Skip to content

Commit

Permalink
review: Be more explicit with names
Browse files Browse the repository at this point in the history
  • Loading branch information
Smjert committed Nov 22, 2023
1 parent 5f63cc9 commit 0180c69
Showing 1 changed file with 18 additions and 6 deletions.
24 changes: 18 additions & 6 deletions osquery/tables/utility/file.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,13 @@ namespace osquery {

namespace tables {

/* These are the number of bytes to read from the ShellLinkHeader structure
at the start of a ShellLink file for the "HeaderSize" field */
constexpr std::uint32_t kShellLinkHeaderSizeFieldSize = 4;

// This is the expected value of the "HeaderSize" field
constexpr std::uint32_t kShellLinkHeaderSizeExpectedValue = 0x4C;

namespace {
#ifdef WIN32

Expand Down Expand Up @@ -99,16 +106,21 @@ boost::optional<LnkData> parseLnkData(const fs::path& link) {
/* Empty files are still able to be loaded via the ShellLink COM interface,
but they are not ShellLink files, so verify that the file
contains a header of a certain size */
std::string header_size;
auto status = readFile(link, header_size, 4);
std::string header_size_field_bytes;
auto status =
readFile(link, header_size_field_bytes, kShellLinkHeaderSizeFieldSize);

if (!status.ok() || header_size.size() != 4) {
if (!status.ok() ||
header_size_field_bytes.size() != kShellLinkHeaderSizeFieldSize) {
return boost::none;
}

std::uint32_t expected_size = 0x4C;
if (std::memcmp(header_size.data(), &expected_size, sizeof(expected_size)) !=
0) {
std::uint32_t header_size_field_value;
std::memcpy(&header_size_field_value,
header_size_field_bytes.data(),
kShellLinkHeaderSizeFieldSize);

if (header_size_field_value != kShellLinkHeaderSizeExpectedValue) {
return boost::none;
}

Expand Down

0 comments on commit 0180c69

Please sign in to comment.