Commit Graph

4989 Commits

Author SHA1 Message Date
Jean-Pierre André
7a0cf11e1c Fixed expanding $STANDARD_INFORMATION with almost-full MFT record
When setting a security descriptor on an NTFS v1.2 format file in an
NTFS v3.0+ volume, NTFS-3G would migrate $STANDARD_INFORMATION to the
new format, which requires extending its size from 48 to 72 bytes.  If
this happened while the file's MFT record was almost full, and none of
the file's attributes could be made non-resident, and the file did not
have an attribute list attribute, then the operation would unexpectedly
fail with ENOENT.  Fix this by adding an attribute list to the file in
this situation.

(contributed by Eric Biggers)
2017-02-11 10:58:46 +01:00
Jean-Pierre André
17b56ccfa2 Allowed names with trailing dot or space on conditions
Windows places filenames with a trailing dot or space in the Win32
namespace and allows setting DOS names on such files.  This is true even
though on Windows such filenames can only be created and accessed using
WinNT-style paths and will confuse most Windows software.  Regardless,
because libntfs-3g did not allow setting DOS names on such files, in
some cases it was impossible to correctly restore, using libntfs-3g, a
directory structure that was created under Windows.

Update ntfs_set_ntfs_dos_name() to permit operating on a file that has a
long name with a trailing dot or space.  But continue to forbid creating
such names on a filesystem FUSE-mounted with the windows_name option.
Additionally, continue to forbid a trailing a dot or space in DOS names;
this matches the Windows behavior.

(contributed by Eric Biggers)
2017-02-11 10:54:51 +01:00
Jean-Pierre André
1178a7a801 Fixed setting opening contexts for plugins
The opening context was incorrectly passed to plugins by lowntfs-3g

(contributed by Eric Biggers)
2017-02-11 10:44:02 +01:00
Jean-Pierre André
94677ae961 Accepted displaying bad security descriptors on conditions
Display security descriptors in ntfssecaudit when they appear as
correctly formed, even when they contain unsupported items.
2017-02-11 10:37:47 +01:00
Jean-Pierre André
ea9b8a487c Fixed memory leak when failing to lookup an index
When an index could not be used, the search context was not freed
2017-02-11 10:29:39 +01:00
Jean-Pierre André
d69d2d9a1f Got ready for Posix ACL support in fuse kernel
Following a recent patch to the fuse kernel, the Posix ACL checks can
be done within the kernel instead of having to be done in the file
system, provided lowntfs-3g is used.

This mode is still not used by default until the fuse patch is
released by distributions.
2017-02-11 10:21:07 +01:00
Jean-Pierre André
35cb222233 Removed unused argument from ntfs_make_symlink()
Now that the size of the reparse point attribute is no longer used by
the FUSE drivers to populate st_size for symlinks and junctions, it no
longer needs to be returned by ntfs_make_symlink().

(contributed by Eric Biggers)
2017-02-11 10:11:01 +01:00
Jean-Pierre André
051a4b556b Returned the size of locale encoded target as the size of symlinks
Made ntfs-3f conform to the standard POSIX convention of setting st_size
to the length of the symlink target without a terminating null.

(contributed by Eric Biggers)
2017-02-11 10:04:15 +01:00
Jean-Pierre André
376f4cbca7 Validated minimum size of mountpoint/symlink reparse points
valid_reparse_data() would read past the end of the reparse point buffer
if it was passed a malformed reparse point that had the tag for a
mountpoint or a symlink but had a data buffer smaller than expected.
Fix this by validating the buffer size.

(contributed by Eric Biggers)
2017-02-11 10:00:34 +01:00
Jean-Pierre André
3c5fb9b352 Eliminated unnecessary strlen() in ntfs_get_ntfs_dos_name()
Since ntfs_ucstombs() returns the output string length, there is no need
to call strlen().

(contributed by Eric Biggers)
2017-02-11 09:58:30 +01:00
Jean-Pierre André
2052b46639 Fixed a possible buffer overrun in ntfs_utf16_to_utf8()
If an output buffer was provided, ntfs_utf16_to_utf8() limited the
output string length without the terminating null to 'outs_len'.  This
was incorrect because a terminating null was always added to the string,
causing a buffer overrun if the output string happened to have exactly
the maximum length.  This was a longstanding bug.  Fix it by leaving
space for a terminating null.

(contributed by Eric Biggers)
2017-02-11 09:51:17 +01:00
Jean-Pierre André
b9624542e0 Made utf16_to_utf8_size() always honor @outs_len
utf16_to_utf8_size() was not guaranteed to fail with ENAMETOOLONG if the
computed length was greater than @outs_len.  This could cause a buffer
overrun in ntfs_utf16_to_utf8().

(contributed by Eric Biggers)
2017-02-11 09:49:03 +01:00
Jean-Pierre André
e60056d377 Preventing --enable-plugins from disabling the plugins
The plugins are enabled by default, and the can be disabled by the
configure option --disable-plugins, but the option --enable-plugins
also led to disabling them.
2017-02-11 09:36:30 +01:00
Jean-Pierre André
b337582d36 Fixed DISABLE_PLUGINS as the condition for not using plugins
The condition for using plugins did not match the definition by
./configure
2017-02-11 09:33:27 +01:00
Jean-Pierre André
c314a8115b Fixed nesting when not using plugins
The logical nesting (defined by {...}) did not match the physical nesting
(defined by #ifdef...#endif)
2017-02-11 09:26:58 +01:00
Jean-Pierre André
8f0fbd286d Fixed updating the backup boot sector in ntfslabel
The location of the backup boot sector was one-off
2017-02-11 09:22:50 +01:00
Jean-Pierre André
fa0a7a5686 Logged more information when a plugin could not be loaded
Put the explanation from dlerr() into the syslog when a plugin could
not be loaded.
2017-02-11 09:15:33 +01:00
Jean-Pierre André
2eb5052480 Decoded the reparse tag for deduplication in ntfsinfo
Take into account the reparse tag for deduplication and display its meaning
2017-02-11 09:11:51 +01:00
Jean-Pierre André
30ae872b89 Included <paths.h> where useful in fuse-lite
Both fusermount.c and mount_util.c use _PATH_MOUNTED, so they should
include <paths.h>, which provides this definition.
This is required for building with the musl C library.

Contributed by Thomas Petazzoni
2017-02-11 09:08:22 +01:00
Jean-Pierre André
28c479af6a Denied creating/removing files or directories from $Extend
$Extend is a directory reserved for metadata specific to Windows.
Inserting other files or directories there leads to problems with
some Windows versions.
2017-02-11 09:00:49 +01:00
Jean-Pierre André
b66f5f8241 Replaced secaudit by ntfssecaudit in its own usage output
The usage output did not match the command name change
2017-02-11 08:57:37 +01:00
Jean-Pierre André
fdefd8feba Fixed bad indentations (cosmetic) 2017-02-11 08:53:20 +01:00
Jean-Pierre André
32587b485c Improved opening/closing $Secure when un/mounting NTFS volume
Call ntfs_close_secure() earlier, check for error, and other cleanups

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-09-02 08:30:07 +02:00
Jean-Pierre André
d4dfa18f7d Corrected code with misleading indentation
GCC 6 reports a warning in ntfs_allowed_dir_access() because the code has
misleading indentation.  Fix by adding braces.  There is no actual change
in behavior because of the '(allowed == 2)' condition.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-28 16:30:05 +02:00
Jean-Pierre André
f86c4403ed Corrected validation of multi sector transfer protected records
The validation contained an off-by-one error.  The
expression '(u32)(usa_ofs + (usa_count * 2)) > size' used 'usa_count'
after it had been decremented to skip the update sequence number entry.
Consequently, the code could read out of bounds, up to two bytes past the
end of the MST-protected record.

Furthermore, as documented in the comment in layout.h for "NTFS_RECORD"
and also on MSDN for "MULTI_SECTOR_HEADER", the update sequence array
must end before the last le16 in the first logical sector --- not merely
before the end of the record.

Fix the validation and move it into a helper function, as it was done
identically in the read and write paths.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-28 16:26:21 +02:00
Jean-Pierre André
2840e84a97 Always opened $Secure when mounting NTFS volume
Currently, applications that wish to access security descriptors have to
explicitly open the volume's security descriptor index ("$Secure") using
ntfs_open_secure().  Applications are also responsible for closing the
index when done with it.  However, the cleanup function for doing,
ntfs_close_secure(), cannot be called easily by all applications because
it requires a SECURITY_CONTEXT argument, not simply the ntfs_volume.
Some applications therefore have to close the inode and index contexts
manually in order to clean up properly.

This proposal updates libntfs-3g to open $Secure unconditonally as part
of ntfs_mount(), so that applications do not have to worry about it.

This proposal updates libntfs-3g to open $Secure unconditonally as part
of ntfs_mount(), so that applications do not have to worry about it.

ntfs_close_secure() is updated to take in a ntfs_volume for internal use,
and ntfs_destroy_security_context() is now the function to call to free
memory associated with a SECURITY_CONTEXT rather than a ntfs_volume.

Some memory leaks in error paths of ntfs_open_secure() are also fixed.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-28 16:22:16 +02:00
Jean-Pierre André
ab4c6a6141 Fixed tautological comparison
Wrong comparison in ntfscmp.c
2016-07-28 16:19:29 +02:00
Jean-Pierre André
e6cbd4d221 Removed unused variables
A few variables in xattrs.c are not used any more
2016-07-28 16:16:42 +02:00
Jean-Pierre André
043b0e6e73 Allowed using full library API on systems without extended attributes support
A number of functions in libntfs-3g are generally useful, but are tied to
extended attributes support and are not included when the library is
built on platforms without extended attributes support.

This proposal updates libntfs-3g to always include these functions.

The only tricky part is dealing with the XATTR_CREATE and XATTR_REPLACE
flags.  These flags are defined in <sys/xattr.h>, so they must be
redefined on platforms without extended attributes support.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-28 16:13:59 +02:00
Jean-Pierre André
4264f19acb Cleaned up file name collation code
- Update documentation for COLLATION_RULES
- Document how ntfs_names_full_collate() compares names
- Update comments and DEBUG code to reflect that ntfs_names_full_collate()
  always access 'upcase', even in CASE_SENSITIVE mode
- Remove unneeded assignments to 'c1' and 'c2' in IGNORE_CASE mode

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-28 16:10:14 +02:00
Jean-Pierre André
54b78660d7 Allowed dlopen API to be either in libc or libdl
On Linux, the functions in the dlopen API are in libdl.  However, on
FreeBSD, libdl doesn't exist and the functions are instead in libc.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-19 11:53:28 +02:00
Jean-Pierre André
0babe3c0db Made plugin.h include all prerequisite declarations
Only <plugin.h> to be included in plugins code.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-19 11:50:32 +02:00
Jean-Pierre André
68dec8ddbc Renamed include guard for plugin.h to _NTFS_PLUGIN_H
Be consistent with other NTFS-3G headers and use the "_NTFS_" prefix.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-07-19 11:49:04 +02:00
Jean-Pierre André
38ff4602a7 Cleared the sparse flags when clearing the bad cluster list
The bad cluster list may be updated in ntfsresize and ntfsfix. Though
technically it is organized as a sparse file, Windows does not set
the sparse flags. Do the same to avoid problems with third-party
packages.
2016-07-19 11:44:59 +02:00
Jean-Pierre André
191e47ff9d Tolerated garbage put by Windows 10 into the last ACE
For some reason, Windows 10 sometimes inserts garbage after the
last ACE of an ACL. The ACL consistency check has to tolerate this.
2016-07-19 11:40:20 +02:00
Jean-Pierre André
b973c0bd3c Compiled out conditionally debug-oriented code
Although ntfs_log_trace() is defined to a no-op in non-DEBUG builds,
ntfs_attr_name_get() is not.  This function performs a string conversion
and a memory allocation, so it is nice to have the call to it compiled
out when not needed.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-06-22 12:01:25 +02:00
Jean-Pierre André
5693341f0d Fixed ntfs_delete() failure caused by string conversion error
It was possible for ntfs_attr_name_get() to set errno due to a wide
character string that could not be converted to a multibyte string.  This
caused ntfs_delete() to fail.

Fix by checking for a nonzero return value specifically from
ntfs_attr_lookup(), rather than assuming that nothing else sets errno.

Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
2016-06-22 11:58:20 +02:00
Jean-Pierre André
cf6f265069 Switch to using the standard autoconf AC_HEADER_MAJOR macro
Switch to the standard autoconf AC_HEADER_MAJOR macro which takes care
of the ugly details like when to use mkdev.h and when to use sysmacros.h.
(requires <sys/types.h> to be included)
Also include these in all files that use major/minor/makedev funcs.

(Contributed by Mike Frysinger)
2016-05-31 08:33:10 +02:00
Jean-Pierre André
e7c5950117 Silenced a truncation warning in upper case table
The upper case value for 0x1d79 is 0xa77d, so the difference is 0x8a04,
which overflows in the table which defines the computation of upper case
values. Rewriting this difference as -0x75fc leads to the same result
in an upper case table truncated to two bytes, and this avoid the
compiler warning.
2016-05-31 08:24:23 +02:00
Jean-Pierre André
08d3bcb2bf Ported patches to libfuse from the OpenIndiana variant
A few patches had been found useful to the OpenIndiana variant of libfuse
(2.7.6). Port them to libfuse-lite and restrict them to Solaris/OpenIndiana.
2016-05-04 10:15:35 +02:00
Jean-Pierre André
a7ce195489 383 Fixed masks for major and minor in fuse-lite for OpenIndiana
On Solaris/OpenIndiana, the major and minor fields in st_rdev have to
be represented on 14 bits and 18 bits respectively. They must have
the same representation on 32-bit and 64-bit builds as the kernel
and the library do not know the word size of each other.
2016-05-04 10:08:06 +02:00
Jean-Pierre André
34f7bd7ff0 Used <sys/mkdev.h> instead of <sys/sysmacros.h> on OpenIndiana
On Solaris/OpenIndiana, use the macroes makedev(), major() and minor()
from <sys/mkdev.h>. Those from <sys/sysmacros.h> are inappropriate for
current builds.
2016-05-04 10:03:39 +02:00
Jean-Pierre André
040153adcb Redefined ELIBBAD as ENOEXEC when missing
When a plugin cannot be initialized a ELIBBAD error is returned on Linux
and OpenIndiana. As this is not a Posix error code, use ENOEXEC on
systems which do not define ELIBBAD.
2016-05-04 09:59:18 +02:00
Jean-Pierre André
0ad352b40f Updated information about ntfsprogs to the README file
Added mentions of ntfssecaudit, ntfsusermap and ntfsrecover to the
README file.
2016-05-04 09:55:16 +02:00
Jean-Pierre André
4278fbb7f6 Defined an option to kill the Windows cache and play the log file
The new ntfsrecover option --kill-fast-restart can be used to delete
the Windows fast-restart indication before playing the log. This can
lead to data loss, but is needed before mounting a partition improperly
unmounted from Windows when remounting on Windows is inconvenient.
2016-05-04 09:47:51 +02:00
Jean-Pierre André
ab4bdea00f Rejected implicit mounting read-only when hiberfile option is present
If the remove_hiberfile mount option is present, explicitly disallow
the library from switching to a read-only mount. This is only to avoid
confusion, as the remove_hiberfile is processed before taking the
decision to fall back to read-only.
2016-05-04 09:39:48 +02:00
Jean-Pierre André
0c855fe36b Used Microsoft terminology for SID names
A few SIDs descriptions might be confusing because of a wording different
from Microsoft usage.
2016-05-04 09:33:42 +02:00
Jean-Pierre André
df01bf1b4d Displayed the SID revision as an unsigned number (cosmetic)
Properly display a SID revision if it should ever reach 128.
(suggested by Ulf Zibis)
2016-05-04 09:30:48 +02:00
Jean-Pierre André
1b8b599408 Checked the number of subauthorities before accessing them
Be more crash resistent when analyzing a badly formed SID.
(contributed by Ulf Zibis)
2016-05-04 09:27:32 +02:00
Jean-Pierre André
d587ff54f9 Fixed segmentation fault on empty $LogFile in ntfsrecover
ntfsrecover -f -v <log file> receives a SIGSEGV because of trying to
read memory outside allocated buffer because of no sanity checks on
restart page header values. This happens on an empty $LogFile because
of no basic checks present. Attached patch adds basic checks similar
to those inside logfile library and allows tool to exit with more
suitable message.
(contributed by Rakesh Pandit)
2016-05-04 09:24:51 +02:00