From e60e6e9186fdc8a80b9b8b7ce98a922b3aa0a927 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 5 Feb 2026 18:02:17 +0100
Subject: [PATCH] fix(event): Registry data buffer bound checks

In some occasions, the registry data buffer is provided without enough length to satisfy the underlying value type. To prevent panics, when converting the buffer to an integer data type, incorporate bound checks.
---
 pkg/event/param_windows.go | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go
index 4e2b9b110..c928787b0 100644
--- a/pkg/event/param_windows.go
+++ b/pkg/event/param_windows.go
@@ -540,11 +540,40 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 case registry.BINARY:
 e.AppendParam(params.RegData, params.Binary, b)
 case registry.DWORD:
- e.AppendParam(params.RegData, params.Uint32, binary.LittleEndian.Uint32(b))
+ var v uint32
+ switch len(b) {
+ case 4:
+ v = binary.LittleEndian.Uint32(b)
+ case 2:
+ v = uint32(binary.LittleEndian.Uint16(b))
+ case 1:
+ v = uint32(b[0])
+ }
+ e.AppendParam(params.RegData, params.Uint32, v)
 case registry.DWORD_BIG_ENDIAN:
- e.AppendParam(params.RegData, params.Uint32, binary.BigEndian.Uint32(b))
+ var v uint32
+ switch len(b) {
+ case 4:
+ v = binary.BigEndian.Uint32(b)
+ case 2:
+ v = uint32(binary.BigEndian.Uint32(b))
+ case 1:
+ v = uint32(b[0])
+ }
+ e.AppendParam(params.RegData, params.Uint32, v)
 case registry.QWORD:
- e.AppendParam(params.RegData, params.Uint64, binary.LittleEndian.Uint64(b))
+ var v uint64
+ switch len(b) {
+ case 8:
+ v = binary.LittleEndian.Uint64(b)
+ case 4:
+ v = uint64(binary.LittleEndian.Uint32(b))
+ case 2:
+ v = uint64(binary.LittleEndian.Uint16(b))
+ case 1:
+ v = uint64(b[0])
+ }
+ e.AppendParam(params.RegData, params.Uint64, v)
 }
 }
 case CreateFile:
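Review bot: The `case 2:` branch under `registry.DWORD_BIG_ENDIAN` still panics, because `binary.BigEndian.Uint32(b)` indexes `b[3]` on a two-byte buffer; it should read `v = uint32(binary.BigEndian.Uint16(b))`, mirroring the little-endian branch above it. The three `switch len(b)` blocks also leave `v` at zero for any length not listed (0, 3, 5–7, or longer than the type), so a malformed or oversized buffer is emitted as a legitimate-looking value of 0 rather than being distinguishable from a real zero; a `default:` that falls back to `params.Binary` with the raw bytes, or a brief comment such as `// unexpected length: value is reported as 0 to avoid panicking on short buffers`, would make that trade-off explicit for anyone writing rules against RegData. The enclosing `produceParams` begins before this hunk.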