summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristophe Grenier <grenier@cgsecurity.org>2009-01-10 15:51:30 +0100
committerChristophe Grenier <grenier@cgsecurity.org>2009-01-10 15:51:30 +0100
commit38ce28702691b4adc56898262a09cd1f0500a681 (patch)
tree5741300be7e78e685aa8db756ffe5a1f87668eda
parentdbba3af27b57bc1771111d810e332fefb853052c (diff)
HFS+, HFSX: check the version field to reduce false positive
-rw-r--r--src/hfsp.c52
-rw-r--r--src/hfsp.h9
2 files changed, 31 insertions, 30 deletions
diff --git a/src/hfsp.c b/src/hfsp.c
index e1a7c94..493ce5f 100644
--- a/src/hfsp.c
+++ b/src/hfsp.c
@@ -85,47 +85,41 @@ int recover_HFSP(disk_t *disk_car, const struct hfsp_vh *vh,partition_t *partiti
int test_HFSP(disk_t *disk_car, const struct hfsp_vh *vh,partition_t *partition,const int verbose, const int dump_ind)
{
- if (vh->signature==be16(HFSP_VOLHEAD_SIG) && be32(vh->blocksize)%512==0 && be32(vh->blocksize)!=0 && be32(vh->free_blocks)<=be32(vh->total_blocks))
+ if (!(be32(vh->blocksize)%512==0 && be32(vh->blocksize)!=0 && be32(vh->free_blocks)<=be32(vh->total_blocks)))
+ return 1;
+ /* http://developer.apple.com/technotes/tn/tn1150.html */
+ if (be16(vh->version)==4 && vh->signature==be16(HFSP_VOLHEAD_SIG))
{
+ partition->upart_type=UP_HFSP;
if(verbose>0 || dump_ind!=0)
{
log_info("\nHFS+ magic value at %u/%u/%u\n", offset2cylinder(disk_car,partition->part_offset),offset2head(disk_car,partition->part_offset),offset2sector(disk_car,partition->part_offset));
}
- if(dump_ind!=0)
- {
- /* There is a little offset ... */
- dump_log(vh,DEFAULT_SECTOR_SIZE);
- }
- if(verbose>1)
- {
- log_info("blocksize %u\n",(unsigned) be32(vh->blocksize));
- log_info("total_blocks %u\n",(unsigned) be32(vh->total_blocks));
- log_info("free_blocks %u\n",(unsigned) be32(vh->free_blocks));
- }
- partition->upart_type=UP_HFSP;
- return 0;
}
- if (vh->signature==be16(HFSX_VOLHEAD_SIG) && be32(vh->blocksize)%512==0 && be32(vh->blocksize)!=0 && be32(vh->free_blocks)<=be32(vh->total_blocks))
+ else if (be16(vh->version)==5 && vh->signature==be16(HFSX_VOLHEAD_SIG))
{
+ partition->upart_type=UP_HFSX;
if(verbose>0 || dump_ind!=0)
{
log_info("\nHFSX magic value at %u/%u/%u\n", offset2cylinder(disk_car,partition->part_offset),offset2head(disk_car,partition->part_offset),offset2sector(disk_car,partition->part_offset));
}
- if(dump_ind!=0)
- {
- /* There is a little offset ... */
- dump_log(vh,DEFAULT_SECTOR_SIZE);
- }
- if(verbose>1)
- {
- log_info("blocksize %u\n",(unsigned) be32(vh->blocksize));
- log_info("total_blocks %u\n",(unsigned) be32(vh->total_blocks));
- log_info("free_blocks %u\n",(unsigned) be32(vh->free_blocks));
- }
- partition->upart_type=UP_HFSX;
- return 0;
}
- return 1;
+ else
+ {
+ return 1;
+ }
+ if(dump_ind!=0)
+ {
+ /* There is a little offset ... */
+ dump_log(vh,DEFAULT_SECTOR_SIZE);
+ }
+ if(verbose>1)
+ {
+ log_info("blocksize %u\n",(unsigned) be32(vh->blocksize));
+ log_info("total_blocks %u\n",(unsigned) be32(vh->total_blocks));
+ log_info("free_blocks %u\n",(unsigned) be32(vh->free_blocks));
+ }
+ return 0;
}
static int set_HFSP_info(partition_t *partition, const struct hfsp_vh *vh)
diff --git a/src/hfsp.h b/src/hfsp.h
index 0fa016f..1c4dc48 100644
--- a/src/hfsp.h
+++ b/src/hfsp.h
@@ -25,6 +25,10 @@
*/
#ifndef _HFSP_H
#define _HFSP_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+
#define HFSP_BOOT_SECTOR_SIZE 512
#define HFSP_BLOCKSZ 512 /* A sector for Apple is always 512 bytes */
#define HFSP_BLOCKSZ_BITS 9 /* 1<<9 == 512 */
@@ -77,7 +81,7 @@ typedef struct {
*/
typedef struct hfsp_vh {
uint16_t signature; // must be HFSPLUS_VOLHEAD_SIG 'H+'
- uint16_t version; // currently 4, ignored
+ uint16_t version; // 4 for HFS+, 5 for HFSX
uint32_t attributes; // See bit constants below
uint32_t last_mount_vers;
// Use a registered creator code here (See libhfsp.h)
@@ -148,4 +152,7 @@ int check_HFSP(disk_t *disk_car,partition_t *partition,const int verbose);
int test_HFSP(disk_t *disk_car, const struct hfsp_vh *vh,partition_t *partition,const int verbose, const int dump_ind);
int recover_HFSP(disk_t *disk_car, const struct hfsp_vh *vh,partition_t *partition,const int verbose, const int dump_ind, const int backup);
+#ifdef __cplusplus
+} /* closing brace for extern "C" */
+#endif
#endif