/** \internal
* Process a directory and load up FS_DIR with the entries. If a pointer to
* an already allocated FS_DIR struture is given, it will be cleared. If no existing
* FS_DIR structure is passed (i.e. NULL), then a new one will be created. If the return
* value is error or corruption, then the FS_DIR structure could
* have entries (depending on when the error occured).
*
* @param a_fs File system to analyze
* @param a_fs_dir Pointer to FS_DIR pointer. Can contain an already allocated
* structure or a new structure.
* @param a_addr Address of directory to process.
* @returns error, corruption, ok etc.
*/
TSK_RETVAL_ENUM
ffs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
TSK_OFF_T size;
FFS_INFO *ffs = (FFS_INFO *) a_fs;
char *dirbuf;
int nchnk, cidx;
TSK_FS_LOAD_FILE load_file;
TSK_FS_DIR *fs_dir;
/* If we get corruption in one of the blocks, then continue processing.
* retval_final will change when corruption is detected. Errors are
* returned immediately. */
TSK_RETVAL_ENUM retval_tmp;
TSK_RETVAL_ENUM retval_final = TSK_OK;
if (a_addr < a_fs->first_inum || a_addr > a_fs->last_inum) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
tsk_error_set_errstr("ffs_dir_open_meta: Invalid inode value: %"
PRIuINUM, a_addr);
return TSK_ERR;
}
else if (a_fs_dir == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("ffs_dir_open_meta: NULL fs_attr argument given");
return TSK_ERR;
}
if (tsk_verbose)
tsk_fprintf(stderr,
"ffs_dir_open_meta: Processing directory %" PRIuINUM "\n",
a_addr);
fs_dir = *a_fs_dir;
if (fs_dir) {
tsk_fs_dir_reset(fs_dir);
}
else {
if ((*a_fs_dir = fs_dir =
tsk_fs_dir_alloc(a_fs, a_addr, 128)) == NULL) {
return TSK_ERR;
}
}
// handle the orphan directory if its contents were requested
if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {
return tsk_fs_dir_find_orphans(a_fs, fs_dir);
}
if ((fs_dir->fs_file =
tsk_fs_file_open_meta(a_fs, NULL, a_addr)) == NULL) {
tsk_error_reset();
tsk_error_errstr2_concat("- ffs_dir_open_meta");
return TSK_COR;
}
/* make a copy of the directory contents that we can process */
/* round up cause we want the slack space too */
size = roundup(fs_dir->fs_file->meta->size, FFS_DIRBLKSIZ);
if ((dirbuf = tsk_malloc((size_t) size)) == NULL) {
return TSK_ERR;
}
load_file.total = load_file.left = (size_t) size;
load_file.base = load_file.cur = dirbuf;
if (tsk_fs_file_walk(fs_dir->fs_file,
TSK_FS_FILE_WALK_FLAG_SLACK,
tsk_fs_load_file_action, (void *) &load_file)) {
tsk_error_reset();
tsk_error_errstr2_concat("- ffs_dir_open_meta");
free(dirbuf);
return TSK_COR;
}
/* Not all of the directory was copied, so we return */
if (load_file.left > 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_FWALK);
tsk_error_set_errstr("ffs_dir_open_meta: Error reading directory %"
PRIuINUM, a_addr);
free(dirbuf);
return TSK_COR;
}
/* Directory entries are written in chunks of DIRBLKSIZ
** determine how many chunks of this size we have to read to
** get a full block
**
** Entries do not cross over the DIRBLKSIZ boundary
*/
nchnk = (int) (size) / (FFS_DIRBLKSIZ) + 1;
for (cidx = 0; cidx < nchnk && (int64_t) size > 0; cidx++) {
int len = (FFS_DIRBLKSIZ < size) ? FFS_DIRBLKSIZ : (int) size;
retval_tmp =
ffs_dent_parse_block(ffs, fs_dir,
(fs_dir->fs_file->
meta->flags & TSK_FS_META_FLAG_UNALLOC) ? 1 : 0,
dirbuf + cidx * FFS_DIRBLKSIZ, len);
if (retval_tmp == TSK_ERR) {
retval_final = TSK_ERR;
break;
}
else if (retval_tmp == TSK_COR) {
retval_final = TSK_COR;
}
size -= len;
}
free(dirbuf);
// if we are listing the root directory, add the Orphan directory entry
if (a_addr == a_fs->root_inum) {
TSK_FS_NAME *fs_name = tsk_fs_name_alloc(256, 0);
if (fs_name == NULL)
return TSK_ERR;
if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
tsk_fs_name_free(fs_name);
}
return retval_final;
}
/** \internal
* Process a directory and load up FS_DIR with the entries. If a pointer to
* an already allocated FS_DIR struture is given, it will be cleared. If no existing
* FS_DIR structure is passed (i.e. NULL), then a new one will be created. If the return
* value is error or corruption, then the FS_DIR structure could
* have entries (depending on when the error occured).
*
* @param a_fs File system to analyze
* @param a_fs_dir Pointer to FS_DIR pointer. Can contain an already allocated
* structure or a new structure.
* @param a_addr Address of directory to process.
* @returns error, corruption, ok etc.
*/
TSK_RETVAL_ENUM
ntfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
NTFS_INFO *ntfs = (NTFS_INFO *) a_fs;
TSK_FS_DIR *fs_dir;
const TSK_FS_ATTR *fs_attr_root = NULL;
const TSK_FS_ATTR *fs_attr_idx;
char *idxalloc;
ntfs_idxentry *idxe;
ntfs_idxroot *idxroot;
ntfs_idxelist *idxelist;
ntfs_idxrec *idxrec_p, *idxrec;
int off;
TSK_OFF_T idxalloc_len;
TSK_FS_LOAD_FILE load_file;
NTFS_PAR_MAP *map;
/* In this function, we will return immediately if we get an error.
* If we get corruption though, we will record that in 'retval_final'
* and continue processing.
*/
TSK_RETVAL_ENUM retval_final = TSK_OK;
TSK_RETVAL_ENUM retval_tmp;
/* sanity check */
if (a_addr < a_fs->first_inum || a_addr > a_fs->last_inum) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_WALK_RNG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ntfs_dir_open_meta: inode value: %" PRIuINUM "\n", a_addr);
return TSK_ERR;
}
else if (a_fs_dir == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ntfs_dir_open_meta: NULL fs_attr argument given");
return TSK_ERR;
}
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_open_dir: Processing directory %" PRIuINUM "\n", a_addr);
fs_dir = *a_fs_dir;
if (fs_dir) {
tsk_fs_dir_reset(fs_dir);
}
else {
if ((*a_fs_dir = fs_dir = tsk_fs_dir_alloc(a_fs, 128)) == NULL) {
return TSK_ERR;
}
}
// handle the orphan directory if its contents were requested
if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {
return tsk_fs_dir_find_orphans(a_fs, fs_dir);
}
/* Get the inode and verify it has attributes */
if ((fs_dir->fs_file =
tsk_fs_file_open_meta(a_fs, NULL, a_addr)) == NULL) {
strncat(tsk_errstr2, " - ntfs_dir_open_meta",
TSK_ERRSTR_L - strlen(tsk_errstr2));
return TSK_COR;
}
if (!(fs_dir->fs_file->meta->attr)) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"dent_walk: Error: Directory address %" PRIuINUM
" has no attributes", a_addr);
return TSK_COR;
}
/*
* Read the Index Root Attribute -- we do some sanity checking here
* to report errors before we start to make up data for the "." and ".."
* entries
*/
fs_attr_root =
tsk_fs_attrlist_get(fs_dir->fs_file->meta->attr,
NTFS_ATYPE_IDXROOT);
if (!fs_attr_root) {
strncat(tsk_errstr2, " - dent_walk: $IDX_ROOT not found",
TSK_ERRSTR_L - strlen(tsk_errstr2));
return TSK_COR;
}
if (fs_attr_root->flags & TSK_FS_ATTR_NONRES) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"dent_walk: $IDX_ROOT is not resident - it should be");
return TSK_COR;
}
idxroot = (ntfs_idxroot *) fs_attr_root->rd.buf;
/* Verify that the attribute type is $FILE_NAME */
if (tsk_getu32(a_fs->endian, idxroot->type) == 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"dent_walk: Attribute type in index root is 0");
return TSK_COR;
}
else if (tsk_getu32(a_fs->endian, idxroot->type) != NTFS_ATYPE_FNAME) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"ERROR: Directory index is sorted by type: %" PRIu32
".\nOnly $FNAME is currently supported",
tsk_getu32(a_fs->endian, idxroot->type));
return TSK_COR;
}
/* Get the header of the index entry list */
idxelist = &idxroot->list;
/* Get the offset to the start of the index entry list */
idxe = (ntfs_idxentry *) ((uintptr_t) idxelist +
tsk_getu32(a_fs->endian, idxelist->begin_off));
/*
* NTFS does not have "." and ".." entries in the index trees
* (except for a "." entry in the root directory)
*
* So, we'll make 'em up by making a TSK_FS_NAME structure for
* a '.' and '..' entry and call the action
*/
if (a_addr != a_fs->root_inum) { // && (flags & TSK_FS_NAME_FLAG_ALLOC)) {
TSK_FS_NAME *fs_name;
TSK_FS_META_NAME_LIST *fs_name_list;
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Creating . and .. entries\n");
if ((fs_name = tsk_fs_name_alloc(16, 0)) == NULL) {
return TSK_ERR;
}
/*
* "."
*/
fs_name->meta_addr = a_addr;
fs_name->meta_seq = fs_dir->fs_file->meta->seq;
fs_name->type = TSK_FS_NAME_TYPE_DIR;
strcpy(fs_name->name, ".");
fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
/*
* ".."
*/
strcpy(fs_name->name, "..");
fs_name->type = TSK_FS_NAME_TYPE_DIR;
/* The fs_name structure holds the parent inode value, so we
* just cycle using those
*/
for (fs_name_list = fs_dir->fs_file->meta->name2;
fs_name_list != NULL; fs_name_list = fs_name_list->next) {
fs_name->meta_addr = fs_name_list->par_inode;
fs_name->meta_seq = fs_name_list->par_seq;
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
}
tsk_fs_name_free(fs_name);
fs_name = NULL;
}
/* Now we return to processing the Index Root Attribute */
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Processing $IDX_ROOT of inum %" PRIuINUM
"\n", a_addr);
/* Verify the offset pointers */
if ((tsk_getu32(a_fs->endian, idxelist->seqend_off) <
tsk_getu32(a_fs->endian, idxelist->begin_off)) ||
(tsk_getu32(a_fs->endian, idxelist->bufend_off) <
tsk_getu32(a_fs->endian, idxelist->seqend_off)) ||
(((uintptr_t) idxe + tsk_getu32(a_fs->endian,
idxelist->bufend_off)) >
((uintptr_t) fs_attr_root->rd.buf +
fs_attr_root->rd.buf_size))) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error: Index list offsets are invalid on entry: %" PRIuINUM,
fs_dir->fs_file->meta->addr);
return TSK_COR;
}
retval_tmp = ntfs_proc_idxentry(ntfs, fs_dir,
(fs_dir->fs_file->meta->flags & TSK_FS_META_FLAG_UNALLOC) ? 1 : 0,
idxe,
tsk_getu32(a_fs->endian, idxelist->bufend_off) -
tsk_getu32(a_fs->endian, idxelist->begin_off),
tsk_getu32(a_fs->endian, idxelist->seqend_off) -
tsk_getu32(a_fs->endian, idxelist->begin_off));
// stop if we get an error, continue if we got corruption
if (retval_tmp == TSK_ERR) {
return TSK_ERR;
}
else if (retval_tmp == TSK_COR) {
retval_final = TSK_COR;
}
/*
* get the index allocation attribute if it exists (it doesn't for
* small directories
*/
fs_attr_idx =
tsk_fs_attrlist_get(fs_dir->fs_file->meta->attr,
NTFS_ATYPE_IDXALLOC);
/* if we don't have an index alloc then return, we have processed
* all of the entries
*/
if (!fs_attr_idx) {
if (tsk_getu32(a_fs->endian,
idxelist->flags) & NTFS_IDXELIST_CHILD) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error: $IDX_ROOT says there should be children, but there isn't");
return TSK_COR;
}
}
else {
if (fs_attr_idx->flags & TSK_FS_ATTR_RES) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"$IDX_ALLOC is Resident - it shouldn't be");
return TSK_COR;
}
/*
* Copy the index allocation run into a big buffer
*/
idxalloc_len = fs_attr_idx->nrd.allocsize;
if ((idxalloc = tsk_malloc((size_t) idxalloc_len)) == NULL) {
return TSK_ERR;
}
/* Fill in the loading data structure */
load_file.total = load_file.left = (size_t) idxalloc_len;
load_file.cur = load_file.base = idxalloc;
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Copying $IDX_ALLOC into buffer\n");
if (tsk_fs_attr_walk(fs_attr_idx,
TSK_FS_FILE_WALK_FLAG_SLACK, tsk_fs_load_file_action,
(void *) &load_file)) {
free(idxalloc);
strncat(tsk_errstr2, " - ntfs_dir_open_meta",
TSK_ERRSTR_L - strlen(tsk_errstr2));
return TSK_COR; // this could be an error though
}
/* Not all of the directory was copied, so we exit */
if (load_file.left > 0) {
free(idxalloc);
tsk_error_reset();
tsk_errno = TSK_ERR_FS_FWALK;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error reading directory contents: %" PRIuINUM "\n",
a_addr);
return TSK_COR;
}
/*
* The idxalloc is a big buffer that contains one or more
* idx buffer structures. Each idxrec is a node in the B-Tree.
* We do not process the tree as a tree because then we could
* not find the deleted file names.
*
* Therefore, we scan the big buffer looking for the index record
* structures. We save a pointer to the known beginning (idxrec_p).
* Then we scan for the beginning of the next one (idxrec) and process
* everything in the middle as an ntfs_idxrec. We can't use the
* size given because then we wouldn't see the deleted names
*/
/* Set the previous pointer to NULL */
idxrec_p = idxrec = NULL;
/* Loop by cluster size */
for (off = 0; off < idxalloc_len; off += ntfs->csize_b) {
uint32_t list_len, rec_len;
idxrec = (ntfs_idxrec *) & idxalloc[off];
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Index Buffer Offset: %d Magic: %"
PRIx32 "\n", off, tsk_getu32(a_fs->endian,
idxrec->magic));
/* Is this the begining of an index record? */
if (tsk_getu32(a_fs->endian,
idxrec->magic) != NTFS_IDXREC_MAGIC)
continue;
/* idxrec_p is only NULL for the first time
* Set it and start again to find the next one */
if (idxrec_p == NULL) {
idxrec_p = idxrec;
continue;
}
/* Process the previous structure */
/* idxrec points to the next idxrec structure, idxrec_p
* points to the one we are going to process
*/
rec_len =
(uint32_t) ((uintptr_t) idxrec - (uintptr_t) idxrec_p);
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Processing previous index record (len: %"
PRIu32 ")\n", rec_len);
/* remove the update sequence in the index record */
if (ntfs_fix_idxrec(ntfs, idxrec_p, rec_len)) {
free(idxalloc);
return TSK_COR;
}
/* Locate the start of the index entry list */
idxelist = &idxrec_p->list;
idxe = (ntfs_idxentry *) ((uintptr_t) idxelist +
tsk_getu32(a_fs->endian, idxelist->begin_off));
/* the length from the start of the next record to where our
* list starts.
* This should be the same as bufend_off in idxelist, but we don't
* trust it.
*/
list_len = (uint32_t) ((uintptr_t) idxrec - (uintptr_t) idxe);
/* Verify the offset pointers */
if (((uintptr_t) idxe > (uintptr_t) idxrec) ||
((uintptr_t) idxelist +
tsk_getu32(a_fs->endian,
idxelist->seqend_off) > (uintptr_t) idxrec)) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error: Index list offsets are invalid on entry: %"
PRIuINUM, fs_dir->fs_file->meta->addr);
free(idxalloc);
return TSK_COR;
}
/* process the list of index entries */
retval_tmp = ntfs_proc_idxentry(ntfs, fs_dir,
(fs_dir->fs_file->
meta->flags & TSK_FS_META_FLAG_UNALLOC) ? 1 : 0, idxe,
list_len, tsk_getu32(a_fs->endian,
idxelist->seqend_off) - tsk_getu32(a_fs->endian,
idxelist->begin_off));
// stop if we get an error, record if we get corruption
if (retval_tmp == TSK_ERR) {
free(idxalloc);
return TSK_ERR;
}
else if (retval_tmp == TSK_COR) {
retval_final = TSK_COR;
}
/* reset the pointer to the next record */
idxrec_p = idxrec;
} /* end of cluster loop */
/* Process the final record */
if (idxrec_p) {
uint32_t list_len, rec_len;
/* Length from end of attribute to start of this */
rec_len =
(uint32_t) (idxalloc_len - (uintptr_t) idxrec_p -
(uintptr_t) idxalloc);
if (tsk_verbose)
tsk_fprintf(stderr,
"ntfs_dir_open_meta: Processing final index record (len: %"
PRIu32 ")\n", rec_len);
/* remove the update sequence */
if (ntfs_fix_idxrec(ntfs, idxrec_p, rec_len)) {
free(idxalloc);
return TSK_COR;
}
idxelist = &idxrec_p->list;
idxe = (ntfs_idxentry *) ((uintptr_t) idxelist +
tsk_getu32(a_fs->endian, idxelist->begin_off));
/* This is the length of the idx entries */
list_len =
(uint32_t) ((uintptr_t) idxalloc + idxalloc_len) -
(uintptr_t) idxe;
/* Verify the offset pointers */
if ((list_len > rec_len) ||
((uintptr_t) idxelist +
tsk_getu32(a_fs->endian, idxelist->seqend_off) >
(uintptr_t) idxalloc + idxalloc_len)) {
tsk_error_reset();
tsk_errno = TSK_ERR_FS_INODE_COR;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error: Index list offsets are invalid on entry: %"
PRIuINUM, fs_dir->fs_file->meta->addr);
free(idxalloc);
return TSK_COR;
}
/* process the list of index entries */
retval_tmp = ntfs_proc_idxentry(ntfs, fs_dir,
(fs_dir->fs_file->
meta->flags & TSK_FS_META_FLAG_UNALLOC) ? 1 : 0, idxe,
list_len, tsk_getu32(a_fs->endian,
idxelist->seqend_off) - tsk_getu32(a_fs->endian,
idxelist->begin_off));
// stop if we get an error, record if we get corruption
if (retval_tmp == TSK_ERR) {
free(idxalloc);
return TSK_ERR;
}
else if (retval_tmp == TSK_COR) {
retval_final = TSK_COR;
}
}
free(idxalloc);
}
// get the orphan files
// load and cache the map if it has not already been done
if (ntfs->orphan_map == NULL) {
if (a_fs->inode_walk(a_fs, a_fs->first_inum, a_fs->last_inum,
TSK_FS_META_FLAG_UNALLOC, ntfs_orphan_act, NULL)) {
return TSK_ERR;
}
}
// see if there are any entries for this dir
map = ntfs_orphan_map_get(ntfs, a_addr);
if (map != NULL) {
int a;
TSK_FS_NAME *fs_name;
TSK_FS_FILE *fs_file_orp = NULL;
if ((fs_name = tsk_fs_name_alloc(256, 0)) == NULL)
return TSK_ERR;
fs_name->flags = TSK_FS_NAME_FLAG_UNALLOC;
fs_name->type = TSK_FS_NAME_TYPE_UNDEF;
for (a = 0; a < map->used_cnt; a++) {
/* Fill in the basics of the fs_name entry
* so we can print in the fls formats */
fs_name->meta_addr = map->addrs[a];
// lookup the file to get its name (we did not cache that)
fs_file_orp =
tsk_fs_file_open_meta(a_fs, fs_file_orp, map->addrs[a]);
if ((fs_file_orp) && (fs_file_orp->meta)
&& (fs_file_orp->meta->name2)) {
TSK_FS_META_NAME_LIST *n2 = fs_file_orp->meta->name2;
while (n2) {
if (n2->par_inode == a_addr) {
strncpy(fs_name->name, n2->name,
fs_name->name_size);
tsk_fs_dir_add(fs_dir, fs_name);
}
n2 = n2->next;
}
}
}
tsk_fs_name_free(fs_name);
}
// if we are listing the root directory, add the Orphan directory entry
if (a_addr == a_fs->root_inum) {
TSK_FS_NAME *fs_name;
if ((fs_name = tsk_fs_name_alloc(256, 0)) == NULL)
return TSK_ERR;
if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
tsk_fs_name_free(fs_name);
}
return retval_final;
}
TSK_RETVAL_ENUM
ext2fs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
EXT2FS_INFO *ext2fs = (EXT2FS_INFO *) a_fs;
char *dirbuf, *dirptr;
TSK_OFF_T size;
TSK_FS_LOAD_FILE load_file;
TSK_FS_DIR *fs_dir;
TSK_LIST *list_seen = NULL;
/* If we get corruption in one of the blocks, then continue processing.
* retval_final will change when corruption is detected. Errors are
* returned immediately. */
TSK_RETVAL_ENUM retval_tmp;
TSK_RETVAL_ENUM retval_final = TSK_OK;
if (a_addr < a_fs->first_inum || a_addr > a_fs->last_inum) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
tsk_error_set_errstr("ext2fs_dir_open_meta: inode value: %"
PRIuINUM "\n", a_addr);
return TSK_ERR;
}
else if (a_fs_dir == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("ext2fs_dir_open_meta: NULL fs_attr argument given");
return TSK_ERR;
}
if (tsk_verbose) {
tsk_fprintf(stderr,
"ext2fs_dir_open_meta: Processing directory %" PRIuINUM
"\n", a_addr);
#ifdef Ext4_DBG
tsk_fprintf(stderr,
"ext2fs_dir_open_meta: $OrphanFiles Inum %" PRIuINUM
" == %" PRIuINUM ": %d\n", TSK_FS_ORPHANDIR_INUM(a_fs), a_addr,
a_addr == TSK_FS_ORPHANDIR_INUM(a_fs));
#endif
}
fs_dir = *a_fs_dir;
if (fs_dir) {
tsk_fs_dir_reset(fs_dir);
fs_dir->addr = a_addr;
}
else {
if ((*a_fs_dir = fs_dir =
tsk_fs_dir_alloc(a_fs, a_addr, 128)) == NULL) {
return TSK_ERR;
}
}
// handle the orphan directory if its contents were requested
if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {
#ifdef Ext4_DBG
tsk_fprintf(stderr, "DEBUG: Getting ready to process ORPHANS\n");
#endif
return tsk_fs_dir_find_orphans(a_fs, fs_dir);
}
else {
#ifdef Ext4_DBG
tsk_fprintf(stderr,
"DEBUG: not orphan %" PRIuINUM "!=%" PRIuINUM "\n", a_addr,
TSK_FS_ORPHANDIR_INUM(a_fs));
#endif
}
if ((fs_dir->fs_file =
tsk_fs_file_open_meta(a_fs, NULL, a_addr)) == NULL) {
tsk_error_reset();
tsk_error_errstr2_concat("- ext2fs_dir_open_meta");
return TSK_COR;
}
size = roundup(fs_dir->fs_file->meta->size, a_fs->block_size);
if ((dirbuf = tsk_malloc((size_t) size)) == NULL) {
return TSK_ERR;
}
/* make a copy of the directory contents that we can process */
load_file.left = load_file.total = (size_t) size;
load_file.base = load_file.cur = dirbuf;
if (tsk_fs_file_walk(fs_dir->fs_file,
TSK_FS_FILE_WALK_FLAG_SLACK,
tsk_fs_load_file_action, (void *) &load_file)) {
tsk_error_reset();
tsk_error_errstr2_concat("- ext2fs_dir_open_meta");
free(dirbuf);
return TSK_COR;
}
/* Not all of the directory was copied, so we exit */
if (load_file.left > 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_FWALK);
tsk_error_set_errstr
("ext2fs_dir_open_meta: Error reading directory contents: %"
PRIuINUM "\n", a_addr);
free(dirbuf);
return TSK_COR;
}
dirptr = dirbuf;
while ((int64_t) size > 0) {
int len =
(a_fs->block_size < size) ? a_fs->block_size : (int) size;
retval_tmp =
ext2fs_dent_parse_block(ext2fs, fs_dir,
(fs_dir->fs_file->meta->
flags & TSK_FS_META_FLAG_UNALLOC) ? 1 : 0, &list_seen,
dirptr, len);
if (retval_tmp == TSK_ERR) {
retval_final = TSK_ERR;
break;
}
else if (retval_tmp == TSK_COR) {
retval_final = TSK_COR;
}
size -= len;
dirptr = (char *) ((uintptr_t) dirptr + len);
}
free(dirbuf);
// if we are listing the root directory, add the Orphan directory entry
if (a_addr == a_fs->root_inum) {
TSK_FS_NAME *fs_name = tsk_fs_name_alloc(256, 0);
if (fs_name == NULL)
return TSK_ERR;
if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
tsk_fs_name_free(fs_name);
}
return retval_final;
}
TSK_RETVAL_ENUM
fatfs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
TSK_OFF_T size, len;
FATFS_INFO *fatfs = (FATFS_INFO *) a_fs;
char *dirbuf;
TSK_DADDR_T *addrbuf;
FATFS_LOAD_DIR load;
int retval;
TSK_FS_DIR *fs_dir;
if ((a_addr < a_fs->first_inum) || (a_addr > a_fs->last_inum)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
tsk_error_set_errstr("fatfs_dir_open_meta: invalid a_addr value: %"
PRIuINUM "\n", a_addr);
return TSK_ERR;
}
else if (a_fs_dir == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("fatfs_dir_open_meta: NULL fs_attr argument given");
return TSK_ERR;
}
fs_dir = *a_fs_dir;
if (fs_dir) {
tsk_fs_dir_reset(fs_dir);
}
else {
if ((*a_fs_dir = fs_dir =
tsk_fs_dir_alloc(a_fs, a_addr, 128)) == NULL) {
return TSK_ERR;
}
}
// handle the orphan directory if its contents were requested
if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {
return tsk_fs_dir_find_orphans(a_fs, fs_dir);
}
fs_dir->fs_file = tsk_fs_file_open_meta(a_fs, NULL, a_addr);
if (fs_dir->fs_file == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_INODE_NUM);
tsk_error_set_errstr("fatfs_dir_open_meta: %" PRIuINUM
" is not a valid inode", a_addr);
return TSK_COR;
}
size = fs_dir->fs_file->meta->size;
len = roundup(size, fatfs->ssize);
if (tsk_verbose)
tsk_fprintf(stderr,
"fatfs_dir_open_meta: Processing directory %" PRIuINUM "\n",
a_addr);
if (size == 0) {
if (tsk_verbose)
tsk_fprintf(stderr,
"fatfs_dir_open_meta: directory has 0 size\n");
return TSK_OK;
}
/* Make a copy of the directory contents using file_walk */
if ((dirbuf = tsk_malloc((size_t) len)) == NULL) {
return TSK_ERR;
}
load.curdirptr = dirbuf;
load.dirleft = (size_t) size;
/* We are going to save the address of each sector in the directory
* in a stack - they are needed to determine the inode address.
*/
load.addrsize = (size_t) (len / fatfs->ssize);
addrbuf =
(TSK_DADDR_T *) tsk_malloc(load.addrsize * sizeof(TSK_DADDR_T));
if (addrbuf == NULL) {
free(dirbuf);
return TSK_ERR;
}
/* Set the variables that are used during the copy */
load.addridx = 0;
load.addrbuf = addrbuf;
/* save the directory contents into dirbuf */
if (tsk_fs_file_walk(fs_dir->fs_file,
TSK_FS_FILE_WALK_FLAG_SLACK,
fatfs_dent_action, (void *) &load)) {
tsk_error_errstr2_concat("- fatfs_dir_open_meta");
free(dirbuf);
free(addrbuf);
return TSK_COR;
}
/* We did not copy the entire directory, which occurs if an error occured */
if (load.dirleft > 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_FWALK);
tsk_error_set_errstr
("fatfs_dir_open_meta: Error reading directory %" PRIuINUM,
a_addr);
/* Free the local buffers */
free(dirbuf);
free(addrbuf);
return TSK_COR;
}
if (tsk_verbose)
fprintf(stderr,
"fatfs_dir_open_meta: Parsing directory %" PRIuINUM "\n",
a_addr);
retval = fatfs_dent_parse_buf(fatfs, fs_dir, dirbuf, len, addrbuf);
free(dirbuf);
free(addrbuf);
// if we are listing the root directory, add the Orphan directory and special FAT file entries
if (a_addr == a_fs->root_inum) {
TSK_FS_NAME *fs_name = tsk_fs_name_alloc(256, 0);
if (fs_name == NULL)
return TSK_ERR;
// MBR Entry
strncpy(fs_name->name, FATFS_MBRNAME, fs_name->name_size);
fs_name->meta_addr = FATFS_MBRINO(a_fs);
fs_name->type = TSK_FS_NAME_TYPE_VIRT;
fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
// FAT1 Entry
strncpy(fs_name->name, FATFS_FAT1NAME, fs_name->name_size);
fs_name->meta_addr = FATFS_FAT1INO(a_fs);
fs_name->type = TSK_FS_NAME_TYPE_VIRT;
fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
// FAT2 Entry
strncpy(fs_name->name, FATFS_FAT2NAME, fs_name->name_size);
fs_name->meta_addr = FATFS_FAT2INO(a_fs);
fs_name->type = TSK_FS_NAME_TYPE_VIRT;
fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
// orphan directory
if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
tsk_fs_name_free(fs_name);
}
return retval;
}
/** \internal
* Process a directory and load up FS_DIR with the entries. If a pointer to
* an already allocated FS_DIR struture is given, it will be cleared. If no existing
* FS_DIR structure is passed (i.e. NULL), then a new one will be created. If the return
* value is error or corruption, then the FS_DIR structure could
* have entries (depending on when the error occured).
*
* @param a_fs File system to analyze
* @param a_fs_dir Pointer to FS_DIR pointer. Can contain an already allocated
* structure or a new structure.
* @param a_addr Address of directory to process.
* @returns error, corruption, ok etc.
*/
TSK_RETVAL_ENUM
iso9660_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
TSK_RETVAL_ENUM retval;
TSK_FS_DIR *fs_dir;
ssize_t cnt;
char *buf;
size_t length;
if (a_addr < a_fs->first_inum || a_addr > a_fs->last_inum) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
tsk_error_set_errstr
("iso9660_dir_open_meta: Invalid inode value: %" PRIuINUM,
a_addr);
return TSK_ERR;
}
else if (a_fs_dir == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("iso9660_dir_open_meta: NULL fs_attr argument given");
return TSK_ERR;
}
if (tsk_verbose)
tsk_fprintf(stderr,
"iso9660_dir_open_meta: Processing directory %" PRIuINUM "\n",
a_addr);
fs_dir = *a_fs_dir;
if (fs_dir) {
tsk_fs_dir_reset(fs_dir);
}
else {
if ((*a_fs_dir = fs_dir =
tsk_fs_dir_alloc(a_fs, a_addr, 128)) == NULL) {
return TSK_ERR;
}
}
// handle the orphan directory if its contents were requested
if (a_addr == TSK_FS_ORPHANDIR_INUM(a_fs)) {
return tsk_fs_dir_find_orphans(a_fs, fs_dir);
}
fs_dir->fs_file = tsk_fs_file_open_meta(a_fs, NULL, a_addr);
if (fs_dir->fs_file == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_INODE_NUM);
tsk_error_set_errstr("iso9660_dir_open_meta: %" PRIuINUM
" is not a valid inode", a_addr);
return TSK_COR;
}
/* read directory extent into memory */
length = (size_t) fs_dir->fs_file->meta->size;
if ((buf = tsk_malloc(length)) == NULL)
return TSK_ERR;
cnt = tsk_fs_file_read(fs_dir->fs_file, 0, buf, length, 0);
if (cnt != length) {
if (cnt >= 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_READ);
}
tsk_error_set_errstr2("iso9660_dir_open_meta");
return TSK_ERR;
}
// process the contents
retval = iso9660_proc_dir(a_fs, fs_dir, buf, length, a_addr,
fs_dir->fs_file->meta->attr->head->nrd.run->addr);
// if we are listing the root directory, add the Orphan directory entry
if (a_addr == a_fs->root_inum) {
TSK_FS_NAME *fs_name = tsk_fs_name_alloc(256, 0);
if (fs_name == NULL)
return TSK_ERR;
if (tsk_fs_dir_make_orphan_dir_name(a_fs, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
if (tsk_fs_dir_add(fs_dir, fs_name)) {
tsk_fs_name_free(fs_name);
return TSK_ERR;
}
tsk_fs_name_free(fs_name);
}
return retval;
}
