Context Navigation

source: trunk/lib/regfi.c @ 178

Last change on this file since 178 was 178, checked in by tim, 14 years ago

reworked I/O to use callback functions

fixed a bug in mtime validation and consolidated time formatting code

Property svn:keywords set to Id

File size: 90.0 KB

Rev	Line
[30]	1	/*
[169]	2	* Copyright (C) 2005-2010 Timothy D. Morgan
[30]	3	* Copyright (C) 2005 Gerald (Jerry) Carter
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
[111]	7	* the Free Software Foundation; version 3 of the License.
[30]	8	*
	9	* This program is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, write to the Free Software
[161]	16	* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
[30]	17	*
	18	* $Id: regfi.c 178 2010-03-13 17:56:36Z tim $
	19	*/
	20
[169]	21	/**
	22	* @file
	23	*
	24	* Windows NT (and later) read-only registry library
	25	*
	26	* See @ref regfi.h for more information.
	27	*
	28	* Branched from Samba project Subversion repository, version #7470:
	29	* http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/source/registry/regfio.c?rev=7470&view=auto
	30	*
	31	* Since then, it has been heavily rewritten, simplified, and improved.
	32	*/
[168]	33
[147]	34	#include "regfi.h"
[30]	35
	36
[32]	37	/* Registry types mapping */
[78]	38	const unsigned int regfi_num_reg_types = 12;
	39	static const char* regfi_type_names[] =
[65]	40	{"NONE", "SZ", "EXPAND_SZ", "BINARY", "DWORD", "DWORD_BE", "LINK",
[72]	41	"MULTI_SZ", "RSRC_LIST", "RSRC_DESC", "RSRC_REQ_LIST", "QWORD"};
[30]	42
[161]	43	const char* regfi_encoding_names[] =
	44	{"US-ASCII//TRANSLIT", "UTF-8//TRANSLIT", "UTF-16LE//TRANSLIT"};
[32]	45
[135]	46
	47	/******************************************************************************
	48	******************************************************************************/
[168]	49	void regfi_add_message(REGFI_FILE* file, uint16_t msg_type, const char* fmt, ...)
[135]	50	{
[136]	51	/* XXX: This function is not particularly efficient,
[135]	52	* but then it is mostly used during errors.
	53	*/
[168]	54	uint32_t buf_size, buf_used;
[136]	55	char* new_msg;
	56	va_list args;
[135]	57
[138]	58	if((file->msg_mask & msg_type) != 0)
	59	{
	60	if(file->last_message == NULL)
	61	buf_used = 0;
	62	else
	63	buf_used = strlen(file->last_message);
	64
	65	buf_size = buf_used+strlen(fmt)+160;
	66	new_msg = realloc(file->last_message, buf_size);
	67	if(new_msg == NULL)
	68	/* XXX: should we report this? */
	69	return;
[135]	70
[138]	71	switch (msg_type)
	72	{
	73	case REGFI_MSG_INFO:
	74	strcpy(new_msg+buf_used, "INFO: ");
	75	buf_used += 6;
	76	break;
	77	case REGFI_MSG_WARN:
	78	strcpy(new_msg+buf_used, "WARN: ");
	79	buf_used += 6;
	80	break;
	81	case REGFI_MSG_ERROR:
	82	strcpy(new_msg+buf_used, "ERROR: ");
	83	buf_used += 7;
	84	break;
	85	}
[136]	86
[138]	87	va_start(args, fmt);
	88	vsnprintf(new_msg+buf_used, buf_size-buf_used, fmt, args);
	89	va_end(args);
	90	strncat(new_msg, "\n", buf_size-1);
	91
	92	file->last_message = new_msg;
	93	}
[135]	94	}
	95
	96
	97	/******************************************************************************
	98	******************************************************************************/
[136]	99	char* regfi_get_messages(REGFI_FILE* file)
[135]	100	{
	101	char* ret_val = file->last_message;
	102	file->last_message = NULL;
	103
	104	return ret_val;
	105	}
	106
	107
[168]	108	void regfi_set_message_mask(REGFI_FILE* file, uint16_t mask)
[138]	109	{
	110	file->msg_mask = mask;
	111	}
	112
	113
[161]	114	/******************************************************************************
	115	* Returns NULL for an invalid e
	116	*****************************************************************************/
	117	static const char* regfi_encoding_int2str(REGFI_ENCODING e)
	118	{
	119	if(e < REGFI_NUM_ENCODINGS)
	120	return regfi_encoding_names[e];
	121
	122	return NULL;
	123	}
	124
	125
	126	/******************************************************************************
	127	* Returns NULL for an invalid val
	128	*****************************************************************************/
[78]	129	const char* regfi_type_val2str(unsigned int val)
[32]	130	{
[61]	131	if(val == REG_KEY)
	132	return "KEY";
	133
[78]	134	if(val >= regfi_num_reg_types)
[61]	135	return NULL;
	136
[78]	137	return regfi_type_names[val];
[32]	138	}
	139
	140
[161]	141	/******************************************************************************
	142	* Returns -1 on error
	143	*****************************************************************************/
[78]	144	int regfi_type_str2val(const char* str)
[32]	145	{
	146	int i;
	147
[61]	148	if(strcmp("KEY", str) == 0)
	149	return REG_KEY;
[32]	150
[78]	151	for(i=0; i < regfi_num_reg_types; i++)
	152	if (strcmp(regfi_type_names[i], str) == 0)
[61]	153	return i;
	154
	155	if(strcmp("DWORD_LE", str) == 0)
	156	return REG_DWORD_LE;
	157
	158	return -1;
[32]	159	}
	160
	161
[135]	162	/* Security descriptor formatting functions */
[53]	163
[168]	164	const char* regfi_ace_type2str(uint8_t type)
[53]	165	{
	166	static const char* map[7]
	167	= {"ALLOW", "DENY", "AUDIT", "ALARM",
	168	"ALLOW CPD", "OBJ ALLOW", "OBJ DENY"};
	169	if(type < 7)
	170	return map[type];
	171	else
	172	/* XXX: would be nice to return the unknown integer value.
	173	* However, as it is a const string, it can't be free()ed later on,
	174	* so that would need to change.
	175	*/
	176	return "UNKNOWN";
	177	}
	178
	179
[76]	180	/* XXX: need a better reference on the meaning of each flag. */
	181	/* For more info, see:
	182	* http://msdn2.microsoft.com/en-us/library/aa772242.aspx
	183	*/
[168]	184	char* regfi_ace_flags2str(uint8_t flags)
[53]	185	{
[76]	186	static const char* flag_map[32] =
[87]	187	{ "OI", /* Object Inherit */
	188	"CI", /* Container Inherit */
	189	"NP", /* Non-Propagate */
	190	"IO", /* Inherit Only */
	191	"IA", /* Inherited ACE */
[76]	192	NULL,
	193	NULL,
	194	NULL,
	195	};
[53]	196
[76]	197	char* ret_val = malloc(35*sizeof(char));
	198	char* fo = ret_val;
[168]	199	uint32_t i;
	200	uint8_t f;
[76]	201
	202	if(ret_val == NULL)
[53]	203	return NULL;
	204
[76]	205	fo[0] = '\0';
[53]	206	if (!flags)
[76]	207	return ret_val;
[53]	208
[76]	209	for(i=0; i < 8; i++)
	210	{
	211	f = (1<<i);
	212	if((flags & f) && (flag_map[i] != NULL))
	213	{
	214	strcpy(fo, flag_map[i]);
	215	fo += strlen(flag_map[i]);
	216	*(fo++) = ' ';
	217	flags ^= f;
	218	}
[53]	219	}
[76]	220
	221	/* Any remaining unknown flags are added at the end in hex. */
	222	if(flags != 0)
	223	sprintf(fo, "0x%.2X ", flags);
	224
	225	/* Chop off the last space if we've written anything to ret_val */
	226	if(fo != ret_val)
	227	fo[-1] = '\0';
	228
	229	return ret_val;
[53]	230	}
	231
	232
[168]	233	char* regfi_ace_perms2str(uint32_t perms)
[53]	234	{
[168]	235	uint32_t i, p;
[76]	236	/* This is more than is needed by a fair margin. */
	237	char* ret_val = malloc(350*sizeof(char));
	238	char* r = ret_val;
	239
	240	/* Each represents one of 32 permissions bits. NULL is for undefined/reserved bits.
	241	* For more information, see:
	242	* http://msdn2.microsoft.com/en-gb/library/aa374892.aspx
	243	* http://msdn2.microsoft.com/en-gb/library/ms724878.aspx
	244	*/
	245	static const char* perm_map[32] =
	246	{/* object-specific permissions (registry keys, in this case) */
	247	"QRY_VAL", /* KEY_QUERY_VALUE */
	248	"SET_VAL", /* KEY_SET_VALUE */
	249	"CREATE_KEY", /* KEY_CREATE_SUB_KEY */
	250	"ENUM_KEYS", /* KEY_ENUMERATE_SUB_KEYS */
	251	"NOTIFY", /* KEY_NOTIFY */
	252	"CREATE_LNK", /* KEY_CREATE_LINK - Reserved for system use. */
	253	NULL,
	254	NULL,
	255	"WOW64_64", /* KEY_WOW64_64KEY */
	256	"WOW64_32", /* KEY_WOW64_32KEY */
	257	NULL,
	258	NULL,
	259	NULL,
	260	NULL,
	261	NULL,
	262	NULL,
	263	/* standard access rights */
	264	"DELETE", /* DELETE */
	265	"R_CONT", /* READ_CONTROL */
	266	"W_DAC", /* WRITE_DAC */
	267	"W_OWNER", /* WRITE_OWNER */
	268	"SYNC", /* SYNCHRONIZE - Shouldn't be set in registries */
	269	NULL,
	270	NULL,
	271	NULL,
	272	/* other generic */
	273	"SYS_SEC", /* ACCESS_SYSTEM_SECURITY */
	274	"MAX_ALLWD", /* MAXIMUM_ALLOWED */
	275	NULL,
	276	NULL,
	277	"GEN_A", /* GENERIC_ALL */
	278	"GEN_X", /* GENERIC_EXECUTE */
	279	"GEN_W", /* GENERIC_WRITE */
	280	"GEN_R", /* GENERIC_READ */
	281	};
	282
	283
[53]	284	if(ret_val == NULL)
	285	return NULL;
	286
[76]	287	r[0] = '\0';
	288	for(i=0; i < 32; i++)
	289	{
	290	p = (1<<i);
	291	if((perms & p) && (perm_map[i] != NULL))
	292	{
	293	strcpy(r, perm_map[i]);
	294	r += strlen(perm_map[i]);
	295	*(r++) = ' ';
	296	perms ^= p;
	297	}
	298	}
	299
	300	/* Any remaining unknown permission bits are added at the end in hex. */
	301	if(perms != 0)
	302	sprintf(r, "0x%.8X ", perms);
[53]	303
[76]	304	/* Chop off the last space if we've written anything to ret_val */
	305	if(r != ret_val)
	306	r[-1] = '\0';
	307
[53]	308	return ret_val;
	309	}
	310
	311
[134]	312	char* regfi_sid2str(WINSEC_DOM_SID* sid)
[53]	313	{
[168]	314	uint32_t i, size = WINSEC_MAX_SUBAUTHS*11 + 24;
	315	uint32_t left = size;
	316	uint8_t comps = sid->num_auths;
[53]	317	char* ret_val = malloc(size);
	318
	319	if(ret_val == NULL)
	320	return NULL;
	321
[134]	322	if(comps > WINSEC_MAX_SUBAUTHS)
	323	comps = WINSEC_MAX_SUBAUTHS;
[53]	324
	325	left -= sprintf(ret_val, "S-%u-%u", sid->sid_rev_num, sid->id_auth[5]);
	326
	327	for (i = 0; i < comps; i++)
	328	left -= snprintf(ret_val+(size-left), left, "-%u", sid->sub_auths[i]);
	329
	330	return ret_val;
	331	}
	332
	333
[134]	334	char* regfi_get_acl(WINSEC_ACL* acl)
[53]	335	{
[168]	336	uint32_t i, extra, size = 0;
[53]	337	const char* type_str;
	338	char* flags_str;
	339	char* perms_str;
	340	char* sid_str;
[61]	341	char* ace_delim = "";
[53]	342	char* ret_val = NULL;
[61]	343	char* tmp_val = NULL;
	344	bool failed = false;
[53]	345	char field_delim = ':';
	346
[61]	347	for (i = 0; i < acl->num_aces && !failed; i++)
[53]	348	{
[134]	349	sid_str = regfi_sid2str(acl->aces[i]->trustee);
	350	type_str = regfi_ace_type2str(acl->aces[i]->type);
	351	perms_str = regfi_ace_perms2str(acl->aces[i]->access_mask);
	352	flags_str = regfi_ace_flags2str(acl->aces[i]->flags);
[53]	353
[61]	354	if(flags_str != NULL && perms_str != NULL
	355	&& type_str != NULL && sid_str != NULL)
	356	{
	357	/* XXX: this is slow */
	358	extra = strlen(sid_str) + strlen(type_str)
[136]	359	+ strlen(perms_str) + strlen(flags_str) + 5;
[61]	360	tmp_val = realloc(ret_val, size+extra);
[53]	361
[61]	362	if(tmp_val == NULL)
	363	{
	364	free(ret_val);
[136]	365	ret_val = NULL;
[61]	366	failed = true;
	367	}
	368	else
	369	{
	370	ret_val = tmp_val;
[148]	371	size += sprintf(ret_val+size, "%s%s%c%s%c%s%c%s",
	372	ace_delim,sid_str,
	373	field_delim,type_str,
	374	field_delim,perms_str,
	375	field_delim,flags_str);
[61]	376	ace_delim = "\|";
	377	}
	378	}
	379	else
	380	failed = true;
	381
	382	if(sid_str != NULL)
	383	free(sid_str);
	384	if(sid_str != NULL)
	385	free(perms_str);
	386	if(sid_str != NULL)
	387	free(flags_str);
[53]	388	}
	389
	390	return ret_val;
	391	}
	392
	393
[134]	394	char* regfi_get_sacl(WINSEC_DESC *sec_desc)
[53]	395	{
	396	if (sec_desc->sacl)
[78]	397	return regfi_get_acl(sec_desc->sacl);
[53]	398	else
	399	return NULL;
	400	}
	401
	402
[134]	403	char* regfi_get_dacl(WINSEC_DESC *sec_desc)
[53]	404	{
	405	if (sec_desc->dacl)
[78]	406	return regfi_get_acl(sec_desc->dacl);
[53]	407	else
	408	return NULL;
	409	}
	410
	411
[134]	412	char* regfi_get_owner(WINSEC_DESC *sec_desc)
[53]	413	{
[78]	414	return regfi_sid2str(sec_desc->owner_sid);
[53]	415	}
	416
	417
[134]	418	char* regfi_get_group(WINSEC_DESC *sec_desc)
[53]	419	{
[78]	420	return regfi_sid2str(sec_desc->grp_sid);
[53]	421	}
	422
	423
[178]	424	off_t regfi_raw_seek(REGFI_RAW_FILE* self, off_t offset, int whence)
	425	{
	426	return lseek((int)self->state, offset, whence);
	427	}
	428
	429	ssize_t regfi_raw_read(REGFI_RAW_FILE* self, void* buf, size_t count)
	430	{
	431	return read((int)self->state, buf, count);
	432	}
	433
	434
[101]	435	/*****************************************************************************
[178]	436	* Convenience function to wrap up the ugly callback stuff
	437	*****************************************************************************/
	438	off_t regfi_seek(REGFI_RAW_FILE* file_cb, off_t offset, int whence)
	439	{
	440	return file_cb->seek(file_cb, offset, whence);
	441	}
	442
	443
	444	/*****************************************************************************
[101]	445	* This function is just like read(2), except that it continues to
	446	* re-try reading from the file descriptor if EINTR or EAGAIN is received.
[178]	447	* regfi_read will attempt to read length bytes from the file and write them to
	448	* buf.
[101]	449	*
	450	* On success, 0 is returned. Upon failure, an errno code is returned.
	451	*
	452	* The number of bytes successfully read is returned through the length
	453	* parameter by reference. If both the return value and length parameter are
	454	* returned as 0, then EOF was encountered immediately
	455	*****************************************************************************/
[178]	456	uint32_t regfi_read(REGFI_RAW_FILE* file_cb, uint8_t* buf, uint32_t* length)
[101]	457	{
[168]	458	uint32_t rsize = 0;
	459	uint32_t rret = 0;
[101]	460
	461	do
	462	{
[178]	463	rret = file_cb->read(file_cb, buf + rsize, *length - rsize);
[101]	464	if(rret > 0)
	465	rsize += rret;
	466	}while(*length - rsize > 0
	467	&& (rret > 0 \|\| (rret == -1 && (errno == EAGAIN \|\| errno == EINTR))));
	468
	469	*length = rsize;
	470	if (rret == -1 && errno != EINTR && errno != EAGAIN)
	471	return errno;
	472
	473	return 0;
	474	}
	475
	476
	477	/*****************************************************************************
	478	*
	479	*****************************************************************************/
[178]	480	bool regfi_parse_cell(REGFI_RAW_FILE* file_cb, uint32_t offset, uint8_t* hdr,
	481	uint32_t hdr_len, uint32_t* cell_length, bool* unalloc)
[101]	482	{
[168]	483	uint32_t length;
	484	int32_t raw_length;
	485	uint8_t tmp[4];
[101]	486
[178]	487	if(regfi_seek(file_cb, offset, SEEK_SET) == -1)
[101]	488	return false;
	489
	490	length = 4;
[178]	491	if((regfi_read(file_cb, tmp, &length) != 0) \|\| length != 4)
[101]	492	return false;
	493	raw_length = IVALS(tmp, 0);
	494
	495	if(raw_length < 0)
	496	{
	497	(cell_length) = raw_length(-1);
	498	(*unalloc) = false;
	499	}
	500	else
	501	{
	502	(*cell_length) = raw_length;
	503	(*unalloc) = true;
	504	}
	505
[103]	506	if(*cell_length - 4 < hdr_len)
	507	return false;
	508
	509	if(hdr_len > 0)
	510	{
	511	length = hdr_len;
[178]	512	if((regfi_read(file_cb, hdr, &length) != 0) \|\| length != hdr_len)
[103]	513	return false;
	514	}
	515
[101]	516	return true;
	517	}
	518
	519
[157]	520	/******************************************************************************
[106]	521	* Given an offset and an hbin, is the offset within that hbin?
	522	* The offset is a virtual file offset.
[157]	523	******************************************************************************/
[168]	524	static bool regfi_offset_in_hbin(const REGFI_HBIN* hbin, uint32_t voffset)
[30]	525	{
[106]	526	if(!hbin)
[31]	527	return false;
[106]	528
[145]	529	if((voffset > hbin->first_hbin_off)
	530	&& (voffset < (hbin->first_hbin_off + hbin->block_size)))
[31]	531	return true;
[30]	532
[31]	533	return false;
[30]	534	}
	535
	536
[106]	537
[157]	538	/******************************************************************************
	539	* Provide a physical offset and receive the correpsonding HBIN
[106]	540	* block for it. NULL if one doesn't exist.
[157]	541	******************************************************************************/
[168]	542	const REGFI_HBIN* regfi_lookup_hbin(REGFI_FILE* file, uint32_t offset)
[30]	543	{
[157]	544	return (const REGFI_HBIN*)range_list_find_data(file->hbins, offset);
[30]	545	}
	546
	547
[157]	548	/******************************************************************************
	549	* Calculate the largest possible cell size given a physical offset.
	550	* Largest size is based on the HBIN the offset is currently a member of.
	551	* Returns negative values on error.
	552	* (Since cells can only be ~2^31 in size, this works out.)
	553	******************************************************************************/
[168]	554	int32_t regfi_calc_maxsize(REGFI_FILE* file, uint32_t offset)
[157]	555	{
	556	const REGFI_HBIN* hbin = regfi_lookup_hbin(file, offset);
	557	if(hbin == NULL)
	558	return -1;
[139]	559
[157]	560	return (hbin->block_size + hbin->file_off) - offset;
	561	}
	562
	563
[139]	564	/******************************************************************************
	565	******************************************************************************/
[168]	566	REGFI_SUBKEY_LIST* regfi_load_subkeylist(REGFI_FILE* file, uint32_t offset,
	567	uint32_t num_keys, uint32_t max_size,
[139]	568	bool strict)
[127]	569	{
[135]	570	REGFI_SUBKEY_LIST* ret_val;
[134]	571
[139]	572	ret_val = regfi_load_subkeylist_aux(file, offset, max_size, strict,
	573	REGFI_MAX_SUBKEY_DEPTH);
[143]	574	if(ret_val == NULL)
	575	{
	576	regfi_add_message(file, REGFI_MSG_WARN, "Failed to load subkey list at"
	577	" offset 0x%.8X.", offset);
	578	return NULL;
	579	}
[139]	580
	581	if(num_keys != ret_val->num_keys)
	582	{
	583	/* Not sure which should be authoritative, the number from the
	584	* NK record, or the number in the subkey list. Just emit a warning for
	585	* now if they don't match.
	586	*/
	587	regfi_add_message(file, REGFI_MSG_WARN, "Number of subkeys listed in parent"
	588	" (%d) did not match number found in subkey list/tree (%d)"
	589	" while parsing subkey list/tree at offset 0x%.8X.",
	590	num_keys, ret_val->num_keys, offset);
	591	}
	592
	593	return ret_val;
	594	}
	595
	596
	597	/******************************************************************************
	598	******************************************************************************/
[168]	599	REGFI_SUBKEY_LIST* regfi_load_subkeylist_aux(REGFI_FILE* file, uint32_t offset,
	600	uint32_t max_size, bool strict,
	601	uint8_t depth_left)
[139]	602	{
	603	REGFI_SUBKEY_LIST* ret_val;
	604	REGFI_SUBKEY_LIST** sublists;
[168]	605	uint32_t i, num_sublists, off;
	606	int32_t sublist_maxsize;
[139]	607
	608	if(depth_left == 0)
	609	{
	610	regfi_add_message(file, REGFI_MSG_WARN, "Maximum depth reached"
	611	" while parsing subkey list/tree at offset 0x%.8X.",
	612	offset);
[127]	613	return NULL;
[139]	614	}
[134]	615
[139]	616	ret_val = regfi_parse_subkeylist(file, offset, max_size, strict);
[134]	617	if(ret_val == NULL)
	618	return NULL;
[139]	619
	620	if(ret_val->recursive_type)
[127]	621	{
[139]	622	num_sublists = ret_val->num_children;
[150]	623	sublists = (REGFI_SUBKEY_LIST**)malloc(num_sublists
[139]	624	* sizeof(REGFI_SUBKEY_LIST*));
	625	for(i=0; i < num_sublists; i++)
[127]	626	{
[139]	627	off = ret_val->elements[i].offset + REGFI_REGF_SIZE;
[157]	628
	629	sublist_maxsize = regfi_calc_maxsize(file, off);
	630	if(sublist_maxsize < 0)
[139]	631	sublists[i] = NULL;
	632	else
[157]	633	sublists[i] = regfi_load_subkeylist_aux(file, off, sublist_maxsize,
	634	strict, depth_left-1);
[127]	635	}
[150]	636	talloc_free(ret_val);
[134]	637
[139]	638	return regfi_merge_subkeylists(num_sublists, sublists, strict);
[127]	639	}
[30]	640
[127]	641	return ret_val;
	642	}
	643
	644
[139]	645	/******************************************************************************
	646	******************************************************************************/
[168]	647	REGFI_SUBKEY_LIST* regfi_parse_subkeylist(REGFI_FILE* file, uint32_t offset,
	648	uint32_t max_size, bool strict)
[30]	649	{
[135]	650	REGFI_SUBKEY_LIST* ret_val;
[168]	651	uint32_t i, cell_length, length, elem_size, read_len;
	652	uint8_t* elements = NULL;
	653	uint8_t buf[REGFI_SUBKEY_LIST_MIN_LEN];
[104]	654	bool unalloc;
[139]	655	bool recursive_type;
[30]	656
[178]	657	if(!regfi_parse_cell(file->cb, offset, buf, REGFI_SUBKEY_LIST_MIN_LEN,
[104]	658	&cell_length, &unalloc))
[139]	659	{
	660	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while "
	661	"parsing subkey-list at offset 0x%.8X.", offset);
[104]	662	return NULL;
[139]	663	}
[30]	664
[116]	665	if(cell_length > max_size)
	666	{
[139]	667	regfi_add_message(file, REGFI_MSG_WARN, "Cell size longer than max_size"
	668	" while parsing subkey-list at offset 0x%.8X.", offset);
[116]	669	if(strict)
	670	return NULL;
	671	cell_length = max_size & 0xFFFFFFF8;
	672	}
[30]	673
[139]	674	recursive_type = false;
[127]	675	if(buf[0] == 'r' && buf[1] == 'i')
[104]	676	{
[139]	677	recursive_type = true;
[168]	678	elem_size = sizeof(uint32_t);
[104]	679	}
[139]	680	else if(buf[0] == 'l' && buf[1] == 'i')
[168]	681	elem_size = sizeof(uint32_t);
[134]	682	else if((buf[0] == 'l') && (buf[1] == 'f' \|\| buf[1] == 'h'))
[135]	683	elem_size = sizeof(REGFI_SUBKEY_LIST_ELEM);
[134]	684	else
	685	{
[139]	686	regfi_add_message(file, REGFI_MSG_ERROR, "Unknown magic number"
	687	" (0x%.2X, 0x%.2X) encountered while parsing"
	688	" subkey-list at offset 0x%.8X.", buf[0], buf[1], offset);
[134]	689	return NULL;
	690	}
	691
[150]	692	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[127]	693	if(ret_val == NULL)
	694	return NULL;
	695
	696	ret_val->offset = offset;
	697	ret_val->cell_size = cell_length;
[104]	698	ret_val->magic[0] = buf[0];
	699	ret_val->magic[1] = buf[1];
[139]	700	ret_val->recursive_type = recursive_type;
	701	ret_val->num_children = SVAL(buf, 0x2);
[101]	702
[139]	703	if(!recursive_type)
	704	ret_val->num_keys = ret_val->num_children;
[101]	705
[139]	706	length = elem_size*ret_val->num_children;
[168]	707	if(cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t) < length)
[134]	708	{
[139]	709	regfi_add_message(file, REGFI_MSG_WARN, "Number of elements too large for"
	710	" cell while parsing subkey-list at offset 0x%.8X.",
	711	offset);
	712	if(strict)
[150]	713	goto fail;
[168]	714	length = cell_length - REGFI_SUBKEY_LIST_MIN_LEN - sizeof(uint32_t);
[134]	715	}
[30]	716
[150]	717	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	718	ret_val->num_children);
[127]	719	if(ret_val->elements == NULL)
[150]	720	goto fail;
[30]	721
[168]	722	elements = (uint8_t*)malloc(length);
[139]	723	if(elements == NULL)
[150]	724	goto fail;
[30]	725
[150]	726	read_len = length;
[178]	727	if(regfi_read(file->cb, elements, &read_len) != 0 \|\| read_len!=length)
[150]	728	goto fail;
[30]	729
[168]	730	if(elem_size == sizeof(uint32_t))
[104]	731	{
[139]	732	for (i=0; i < ret_val->num_children; i++)
[134]	733	{
[139]	734	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
[134]	735	ret_val->elements[i].hash = 0;
	736	}
[104]	737	}
[134]	738	else
	739	{
[139]	740	for (i=0; i < ret_val->num_children; i++)
[134]	741	{
[139]	742	ret_val->elements[i].offset = IVAL(elements, i*elem_size);
	743	ret_val->elements[i].hash = IVAL(elements, i*elem_size+4);
[134]	744	}
	745	}
[139]	746	free(elements);
[30]	747
[104]	748	return ret_val;
[150]	749
	750	fail:
	751	if(elements != NULL)
	752	free(elements);
	753	talloc_free(ret_val);
	754	return NULL;
[30]	755	}
	756
	757
[139]	758	/*******************************************************************
	759	*******************************************************************/
[168]	760	REGFI_SUBKEY_LIST* regfi_merge_subkeylists(uint16_t num_lists,
[139]	761	REGFI_SUBKEY_LIST** lists,
	762	bool strict)
	763	{
[168]	764	uint32_t i,j,k;
[139]	765	REGFI_SUBKEY_LIST* ret_val;
[102]	766
[139]	767	if(lists == NULL)
	768	return NULL;
[150]	769	ret_val = talloc(NULL, REGFI_SUBKEY_LIST);
[139]	770
	771	if(ret_val == NULL)
	772	return NULL;
	773
	774	/* Obtain total number of elements */
	775	ret_val->num_keys = 0;
	776	for(i=0; i < num_lists; i++)
	777	{
	778	if(lists[i] != NULL)
	779	ret_val->num_keys += lists[i]->num_children;
	780	}
	781	ret_val->num_children = ret_val->num_keys;
	782
	783	if(ret_val->num_keys > 0)
	784	{
[150]	785	ret_val->elements = talloc_array(ret_val, REGFI_SUBKEY_LIST_ELEM,
	786	ret_val->num_keys);
[139]	787	k=0;
	788
	789	if(ret_val->elements != NULL)
	790	{
	791	for(i=0; i < num_lists; i++)
	792	{
	793	if(lists[i] != NULL)
	794	{
	795	for(j=0; j < lists[i]->num_keys; j++)
	796	{
[150]	797	ret_val->elements[k].hash = lists[i]->elements[j].hash;
	798	ret_val->elements[k++].offset = lists[i]->elements[j].offset;
[139]	799	}
	800	}
	801	}
	802	}
	803	}
	804
	805	for(i=0; i < num_lists; i++)
	806	regfi_subkeylist_free(lists[i]);
	807	free(lists);
	808
	809	return ret_val;
	810	}
	811
	812
[147]	813	/******************************************************************************
	814	*
	815	******************************************************************************/
[168]	816	REGFI_SK_REC* regfi_parse_sk(REGFI_FILE* file, uint32_t offset, uint32_t max_size,
[147]	817	bool strict)
[30]	818	{
[135]	819	REGFI_SK_REC* ret_val;
[168]	820	uint8_t* sec_desc_buf = NULL;
	821	uint32_t cell_length, length;
	822	uint8_t sk_header[REGFI_SK_MIN_LENGTH];
[102]	823	bool unalloc = false;
[30]	824
[178]	825	if(!regfi_parse_cell(file->cb, offset, sk_header, REGFI_SK_MIN_LENGTH,
[102]	826	&cell_length, &unalloc))
[137]	827	{
[138]	828	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse SK record cell"
[137]	829	" at offset 0x%.8X.", offset);
[102]	830	return NULL;
[137]	831	}
[102]	832
	833	if(sk_header[0] != 's' \|\| sk_header[1] != 'k')
[137]	834	{
[138]	835	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	836	" SK record at offset 0x%.8X.", offset);
[102]	837	return NULL;
[137]	838	}
	839
[147]	840	ret_val = talloc(NULL, REGFI_SK_REC);
[102]	841	if(ret_val == NULL)
	842	return NULL;
[30]	843
[102]	844	ret_val->offset = offset;
[116]	845	/* XXX: Is there a way to be more conservative (shorter) with
	846	* cell length when cell is unallocated?
[111]	847	*/
[102]	848	ret_val->cell_size = cell_length;
[30]	849
[102]	850	if(ret_val->cell_size > max_size)
	851	ret_val->cell_size = max_size & 0xFFFFFFF8;
	852	if((ret_val->cell_size < REGFI_SK_MIN_LENGTH)
[157]	853	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[102]	854	{
[138]	855	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size found while"
	856	" parsing SK record at offset 0x%.8X.", offset);
[147]	857	goto fail;
[102]	858	}
[30]	859
[102]	860	ret_val->magic[0] = sk_header[0];
	861	ret_val->magic[1] = sk_header[1];
[30]	862
[102]	863	ret_val->unknown_tag = SVAL(sk_header, 0x2);
	864	ret_val->prev_sk_off = IVAL(sk_header, 0x4);
	865	ret_val->next_sk_off = IVAL(sk_header, 0x8);
	866	ret_val->ref_count = IVAL(sk_header, 0xC);
	867	ret_val->desc_size = IVAL(sk_header, 0x10);
[30]	868
[157]	869	if((ret_val->prev_sk_off & 0x00000007) != 0
	870	\|\| (ret_val->next_sk_off & 0x00000007) != 0)
[140]	871	{
	872	regfi_add_message(file, REGFI_MSG_WARN, "SK record's next/previous offsets"
	873	" are not a multiple of 8 while parsing SK record at"
	874	" offset 0x%.8X.", offset);
[147]	875	goto fail;
[140]	876	}
	877
[102]	878	if(ret_val->desc_size + REGFI_SK_MIN_LENGTH > ret_val->cell_size)
	879	{
[140]	880	regfi_add_message(file, REGFI_MSG_WARN, "Security descriptor too large for"
[138]	881	" cell while parsing SK record at offset 0x%.8X.",
	882	offset);
[147]	883	goto fail;
[102]	884	}
[30]	885
[168]	886	sec_desc_buf = (uint8_t*)malloc(ret_val->desc_size);
[147]	887	if(sec_desc_buf == NULL)
	888	goto fail;
[102]	889
[134]	890	length = ret_val->desc_size;
[178]	891	if(regfi_read(file->cb, sec_desc_buf, &length) != 0
[134]	892	\|\| length != ret_val->desc_size)
	893	{
[138]	894	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read security"
	895	" descriptor while parsing SK record at offset 0x%.8X.",
	896	offset);
[147]	897	goto fail;
[134]	898	}
[102]	899
[147]	900	if(!(ret_val->sec_desc = winsec_parse_desc(ret_val, sec_desc_buf,
	901	ret_val->desc_size)))
[134]	902	{
[138]	903	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to parse security"
	904	" descriptor while parsing SK record at offset 0x%.8X.",
	905	offset);
[147]	906	goto fail;
[134]	907	}
[147]	908
[134]	909	free(sec_desc_buf);
[147]	910	return ret_val;
[134]	911
[147]	912	fail:
	913	if(sec_desc_buf != NULL)
	914	free(sec_desc_buf);
	915	talloc_free(ret_val);
	916	return NULL;
[30]	917	}
	918
	919
[168]	920	REGFI_VALUE_LIST* regfi_parse_valuelist(REGFI_FILE* file, uint32_t offset,
	921	uint32_t num_values, bool strict)
[111]	922	{
[145]	923	REGFI_VALUE_LIST* ret_val;
[168]	924	uint32_t i, cell_length, length, read_len;
[111]	925	bool unalloc;
[30]	926
[178]	927	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[137]	928	{
[138]	929	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read cell header"
[137]	930	" while parsing value list at offset 0x%.8X.", offset);
[111]	931	return NULL;
[137]	932	}
[111]	933
[157]	934	if((cell_length & 0x00000007) != 0)
[111]	935	{
[145]	936	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not a multiple of 8"
	937	" while parsing value list at offset 0x%.8X.", offset);
[111]	938	if(strict)
	939	return NULL;
	940	cell_length = cell_length & 0xFFFFFFF8;
	941	}
[145]	942
[168]	943	if((num_values * sizeof(uint32_t)) > cell_length-sizeof(uint32_t))
[137]	944	{
[140]	945	regfi_add_message(file, REGFI_MSG_WARN, "Too many values found"
[137]	946	" while parsing value list at offset 0x%.8X.", offset);
[145]	947	if(strict)
	948	return NULL;
[168]	949	num_values = cell_length/sizeof(uint32_t) - sizeof(uint32_t);
[137]	950	}
[111]	951
[168]	952	read_len = num_values*sizeof(uint32_t);
[150]	953	ret_val = talloc(NULL, REGFI_VALUE_LIST);
[111]	954	if(ret_val == NULL)
	955	return NULL;
	956
[150]	957	ret_val->elements = (REGFI_VALUE_LIST_ELEM*)talloc_size(ret_val, read_len);
[145]	958	if(ret_val->elements == NULL)
	959	{
[150]	960	talloc_free(ret_val);
[145]	961	return NULL;
	962	}
	963	ret_val->num_values = num_values;
	964
[111]	965	length = read_len;
[178]	966	if((regfi_read(file->cb, (uint8_t*)ret_val->elements, &length) != 0)
[145]	967	\|\| length != read_len)
[111]	968	{
[138]	969	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read value pointers"
[137]	970	" while parsing value list at offset 0x%.8X.", offset);
[150]	971	talloc_free(ret_val);
[111]	972	return NULL;
	973	}
	974
	975	for(i=0; i < num_values; i++)
	976	{
	977	/* Fix endianness */
[145]	978	ret_val->elements[i] = IVAL(&ret_val->elements[i], 0);
[111]	979
	980	/* Validate the first num_values values to ensure they make sense */
	981	if(strict)
	982	{
[145]	983	/* XXX: Need to revisit this file length check when we start dealing
	984	* with partial files. */
	985	if((ret_val->elements[i] + REGFI_REGF_SIZE > file->file_length)
[157]	986	\|\| ((ret_val->elements[i] & 0x00000007) != 0))
[111]	987	{
[145]	988	regfi_add_message(file, REGFI_MSG_WARN, "Invalid value pointer"
[138]	989	" (0x%.8X) found while parsing value list at offset"
[145]	990	" 0x%.8X.", ret_val->elements[i], offset);
[150]	991	talloc_free(ret_val);
[111]	992	return NULL;
	993	}
	994	}
	995	}
	996
	997	return ret_val;
	998	}
	999
	1000
[172]	1001	void regfi_interpret_valuename(REGFI_FILE* file, REGFI_VK_REC* vk,
[162]	1002	REGFI_ENCODING output_encoding, bool strict)
[30]	1003	{
[165]	1004	/* XXX: Registry value names are supposedly limited to 16383 characters
	1005	* according to:
	1006	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1007	* Might want to emit a warning if this is exceeded.
	1008	* It is expected that "characters" could be variable width.
	1009	* Also, it may be useful to use this information to limit false positives
	1010	* when recovering deleted VK records.
	1011	*/
[172]	1012	int32_t tmp_size;
	1013	REGFI_ENCODING from_encoding = (vk->flags & REGFI_VK_FLAG_ASCIINAME)
[162]	1014	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[151]	1015
[162]	1016	if(from_encoding == output_encoding)
	1017	{
[172]	1018	vk->valuename_raw = talloc_realloc(vk, vk->valuename_raw,
	1019	uint8_t, vk->name_length+1);
	1020	vk->valuename_raw[vk->name_length] = '\0';
	1021	vk->valuename = (char*)vk->valuename_raw;
[162]	1022	}
	1023	else
	1024	{
[172]	1025	vk->valuename = talloc_array(vk, char, vk->name_length+1);
	1026	if(vk->valuename == NULL)
[162]	1027	{
[172]	1028	regfi_free_value(vk);
	1029	return;
[162]	1030	}
	1031
	1032	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1033	regfi_encoding_int2str(output_encoding),
[172]	1034	vk->valuename_raw, vk->valuename,
	1035	vk->name_length, vk->name_length+1);
[162]	1036	if(tmp_size < 0)
	1037	{
	1038	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1039	" valuename to encoding %s. Error message: %s",
	1040	regfi_encoding_int2str(output_encoding),
	1041	strerror(-tmp_size));
[172]	1042	talloc_free(vk->valuename);
	1043	vk->valuename = NULL;
[162]	1044	}
	1045	}
[172]	1046	}
[162]	1047
[172]	1048
	1049	/******************************************************************************
	1050	******************************************************************************/
	1051	REGFI_VK_REC* regfi_load_value(REGFI_FILE* file, uint32_t offset,
	1052	REGFI_ENCODING output_encoding, bool strict)
	1053	{
	1054	REGFI_VK_REC* ret_val = NULL;
	1055	int32_t max_size;
	1056
	1057	max_size = regfi_calc_maxsize(file, offset);
	1058	if(max_size < 0)
	1059	return NULL;
	1060
	1061	ret_val = regfi_parse_vk(file, offset, max_size, strict);
	1062	if(ret_val == NULL)
	1063	return NULL;
	1064
	1065	regfi_interpret_valuename(file, ret_val, output_encoding, strict);
	1066
[103]	1067	return ret_val;
[30]	1068	}
	1069
	1070
[145]	1071	/******************************************************************************
	1072	* If !strict, the list may contain NULLs, VK records may point to NULL.
	1073	******************************************************************************/
[168]	1074	REGFI_VALUE_LIST* regfi_load_valuelist(REGFI_FILE* file, uint32_t offset,
	1075	uint32_t num_values, uint32_t max_size,
[145]	1076	bool strict)
	1077	{
[168]	1078	uint32_t usable_num_values;
[30]	1079
[168]	1080	if((num_values+1) * sizeof(uint32_t) > max_size)
[145]	1081	{
	1082	regfi_add_message(file, REGFI_MSG_WARN, "Number of values indicated by"
	1083	" parent key (%d) would cause cell to straddle HBIN"
	1084	" boundary while loading value list at offset"
	1085	" 0x%.8X.", num_values, offset);
	1086	if(strict)
	1087	return NULL;
[168]	1088	usable_num_values = max_size/sizeof(uint32_t) - sizeof(uint32_t);
[145]	1089	}
	1090	else
	1091	usable_num_values = num_values;
	1092
	1093	return regfi_parse_valuelist(file, offset, usable_num_values, strict);
	1094	}
	1095
	1096
[172]	1097	void regfi_interpret_keyname(REGFI_FILE* file, REGFI_NK_REC* nk,
[161]	1098	REGFI_ENCODING output_encoding, bool strict)
[30]	1099	{
[165]	1100	/* XXX: Registry key names are supposedly limited to 255 characters according to:
	1101	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
	1102	* Might want to emit a warning if this is exceeded.
	1103	* It is expected that "characters" could be variable width.
	1104	* Also, it may be useful to use this information to limit false positives
	1105	* when recovering deleted NK records.
	1106	*/
[172]	1107	int32_t tmp_size;
	1108	REGFI_ENCODING from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
[161]	1109	? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
[172]	1110
[161]	1111	if(from_encoding == output_encoding)
	1112	{
[168]	1113	nk->keyname_raw = talloc_realloc(nk, nk->keyname_raw, uint8_t, nk->name_length+1);
[161]	1114	nk->keyname_raw[nk->name_length] = '\0';
	1115	nk->keyname = (char*)nk->keyname_raw;
	1116	}
	1117	else
	1118	{
	1119	nk->keyname = talloc_array(nk, char, nk->name_length+1);
	1120	if(nk->keyname == NULL)
	1121	{
	1122	regfi_free_key(nk);
[172]	1123	return;
[161]	1124	}
	1125
	1126	tmp_size = regfi_conv_charset(regfi_encoding_int2str(from_encoding),
	1127	regfi_encoding_int2str(output_encoding),
	1128	nk->keyname_raw, nk->keyname,
	1129	nk->name_length, nk->name_length+1);
	1130	if(tmp_size < 0)
	1131	{
	1132	regfi_add_message(file, REGFI_MSG_WARN, "Error occurred while converting"
	1133	" keyname to encoding %s. Error message: %s",
	1134	regfi_encoding_int2str(output_encoding),
	1135	strerror(-tmp_size));
	1136	talloc_free(nk->keyname);
	1137	nk->keyname = NULL;
	1138	}
	1139	}
[172]	1140	}
[161]	1141
	1142
[172]	1143	/******************************************************************************
	1144	*
	1145	******************************************************************************/
	1146	REGFI_NK_REC* regfi_load_key(REGFI_FILE* file, uint32_t offset,
	1147	REGFI_ENCODING output_encoding, bool strict)
	1148	{
	1149	REGFI_NK_REC* nk;
	1150	uint32_t off;
	1151	int32_t max_size;
	1152
	1153	max_size = regfi_calc_maxsize(file, offset);
	1154	if (max_size < 0)
	1155	return NULL;
	1156
	1157	/* get the initial nk record */
	1158	if((nk = regfi_parse_nk(file, offset, max_size, true)) == NULL)
	1159	{
	1160	regfi_add_message(file, REGFI_MSG_ERROR, "Could not load NK record at"
	1161	" offset 0x%.8X.", offset);
	1162	return NULL;
	1163	}
	1164
	1165	regfi_interpret_keyname(file, nk, output_encoding, strict);
	1166
[146]	1167	/* get value list */
[135]	1168	if(nk->num_values && (nk->values_off!=REGFI_OFFSET_NONE))
[32]	1169	{
[157]	1170	off = nk->values_off + REGFI_REGF_SIZE;
	1171	max_size = regfi_calc_maxsize(file, off);
	1172	if(max_size < 0)
[32]	1173	{
[105]	1174	if(strict)
[32]	1175	{
[150]	1176	regfi_free_key(nk);
[99]	1177	return NULL;
[31]	1178	}
[105]	1179	else
	1180	nk->values = NULL;
[133]	1181
[31]	1182	}
[105]	1183	else
[103]	1184	{
[157]	1185	nk->values = regfi_load_valuelist(file, off, nk->num_values,
	1186	max_size, true);
[145]	1187	if(nk->values == NULL)
[105]	1188	{
[145]	1189	regfi_add_message(file, REGFI_MSG_WARN, "Could not load value list"
	1190	" for NK record at offset 0x%.8X.", offset);
	1191	if(strict)
	1192	{
[150]	1193	regfi_free_key(nk);
[145]	1194	return NULL;
	1195	}
[105]	1196	}
[150]	1197	talloc_steal(nk, nk->values);
[103]	1198	}
[31]	1199	}
[105]	1200
[146]	1201	/* now get subkey list */
[135]	1202	if(nk->num_subkeys && (nk->subkeys_off != REGFI_OFFSET_NONE))
[32]	1203	{
[157]	1204	off = nk->subkeys_off + REGFI_REGF_SIZE;
	1205	max_size = regfi_calc_maxsize(file, off);
	1206	if(max_size < 0)
[32]	1207	{
[105]	1208	if(strict)
[32]	1209	{
[150]	1210	regfi_free_key(nk);
[99]	1211	return NULL;
[31]	1212	}
[105]	1213	else
	1214	nk->subkeys = NULL;
[31]	1215	}
[105]	1216	else
[104]	1217	{
[134]	1218	nk->subkeys = regfi_load_subkeylist(file, off, nk->num_subkeys,
[157]	1219	max_size, true);
[134]	1220
[105]	1221	if(nk->subkeys == NULL)
	1222	{
[140]	1223	regfi_add_message(file, REGFI_MSG_WARN, "Could not load subkey list"
	1224	" while parsing NK record at offset 0x%.8X.", offset);
[105]	1225	nk->num_subkeys = 0;
	1226	}
[150]	1227	talloc_steal(nk, nk->subkeys);
[104]	1228	}
[31]	1229	}
[30]	1230
[99]	1231	return nk;
[30]	1232	}
	1233
[32]	1234
[102]	1235	/******************************************************************************
	1236	******************************************************************************/
[168]	1237	const REGFI_SK_REC* regfi_load_sk(REGFI_FILE* file, uint32_t offset, bool strict)
[146]	1238	{
	1239	REGFI_SK_REC* ret_val = NULL;
[168]	1240	int32_t max_size;
[147]	1241	void* failure_ptr = NULL;
	1242
[146]	1243	/* First look if we have already parsed it */
	1244	ret_val = (REGFI_SK_REC*)lru_cache_find(file->sk_cache, &offset, 4);
	1245
	1246	/* Bail out if we have previously cached a parse failure at this offset. */
	1247	if(ret_val == (void*)REGFI_OFFSET_NONE)
	1248	return NULL;
	1249
	1250	if(ret_val == NULL)
	1251	{
[157]	1252	max_size = regfi_calc_maxsize(file, offset);
	1253	if(max_size < 0)
[146]	1254	return NULL;
	1255
[157]	1256	ret_val = regfi_parse_sk(file, offset, max_size, strict);
[146]	1257	if(ret_val == NULL)
	1258	{ /* Cache the parse failure and bail out. */
[147]	1259	failure_ptr = talloc(NULL, uint32_t);
	1260	if(failure_ptr == NULL)
	1261	return NULL;
	1262	(uint32_t)failure_ptr = REGFI_OFFSET_NONE;
	1263	lru_cache_update(file->sk_cache, &offset, 4, failure_ptr);
[146]	1264	return NULL;
	1265	}
	1266
	1267	lru_cache_update(file->sk_cache, &offset, 4, ret_val);
	1268	}
	1269
	1270	return ret_val;
	1271	}
	1272
	1273
	1274
	1275	/******************************************************************************
	1276	******************************************************************************/
[161]	1277	REGFI_NK_REC* regfi_find_root_nk(REGFI_FILE* file, const REGFI_HBIN* hbin,
	1278	REGFI_ENCODING output_encoding)
[30]	1279	{
[135]	1280	REGFI_NK_REC* nk = NULL;
[168]	1281	uint32_t cell_length;
	1282	uint32_t cur_offset = hbin->file_off+REGFI_HBIN_HEADER_SIZE;
	1283	uint32_t hbin_end = hbin->file_off+hbin->block_size;
[158]	1284	bool unalloc;
[30]	1285
[158]	1286	while(cur_offset < hbin_end)
[32]	1287	{
[178]	1288	if(!regfi_parse_cell(file->cb, cur_offset, NULL, 0, &cell_length, &unalloc))
[158]	1289	{
	1290	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell at offset"
	1291	" 0x%.8X while searching for root key.", cur_offset);
	1292	return NULL;
	1293	}
[102]	1294
[158]	1295	if(!unalloc)
[102]	1296	{
[161]	1297	nk = regfi_load_key(file, cur_offset, output_encoding, true);
[102]	1298	if(nk != NULL)
	1299	{
[161]	1300	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1301	return nk;
[102]	1302	}
[31]	1303	}
[30]	1304
[158]	1305	cur_offset += cell_length;
[31]	1306	}
[32]	1307
[158]	1308	return NULL;
[30]	1309	}
	1310
	1311
[178]	1312
[166]	1313	/******************************************************************************
	1314	******************************************************************************/
[178]	1315	REGFI_FILE* regfi_alloc(int fd)
[30]	1316	{
[166]	1317	REGFI_FILE* ret_val;
[178]	1318	REGFI_RAW_FILE* file_cb = talloc(NULL, REGFI_RAW_FILE);
	1319	if(file_cb == NULL)
[31]	1320	return NULL;
[166]	1321
[178]	1322	file_cb->state = (void*)talloc(file_cb, int);
	1323	if(file_cb->state == NULL)
	1324	goto fail;
	1325	(int)file_cb->state = fd;
	1326
	1327	file_cb->cur_off = 0;
	1328	file_cb->size = 0;
	1329	file_cb->read = &regfi_raw_read;
	1330	file_cb->seek = &regfi_raw_seek;
	1331
	1332	ret_val = regfi_alloc_cb(file_cb);
[166]	1333	if(ret_val == NULL)
[178]	1334	goto fail;
[166]	1335
[178]	1336	/* In this case, we want file_cb to be freed when ret_val is */
	1337	talloc_steal(ret_val, file_cb);
[166]	1338	return ret_val;
[178]	1339
	1340	fail:
	1341	talloc_free(file_cb);
	1342	return NULL;
[166]	1343	}
	1344
	1345
[178]	1346
	1347	REGFI_FILE* regfi_alloc_cb(REGFI_RAW_FILE* file_cb)
[166]	1348	{
	1349	REGFI_FILE* rb;
	1350	REGFI_HBIN* hbin = NULL;
[178]	1351	uint32_t hbin_off, cache_secret;
	1352	int32_t file_length;
[166]	1353	bool rla;
	1354
[178]	1355	/* Determine file length. Must be at least big enough for the header
	1356	* and one hbin.
[137]	1357	*/
[178]	1358	file_length = file_cb->seek(file_cb, 0, SEEK_END);
[137]	1359	if(file_length < REGFI_REGF_SIZE+REGFI_HBIN_ALLOC)
	1360	return NULL;
[178]	1361	file_cb->seek(file_cb, 0, SEEK_SET);
[137]	1362
[166]	1363	/* Read file header */
[178]	1364	if ((rb = regfi_parse_regf(file_cb, true)) == NULL)
[97]	1365	{
[178]	1366	/* fprintf(stderr, "regfi_alloc_cb: Failed to read initial REGF block\n");*/
[31]	1367	return NULL;
	1368	}
[137]	1369	rb->file_length = file_length;
[178]	1370	rb->cb = file_cb;
[137]	1371
[99]	1372	rb->hbins = range_list_new();
[110]	1373	if(rb->hbins == NULL)
[99]	1374	{
[178]	1375	/* fprintf(stderr, "regfi_alloc_cb: Failed to create HBIN list.\n"); */
[150]	1376	talloc_free(rb);
[99]	1377	return NULL;
	1378	}
[150]	1379	talloc_steal(rb, rb->hbins);
	1380
[106]	1381	rla = true;
[135]	1382	hbin_off = REGFI_REGF_SIZE;
[110]	1383	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1384	while(hbin && rla)
	1385	{
[137]	1386	rla = range_list_add(rb->hbins, hbin->file_off, hbin->block_size, hbin);
[148]	1387	if(rla)
	1388	talloc_steal(rb->hbins, hbin);
[106]	1389	hbin_off = hbin->file_off + hbin->block_size;
[110]	1390	hbin = regfi_parse_hbin(rb, hbin_off, true);
[106]	1391	}
	1392
[146]	1393	/* This secret isn't very secret, but we don't need a good one. This
	1394	* secret is just designed to prevent someone from trying to blow our
	1395	* caching and make things slow.
	1396	*/
	1397	cache_secret = 0x15DEAD05^time(NULL)^(getpid()<<16);
	1398
	1399	/* Cache an unlimited number of SK records. Typically there are very few. */
[150]	1400	rb->sk_cache = lru_cache_create_ctx(rb, 0, cache_secret, true);
[146]	1401
[138]	1402	/* Default message mask */
	1403	rb->msg_mask = REGFI_MSG_ERROR\|REGFI_MSG_WARN;
	1404
[31]	1405	/* success */
	1406	return rb;
[30]	1407	}
	1408
	1409
[148]	1410	/******************************************************************************
	1411	******************************************************************************/
[166]	1412	void regfi_free(REGFI_FILE *file)
	1413	{
	1414	if(file->last_message != NULL)
[167]	1415	free(file->last_message);
[166]	1416
[150]	1417	talloc_free(file);
[30]	1418	}
	1419
	1420
[80]	1421	/******************************************************************************
[158]	1422	* First checks the offset given by the file header, then checks the
	1423	* rest of the file if that fails.
[148]	1424	******************************************************************************/
[161]	1425	REGFI_NK_REC* regfi_rootkey(REGFI_FILE* file, REGFI_ENCODING output_encoding)
[30]	1426	{
[135]	1427	REGFI_NK_REC* nk = NULL;
[146]	1428	REGFI_HBIN* hbin;
[168]	1429	uint32_t root_offset, i, num_hbins;
[99]	1430
	1431	if(!file)
[31]	1432	return NULL;
[99]	1433
[158]	1434	root_offset = file->root_cell+REGFI_REGF_SIZE;
[161]	1435	nk = regfi_load_key(file, root_offset, output_encoding, true);
[158]	1436	if(nk != NULL)
	1437	{
[161]	1438	if(nk->flags & REGFI_NK_FLAG_ROOT)
[158]	1439	return nk;
	1440	}
	1441
	1442	regfi_add_message(file, REGFI_MSG_WARN, "File header indicated root key at"
	1443	" location 0x%.8X, but no root key found."
	1444	" Searching rest of file...", root_offset);
	1445
	1446	/* If the file header gives bad info, scan through the file one HBIN
	1447	* block at a time looking for an NK record with a root key type.
[146]	1448	*/
[107]	1449	num_hbins = range_list_size(file->hbins);
[158]	1450	for(i=0; i < num_hbins && nk == NULL; i++)
[99]	1451	{
[135]	1452	hbin = (REGFI_HBIN*)range_list_get(file->hbins, i)->data;
[161]	1453	nk = regfi_find_root_nk(file, hbin, output_encoding);
[31]	1454	}
[30]	1455
[80]	1456	return nk;
[30]	1457	}
	1458
	1459
[80]	1460	/******************************************************************************
	1461	*****************************************************************************/
[150]	1462	void regfi_free_key(REGFI_NK_REC* nk)
[30]	1463	{
[127]	1464	regfi_subkeylist_free(nk->subkeys);
[150]	1465	talloc_free(nk);
	1466	}
[127]	1467
[80]	1468
[150]	1469	/******************************************************************************
	1470	*****************************************************************************/
	1471	void regfi_free_value(REGFI_VK_REC* vk)
	1472	{
	1473	talloc_free(vk);
[80]	1474	}
	1475
	1476
	1477	/******************************************************************************
	1478	*****************************************************************************/
[135]	1479	void regfi_subkeylist_free(REGFI_SUBKEY_LIST* list)
[127]	1480	{
	1481	if(list != NULL)
	1482	{
[150]	1483	talloc_free(list);
[127]	1484	}
	1485	}
	1486
	1487
	1488	/******************************************************************************
	1489	*****************************************************************************/
[161]	1490	REGFI_ITERATOR* regfi_iterator_new(REGFI_FILE* file,
	1491	REGFI_ENCODING output_encoding)
[80]	1492	{
[135]	1493	REGFI_NK_REC* root;
[161]	1494	REGFI_ITERATOR* ret_val;
	1495
	1496	if(output_encoding != REGFI_ENCODING_UTF8
	1497	&& output_encoding != REGFI_ENCODING_ASCII)
	1498	{
	1499	regfi_add_message(file, REGFI_MSG_ERROR, "Invalid output_encoding supplied"
	1500	" in creation of regfi iterator.");
	1501	return NULL;
	1502	}
	1503
	1504	ret_val = talloc(NULL, REGFI_ITERATOR);
[80]	1505	if(ret_val == NULL)
	1506	return NULL;
	1507
[161]	1508	root = regfi_rootkey(file, output_encoding);
[80]	1509	if(root == NULL)
	1510	{
[150]	1511	talloc_free(ret_val);
[80]	1512	return NULL;
	1513	}
	1514
[135]	1515	ret_val->key_positions = void_stack_new(REGFI_MAX_DEPTH);
[80]	1516	if(ret_val->key_positions == NULL)
	1517	{
[150]	1518	talloc_free(ret_val);
[80]	1519	return NULL;
	1520	}
[150]	1521	talloc_steal(ret_val, ret_val->key_positions);
[80]	1522
[159]	1523	ret_val->f = file;
[80]	1524	ret_val->cur_key = root;
	1525	ret_val->cur_subkey = 0;
	1526	ret_val->cur_value = 0;
[161]	1527	ret_val->string_encoding = output_encoding;
	1528
[80]	1529	return ret_val;
	1530	}
	1531
	1532
	1533	/******************************************************************************
	1534	*****************************************************************************/
	1535	void regfi_iterator_free(REGFI_ITERATOR* i)
	1536	{
[150]	1537	talloc_free(i);
[80]	1538	}
	1539
	1540
	1541
	1542	/******************************************************************************
	1543	*****************************************************************************/
	1544	/* XXX: some way of indicating reason for failure should be added. */
	1545	bool regfi_iterator_down(REGFI_ITERATOR* i)
	1546	{
[135]	1547	REGFI_NK_REC* subkey;
[80]	1548	REGFI_ITER_POSITION* pos;
	1549
[150]	1550	pos = talloc(i->key_positions, REGFI_ITER_POSITION);
[80]	1551	if(pos == NULL)
	1552	return false;
	1553
[135]	1554	subkey = (REGFI_NK_REC*)regfi_iterator_cur_subkey(i);
[80]	1555	if(subkey == NULL)
	1556	{
[150]	1557	talloc_free(pos);
[80]	1558	return false;
	1559	}
	1560
	1561	pos->nk = i->cur_key;
	1562	pos->cur_subkey = i->cur_subkey;
	1563	if(!void_stack_push(i->key_positions, pos))
	1564	{
[150]	1565	talloc_free(pos);
	1566	regfi_free_key(subkey);
[80]	1567	return false;
	1568	}
[150]	1569	talloc_steal(i, subkey);
[80]	1570
	1571	i->cur_key = subkey;
	1572	i->cur_subkey = 0;
	1573	i->cur_value = 0;
	1574
	1575	return true;
	1576	}
	1577
	1578
	1579	/******************************************************************************
	1580	*****************************************************************************/
	1581	bool regfi_iterator_up(REGFI_ITERATOR* i)
	1582	{
	1583	REGFI_ITER_POSITION* pos;
	1584
	1585	pos = (REGFI_ITER_POSITION*)void_stack_pop(i->key_positions);
	1586	if(pos == NULL)
	1587	return false;
	1588
[150]	1589	regfi_free_key(i->cur_key);
[80]	1590	i->cur_key = pos->nk;
	1591	i->cur_subkey = pos->cur_subkey;
	1592	i->cur_value = 0;
[150]	1593	talloc_free(pos);
[80]	1594
	1595	return true;
	1596	}
	1597
	1598
	1599	/******************************************************************************
	1600	*****************************************************************************/
	1601	bool regfi_iterator_to_root(REGFI_ITERATOR* i)
	1602	{
	1603	while(regfi_iterator_up(i))
	1604	continue;
	1605
	1606	return true;
	1607	}
	1608
	1609
	1610	/******************************************************************************
	1611	*****************************************************************************/
	1612	bool regfi_iterator_find_subkey(REGFI_ITERATOR* i, const char* subkey_name)
	1613	{
[135]	1614	REGFI_NK_REC* subkey;
[80]	1615	bool found = false;
[168]	1616	uint32_t old_subkey = i->cur_subkey;
[133]	1617
[80]	1618	if(subkey_name == NULL)
	1619	return false;
	1620
	1621	/* XXX: this alloc/free of each sub key might be a bit excessive */
[135]	1622	subkey = (REGFI_NK_REC*)regfi_iterator_first_subkey(i);
[80]	1623	while((subkey != NULL) && (found == false))
	1624	{
	1625	if(subkey->keyname != NULL
	1626	&& strcasecmp(subkey->keyname, subkey_name) == 0)
	1627	found = true;
[82]	1628	else
	1629	{
[150]	1630	regfi_free_key(subkey);
[135]	1631	subkey = (REGFI_NK_REC*)regfi_iterator_next_subkey(i);
[82]	1632	}
[80]	1633	}
	1634
	1635	if(found == false)
	1636	{
	1637	i->cur_subkey = old_subkey;
	1638	return false;
	1639	}
	1640
[150]	1641	regfi_free_key(subkey);
[80]	1642	return true;
	1643	}
	1644
	1645
	1646	/******************************************************************************
	1647	*****************************************************************************/
	1648	bool regfi_iterator_walk_path(REGFI_ITERATOR* i, const char** path)
	1649	{
[168]	1650	uint32_t x;
[80]	1651	if(path == NULL)
	1652	return false;
	1653
	1654	for(x=0;
	1655	((path[x] != NULL) && regfi_iterator_find_subkey(i, path[x])
	1656	&& regfi_iterator_down(i));
	1657	x++)
	1658	{ continue; }
	1659
	1660	if(path[x] == NULL)
	1661	return true;
	1662
	1663	/* XXX: is this the right number of times? */
	1664	for(; x > 0; x--)
	1665	regfi_iterator_up(i);
	1666
	1667	return false;
	1668	}
	1669
	1670
	1671	/******************************************************************************
	1672	*****************************************************************************/
[135]	1673	const REGFI_NK_REC* regfi_iterator_cur_key(REGFI_ITERATOR* i)
[80]	1674	{
	1675	return i->cur_key;
	1676	}
	1677
	1678
	1679	/******************************************************************************
	1680	*****************************************************************************/
[135]	1681	const REGFI_SK_REC* regfi_iterator_cur_sk(REGFI_ITERATOR* i)
[109]	1682	{
[146]	1683	if(i->cur_key == NULL \|\| i->cur_key->sk_off == REGFI_OFFSET_NONE)
[109]	1684	return NULL;
	1685
[146]	1686	return regfi_load_sk(i->f, i->cur_key->sk_off + REGFI_REGF_SIZE, true);
[109]	1687	}
	1688
	1689
	1690	/******************************************************************************
	1691	*****************************************************************************/
[150]	1692	REGFI_NK_REC* regfi_iterator_first_subkey(REGFI_ITERATOR* i)
[80]	1693	{
	1694	i->cur_subkey = 0;
	1695	return regfi_iterator_cur_subkey(i);
	1696	}
	1697
	1698
	1699	/******************************************************************************
	1700	*****************************************************************************/
[150]	1701	REGFI_NK_REC* regfi_iterator_cur_subkey(REGFI_ITERATOR* i)
[80]	1702	{
[168]	1703	uint32_t nk_offset;
[80]	1704
[31]	1705	/* see if there is anything left to report */
[135]	1706	if (!(i->cur_key) \|\| (i->cur_key->subkeys_off==REGFI_OFFSET_NONE)
[80]	1707	\|\| (i->cur_subkey >= i->cur_key->num_subkeys))
[31]	1708	return NULL;
[30]	1709
[139]	1710	nk_offset = i->cur_key->subkeys->elements[i->cur_subkey].offset;
[133]	1711
[161]	1712	return regfi_load_key(i->f, nk_offset+REGFI_REGF_SIZE, i->string_encoding,
	1713	true);
[30]	1714	}
[80]	1715
	1716
	1717	/******************************************************************************
	1718	*****************************************************************************/
	1719	/* XXX: some way of indicating reason for failure should be added. */
[150]	1720	REGFI_NK_REC* regfi_iterator_next_subkey(REGFI_ITERATOR* i)
[80]	1721	{
[150]	1722	REGFI_NK_REC* subkey;
[80]	1723
	1724	i->cur_subkey++;
	1725	subkey = regfi_iterator_cur_subkey(i);
	1726
	1727	if(subkey == NULL)
	1728	i->cur_subkey--;
	1729
	1730	return subkey;
	1731	}
	1732
	1733
	1734	/******************************************************************************
	1735	*****************************************************************************/
	1736	bool regfi_iterator_find_value(REGFI_ITERATOR* i, const char* value_name)
	1737	{
[150]	1738	REGFI_VK_REC* cur;
[80]	1739	bool found = false;
[168]	1740	uint32_t old_value = i->cur_value;
[80]	1741
	1742	/* XXX: cur->valuename can be NULL in the registry.
	1743	* Should we allow for a way to search for that?
	1744	*/
	1745	if(value_name == NULL)
	1746	return false;
	1747
	1748	cur = regfi_iterator_first_value(i);
	1749	while((cur != NULL) && (found == false))
	1750	{
	1751	if((cur->valuename != NULL)
	1752	&& (strcasecmp(cur->valuename, value_name) == 0))
	1753	found = true;
[95]	1754	else
[150]	1755	{
	1756	regfi_free_value(cur);
[95]	1757	cur = regfi_iterator_next_value(i);
[150]	1758	}
[80]	1759	}
[167]	1760
	1761	if(found == false)
	1762	{
	1763	i->cur_value = old_value;
	1764	return false;
	1765	}
[80]	1766
[167]	1767	regfi_free_value(cur);
	1768	return true;
[80]	1769	}
	1770
	1771
	1772	/******************************************************************************
	1773	*****************************************************************************/
[150]	1774	REGFI_VK_REC* regfi_iterator_first_value(REGFI_ITERATOR* i)
[80]	1775	{
	1776	i->cur_value = 0;
	1777	return regfi_iterator_cur_value(i);
	1778	}
	1779
	1780
	1781	/******************************************************************************
	1782	*****************************************************************************/
[150]	1783	REGFI_VK_REC* regfi_iterator_cur_value(REGFI_ITERATOR* i)
[80]	1784	{
[150]	1785	REGFI_VK_REC* ret_val = NULL;
[168]	1786	uint32_t voffset;
[80]	1787
[145]	1788	if(i->cur_key->values != NULL && i->cur_key->values->elements != NULL)
	1789	{
	1790	if(i->cur_value < i->cur_key->values->num_values)
	1791	{
	1792	voffset = i->cur_key->values->elements[i->cur_value];
[162]	1793	ret_val = regfi_load_value(i->f, voffset+REGFI_REGF_SIZE,
	1794	i->string_encoding, true);
[145]	1795	}
	1796	}
	1797
[80]	1798	return ret_val;
	1799	}
	1800
	1801
	1802	/******************************************************************************
	1803	*****************************************************************************/
[150]	1804	REGFI_VK_REC* regfi_iterator_next_value(REGFI_ITERATOR* i)
[80]	1805	{
[150]	1806	REGFI_VK_REC* ret_val;
[80]	1807
	1808	i->cur_value++;
	1809	ret_val = regfi_iterator_cur_value(i);
	1810	if(ret_val == NULL)
	1811	i->cur_value--;
	1812
	1813	return ret_val;
	1814	}
[97]	1815
	1816
[159]	1817	/******************************************************************************
	1818	*****************************************************************************/
[160]	1819	REGFI_CLASSNAME* regfi_iterator_fetch_classname(REGFI_ITERATOR* i,
	1820	const REGFI_NK_REC* key)
	1821	{
	1822	REGFI_CLASSNAME* ret_val;
[168]	1823	uint8_t* raw;
[160]	1824	char* interpreted;
[168]	1825	uint32_t offset;
	1826	int32_t conv_size, max_size;
	1827	uint16_t parse_length;
[160]	1828
	1829	if(key->classname_off == REGFI_OFFSET_NONE \|\| key->classname_length == 0)
	1830	return NULL;
	1831
	1832	offset = key->classname_off + REGFI_REGF_SIZE;
	1833	max_size = regfi_calc_maxsize(i->f, offset);
	1834	if(max_size <= 0)
	1835	return NULL;
	1836
	1837	parse_length = key->classname_length;
	1838	raw = regfi_parse_classname(i->f, offset, &parse_length, max_size, true);
	1839
	1840	if(raw == NULL)
	1841	{
	1842	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse class"
	1843	" name at offset 0x%.8X for key record at offset 0x%.8X.",
	1844	offset, key->offset);
	1845	return NULL;
	1846	}
	1847
	1848	ret_val = talloc(NULL, REGFI_CLASSNAME);
	1849	if(ret_val == NULL)
	1850	return NULL;
	1851
	1852	ret_val->raw = raw;
	1853	ret_val->size = parse_length;
	1854	talloc_steal(ret_val, raw);
	1855
	1856	interpreted = talloc_array(NULL, char, parse_length);
	1857
[161]	1858	conv_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1859	regfi_encoding_int2str(i->string_encoding),
[160]	1860	raw, interpreted,
	1861	parse_length, parse_length);
	1862	if(conv_size < 0)
	1863	{
	1864	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred while"
	1865	" converting classname to charset %s. Error message: %s",
	1866	i->string_encoding, strerror(-conv_size));
	1867	talloc_free(interpreted);
	1868	ret_val->interpreted = NULL;
	1869	}
	1870	else
	1871	{
	1872	interpreted = talloc_realloc(NULL, interpreted, char, conv_size);
	1873	ret_val->interpreted = interpreted;
	1874	talloc_steal(ret_val, interpreted);
	1875	}
	1876
	1877	return ret_val;
	1878	}
	1879
	1880
	1881	/******************************************************************************
	1882	*****************************************************************************/
[159]	1883	REGFI_DATA* regfi_iterator_fetch_data(REGFI_ITERATOR* i,
	1884	const REGFI_VK_REC* value)
	1885	{
	1886	REGFI_DATA* ret_val = NULL;
	1887	REGFI_BUFFER raw_data;
	1888
	1889	if(value->data_size != 0)
	1890	{
	1891	raw_data = regfi_load_data(i->f, value->data_off, value->data_size,
	1892	value->data_in_offset, true);
	1893	if(raw_data.buf == NULL)
	1894	{
	1895	regfi_add_message(i->f, REGFI_MSG_WARN, "Could not parse data record"
	1896	" while parsing VK record at offset 0x%.8X.",
	1897	value->offset);
	1898	}
	1899	else
	1900	{
	1901	ret_val = regfi_buffer_to_data(raw_data);
	1902
	1903	if(ret_val == NULL)
	1904	{
	1905	regfi_add_message(i->f, REGFI_MSG_WARN, "Error occurred in converting"
	1906	" data buffer to data structure while interpreting "
	1907	"data for VK record at offset 0x%.8X.",
	1908	value->offset);
	1909	talloc_free(raw_data.buf);
	1910	return NULL;
	1911	}
	1912
	1913	if(!regfi_interpret_data(i->f, i->string_encoding, value->type, ret_val))
	1914	{
	1915	regfi_add_message(i->f, REGFI_MSG_INFO, "Error occurred while"
	1916	" interpreting data for VK record at offset 0x%.8X.",
	1917	value->offset);
	1918	}
	1919	}
	1920	}
	1921
	1922	return ret_val;
	1923	}
	1924
	1925
	1926	/******************************************************************************
	1927	*****************************************************************************/
[160]	1928	void regfi_free_classname(REGFI_CLASSNAME* classname)
	1929	{
	1930	talloc_free(classname);
	1931	}
	1932
	1933	/******************************************************************************
	1934	*****************************************************************************/
[159]	1935	void regfi_free_data(REGFI_DATA* data)
	1936	{
	1937	talloc_free(data);
	1938	}
	1939
	1940
	1941	/******************************************************************************
	1942	*****************************************************************************/
	1943	REGFI_DATA* regfi_buffer_to_data(REGFI_BUFFER raw_data)
	1944	{
	1945	REGFI_DATA* ret_val;
	1946
	1947	if(raw_data.buf == NULL)
	1948	return NULL;
	1949
	1950	ret_val = talloc(NULL, REGFI_DATA);
	1951	if(ret_val == NULL)
	1952	return NULL;
	1953
	1954	talloc_steal(ret_val, raw_data.buf);
	1955	ret_val->raw = raw_data.buf;
	1956	ret_val->size = raw_data.len;
	1957	ret_val->interpreted_size = 0;
	1958	ret_val->interpreted.qword = 0;
	1959
	1960	return ret_val;
	1961	}
	1962
	1963
	1964	/******************************************************************************
	1965	*****************************************************************************/
[161]	1966	bool regfi_interpret_data(REGFI_FILE* file, REGFI_ENCODING string_encoding,
[168]	1967	uint32_t type, REGFI_DATA* data)
[159]	1968	{
[168]	1969	uint8_t** tmp_array;
	1970	uint8_t* tmp_str;
	1971	int32_t tmp_size;
	1972	uint32_t i, j, array_size;
[159]	1973
	1974	if(data == NULL)
	1975	return false;
	1976
	1977	switch (type)
	1978	{
	1979	case REG_SZ:
	1980	case REG_EXPAND_SZ:
	1981	/* REG_LINK is a symbolic link, stored as a unicode string. */
	1982	case REG_LINK:
[168]	1983	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	1984	if(tmp_str == NULL)
	1985	{
	1986	data->interpreted.string = NULL;
	1987	data->interpreted_size = 0;
	1988	return false;
	1989	}
	1990
[161]	1991	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	1992	regfi_encoding_int2str(string_encoding),
[159]	1993	data->raw, (char*)tmp_str,
	1994	data->size, data->size);
	1995	if(tmp_size < 0)
	1996	{
	1997	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	1998	" converting data of type %d to %s. Error message: %s",
	1999	type, string_encoding, strerror(-tmp_size));
	2000	talloc_free(tmp_str);
	2001	data->interpreted.string = NULL;
	2002	data->interpreted_size = 0;
	2003	return false;
	2004	}
	2005
[168]	2006	tmp_str = talloc_realloc(NULL, tmp_str, uint8_t, tmp_size);
[159]	2007	data->interpreted.string = tmp_str;
	2008	data->interpreted_size = tmp_size;
	2009	talloc_steal(data, tmp_str);
	2010	break;
	2011
	2012	case REG_DWORD:
	2013	if(data->size < 4)
	2014	{
	2015	data->interpreted.dword = 0;
	2016	data->interpreted_size = 0;
	2017	return false;
	2018	}
	2019	data->interpreted.dword = IVAL(data->raw, 0);
	2020	data->interpreted_size = 4;
	2021	break;
	2022
	2023	case REG_DWORD_BE:
	2024	if(data->size < 4)
	2025	{
	2026	data->interpreted.dword_be = 0;
	2027	data->interpreted_size = 0;
	2028	return false;
	2029	}
	2030	data->interpreted.dword_be = RIVAL(data->raw, 0);
	2031	data->interpreted_size = 4;
	2032	break;
	2033
	2034	case REG_QWORD:
	2035	if(data->size < 8)
	2036	{
	2037	data->interpreted.qword = 0;
	2038	data->interpreted_size = 0;
	2039	return false;
	2040	}
	2041	data->interpreted.qword =
[168]	2042	(uint64_t)IVAL(data->raw, 0) + (((uint64_t)IVAL(data->raw, 4))<<32);
[159]	2043	data->interpreted_size = 8;
	2044	break;
	2045
	2046	case REG_MULTI_SZ:
[168]	2047	tmp_str = talloc_array(NULL, uint8_t, data->size);
[159]	2048	if(tmp_str == NULL)
	2049	{
	2050	data->interpreted.multiple_string = NULL;
	2051	data->interpreted_size = 0;
	2052	return false;
	2053	}
	2054
	2055	/* Attempt to convert entire string from UTF-16LE to output encoding,
	2056	* then parse and quote fields individually.
	2057	*/
[161]	2058	tmp_size = regfi_conv_charset(regfi_encoding_int2str(REGFI_ENCODING_UTF16LE),
	2059	regfi_encoding_int2str(string_encoding),
[159]	2060	data->raw, (char*)tmp_str,
	2061	data->size, data->size);
	2062	if(tmp_size < 0)
	2063	{
	2064	regfi_add_message(file, REGFI_MSG_INFO, "Error occurred while"
	2065	" converting data of type %d to %s. Error message: %s",
	2066	type, string_encoding, strerror(-tmp_size));
	2067	talloc_free(tmp_str);
	2068	data->interpreted.multiple_string = NULL;
	2069	data->interpreted_size = 0;
	2070	return false;
	2071	}
	2072
	2073	array_size = tmp_size+1;
[168]	2074	tmp_array = talloc_array(NULL, uint8_t*, array_size);
[159]	2075	if(tmp_array == NULL)
	2076	{
	2077	talloc_free(tmp_str);
	2078	data->interpreted.string = NULL;
	2079	data->interpreted_size = 0;
	2080	return false;
	2081	}
	2082
	2083	tmp_array[0] = tmp_str;
	2084	for(i=0,j=1; i < tmp_size && j < array_size-1; i++)
	2085	{
	2086	if(tmp_str[i] == '\0' && (i+1 < tmp_size))
	2087	tmp_array[j++] = tmp_str+i+1;
	2088	}
	2089	tmp_array[j] = NULL;
[168]	2090	tmp_array = talloc_realloc(NULL, tmp_array, uint8_t*, j+1);
[159]	2091	data->interpreted.multiple_string = tmp_array;
	2092	/* XXX: how meaningful is this? should we store number of strings instead? */
	2093	data->interpreted_size = tmp_size;
	2094	talloc_steal(tmp_array, tmp_str);
	2095	talloc_steal(data, tmp_array);
	2096	break;
	2097
	2098	/* XXX: Dont know how to interpret these yet, just treat as binary */
	2099	case REG_NONE:
	2100	data->interpreted.none = data->raw;
	2101	data->interpreted_size = data->size;
	2102	break;
	2103
	2104	case REG_RESOURCE_LIST:
	2105	data->interpreted.resource_list = data->raw;
	2106	data->interpreted_size = data->size;
	2107	break;
	2108
	2109	case REG_FULL_RESOURCE_DESCRIPTOR:
	2110	data->interpreted.full_resource_descriptor = data->raw;
	2111	data->interpreted_size = data->size;
	2112	break;
	2113
	2114	case REG_RESOURCE_REQUIREMENTS_LIST:
	2115	data->interpreted.resource_requirements_list = data->raw;
	2116	data->interpreted_size = data->size;
	2117	break;
	2118
	2119	case REG_BINARY:
	2120	data->interpreted.binary = data->raw;
	2121	data->interpreted_size = data->size;
	2122	break;
	2123
	2124	default:
	2125	data->interpreted.qword = 0;
	2126	data->interpreted_size = 0;
	2127	return false;
	2128	}
	2129
	2130	data->type = type;
	2131	return true;
	2132	}
	2133
	2134
[166]	2135	/******************************************************************************
[159]	2136	* Convert from UTF-16LE to specified character set.
	2137	* On error, returns a negative errno code.
[166]	2138	*****************************************************************************/
[168]	2139	int32_t regfi_conv_charset(const char* input_charset, const char* output_charset,
	2140	uint8_t* input, char* output,
	2141	uint32_t input_len, uint32_t output_max)
[159]	2142	{
	2143	iconv_t conv_desc;
	2144	char* inbuf = (char*)input;
	2145	char* outbuf = output;
	2146	size_t in_len = (size_t)input_len;
	2147	size_t out_len = (size_t)(output_max-1);
	2148	int ret;
	2149
[161]	2150	/* XXX: Consider creating a couple of conversion descriptors earlier,
	2151	* storing them on an iterator so they don't have to be recreated
	2152	* each time.
	2153	*/
	2154
[159]	2155	/* Set up conversion descriptor. */
[161]	2156	conv_desc = iconv_open(output_charset, input_charset);
[159]	2157
	2158	ret = iconv(conv_desc, &inbuf, &in_len, &outbuf, &out_len);
	2159	if(ret == -1)
	2160	{
	2161	iconv_close(conv_desc);
	2162	return -errno;
	2163	}
	2164	*outbuf = '\0';
	2165
	2166	iconv_close(conv_desc);
	2167	return output_max-out_len-1;
	2168	}
	2169
	2170
	2171
	2172	/*******************************************************************
[97]	2173	* Computes the checksum of the registry file header.
[159]	2174	* buffer must be at least the size of a regf header (4096 bytes).
[97]	2175	*******************************************************************/
[168]	2176	static uint32_t regfi_compute_header_checksum(uint8_t* buffer)
[97]	2177	{
[168]	2178	uint32_t checksum, x;
[97]	2179	int i;
	2180
	2181	/* XOR of all bytes 0x0000 - 0x01FB */
	2182
	2183	checksum = x = 0;
	2184
	2185	for ( i=0; i<0x01FB; i+=4 ) {
	2186	x = IVAL(buffer, i );
	2187	checksum ^= x;
	2188	}
	2189
	2190	return checksum;
	2191	}
	2192
	2193
	2194	/*******************************************************************
[116]	2195	* XXX: Add way to return more detailed error information.
[97]	2196	*******************************************************************/
[178]	2197	REGFI_FILE* regfi_parse_regf(REGFI_RAW_FILE* file_cb, bool strict)
[97]	2198	{
[168]	2199	uint8_t file_header[REGFI_REGF_SIZE];
	2200	uint32_t length;
[135]	2201	REGFI_FILE* ret_val;
[97]	2202
[150]	2203	ret_val = talloc(NULL, REGFI_FILE);
[97]	2204	if(ret_val == NULL)
	2205	return NULL;
	2206
[150]	2207	ret_val->sk_cache = NULL;
	2208	ret_val->last_message = NULL;
	2209	ret_val->hbins = NULL;
[178]	2210
[135]	2211	length = REGFI_REGF_SIZE;
[178]	2212	if((regfi_read(file_cb, file_header, &length)) != 0
	2213	\|\| length != REGFI_REGF_SIZE)
[150]	2214	goto fail;
	2215
[97]	2216	ret_val->checksum = IVAL(file_header, 0x1FC);
	2217	ret_val->computed_checksum = regfi_compute_header_checksum(file_header);
	2218	if (strict && (ret_val->checksum != ret_val->computed_checksum))
[150]	2219	goto fail;
[97]	2220
[135]	2221	memcpy(ret_val->magic, file_header, REGFI_REGF_MAGIC_SIZE);
[150]	2222	if(memcmp(ret_val->magic, "regf", REGFI_REGF_MAGIC_SIZE) != 0)
[97]	2223	{
[150]	2224	if(strict)
	2225	goto fail;
	2226	regfi_add_message(ret_val, REGFI_MSG_WARN, "Magic number mismatch "
	2227	"(%.2X %.2X %.2X %.2X) while parsing hive header",
[151]	2228	ret_val->magic[0], ret_val->magic[1],
[150]	2229	ret_val->magic[2], ret_val->magic[3]);
[97]	2230	}
[178]	2231
[151]	2232	ret_val->sequence1 = IVAL(file_header, 0x4);
	2233	ret_val->sequence2 = IVAL(file_header, 0x8);
[97]	2234	ret_val->mtime.low = IVAL(file_header, 0xC);
	2235	ret_val->mtime.high = IVAL(file_header, 0x10);
[151]	2236	ret_val->major_version = IVAL(file_header, 0x14);
	2237	ret_val->minor_version = IVAL(file_header, 0x18);
	2238	ret_val->type = IVAL(file_header, 0x1C);
	2239	ret_val->format = IVAL(file_header, 0x20);
	2240	ret_val->root_cell = IVAL(file_header, 0x24);
[97]	2241	ret_val->last_block = IVAL(file_header, 0x28);
	2242
[151]	2243	ret_val->cluster = IVAL(file_header, 0x2C);
[97]	2244
[151]	2245	memcpy(ret_val->file_name, file_header+0x30, REGFI_REGF_NAME_SIZE);
	2246
	2247	/* XXX: Should we add a warning if these uuid parsers fail? Can they? */
	2248	ret_val->rm_id = winsec_parse_uuid(ret_val, file_header+0x70, 16);
	2249	ret_val->log_id = winsec_parse_uuid(ret_val, file_header+0x80, 16);
	2250	ret_val->flags = IVAL(file_header, 0x90);
	2251	ret_val->tm_id = winsec_parse_uuid(ret_val, file_header+0x94, 16);
	2252	ret_val->guid_signature = IVAL(file_header, 0xa4);
	2253
	2254	memcpy(ret_val->reserved1, file_header+0xa8, REGFI_REGF_RESERVED1_SIZE);
	2255	memcpy(ret_val->reserved2, file_header+0x200, REGFI_REGF_RESERVED2_SIZE);
	2256
	2257	ret_val->thaw_tm_id = winsec_parse_uuid(ret_val, file_header+0xFC8, 16);
	2258	ret_val->thaw_rm_id = winsec_parse_uuid(ret_val, file_header+0xFD8, 16);
	2259	ret_val->thaw_log_id = winsec_parse_uuid(ret_val, file_header+0xFE8, 16);
[152]	2260	ret_val->boot_type = IVAL(file_header, 0xFF8);
	2261	ret_val->boot_recover = IVAL(file_header, 0xFFC);
[151]	2262
[97]	2263	return ret_val;
[150]	2264
	2265	fail:
	2266	talloc_free(ret_val);
	2267	return NULL;
[97]	2268	}
	2269
	2270
	2271
[148]	2272	/******************************************************************************
[97]	2273	* Given real file offset, read and parse the hbin at that location
[110]	2274	* along with it's associated cells.
[148]	2275	******************************************************************************/
[168]	2276	REGFI_HBIN* regfi_parse_hbin(REGFI_FILE* file, uint32_t offset, bool strict)
[97]	2277	{
[135]	2278	REGFI_HBIN *hbin;
[168]	2279	uint8_t hbin_header[REGFI_HBIN_HEADER_SIZE];
	2280	uint32_t length;
[99]	2281
	2282	if(offset >= file->file_length)
	2283	return NULL;
[97]	2284
[178]	2285	if(regfi_seek(file->cb, offset, SEEK_SET) == -1)
[137]	2286	{
[138]	2287	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2288	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2289	return NULL;
[137]	2290	}
[97]	2291
[135]	2292	length = REGFI_HBIN_HEADER_SIZE;
[178]	2293	if((regfi_read(file->cb, hbin_header, &length) != 0)
[135]	2294	\|\| length != REGFI_HBIN_HEADER_SIZE)
[97]	2295	return NULL;
	2296
[178]	2297	if(regfi_seek(file->cb, offset, SEEK_SET) == -1)
[137]	2298	{
[138]	2299	regfi_add_message(file, REGFI_MSG_ERROR, "Seek failed"
[137]	2300	" while parsing hbin at offset 0x%.8X.", offset);
[97]	2301	return NULL;
[137]	2302	}
[97]	2303
[148]	2304	hbin = talloc(NULL, REGFI_HBIN);
	2305	if(hbin == NULL)
[99]	2306	return NULL;
	2307	hbin->file_off = offset;
	2308
[97]	2309	memcpy(hbin->magic, hbin_header, 4);
	2310	if(strict && (memcmp(hbin->magic, "hbin", 4) != 0))
[99]	2311	{
[138]	2312	regfi_add_message(file, REGFI_MSG_INFO, "Magic number mismatch "
	2313	"(%.2X %.2X %.2X %.2X) while parsing hbin at offset"
	2314	" 0x%.8X.", hbin->magic[0], hbin->magic[1],
	2315	hbin->magic[2], hbin->magic[3], offset);
[148]	2316	talloc_free(hbin);
[97]	2317	return NULL;
[99]	2318	}
[97]	2319
	2320	hbin->first_hbin_off = IVAL(hbin_header, 0x4);
	2321	hbin->block_size = IVAL(hbin_header, 0x8);
	2322	/* this should be the same thing as hbin->block_size but just in case */
	2323	hbin->next_block = IVAL(hbin_header, 0x1C);
	2324
	2325
	2326	/* Ensure the block size is a multiple of 0x1000 and doesn't run off
	2327	* the end of the file.
	2328	*/
[116]	2329	/* XXX: This may need to be relaxed for dealing with
	2330	* partial or corrupt files.
	2331	*/
[97]	2332	if((offset + hbin->block_size > file->file_length)
	2333	\|\| (hbin->block_size & 0xFFFFF000) != hbin->block_size)
[99]	2334	{
[138]	2335	regfi_add_message(file, REGFI_MSG_ERROR, "The hbin offset is not aligned"
[137]	2336	" or runs off the end of the file"
	2337	" while parsing hbin at offset 0x%.8X.", offset);
[148]	2338	talloc_free(hbin);
[97]	2339	return NULL;
[99]	2340	}
[97]	2341
	2342	return hbin;
	2343	}
	2344
	2345
[126]	2346	/*******************************************************************
	2347	*******************************************************************/
[168]	2348	REGFI_NK_REC* regfi_parse_nk(REGFI_FILE* file, uint32_t offset,
	2349	uint32_t max_size, bool strict)
[99]	2350	{
[168]	2351	uint8_t nk_header[REGFI_NK_MIN_LENGTH];
[135]	2352	REGFI_NK_REC* ret_val;
[168]	2353	uint32_t length,cell_length;
[101]	2354	bool unalloc = false;
[99]	2355
[178]	2356	if(!regfi_parse_cell(file->cb, offset, nk_header, REGFI_NK_MIN_LENGTH,
[101]	2357	&cell_length, &unalloc))
[137]	2358	{
[138]	2359	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2360	" while parsing NK record at offset 0x%.8X.", offset);
	2361	return NULL;
	2362	}
	2363
[99]	2364	/* A bit of validation before bothering to allocate memory */
[101]	2365	if((nk_header[0x0] != 'n') \|\| (nk_header[0x1] != 'k'))
[135]	2366	{
[138]	2367	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch in parsing"
	2368	" NK record at offset 0x%.8X.", offset);
[99]	2369	return NULL;
[135]	2370	}
[99]	2371
[150]	2372	ret_val = talloc(NULL, REGFI_NK_REC);
[99]	2373	if(ret_val == NULL)
[135]	2374	{
[138]	2375	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to allocate memory while"
[137]	2376	" parsing NK record at offset 0x%.8X.", offset);
[99]	2377	return NULL;
[135]	2378	}
[99]	2379
[150]	2380	ret_val->values = NULL;
	2381	ret_val->subkeys = NULL;
[99]	2382	ret_val->offset = offset;
[101]	2383	ret_val->cell_size = cell_length;
	2384
[99]	2385	if(ret_val->cell_size > max_size)
	2386	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2387	if((ret_val->cell_size < REGFI_NK_MIN_LENGTH)
[157]	2388	\|\| (strict && (ret_val->cell_size & 0x00000007) != 0))
[99]	2389	{
[140]	2390	regfi_add_message(file, REGFI_MSG_WARN, "A length check failed while"
[138]	2391	" parsing NK record at offset 0x%.8X.", offset);
[150]	2392	talloc_free(ret_val);
[99]	2393	return NULL;
	2394	}
	2395
[101]	2396	ret_val->magic[0] = nk_header[0x0];
	2397	ret_val->magic[1] = nk_header[0x1];
[161]	2398	ret_val->flags = SVAL(nk_header, 0x2);
[152]	2399
[161]	2400	if((ret_val->flags & ~REGFI_NK_KNOWN_FLAGS) != 0)
[99]	2401	{
[152]	2402	regfi_add_message(file, REGFI_MSG_WARN, "Unknown key flags (0x%.4X) while"
[138]	2403	" parsing NK record at offset 0x%.8X.",
[161]	2404	(ret_val->flags & ~REGFI_NK_KNOWN_FLAGS), offset);
[99]	2405	}
[101]	2406
	2407	ret_val->mtime.low = IVAL(nk_header, 0x4);
	2408	ret_val->mtime.high = IVAL(nk_header, 0x8);
[116]	2409	/* If the key is unallocated and the MTIME is earlier than Jan 1, 1990
	2410	* or later than Jan 1, 2290, we consider this a bad key. This helps
	2411	* weed out some false positives during deleted data recovery.
	2412	*/
	2413	if(unalloc
[178]	2414	&& (ret_val->mtime.high < REGFI_MTIME_MIN_HIGH
	2415	\|\| ret_val->mtime.high > REGFI_MTIME_MAX_HIGH))
	2416	{
	2417	talloc_free(ret_val);
[116]	2418	return NULL;
[178]	2419	}
[116]	2420
[101]	2421	ret_val->unknown1 = IVAL(nk_header, 0xC);
	2422	ret_val->parent_off = IVAL(nk_header, 0x10);
	2423	ret_val->num_subkeys = IVAL(nk_header, 0x14);
	2424	ret_val->unknown2 = IVAL(nk_header, 0x18);
	2425	ret_val->subkeys_off = IVAL(nk_header, 0x1C);
	2426	ret_val->unknown3 = IVAL(nk_header, 0x20);
	2427	ret_val->num_values = IVAL(nk_header, 0x24);
	2428	ret_val->values_off = IVAL(nk_header, 0x28);
	2429	ret_val->sk_off = IVAL(nk_header, 0x2C);
	2430	ret_val->classname_off = IVAL(nk_header, 0x30);
[99]	2431
[101]	2432	ret_val->max_bytes_subkeyname = IVAL(nk_header, 0x34);
	2433	ret_val->max_bytes_subkeyclassname = IVAL(nk_header, 0x38);
	2434	ret_val->max_bytes_valuename = IVAL(nk_header, 0x3C);
	2435	ret_val->max_bytes_value = IVAL(nk_header, 0x40);
	2436	ret_val->unk_index = IVAL(nk_header, 0x44);
[99]	2437
[101]	2438	ret_val->name_length = SVAL(nk_header, 0x48);
	2439	ret_val->classname_length = SVAL(nk_header, 0x4A);
[161]	2440	ret_val->keyname = NULL;
[99]	2441
	2442	if(ret_val->name_length + REGFI_NK_MIN_LENGTH > ret_val->cell_size)
[101]	2443	{
	2444	if(strict)
	2445	{
[138]	2446	regfi_add_message(file, REGFI_MSG_ERROR, "Contents too large for cell"
[137]	2447	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2448	talloc_free(ret_val);
[101]	2449	return NULL;
	2450	}
	2451	else
	2452	ret_val->name_length = ret_val->cell_size - REGFI_NK_MIN_LENGTH;
	2453	}
	2454	else if (unalloc)
	2455	{ /* Truncate cell_size if it's much larger than the apparent total record length. */
	2456	/* Round up to the next multiple of 8 */
	2457	length = (ret_val->name_length + REGFI_NK_MIN_LENGTH) & 0xFFFFFFF8;
	2458	if(length < ret_val->name_length + REGFI_NK_MIN_LENGTH)
	2459	length+=8;
[99]	2460
[101]	2461	/* If cell_size is still greater, truncate. */
	2462	if(length < ret_val->cell_size)
	2463	ret_val->cell_size = length;
	2464	}
	2465
[168]	2466	ret_val->keyname_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[161]	2467	if(ret_val->keyname_raw == NULL)
[99]	2468	{
[150]	2469	talloc_free(ret_val);
[99]	2470	return NULL;
	2471	}
	2472
	2473	/* Don't need to seek, should be at the right offset */
	2474	length = ret_val->name_length;
[178]	2475	if((regfi_read(file->cb, (uint8_t*)ret_val->keyname_raw, &length) != 0)
[99]	2476	\|\| length != ret_val->name_length)
	2477	{
[138]	2478	regfi_add_message(file, REGFI_MSG_ERROR, "Failed to read key name"
[137]	2479	" while parsing NK record at offset 0x%.8X.", offset);
[150]	2480	talloc_free(ret_val);
[99]	2481	return NULL;
	2482	}
	2483
[126]	2484	return ret_val;
	2485	}
	2486
	2487
[168]	2488	uint8_t* regfi_parse_classname(REGFI_FILE* file, uint32_t offset,
	2489	uint16_t* name_length, uint32_t max_size, bool strict)
[126]	2490	{
[168]	2491	uint8_t* ret_val = NULL;
	2492	uint32_t length;
	2493	uint32_t cell_length;
[126]	2494	bool unalloc = false;
	2495
[135]	2496	if(*name_length > 0 && offset != REGFI_OFFSET_NONE
[157]	2497	&& (offset & 0x00000007) == 0)
[131]	2498	{
[178]	2499	if(!regfi_parse_cell(file->cb, offset, NULL, 0, &cell_length, &unalloc))
[137]	2500	{
[138]	2501	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2502	" while parsing class name at offset 0x%.8X.", offset);
[126]	2503	return NULL;
[137]	2504	}
[126]	2505
[157]	2506	if((cell_length & 0x0000007) != 0)
[137]	2507	{
[138]	2508	regfi_add_message(file, REGFI_MSG_ERROR, "Cell length not a multiple of 8"
[137]	2509	" while parsing class name at offset 0x%.8X.", offset);
[131]	2510	return NULL;
[137]	2511	}
	2512
[131]	2513	if(cell_length > max_size)
[125]	2514	{
[138]	2515	regfi_add_message(file, REGFI_MSG_WARN, "Cell stretches past hbin "
	2516	"boundary while parsing class name at offset 0x%.8X.",
	2517	offset);
[126]	2518	if(strict)
	2519	return NULL;
[131]	2520	cell_length = max_size;
[126]	2521	}
[131]	2522
	2523	if((cell_length - 4) < *name_length)
	2524	{
[138]	2525	regfi_add_message(file, REGFI_MSG_WARN, "Class name is larger than"
	2526	" cell_length while parsing class name at offset"
	2527	" 0x%.8X.", offset);
[131]	2528	if(strict)
	2529	return NULL;
	2530	*name_length = cell_length - 4;
	2531	}
[126]	2532
[168]	2533	ret_val = talloc_array(NULL, uint8_t, *name_length);
[126]	2534	if(ret_val != NULL)
	2535	{
	2536	length = *name_length;
[178]	2537	if((regfi_read(file->cb, ret_val, &length) != 0)
[126]	2538	\|\| length != *name_length)
[125]	2539	{
[138]	2540	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read class name"
[137]	2541	" while parsing class name at offset 0x%.8X.", offset);
[150]	2542	talloc_free(ret_val);
[126]	2543	return NULL;
[125]	2544	}
	2545	}
	2546	}
	2547
[99]	2548	return ret_val;
	2549	}
	2550
	2551
[152]	2552	/******************************************************************************
	2553	*******************************************************************************/
[168]	2554	REGFI_VK_REC* regfi_parse_vk(REGFI_FILE* file, uint32_t offset,
	2555	uint32_t max_size, bool strict)
[97]	2556	{
[135]	2557	REGFI_VK_REC* ret_val;
[168]	2558	uint8_t vk_header[REGFI_VK_MIN_LENGTH];
	2559	uint32_t raw_data_size, length, cell_length;
[101]	2560	bool unalloc = false;
[97]	2561
[178]	2562	if(!regfi_parse_cell(file->cb, offset, vk_header, REGFI_VK_MIN_LENGTH,
[101]	2563	&cell_length, &unalloc))
[137]	2564	{
[138]	2565	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell header"
[137]	2566	" while parsing VK record at offset 0x%.8X.", offset);
[101]	2567	return NULL;
[137]	2568	}
[111]	2569
[150]	2570	ret_val = talloc(NULL, REGFI_VK_REC);
[101]	2571	if(ret_val == NULL)
	2572	return NULL;
	2573
	2574	ret_val->offset = offset;
	2575	ret_val->cell_size = cell_length;
[150]	2576	ret_val->valuename = NULL;
[162]	2577	ret_val->valuename_raw = NULL;
[150]	2578
[101]	2579	if(ret_val->cell_size > max_size)
	2580	ret_val->cell_size = max_size & 0xFFFFFFF8;
	2581	if((ret_val->cell_size < REGFI_VK_MIN_LENGTH)
[157]	2582	\|\| (ret_val->cell_size & 0x00000007) != 0)
[97]	2583	{
[138]	2584	regfi_add_message(file, REGFI_MSG_WARN, "Invalid cell size encountered"
[137]	2585	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2586	talloc_free(ret_val);
[101]	2587	return NULL;
	2588	}
[97]	2589
[101]	2590	ret_val->magic[0] = vk_header[0x0];
	2591	ret_val->magic[1] = vk_header[0x1];
	2592	if((ret_val->magic[0] != 'v') \|\| (ret_val->magic[1] != 'k'))
	2593	{
[124]	2594	/* XXX: This does not account for deleted keys under Win2K which
	2595	* often have this (and the name length) overwritten with
	2596	* 0xFFFF.
	2597	*/
[138]	2598	regfi_add_message(file, REGFI_MSG_WARN, "Magic number mismatch"
[137]	2599	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2600	talloc_free(ret_val);
[101]	2601	return NULL;
	2602	}
	2603
	2604	ret_val->name_length = SVAL(vk_header, 0x2);
	2605	raw_data_size = IVAL(vk_header, 0x4);
[135]	2606	ret_val->data_size = raw_data_size & ~REGFI_VK_DATA_IN_OFFSET;
[157]	2607	/* The data is typically stored in the offset if the size <= 4,
	2608	* in which case this flag is set.
	2609	*/
[135]	2610	ret_val->data_in_offset = (bool)(raw_data_size & REGFI_VK_DATA_IN_OFFSET);
[101]	2611	ret_val->data_off = IVAL(vk_header, 0x8);
	2612	ret_val->type = IVAL(vk_header, 0xC);
[162]	2613	ret_val->flags = SVAL(vk_header, 0x10);
[101]	2614	ret_val->unknown1 = SVAL(vk_header, 0x12);
	2615
[162]	2616	if(ret_val->name_length > 0)
[101]	2617	{
[113]	2618	if(ret_val->name_length + REGFI_VK_MIN_LENGTH + 4 > ret_val->cell_size)
[101]	2619	{
[138]	2620	regfi_add_message(file, REGFI_MSG_WARN, "Name too long for remaining cell"
	2621	" space while parsing VK record at offset 0x%.8X.",
	2622	offset);
[101]	2623	if(strict)
	2624	{
[150]	2625	talloc_free(ret_val);
[101]	2626	return NULL;
	2627	}
	2628	else
[113]	2629	ret_val->name_length = ret_val->cell_size - REGFI_VK_MIN_LENGTH - 4;
[101]	2630	}
	2631
	2632	/* Round up to the next multiple of 8 */
[113]	2633	cell_length = (ret_val->name_length + REGFI_VK_MIN_LENGTH + 4) & 0xFFFFFFF8;
	2634	if(cell_length < ret_val->name_length + REGFI_VK_MIN_LENGTH + 4)
	2635	cell_length+=8;
[101]	2636
[168]	2637	ret_val->valuename_raw = talloc_array(ret_val, uint8_t, ret_val->name_length);
[162]	2638	if(ret_val->valuename_raw == NULL)
[101]	2639	{
[150]	2640	talloc_free(ret_val);
[101]	2641	return NULL;
	2642	}
[113]	2643
[101]	2644	length = ret_val->name_length;
[178]	2645	if((regfi_read(file->cb, (uint8_t*)ret_val->valuename_raw, &length) != 0)
[101]	2646	\|\| length != ret_val->name_length)
	2647	{
[138]	2648	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read value name"
[137]	2649	" while parsing VK record at offset 0x%.8X.", offset);
[150]	2650	talloc_free(ret_val);
[101]	2651	return NULL;
	2652	}
	2653	}
	2654	else
[113]	2655	cell_length = REGFI_VK_MIN_LENGTH + 4;
[101]	2656
	2657	if(unalloc)
	2658	{
	2659	/* If cell_size is still greater, truncate. */
[113]	2660	if(cell_length < ret_val->cell_size)
	2661	ret_val->cell_size = cell_length;
[101]	2662	}
	2663
	2664	return ret_val;
[97]	2665	}
[101]	2666
	2667
[152]	2668	/******************************************************************************
[157]	2669	*
	2670	******************************************************************************/
[168]	2671	REGFI_BUFFER regfi_load_data(REGFI_FILE* file, uint32_t voffset,
	2672	uint32_t length, bool data_in_offset,
[157]	2673	bool strict)
[101]	2674	{
[151]	2675	REGFI_BUFFER ret_val;
[168]	2676	uint32_t cell_length, offset;
	2677	int32_t max_size;
[101]	2678	bool unalloc;
[151]	2679
[159]	2680	/* Microsoft's documentation indicates that "available memory" is
[165]	2681	* the limit on value sizes for the more recent registry format version.
	2682	* This is not only annoying, but it's probably also incorrect, since clearly
	2683	* value data sizes are limited to 2^31 (high bit used as a flag) and even
	2684	* with big data records, the apparent max size is:
	2685	* 16344 * 2^16 = 1071104040 (~1GB).
	2686	*
	2687	* We choose to limit it to 1M which was the limit in older versions and
	2688	* should rarely be exceeded unless the file is corrupt or malicious.
	2689	* For more info, see:
	2690	* http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
[159]	2691	*/
[160]	2692	/* XXX: add way to skip this check at user discression. */
	2693	if(length > REGFI_VK_MAX_DATA_LENGTH)
[159]	2694	{
[160]	2695	regfi_add_message(file, REGFI_MSG_WARN, "Value data size %d larger than "
	2696	"%d, truncating...", length, REGFI_VK_MAX_DATA_LENGTH);
	2697	length = REGFI_VK_MAX_DATA_LENGTH;
[159]	2698	}
	2699
[145]	2700	if(data_in_offset)
[157]	2701	return regfi_parse_little_data(file, voffset, length, strict);
	2702	else
[101]	2703	{
[157]	2704	offset = voffset + REGFI_REGF_SIZE;
	2705	max_size = regfi_calc_maxsize(file, offset);
	2706	if(max_size < 0)
[137]	2707	{
[157]	2708	regfi_add_message(file, REGFI_MSG_WARN, "Could not find HBIN for data"
	2709	" at offset 0x%.8X.", offset);
[151]	2710	goto fail;
[137]	2711	}
[157]	2712
[178]	2713	if(!regfi_parse_cell(file->cb, offset, NULL, 0,
[101]	2714	&cell_length, &unalloc))
[137]	2715	{
[138]	2716	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[137]	2717	" parsing data record at offset 0x%.8X.", offset);
[151]	2718	goto fail;
[137]	2719	}
[111]	2720
[157]	2721	if((cell_length & 0x00000007) != 0)
[137]	2722	{
[138]	2723	regfi_add_message(file, REGFI_MSG_WARN, "Cell length not multiple of 8"
[137]	2724	" while parsing data record at offset 0x%.8X.",
	2725	offset);
[151]	2726	goto fail;
[137]	2727	}
[101]	2728
[131]	2729	if(cell_length > max_size)
	2730	{
[145]	2731	regfi_add_message(file, REGFI_MSG_WARN, "Cell extends past HBIN boundary"
	2732	" while parsing data record at offset 0x%.8X.",
[137]	2733	offset);
[157]	2734	goto fail;
[131]	2735	}
	2736
[101]	2737	if(cell_length - 4 < length)
	2738	{
[155]	2739	/* XXX: All big data records thus far have been 16 bytes long.
	2740	* Should we check for this precise size instead of just
	2741	* relying upon the above check?
	2742	*/
[152]	2743	if (file->major_version >= 1 && file->minor_version >= 5)
	2744	{
	2745	/* Attempt to parse a big data record */
[157]	2746	return regfi_load_big_data(file, offset, length, cell_length,
	2747	NULL, strict);
[152]	2748	}
[101]	2749	else
[152]	2750	{
	2751	regfi_add_message(file, REGFI_MSG_WARN, "Data length (0x%.8X) larger than"
	2752	" remaining cell length (0x%.8X)"
	2753	" while parsing data record at offset 0x%.8X.",
	2754	length, cell_length - 4, offset);
	2755	if(strict)
	2756	goto fail;
	2757	else
	2758	length = cell_length - 4;
	2759	}
[101]	2760	}
	2761
[157]	2762	ret_val = regfi_parse_data(file, offset, length, strict);
[101]	2763	}
	2764
	2765	return ret_val;
[151]	2766
	2767	fail:
	2768	ret_val.buf = NULL;
	2769	ret_val.len = 0;
	2770	return ret_val;
[101]	2771	}
[110]	2772
	2773
[152]	2774	/******************************************************************************
[157]	2775	* Parses the common case data records stored in a single cell.
	2776	******************************************************************************/
[168]	2777	REGFI_BUFFER regfi_parse_data(REGFI_FILE* file, uint32_t offset,
	2778	uint32_t length, bool strict)
[157]	2779	{
	2780	REGFI_BUFFER ret_val;
[168]	2781	uint32_t read_length;
[157]	2782
	2783	ret_val.buf = NULL;
	2784	ret_val.len = 0;
	2785
[178]	2786	if(regfi_seek(file->cb, offset+4, SEEK_SET) == -1)
[157]	2787	{
	2788	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek while "
	2789	"reading data at offset 0x%.8X.", offset);
	2790	return ret_val;
	2791	}
	2792
[168]	2793	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]	2794	return ret_val;
	2795	ret_val.len = length;
	2796
	2797	read_length = length;
[178]	2798	if((regfi_read(file->cb, ret_val.buf, &read_length) != 0)
[157]	2799	\|\| read_length != length)
	2800	{
	2801	regfi_add_message(file, REGFI_MSG_ERROR, "Could not read data block while"
	2802	" parsing data record at offset 0x%.8X.", offset);
	2803	talloc_free(ret_val.buf);
	2804	ret_val.buf = NULL;
	2805	ret_val.buf = 0;
	2806	}
	2807
	2808	return ret_val;
	2809	}
	2810
	2811
	2812
	2813	/******************************************************************************
	2814	*
	2815	******************************************************************************/
[168]	2816	REGFI_BUFFER regfi_parse_little_data(REGFI_FILE* file, uint32_t voffset,
	2817	uint32_t length, bool strict)
[157]	2818	{
[173]	2819	uint8_t i;
[157]	2820	REGFI_BUFFER ret_val;
	2821
	2822	ret_val.buf = NULL;
	2823	ret_val.len = 0;
	2824
	2825	if(length > 4)
	2826	{
	2827	regfi_add_message(file, REGFI_MSG_ERROR, "Data in offset but length > 4"
	2828	" while parsing data record. (voffset=0x%.8X, length=%d)",
	2829	voffset, length);
	2830	return ret_val;
	2831	}
	2832
[168]	2833	if((ret_val.buf = talloc_array(NULL, uint8_t, length)) == NULL)
[157]	2834	return ret_val;
	2835	ret_val.len = length;
	2836
	2837	for(i = 0; i < length; i++)
[168]	2838	ret_val.buf[i] = (uint8_t)((voffset >> i*8) & 0xFF);
[157]	2839
	2840	return ret_val;
	2841	}
	2842
	2843	/******************************************************************************
[152]	2844	*******************************************************************************/
[168]	2845	REGFI_BUFFER regfi_parse_big_data_header(REGFI_FILE* file, uint32_t offset,
	2846	uint32_t max_size, bool strict)
[152]	2847	{
	2848	REGFI_BUFFER ret_val;
[168]	2849	uint32_t cell_length;
[152]	2850	bool unalloc;
[157]	2851
	2852	/* XXX: do something with unalloc? */
[168]	2853	ret_val.buf = (uint8_t*)talloc_array(NULL, uint8_t, REGFI_BIG_DATA_MIN_LENGTH);
[157]	2854	if(ret_val.buf == NULL)
[152]	2855	goto fail;
	2856
[157]	2857	if(REGFI_BIG_DATA_MIN_LENGTH > max_size)
	2858	{
	2859	regfi_add_message(file, REGFI_MSG_WARN, "Big data header exceeded max_size "
	2860	"while parsing big data header at offset 0x%.8X.",offset);
	2861	goto fail;
	2862	}
	2863
[178]	2864	if(!regfi_parse_cell(file->cb, offset, ret_val.buf, REGFI_BIG_DATA_MIN_LENGTH,
[152]	2865	&cell_length, &unalloc))
	2866	{
	2867	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
[157]	2868	" parsing big data header at offset 0x%.8X.", offset);
[152]	2869	goto fail;
	2870	}
[157]	2871
	2872	if((ret_val.buf[0] != 'd') \|\| (ret_val.buf[1] != 'b'))
[152]	2873	{
	2874	regfi_add_message(file, REGFI_MSG_WARN, "Unknown magic number"
	2875	" (0x%.2X, 0x%.2X) encountered while parsing"
[157]	2876	" big data header at offset 0x%.8X.",
	2877	ret_val.buf[0], ret_val.buf[1], offset);
[152]	2878	goto fail;
	2879	}
	2880
[157]	2881	ret_val.len = REGFI_BIG_DATA_MIN_LENGTH;
	2882	return ret_val;
	2883
	2884	fail:
	2885	if(ret_val.buf != NULL)
	2886	{
	2887	talloc_free(ret_val.buf);
	2888	ret_val.buf = NULL;
	2889	}
	2890	ret_val.len = 0;
	2891	return ret_val;
	2892	}
	2893
	2894
	2895
	2896	/******************************************************************************
	2897	*
	2898	******************************************************************************/
[168]	2899	uint32_t* regfi_parse_big_data_indirect(REGFI_FILE* file, uint32_t offset,
	2900	uint16_t num_chunks, bool strict)
[157]	2901	{
[168]	2902	uint32_t* ret_val;
	2903	uint32_t indirect_length;
	2904	int32_t max_size;
	2905	uint16_t i;
[157]	2906	bool unalloc;
	2907
	2908	/* XXX: do something with unalloc? */
	2909
	2910	max_size = regfi_calc_maxsize(file, offset);
[168]	2911	if((max_size < 0) \|\| (num_chunks*sizeof(uint32_t) + 4 > max_size))
[157]	2912	return NULL;
	2913
[168]	2914	ret_val = (uint32_t*)talloc_array(NULL, uint32_t, num_chunks);
[157]	2915	if(ret_val == NULL)
[152]	2916	goto fail;
	2917
[178]	2918	if(!regfi_parse_cell(file->cb, offset, (uint8_t*)ret_val,
[168]	2919	num_chunks*sizeof(uint32_t),
[152]	2920	&indirect_length, &unalloc))
	2921	{
	2922	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2923	" parsing big data indirect record at offset 0x%.8X.",
	2924	offset);
	2925	goto fail;
	2926	}
[157]	2927
	2928	/* Convert pointers to proper endianess, verify they are aligned. */
	2929	for(i=0; i<num_chunks; i++)
[152]	2930	{
[168]	2931	ret_val[i] = IVAL(ret_val, i*sizeof(uint32_t));
[157]	2932	if((ret_val[i] & 0x00000007) != 0)
	2933	goto fail;
[152]	2934	}
[157]	2935
	2936	return ret_val;
[152]	2937
[157]	2938	fail:
	2939	if(ret_val != NULL)
	2940	talloc_free(ret_val);
	2941	return NULL;
	2942	}
	2943
	2944
	2945	/******************************************************************************
	2946	* Arguments:
	2947	* file --
	2948	* offsets -- list of virtual offsets.
	2949	* num_chunks --
	2950	* strict --
	2951	*
	2952	* Returns:
	2953	* A range_list with physical offsets and complete lengths
	2954	* (including cell headers) of associated cells.
	2955	* No data in range_list elements.
	2956	******************************************************************************/
[168]	2957	range_list* regfi_parse_big_data_cells(REGFI_FILE* file, uint32_t* offsets,
	2958	uint16_t num_chunks, bool strict)
[157]	2959	{
[168]	2960	uint32_t cell_length, chunk_offset;
[157]	2961	range_list* ret_val;
[168]	2962	uint16_t i;
[157]	2963	bool unalloc;
	2964
	2965	/* XXX: do something with unalloc? */
	2966	ret_val = range_list_new();
	2967	if(ret_val == NULL)
	2968	goto fail;
	2969
[166]	2970	for(i=0; i<num_chunks; i++)
[152]	2971	{
[157]	2972	chunk_offset = offsets[i]+REGFI_REGF_SIZE;
[178]	2973	if(!regfi_parse_cell(file->cb, chunk_offset, NULL, 0,
[157]	2974	&cell_length, &unalloc))
[152]	2975	{
	2976	regfi_add_message(file, REGFI_MSG_WARN, "Could not parse cell while"
	2977	" parsing big data chunk at offset 0x%.8X.",
	2978	chunk_offset);
[157]	2979	goto fail;
[152]	2980	}
	2981
[157]	2982	if(!range_list_add(ret_val, chunk_offset, cell_length, NULL))
	2983	goto fail;
	2984	}
	2985
	2986	return ret_val;
	2987
	2988	fail:
	2989	if(ret_val != NULL)
	2990	range_list_free(ret_val);
	2991	return NULL;
	2992	}
	2993
	2994
	2995	/******************************************************************************
	2996	*******************************************************************************/
	2997	REGFI_BUFFER regfi_load_big_data(REGFI_FILE* file,
[168]	2998	uint32_t offset, uint32_t data_length,
	2999	uint32_t cell_length, range_list* used_ranges,
[157]	3000	bool strict)
	3001	{
	3002	REGFI_BUFFER ret_val;
[168]	3003	uint16_t num_chunks, i;
	3004	uint32_t read_length, data_left, tmp_len, indirect_offset;
	3005	uint32_t* indirect_ptrs = NULL;
[157]	3006	REGFI_BUFFER bd_header;
	3007	range_list* bd_cells = NULL;
	3008	const range_list_element* cell_info;
	3009
	3010	ret_val.buf = NULL;
	3011
	3012	/* XXX: Add better error/warning messages */
	3013
	3014	bd_header = regfi_parse_big_data_header(file, offset, cell_length, strict);
	3015	if(bd_header.buf == NULL)
	3016	goto fail;
	3017
	3018	/* Keep track of used space for use by reglookup-recover */
	3019	if(used_ranges != NULL)
	3020	if(!range_list_add(used_ranges, offset, cell_length, NULL))
	3021	goto fail;
	3022
	3023	num_chunks = SVAL(bd_header.buf, 0x2);
	3024	indirect_offset = IVAL(bd_header.buf, 0x4) + REGFI_REGF_SIZE;
	3025	talloc_free(bd_header.buf);
	3026
	3027	indirect_ptrs = regfi_parse_big_data_indirect(file, indirect_offset,
	3028	num_chunks, strict);
	3029	if(indirect_ptrs == NULL)
	3030	goto fail;
	3031
	3032	if(used_ranges != NULL)
	3033	if(!range_list_add(used_ranges, indirect_offset, num_chunks*4+4, NULL))
	3034	goto fail;
	3035
	3036	if((ret_val.buf = talloc_array(NULL, uint8_t, data_length)) == NULL)
	3037	goto fail;
	3038	data_left = data_length;
	3039
	3040	bd_cells = regfi_parse_big_data_cells(file, indirect_ptrs, num_chunks, strict);
	3041	if(bd_cells == NULL)
	3042	goto fail;
	3043
	3044	talloc_free(indirect_ptrs);
	3045	indirect_ptrs = NULL;
	3046
	3047	for(i=0; (i<num_chunks) && (data_left>0); i++)
	3048	{
	3049	cell_info = range_list_get(bd_cells, i);
	3050	if(cell_info == NULL)
	3051	goto fail;
	3052
	3053	/* XXX: This should be "cell_info->length-4" to account for the 4 byte cell
[154]	3054	* length. However, it has been observed that some (all?) chunks
	3055	* have an additional 4 bytes of 0 at the end of their cells that
	3056	* isn't part of the data, so we're trimming that off too.
[157]	3057	* Perhaps it's just an 8 byte alignment requirement...
[154]	3058	*/
[157]	3059	if(cell_info->length - 8 >= data_left)
	3060	{
	3061	if(i+1 != num_chunks)
	3062	{
	3063	regfi_add_message(file, REGFI_MSG_WARN, "Left over chunks detected "
	3064	"while constructing big data at offset 0x%.8X "
	3065	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3066	}
[152]	3067	read_length = data_left;
[157]	3068	}
[152]	3069	else
[157]	3070	read_length = cell_info->length - 8;
[152]	3071
[157]	3072
	3073	if(read_length > regfi_calc_maxsize(file, cell_info->offset))
	3074	{
	3075	regfi_add_message(file, REGFI_MSG_WARN, "A chunk exceeded the maxsize "
	3076	"while constructing big data at offset 0x%.8X "
	3077	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3078	goto fail;
	3079	}
	3080
[178]	3081	if(regfi_seek(file->cb, cell_info->offset+sizeof(uint32_t), SEEK_SET) == -1)
[157]	3082	{
	3083	regfi_add_message(file, REGFI_MSG_WARN, "Could not seek to chunk while "
	3084	"constructing big data at offset 0x%.8X "
	3085	"(chunk offset 0x%.8X).", offset, cell_info->offset);
	3086	goto fail;
	3087	}
	3088
	3089	tmp_len = read_length;
[178]	3090	if(regfi_read(file->cb, ret_val.buf+(data_length-data_left),
[157]	3091	&read_length) != 0 \|\| (read_length != tmp_len))
[152]	3092	{
	3093	regfi_add_message(file, REGFI_MSG_WARN, "Could not read data chunk while"
[157]	3094	" constructing big data at offset 0x%.8X"
	3095	" (chunk offset 0x%.8X).", offset, cell_info->offset);
	3096	goto fail;
[152]	3097	}
	3098
[157]	3099	if(used_ranges != NULL)
	3100	if(!range_list_add(used_ranges, cell_info->offset,cell_info->length,NULL))
	3101	goto fail;
	3102
[152]	3103	data_left -= read_length;
	3104	}
[157]	3105	range_list_free(bd_cells);
	3106
[152]	3107	ret_val.len = data_length-data_left;
	3108	return ret_val;
	3109
	3110	fail:
[157]	3111	if(ret_val.buf != NULL)
	3112	talloc_free(ret_val.buf);
	3113	if(indirect_ptrs != NULL)
	3114	talloc_free(indirect_ptrs);
	3115	if(bd_cells != NULL)
	3116	range_list_free(bd_cells);
[152]	3117	ret_val.buf = NULL;
	3118	ret_val.len = 0;
	3119	return ret_val;
	3120	}
	3121
	3122
[135]	3123	range_list* regfi_parse_unalloc_cells(REGFI_FILE* file)
[110]	3124	{
	3125	range_list* ret_val;
[135]	3126	REGFI_HBIN* hbin;
[110]	3127	const range_list_element* hbins_elem;
[168]	3128	uint32_t i, num_hbins, curr_off, cell_len;
[110]	3129	bool is_unalloc;
	3130
	3131	ret_val = range_list_new();
	3132	if(ret_val == NULL)
	3133	return NULL;
	3134
	3135	num_hbins = range_list_size(file->hbins);
	3136	for(i=0; i<num_hbins; i++)
	3137	{
	3138	hbins_elem = range_list_get(file->hbins, i);
	3139	if(hbins_elem == NULL)
	3140	break;
[135]	3141	hbin = (REGFI_HBIN*)hbins_elem->data;
[110]	3142
[135]	3143	curr_off = REGFI_HBIN_HEADER_SIZE;
[110]	3144	while(curr_off < hbin->block_size)
	3145	{
[178]	3146	if(!regfi_parse_cell(file->cb, hbin->file_off+curr_off, NULL, 0,
[110]	3147	&cell_len, &is_unalloc))
	3148	break;
	3149
[157]	3150	if((cell_len == 0) \|\| ((cell_len & 0x00000007) != 0))
[140]	3151	{
	3152	regfi_add_message(file, REGFI_MSG_ERROR, "Bad cell length encountered"
	3153	" while parsing unallocated cells at offset 0x%.8X.",
	3154	hbin->file_off+curr_off);
[110]	3155	break;
[140]	3156	}
	3157
[110]	3158	/* for some reason the record_size of the last record in
	3159	an hbin block can extend past the end of the block
	3160	even though the record fits within the remaining
	3161	space....aaarrrgggghhhhhh */
	3162	if(curr_off + cell_len >= hbin->block_size)
	3163	cell_len = hbin->block_size - curr_off;
	3164
	3165	if(is_unalloc)
	3166	range_list_add(ret_val, hbin->file_off+curr_off,
	3167	cell_len, NULL);
	3168
	3169	curr_off = curr_off+cell_len;
	3170	}
	3171	}
	3172
	3173	return ret_val;
	3174	}
[168]	3175
	3176
	3177	/* From lib/time.c */
	3178
	3179	/****************************************************************************
	3180	Put a 8 byte filetime from a time_t
	3181	This takes real GMT as input and converts to kludge-GMT
	3182	****************************************************************************/
	3183	void regfi_unix2nt_time(REGFI_NTTIME *nt, time_t t)
	3184	{
	3185	double d;
	3186
	3187	if (t==0)
	3188	{
	3189	nt->low = 0;
	3190	nt->high = 0;
	3191	return;
	3192	}
	3193
	3194	if (t == TIME_T_MAX)
	3195	{
	3196	nt->low = 0xffffffff;
	3197	nt->high = 0x7fffffff;
	3198	return;
	3199	}
	3200
	3201	if (t == -1)
	3202	{
	3203	nt->low = 0xffffffff;
	3204	nt->high = 0xffffffff;
	3205	return;
	3206	}
	3207
	3208	/* this converts GMT to kludge-GMT */
	3209	/* XXX: This was removed due to difficult dependency requirements.
	3210	* So far, times appear to be correct without this adjustment, but
	3211	* that may be proven wrong with adequate testing.
	3212	*/
	3213	/* t -= TimeDiff(t) - get_serverzone(); */
	3214
	3215	d = (double)(t);
	3216	d += TIME_FIXUP_CONSTANT;
	3217	d *= 1.0e7;
	3218
	3219	nt->high = (uint32_t)(d * (1.0/(4.0*(double)(1<<30))));
	3220	nt->low = (uint32_t)(d - ((double)nt->high)4.0(double)(1<<30));
	3221	}
	3222
	3223
	3224	/****************************************************************************
	3225	Interpret an 8 byte "filetime" structure to a time_t
	3226	It's originally in "100ns units since jan 1st 1601"
	3227
	3228	An 8 byte value of 0xffffffffffffffff will be returned as (time_t)0.
	3229
	3230	It appears to be kludge-GMT (at least for file listings). This means
	3231	its the GMT you get by taking a localtime and adding the
	3232	serverzone. This is NOT the same as GMT in some cases. This routine
	3233	converts this to real GMT.
	3234	****************************************************************************/
	3235	time_t regfi_nt2unix_time(const REGFI_NTTIME* nt)
	3236	{
	3237	double d;
	3238	time_t ret;
	3239	/* The next two lines are a fix needed for the
	3240	broken SCO compiler. JRA. */
	3241	time_t l_time_min = TIME_T_MIN;
	3242	time_t l_time_max = TIME_T_MAX;
	3243
	3244	if (nt->high == 0 \|\| (nt->high == 0xffffffff && nt->low == 0xffffffff))
	3245	return(0);
	3246
	3247	d = ((double)nt->high)4.0(double)(1<<30);
	3248	d += (nt->low&0xFFF00000);
	3249	d *= 1.0e-7;
	3250
	3251	/* now adjust by 369 years to make the secs since 1970 */
	3252	d -= TIME_FIXUP_CONSTANT;
	3253
	3254	if (d <= l_time_min)
	3255	return (l_time_min);
	3256
	3257	if (d >= l_time_max)
	3258	return (l_time_max);
	3259
	3260	ret = (time_t)(d+0.5);
	3261
	3262	/* this takes us from kludge-GMT to real GMT */
	3263	/* XXX: This was removed due to difficult dependency requirements.
	3264	* So far, times appear to be correct without this adjustment, but
	3265	* that may be proven wrong with adequate testing.
	3266	*/
	3267	/*
	3268	ret -= get_serverzone();
	3269	ret += LocTimeDiff(ret);
	3270	*/
	3271
	3272	return(ret);
	3273	}
	3274
	3275	/* End of stuff from lib/time.c */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: