
Commit b5de703

committed
fix(event): Copy registry data buffer
This prevents referencing a dangling buffer as it is invalidated after the callback function returns.
1 parent 344d270 commit b5de703


1 file changed

+16
-10
lines changed


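--- a/pkg/event/param_windows.go
+++ b/pkg/event/param_windows.go
@@ -22,6 +22,13 @@ import (
 "encoding/binary"
 "expvar"
 "fmt"
+"net"
+"path/filepath"
+"strconv"
+"strings"
+"time"
+"unsafe"
+
 "github.com/rabbitstack/fibratus/pkg/event/params"
 "github.com/rabbitstack/fibratus/pkg/fs"
 htypes "github.com/rabbitstack/fibratus/pkg/handle/types"
@@ -35,12 +42,6 @@ import (
 "github.com/rabbitstack/fibratus/pkg/util/va"
 "golang.org/x/sys/windows"
 "golang.org/x/sys/windows/registry"
-"net"
-"path/filepath"
-"strconv"
-"strings"
-"time"
-"unsafe"
 )
 
 // unknownKeysCount counts the number of times the registry key failed to convert from native format
@@ -520,6 +521,11 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 capturedSize := evt.ReadUint16(voffset)
 capturedData := evt.ReadBytes(2+voffset, capturedSize)
 
+// copy the buffer as it points to invalid
+// memory when the callback function returns
+b := make([]byte, capturedSize)
+copy(b, capturedData)
+
 e.AppendParam(params.RegKeyHandle, params.Address, keyObject)
 e.AppendParam(params.NTStatus, params.Status, status)
 e.AppendParam(params.RegPath, params.Key, filepath.Join(keyName, valueName))
@@ -530,13 +536,13 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 case registry.SZ, registry.MULTI_SZ, registry.EXPAND_SZ:
 e.AppendParam(params.RegData, params.UnicodeString, string(capturedData))
 case registry.BINARY:
-e.AppendParam(params.RegData, params.Binary, capturedData)
+e.AppendParam(params.RegData, params.Binary, b)
 case registry.DWORD:
-e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(capturedData))
+e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(b))
 case registry.DWORD_BIG_ENDIAN:
-e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(capturedData))
+e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(b))
 case registry.QWORD:
-e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(capturedData))
+e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(b))
 }
 }
 case CreateFile: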
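Review bot: The `registry.DWORD`, `registry.DWORD_BIG_ENDIAN` and `registry.QWORD` branches decode `b` without checking its length, and `binary.LittleEndian.Uint32`/`Uint64` (and the big-endian variant) panic on a slice shorter than 4 or 8 bytes. `capturedSize` is read from the event record and nothing visible here ties it to the value type, so a value whose captured data is shorter than its declared type would panic inside the event callback; whether `ReadBytes` or a recover further up guards against this cannot be seen from the hunk. A length guard per branch would cover it, e.g. `if len(b) >= 4 { e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(b)) }`, with the short case either skipped or emitted as `params.Binary`. Separately, only the `registry.BINARY` branch retains the slice (the integer decodes return values and `string(capturedData)` already copies), so the `make`/`copy` could move into that branch. The switch header and the rest of `produceParams` lie outside the hunks.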
