From jim@meyering.net Mon Jul 20 16:46:56 2009
Return-Path: jim@meyering.net
From: Jim Meyering <jim@meyering.net>
To: "Richard W. M. Jones" <rjones@redhat.com>
Subject: chntpw patches
Date: Mon, 20 Jul 2009 17:31:40 +0200
Message-ID: <87my6z8j6r.fsf@meyering.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26
Status: RO
Content-Length: 4197
Lines: 140

Hi Rich,

The first two were spotted via inspection.
The 3rd one was to address this:

$ : > j && valgrind ./reged -e j ~/w/co/chntpw:
==16084== Memcheck, a memory error detector.
==16084== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==16084== Using LibVEX rev 1884, a library for dynamic binary translation.
==16084== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==16084== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==16084== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==16084== For more details, rerun with: -v
==16084==
reged version 0.1 080526, (c) Petter N Hagen
==16084== Invalid read of size 4
==16084==    at 0x407D09: openHive (ntreg.c:2856)
==16084==    by 0x4011E3: main (reged.c:103)
==16084==  Address 0x4c230d8 is 0 bytes after a block of size 0 alloc'd
==16084==    at 0x4A05414: calloc (vg_replace_malloc.c:397)
==16084==    by 0x407C5C: openHive (ntreg.c:2840)
==16084==    by 0x4011E3: main (reged.c:103)
openHive(j): File does not seem to be a registry hive!
Simple registry editor. ? for help.
==16084==
==16084== Invalid read of size 2
==16084==    at 0x403C4D: get_abs_path (ntreg.c:1204)
==16084==    by 0x408D57: regedit_interactive (edlib.c:379)
==16084==    by 0x401277: main (reged.c:111)
==16084==  Address 0x4c230dc is 4 bytes after a block of size 0 alloc'd
==16084==    at 0x4A05414: calloc (vg_replace_malloc.c:397)
==16084==    by 0x407C5C: openHive (ntreg.c:2840)
==16084==    by 0x4011E3: main (reged.c:103)
get_abs_path: Not a 'nk' node!
>

>From 5c287bb158db10af96b1f1f67d4df49a47323b94 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com> Date: Mon, 20 Jul 2009 09:57:13 -0400 Subject: [PATCH 1/3] improved robustness * ntreg.c (fmyinput): Don't clobber ibuf[-1] upon NUL input. --- ntreg.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ntreg.c b/ntreg.c index e27a5b9..1b84410 100644 --- a/ntreg.c +++ b/ntreg.c @@ -82,14 +82,16 @@ char *str_dup( const char *str ) int fmyinput(char *prmpt, char *ibuf, int maxlen) { - + int len; printf("%s",prmpt); fgets(ibuf,maxlen+1,stdin); + len = strlen(ibuf); - ibuf[strlen(ibuf)-1] = 0; + if (len) + ibuf[len-1] = 0; - return(strlen(ibuf)); + return len; } /* Print len number of hexbytes */ -- 1.6.2.5 >From b9bfb44aa1bff1f9b7badf65425f8190352966a0 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 20 Jul 2009 10:04:23 -0400 Subject: [PATCH 2/3] robustness: avoid low-memory segfault * ntreg.c (convert_string): Don't segfault upon low memory. --- ntreg.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/ntreg.c b/ntreg.c index 1b84410..08f9124 100644 --- a/ntreg.c +++ b/ntreg.c @@ -2585,7 +2585,10 @@ char * convert_string(void *string, int len) int i, k; int reallen = len / 2; char *cstring = (char *)malloc(reallen); - + if (cstring == NULL) { + printf("FATAL! convert_string: malloc() failed! Out of memory?\n"); + abort(); + } for(i = 0, k = 0; i < len; i += 2, k++) { cstring[k] = ((char *)string)[i]; -- 1.6.2.5 >From 81ae3189a8dffcdb3db7229cbe992ed12b8d1327 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 20 Jul 2009 11:04:38 -0400 Subject: [PATCH 3/3] robustness: avoid malfunction for too-small hive file * ntreg.c (openHive): Don't read uninitialized when file is too small. --- ntreg.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/ntreg.c b/ntreg.c index 08f9124..be6b680 100644 --- a/ntreg.c +++ b/ntreg.c 
@@ -2847,6 +2847,14 @@ struct hive *openHive(char *filename, int mode) return(NULL); } + if (r < sizeof (*hdesc)) { + fprintf(stderr, + "file is too small; got %d bytes while expecting %d or more\n", + r, sizeof (*hdesc)); + closeHive(hdesc); + return(NULL); + } + /* Now run through file, tallying all pages */ /* NOTE/KLUDGE: Assume first page starts at offset 0x1000 */ -- 1.6.2.5
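Review bot: [PATCH 1/3], fmyinput hunk: `return len;` changes the function's result. Before the patch the function returned strlen(ibuf) after the trailing character had been zeroed, i.e. one less than the raw length; now it returns the raw length, so any caller that uses the result as the length of the stripped string is off by one. Keep the stripped length instead, e.g. `if (len) ibuf[--len] = 0; return len;`. The fgets() return value is also still unchecked: on EOF or a read error fgets returns NULL and ibuf is not guaranteed to hold a string, so the strlen on the next line reads whatever the buffer held before; testing for NULL (and setting ibuf[0] = 0) makes the len == 0 path deliberate rather than accidental. Finally, the code still assumes the last byte is the newline; when the input line is longer than maxlen, fgets stops before reading '\n' and the last data byte is dropped instead of the newline.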
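Review bot: [PATCH 2/3], convert_string hunk: the diagnostic is written to stdout with printf, while the equivalent message in [PATCH 3/3] goes to stderr; use fprintf(stderr, ...) here too so the error is not mixed into the tool's normal output. abort() in a library routine that returns char * is also heavier than needed; returning NULL, as openHive does, would let callers decide, provided they check the result. Separately, the visible context shows `reallen = len / 2` with `malloc(reallen)` followed by a loop that stores cstring[k] for every even i < len; for odd len that writes one byte past the allocation (len = 3 yields k = 0 and 1 but reallen = 1), and nothing in the hunk leaves room for a terminating NUL, so the buffer size deserves a look in the same series.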
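Review bot: [PATCH 3/3], openHive hunk: the fprintf format uses %d for sizeof (*hdesc), which is a size_t; that is undefined behaviour in the variadic call and will at least trigger -Wformat. Use %zu, or cast the value to the type being printed, e.g. `(int) sizeof (*hdesc)`. The test `r < sizeof (*hdesc)` likewise compares the int r with a size_t; if a negative r can reach this point it converts to a large unsigned value and the check silently passes, so either keep a separate r < 0 test ahead of it or cast the sizeof to int. Lastly, sizeof (*hdesc) is the size of the in-memory descriptor this function returns, not of the on-disk hive header; the comment directly below the hunk assumes the first page starts at offset 0x1000, so a file shorter than that still lacks a complete first page even when it passes this check. Tying the bound to the header layout, or documenting why the descriptor size is a safe proxy, would make the intent clearer.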