Changeset 165


Ignore:
Timestamp:
12/11/09 22:13:27 (15 years ago)
Author:
tim
Message:

added misc comments

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/include/regfi.h

    r162 r165  
    9696#define REG_KEY                    0x7FFFFFFF
    9797
     98#define REGFI_OFFSET_NONE          0xffffffff
     99
     100
     101/* This maximum depth is described here:
     102 * http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
     103 */
    98104#define REGFI_MAX_DEPTH            512
    99 #define REGFI_OFFSET_NONE          0xffffffff
    100 
    101 /* XXX: This is totally arbitrary right now. */
     105
     106/* This limit defines the maximum number of levels deep that ri subkey list
     107 * trees can go.
     108 */
     109/* XXX: This is totally arbitrary right now.
     110 *      The actual limit may need to be discovered by experimentation.
     111 */
    102112#define REGFI_MAX_SUBKEY_DEPTH     255
     113
    103114
    104115/* Header sizes and magic number lengths for various records */
     
    475486
    476487
    477 /* XXX: Should move all caching (SK records, HBINs, NKs, etc) to a single
    478  *      structure, probably REGFI_FILE.  Once key caching is in place,
    479  *      convert key_positions stack to store just key offsets rather than
    480  *      whole keys.
    481  */
    482488typedef struct _regfi_iterator
    483489{
  • trunk/lib/regfi.c

    r162 r165  
    988988    return NULL;
    989989
     990  /* XXX: Registry value names are supposedly limited to 16383 characters
     991   *      according to:
     992   *      http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
     993   *      Might want to emit a warning if this is exceeded. 
     994   *      It is expected that "characters" could be variable width.
     995   *      Also, it may be useful to use this information to limit false positives
     996   *      when recovering deleted VK records.
     997   */
     998
    990999  from_encoding = (ret_val->flags & REGFI_VK_FLAG_ASCIINAME)
    9911000    ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
     
    10761085  }
    10771086
     1087  /* XXX: Registry key names are supposedly limited to 255 characters according to:
     1088   *      http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
     1089   *      Might want to emit a warning if this is exceeded. 
     1090   *      It is expected that "characters" could be variable width.
     1091   *      Also, it may be useful to use this information to limit false positives
     1092   *      when recovering deleted NK records.
     1093   */
    10781094  from_encoding = (nk->flags & REGFI_NK_FLAG_ASCIINAME)
    10791095    ? REGFI_ENCODING_ASCII : REGFI_ENCODING_UTF16LE;
     
    26062622 
    26072623  /* Microsoft's documentation indicates that "available memory" is
    2608    * the limit on value sizes.  Annoying.  We limit it to 1M which
    2609    * should rarely be exceeded, unless the file is corrupt or
    2610    * malicious. For more info, see:
    2611    *   http://msdn2.microsoft.com/en-us/library/ms724872.aspx
     2624   * the limit on value sizes for the more recent registry format version.
     2625   * This is not only annoying, but it's probably also incorrect, since clearly
     2626   * value data sizes are limited to 2^31 (high bit used as a flag) and even
     2627   * with big data records, the apparent max size is:
     2628   *   16344 * 2^16 = 1071104040 (~1GB).
     2629   *
     2630   * We choose to limit it to 1M which was the limit in older versions and
     2631   * should rarely be exceeded unless the file is corrupt or malicious.
     2632   * For more info, see:
     2633   *   http://msdn.microsoft.com/en-us/library/ms724872%28VS.85%29.aspx
    26122634   */
    26132635  /* XXX: add way to skip this check at user discression. */
Note: See TracChangeset for help on using the changeset viewer.