Make sure the attribute designated to readall() has a reasonable size.
Apart from a bitmap, in a valid call, the attribute size is limited to
65536, and bitmaps are limited by the number of cluster.
When appending to an existing compressed file, the last block must first
be decompressed. When doing so, clear the tail of buffer in order to not
leak unrelated data.
Reject updating uninitialized MFTMirr because it leads to endless
recursions as updating the MFTMirr entry of MFT implies further updating
MFTMirr.
This is probably specific to ntfsfix, as mounts are normally rejected
when MFTMirr does not match MFT.
Make sure the attributes fully lie within the MFT record, and make sure
their variable components (name, runlist, value) fully lie within the
attribute.
The consistency check on the upcase size was laxist.
The unicode points are limited to 1048575 (20 bits), but there is no
provision to support code points beyond 65535.
In the current implementation the upcase size must be even and <= 131072.
Optionally record the special files (symlinks, fifos, sockets, character
and block devices) using reparse points instead of using Interix representation.
Doing so, the special files are interoperable with Windows Subsystem for
linux (WSL).
Windows traditionally rejected having both EA and reparse data assigned
to a file, but Windows 10 has dropped the constraint and it uses this
condition massively, so do the same. Note that pre-Windows 10 chkdsk.exe
removes the EA' on reparse points, potentially damaging more recent
volumes.
The Windows Subsystem for Linux (WSL) of Windows 10 uses reparse points
to record special files (symlinks, fifos, sockets, char or block devices).
Honor such reparse points with the same meaning as WSL.
Currently memory allocations are done through ntfs_malloc() and
ntfs_calloc(), but releases are done through free(3). Defining an
ntfs_free() relay facilitates the debugging of memory leaks in
plugins.
When building a symlink to emulate a Windows junction or absolute
symlink, use the mount point recorded in the volume attributes.
This enables the plugins to emulate object as symlinks.
When filling a hole in a sparse file, the beginning of the runlist
does not need to be updated. However the allocated size is within
the extent holding its beginning and it needs to be updated.
In rare situations, removing an entry from an index root while
rebalancing the index tree, its space was not recovered from the index
root, causing chkdsk to complain. Truncate the index root when this
happens.
When the mount option "posix_nlink" is used, the number of links
returned by stat complies with Posix : the legacy 8.3 names are not
taken into account, and the subdirectories are taken into account
for directories. This causes some overhead for recomputing the
number of links.
When a compressed file has been deteriorated through hardware error
or accidental overwriting, some unrelated data could be leaked.
Make sure to zero fill the buffer when this happens.
The translations of Windows paths designed for translating Windows symlinks
and mount points may also be used in plugins for translation execlinks,
so make them available.
The types of reparse point objects cannot be decided upon the data
available in a directory, so we must delegate their determination to a
specific plugin when available, and be consistent if there is none.
Since Windows 10, the cluster size may be greater than 128 sectors, and
it has to be recorded as a power of 2 in the boot sector. Hence there
are two possible ways of cluster size. Accept both ways leading to
valid values.
On linux the request argument of ioctl() is defined as an unsigned long,
but the fuse protocol squashes it into a signed int. As a consequence
the value received by ntfs-3g may appear as negative and different from
the value defined by the corresponding macro.
So define the request argument as unsigned long in ntfs-3g. It has
however to be fed as unsigned from fuse until the fuse protocol is
updated.
An earlier patch enabled updating a file proper id without changing
the other id (birth, volume, domain). However the first time the id
is set, these other ids have to be zeroed.
The alignment of times set in an extended attribute value cannot be
asserted, and this cause alignment errors on some CPUs (met on ARM).
Be safe by copying them in a properly aligned array.
From Windows 10 Creators edition, the cluster size limit has been
extended to 2MB. This has implied redefining the boot sector field
"sectors_per_cluster" so that values greater than 128 can be recorded.
When extents are needed to store the runlist of the MFT, the first one
must be located in record 15 so that its location can be determined from
the part in the base extent. As this record is always marked in use,
determining whether it is not really in use requires a specific logic.
Since its 2017 edition, Windows 10 has stopped mirroring $MFT to the
full size of $MFTMirr leading to mounts of partitions with big clusters
to be rejected because of mismatches. With this patch, only 16 records
are checked, though mirroring is still done for all records in $MFTMirr.
Object ids can be used to locate files which have been move to another
volume. This is only possible when the birth ids are recorded, but in most
cases files reside on their birth volume and their birth ids are not set.
The patch enables setting a file id without changing its birth id, by
setting an extended attribute "system.ntfs_object_id" limited to 16
bytes.
Windows 10 brought security descriptors which contain ACE's related to
new ways of accessing files or directories. These ACE are now accepted
with minimal consistency checks. They are still ignored for translating
permissions and for Windows-type inheritance.
When setting a security descriptor on an NTFS v1.2 format file in an
NTFS v3.0+ volume, NTFS-3G would migrate $STANDARD_INFORMATION to the
new format, which requires extending its size from 48 to 72 bytes. If
this happened while the file's MFT record was almost full, and none of
the file's attributes could be made non-resident, and the file did not
have an attribute list attribute, then the operation would unexpectedly
fail with ENOENT. Fix this by adding an attribute list to the file in
this situation.
(contributed by Eric Biggers)
Windows places filenames with a trailing dot or space in the Win32
namespace and allows setting DOS names on such files. This is true even
though on Windows such filenames can only be created and accessed using
WinNT-style paths and will confuse most Windows software. Regardless,
because libntfs-3g did not allow setting DOS names on such files, in
some cases it was impossible to correctly restore, using libntfs-3g, a
directory structure that was created under Windows.
Update ntfs_set_ntfs_dos_name() to permit operating on a file that has a
long name with a trailing dot or space. But continue to forbid creating
such names on a filesystem FUSE-mounted with the windows_name option.
Additionally, continue to forbid a trailing a dot or space in DOS names;
this matches the Windows behavior.
(contributed by Eric Biggers)
Jean-Pierre André
Jean-Pierre André