cybersecurity · intermediate · ~15 min · safe pentest lab

Read a filename from a mock MFT record

Bounds-safe offset/length parsing of a record-style binary format.

Challenge

Your job

Implement:

#include <stdint.h>
#include <stddef.h>
int read_mft_name(const uint8_t *rec, size_t n, char *out, size_t cap);

Layout:

bytes 0–3: signature 'F','I','L','E'
bytes 4–5: name_offset (u16 LE)
bytes 6–7: name_length (u16 LE)
name bytes start at rec[name_offset], are name_length ASCII chars

Return:

bytes written to out (excluding NUL) on success
-1 if any input is NULL, cap == 0, n < 8, signature mismatch, offset+length walks past n, or name would not fit in cap.

Hints

(concept) Read the two u16s with byte shifts; then compute end = (size_t)name_offset + (size_t)name_length.
(common bug) name_offset and name_length are 16-bit. Add them as size_t to avoid integer overflow.

Why this matters

Real MFT parsing is complex. The defensive shape — magic, bounds-checked offsets, bounded copy — is the same in the mock and the real format.

Input format

A byte buffer + its length, an output buffer + capacity.

Output format

Non-negative byte count, or -1 on any failure.

Constraints

Signature must match. Cast to size_t before adding. NUL-terminate output.

Starter code

#include <stdint.h>
#include <stddef.h>
int read_mft_name(const uint8_t *rec, size_t n, char *out, size_t cap) {
    /* TODO */
    (void)rec; (void)n; (void)out; (void)cap;
    return -1;
}

Common mistakes

Adding off + len as u16 (overflows). Forgetting that len == 0 is a legal empty name. Reading rec[4..7] when n < 8.

Edge cases to handle

Name length 0. Offset right at the end of the buffer. NULL inputs.

Complexity

O(len) per call.

Background lessons

Pull the filename out of a mock MFT record

Up next

Recover an 8.3 filename from a FAT directory entry

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.