Re: [Libguestfs] [PATCH 2/2] lib: allow to walk registry with corrupted blocks

On Wed, Feb 08, 2017 at 04:36:31PM -0500, Dawid Zamirski wrote: > There are some corrupted registry files that have invalid hbin > cells > but are still readable. This patch makes the following changes: > > * hivex_open - do not abort with complete failure if we run across > a >   block with invalid size (unless it's the root block). Instead > just >   log the event, and move on. This will allow open hives that have >   apparent invalid blocks but the ones of potential interest might > be >   perfectly accessible. > * _hivex_get_children - similiarly, if the's invalid subkey, just > skip >   it instead of failing so one can continue to browse other valid >   subkeys. > > The above is similar to the behavior to Windows regedit where one > can > load such corrupted hives with e.g. "reg load HKU\Corrupted" and > browse/change it despite some keys might be missing. > --- >  lib/handle.c | 13 +++++++++---- >  lib/node.c   | 11 +++++------ >  2 files changed, 14 insertions(+), 10 deletions(-) > > diff --git a/lib/handle.c b/lib/handle.c > index 1e122ea..9be3b5f 100644 > --- a/lib/handle.c > +++ b/lib/handle.c > @@ -300,10 +300,15 @@ hivex_open (const char *filename, int flags) >        int used; >        seg_len = block_len (h, blkoff, &used); >        if (seg_len <= 4 || (seg_len & 3) != 0) { > -        SET_ERRNO (ENOTSUP, > -                   "%s: block size %" PRIi32 " at 0x%zx, bad > registry", > -                   filename, le32toh (block->seg_len), blkoff); > -        goto error; > +        if (is_root) { > +          bad_root_block = 1;

> +        } else { > +          DEBUG(2, As before, space before parens in function and macro calls. > @@ -408,7 +407,7 @@ _get_children (hive_h *h, hive_node_h blkoff, >        hive_node_h subkey = le32toh (lf->keys[i].offset); >        subkey += 0x1000; >        if (check_child_is_nk_block (h, subkey, flags) == -1) > -        return -1; > +        continue; I think this deserves a debug message. There is also a further call to check_child_is_nk_block in this function, but if that fails it still returns.  Why is that case different? Rich. >        if (_hivex_add_to_offset_list (children, subkey) == -1) >          return -1; >      } > --  > 2.9.3 > > _______________________________________________ > Libguestfs mailing list > Libguestfs(a)redhat.com > https://www.redhat.com/mailman/listinfo/libguestfs