
	2685	*/
[152]	2686	if (file->major_version >= 1 && file->minor_version >= 5)
	2687	{
	2688	/* Attempt to parse a big data record */
[157]	2689	return regfi_load_big_data(file, offset, length, cell_length,
	2690	NULL, strict);
[152]	2691	}
[101]	2692	else
[152]	2693	{
	2694	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
	2695	" remaining cell length (0x%.8X)"
	2696	" while parsing data record at offset 0x%.8X.",
	2697	length, cell_length - 4, offset);
	2698	if(strict)
	2699	goto fail;
	2700	else
	2701	length = cell_length - 4;
	2702	}
[101]	2703	}
	2704
[157]	2705	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	2706	}
	2707
	2708	return ret_val;
[151]	2709
	2710	fail:
	2711	ret_val.buf = NULL;
	2712	ret_val.len = 0;
	2713	return ret_val;
[101]	2714	}
[110]	2715
	2716
[152]	2717	/******************************************************************************
[157]	2718	* Parses the common case data records stored in a single cell.
	2719	******************************************************************************/
	2720	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32 offset,
	2721	uint32 length, bool strict)
	2722	{
	2723	REGFI_BUFFER ret_val;
	2724	uint32 read_length;
	2725
	2726	ret_val.buf = NULL;
	2727	ret_val.len = 0;
	2728
	2729	if(lseek(file->fd, offset+4, SEEK_SET) == -1)
	2730	{
	2731	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
	2732	"reading data at offset 0x%.8X.", offset);
	2733	return ret_val;
	2734	}
	2735
[159]	2736	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2737	return ret_val;
	2738	ret_val.len = length;
	2739
	2740	read_length = length;
	2741	if((regfi_read(file->fd, ret_val.buf, &read_length) != 0)
	2742	\|\| read_length != length)
	2743	{
	2744	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
	2745	" parsing data record at offset 0x%.8X.", offset);
	2746	talloc_free(ret_val.buf);
	2747	ret_val.buf = NULL;
	2748	ret_val.buf = 0;
	2749	}
	2750
	2751	return ret_val;
	2752	}
	2753
	2754
	2755
	2756	/******************************************************************************
	2757	*
	2758	******************************************************************************/
	2759	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32 voffset,
	2760	uint32 length, bool strict)
	2761	{
	2762	REGFI_BUFFER ret_val;
	2763	uint8 i;
	2764
	2765	ret_val.buf = NULL;
	2766	ret_val.len = 0;
	2767
	2768	if(length > 4)
	2769	{
	2770	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
	2771	" while parsing data record. (voffset=0x%.8X, length=%d)",
	2772	voffset, length);
	2773	return ret_val;
	2774	}
	2775
[159]	2776	if((ret_val.buf = talloc_array(NULL, uint8, length)) == NULL)
[157]	2777	return ret_val;
	2778	ret_val.len = length;
	2779
	2780	for(i = 0; i < length; i++)
	2781	ret_val.buf[i] = (uint8)((voffset >> i*8) & 0xFF);
	2782
	2783	return ret_val;
	2784	}
	2785
	2786	/******************************************************************************
[152]	2787	*******************************************************************************/
[157]	2788	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32 offset,
	2789	uint32 max_size, bool strict)
[152]	2790	{
	2791	REGFI_BUFFER ret_val;
[157]	2792	uint32 cell_length;
[152]	2793	bool unalloc;
[157]	2794
	2795	/* XXX: do something with unalloc? */
	2796	ret_val.buf = (uint8*)talloc_array(NULL, uint8, REGFI_BIG_DATA_MIN_LENGTH);
	2797	if(ret_val.buf == NULL)
[152]	2798	goto fail;
	2799
[157]	2800	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	2801	{
	2802	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
	2803	"while parsing big data header at offset 0x%.8X.",offset);
	2804	goto fail;
	2805	}
	2806
	2807	if(!regfi_parse_cell(file->fd, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	2808	&cell_length, &unalloc))
	2809	{
	2810	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]	2811	" parsing big data header at offset 0x%.8X.", offset);
[152]	2812	goto fail;
	2813	}
[157]	2814
	2815	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	2816	{
	2817	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
	2818	" (0x%.2X, 0x%.2X) encountered while parsing"
[157]	2819	" big data header at offset 0x%.8X.",
	2820	ret_val.buf[0], ret_val.buf[1], offset);
[152]	2821	goto fail;
	2822	}
	2823
[157]	2824	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	2825	return ret_val;
	2826
	2827	fail:
	2828	if(ret_val.buf != NULL)
	2829	{
	2830	talloc_free(ret_val.buf);
	2831	ret_val.buf = NULL;
	2832	}
	2833	ret_val.len = 0;
	2834	return ret_val;
	2835	}
	2836
	2837
	2838
	2839	/******************************************************************************
	2840	*
	2841	******************************************************************************/
	2842	uint32* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32 offset,
	2843	uint16 num_chunks, bool strict)
	2844	{
	2845	uint32* ret_val;
	2846	uint32 indirect_length;
	2847	int32 max_size;
	2848	uint16 i;
	2849	bool unalloc;
	2850
	2851	/* XXX: do something with unalloc? */
	2852
	2853	max_size = regfi_calc_maxsize(file, offset);
	2854	if((max_size < 0) \|\| (num_chunks*sizeof(uint32) + 4 > max_size))
	2855	return NULL;
	2856
	2857	ret_val = (uint32*)talloc_array(NULL, uint32, num_chunks);
	2858	if(ret_val == NULL)
[152]	2859	goto fail;
	2860
[157]	2861	if(!regfi_parse_cell(file->fd, offset, (uint8*)ret_val,
[152]	2862	num_chunks*sizeof(uint32),
	2863	&indirect_length, &unalloc))
	2864	{
	2865	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2866	" parsing big data indirect record at offset 0x%.8X.",
	2867	offset);
	2868	goto fail;
	2869	}
[157]	2870
	2871	/* Convert pointers to proper endianess, verify they are aligned. */
	2872	for(i=0; i<num_chunks; i++)
[152]	2873	{
[157]	2874	ret_val[i] = IVAL(ret_val, i*sizeof(uint32));
	2875	if((ret_val[i] & 0x00000007) != 0)
	2876	goto fail;
[152]	2877	}
[157]	2878
	2879	return ret_val;
[152]	2880
[157]	2881	fail:
	2882	if(ret_val != NULL)
	2883	talloc_free(ret_val);
	2884	return NULL;
	2885	}
	2886
	2887
	2888	/******************************************************************************
	2889	* Arguments:
	2890	* file --
	2891	* offsets -- list of virtual offsets.
	2892	* num_chunks --
	2893	* strict --
	2894	*
	2895	* Returns:
	2896	* A range_list with physical offsets and complete lengths
	2897	* (including cell headers) of associated cells.
	2898	* No data in range_list elements.
	2899	******************************************************************************/
	2900	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32* offsets,
	2901	uint16 num_chunks, bool strict)
	2902	{
	2903	uint32 cell_length, chunk_offset, data_left;
	2904	range_list* ret_val;
	2905	uint16 i;
	2906	bool unalloc;
	2907
	2908	/* XXX: do something with unalloc? */
	2909	ret_val = range_list_new();
	2910	if(ret_val == NULL)
	2911	goto fail;
	2912
[152]	2913	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2914	{
[157]	2915	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
	2916	if(!regfi_parse_cell(file->fd, chunk_offset, NULL, 0,
	2917	&cell_length, &unalloc))
[152]	2918	{
	2919	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2920	" parsing big data chunk at offset 0x%.8X.",
	2921	chunk_offset);
[157]	2922	goto fail;
[152]	2923	}
	2924
[157]	2925	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	2926	goto fail;
	2927	}
	2928
	2929	return ret_val;
	2930
	2931	fail:
	2932	if(ret_val != NULL)
	2933	range_list_free(ret_val);
	2934	return NULL;
	2935	}
	2936
	2937
	2938	/******************************************************************************
	2939	*******************************************************************************/
	2940	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
	2941	uint32 offset, uint32 data_length,
	2942	uint32 cell_length, range_list* used_ranges,
	2943	bool strict)
	2944	{
	2945	REGFI_BUFFER ret_val;
	2946	uint16 num_chunks, i;
	2947	uint32 read_length, data_left, tmp_len, indirect_offset;
	2948	uint32* indirect_ptrs = NULL;
	2949	REGFI_BUFFER bd_header;
	2950	range_list* bd_cells = NULL;
	2951	const range_list_element* cell_info;
	2952
	2953	ret_val.buf = NULL;
	2954
	2955	/* XXX: Add better error/warning messages */
	2956
	2957	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	2958	if(bd_header.buf == NULL)
	2959	goto fail;
	2960
	2961	/* Keep track of used space for use by reglookup-recover */
	2962	if(used_ranges != NULL)
	2963	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	2964	goto fail;
	2965
	2966	num_chunks = SVAL(bd_header.buf, 0x2);
	2967	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	2968	talloc_free(bd_header.buf);
	2969
	2970	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	2971	num_chunks, strict);
	2972	if(indirect_ptrs == NULL)
	2973	goto fail;
	2974
	2975	if(used_ranges != NULL)
	2976	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	2977	goto fail;
	2978
	2979	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	2980	goto fail;
	2981	data_left = data_length;
	2982
	2983	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	2984	if(bd_cells == NULL)
	2985	goto fail;
	2986
	2987	talloc_free(indirect_ptrs);
	2988	indirect_ptrs = NULL;
	2989
	2990	for(i=0; (i<num_chunks) && (data_left>0); i++)
	2991	{
	2992	cell_info = range_list_get(bd_cells, i);
	2993	if(cell_info == NULL)
	2994	goto fail;
	2995
	2996	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	2997	* length. However, it has been observed that some (all?) chunks
	2998	* have an additional 4 bytes of 0 at the end of their cells that
	2999	* isn't part of the data, so we're trimming that off too.
[157]	3000	* Perhaps it's just an 8 byte alignment requirement...
[154]	3001	*/
[157]	3002	if(cell_info->length - 8 >= data_left)
	3003	{
	3004	if(i+1 != num_chunks)
	3005	{
	3006	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
	3007	"while constructing big data at offset 0x%.8X "
	3008	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3009	}
[152]	3010	read_length = data_left;
[157]	3011	}
[152]	3012	else
[157]	3013	read_length = cell_info->length - 8;
[152]	3014
[157]	3015
	3016	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	3017	{
	3018	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
	3019	"while constructing big data at offset 0x%.8X "
	3020	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3021	goto fail;
	3022	}
	3023
	3024	if(lseek(file->fd, cell_info->offset+sizeof(uint32), SEEK_SET) == -1)
	3025	{
	3026	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
	3027	"constructing big data at offset 0x%.8X "
	3028	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3029	goto fail;
	3030	}
	3031
	3032	tmp_len = read_length;
[152]	3033	if(regfi_read(file->fd, ret_val.buf+(data_length-data_left),
[157]	3034	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	3035	{
	3036	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]	3037	" constructing big data at offset 0x%.8X"
	3038	" (chunk offset 0x%.8X).", offset, cell_info->offset);
	3039	goto fail;
[152]	3040	}
	3041
[157]	3042	if(used_ranges != NULL)
	3043	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	3044	goto fail;
	3045
[152]	3046	data_left -= read_length;
	3047	}
[157]	3048	range_list_free(bd_cells);
	3049
[152]	3050	ret_val.len = data_length-data_left;
	3051	return ret_val;
	3052
	3053	fail:
[157]	3054	if(ret_val.buf != NULL)
	3055	talloc_free(ret_val.buf);
	3056	if(indirect_ptrs != NULL)
	3057	talloc_free(indirect_ptrs);
	3058	if(bd_cells != NULL)
	3059	range_list_free(bd_cells);
[152]	3060	ret_val.buf = NULL;
	3061	ret_val.len = 0;
	3062	return ret_val;
	3063	}
	3064
	3065
[135]	3066	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3067	{
	3068	range_list* ret_val;
[135]	3069	REGFI_HBIN* hbin;
[110]	3070	const range_list_element* hbins_elem;
	3071	uint32 i, num_hbins, curr_off, cell_len;
	3072	bool is_unalloc;
	3073
	3074	ret_val = range_list_new();
	3075	if(ret_val == NULL)
	3076	return NULL;
	3077
	3078	num_hbins = range_list_size(file->hbins);
	3079	for(i=0; i<num_hbins; i++)
	3080	{
	3081	hbins_elem = range_list_get(file->hbins, i);
	3082	if(hbins_elem == NULL)
	3083	break;
[135]	3084	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3085
[135]	3086	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3087	while(curr_off < hbin->block_size)
	3088	{
	3089	if(!regfi_parse_cell(file->fd, hbin->file_off+curr_off, NULL, 0,
	3090	&cell_len, &is_unalloc))
	3091	break;
	3092
[157]	3093	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3094	{
	3095	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	3096	" while parsing unallocated cells at offset 0x%.8X.",
	3097	hbin->file_off+curr_off);
[110]	3098	break;
[140]	3099	}
	3100
[110]	3101	/* for some reason the record_size of the last record in
	3102	an hbin block can extend past the end of the block
	3103	even though the record fits within the remaining
	3104	space....aaarrrgggghhhhhh */
	3105	if(curr_off + cell_len >= hbin->block_size)
	3106	cell_len = hbin->block_size - curr_off;
	3107
	3108	if(is_unalloc)
	3109	range_list_add(ret_val, hbin->file_off+curr_off,
	3110	cell_len, NULL);
	3111
	3112	curr_off = curr_off+cell_len;
	3113	}
	3114	}
	3115
	3116	return ret_val;
	3117	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: