sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Home Page: http://www.sleuthkit.org/sleuthkit/

tsk_fs_load_file_action: does not check for buf1->cur == NULL

joachimmetz opened this issue

https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/fs_load.c#L35 is called from https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/fs_attr.c#L840 as callback by https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/ntfs_dent.cpp#L1053

From memcpy(3)

DESCRIPTION
       The memcpy() function copies n bytes from memory area src to memory area dest.  The memory areas must not overlap.  Use memmove(3) if the memory areas do overlap.

The memory areas must not overlap. Use memmove(3) if the memory areas do overlap.

Suggested changes in #2808, though it looks like this overlapping ranges issue might be masking another issue.

Per https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/ntfs_dent.cpp#L1041 if idxalloc_len == 0 then https://github.com/sleuthkit/sleuthkit/blame/develop/tsk/fs/ntfs_dent.cpp#L1047 load_file.cur and load_file.base are set to NULL. But tsk_fs_load_file_action does not check for this condition.

Updated #2808
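
A guarded load-file walk callback that rejects the NULL `cur`/`base` state described in the issue and refuses overlapping `memcpy` ranges, as an added example that is not code from sleuthkit or from the issue. The names `load_file_t`, `walk_ret_t`, `load_file_action_checked` and `ranges_overlap` are hypothetical, and returning an error for the NULL case is an assumption about the desired behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the library's walk-callback types (assumed names). */
typedef enum { WALK_CONT = 0, WALK_STOP = 1, WALK_ERROR = 2 } walk_ret_t;
typedef struct {
    char  *base;   /* start of destination buffer; NULL when nothing was allocated */
    char  *cur;    /* next write position inside the buffer */
    size_t total;  /* allocated size of the buffer */
    size_t left;   /* bytes still expected */
} load_file_t;

/* Nonzero when [a, a+n) and [b, b+n) share at least one byte. */
static int ranges_overlap(const char *a, const char *b, size_t n)
{
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    return n != 0 && x < y + n && y < x + n;
}

walk_ret_t load_file_action_checked(load_file_t *lf, const char *buf, size_t size)
{
    /* Case from the issue: a zero-length attribute leaves base and cur NULL. */
    if (lf == NULL || buf == NULL || lf->base == NULL || lf->cur == NULL)
        return WALK_ERROR;
    /* cur must stay inside [base, base + total]. */
    if (lf->cur < lf->base || (size_t)(lf->cur - lf->base) > lf->total)
        return WALK_ERROR;
    size_t room = lf->total - (size_t)(lf->cur - lf->base);
    size_t n = size < lf->left ? size : lf->left;
    if (n > room)
        return WALK_ERROR;
    /* memcpy(3) requires non-overlapping areas; refuse rather than copy. */
    if (ranges_overlap(lf->cur, buf, n))
        return WALK_ERROR;
    memcpy(lf->cur, buf, n);
    lf->cur += n;
    lf->left -= n;
    return lf->left > 0 ? WALK_CONT : WALK_STOP;
}

int main(void)
{
    load_file_t empty = {NULL, NULL, 0, 0};  /* constructed: zero-length case */
    printf("%d\n", load_file_action_checked(&empty, "x", 1));
    return 0;
}
```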