fix: null function pointer crash in enumerate_dirs — root cause of silent BOF crashes

bhanunamikze · bhanunamikze · commit eec1814d988b · 2026-02-25T00:48:24.000+05:30
enumerate_dirs() called with NULL callback at triage.c:357, but never
checked for NULL before calling callback(). When subdirectories existed
under C:\Users\{user}\AppData\Roaming\Microsoft\Protect, this caused
an immediate null pointer dereference crash.

Fixes:
- Add 'if (callback)' guard to all 4 callback call sites in
  enumerate_files() and enumerate_dirs()
- Remove useless enumerate_dirs(mk_path, NULL, NULL) call
diff --git a/src/common/triage.c b/src/common/triage.c
@@ -83,7 +83,7 @@ static void enumerate_files(const wchar_t* dir, const wchar_t* pattern,
 
         wchar_t full_path[MAX_PATH * 2];
         swprintf(full_path, L"%s\\%s", dir, ffd.cFileName);
-        callback(full_path, ctx);
+        if (callback) callback(full_path, ctx);
     } while (KERNEL32$FindNextFileW(hFind, &ffd));
     KERNEL32$FindClose(hFind);
 #else
@@ -96,7 +96,7 @@ static void enumerate_files(const wchar_t* dir, const wchar_t* pattern,
 
         wchar_t full_path[MAX_PATH * 2];
         swprintf(full_path, L"%s\\%s", dir, ffd.cFileName);
-        callback(full_path, ctx);
+        if (callback) callback(full_path, ctx);
     } while (FindNextFileW(hFind, &ffd));
     FindClose(hFind);
 #endif
@@ -120,7 +120,7 @@ static void enumerate_dirs(const wchar_t* dir, FILE_CALLBACK callback, void* ctx
 
         wchar_t full_path[MAX_PATH * 2];
         swprintf(full_path, L"%s\\%s", dir, ffd.cFileName);
-        callback(full_path, ctx);
+        if (callback) callback(full_path, ctx);
     } while (KERNEL32$FindNextFileW(hFind, &ffd));
     KERNEL32$FindClose(hFind);
 #else
@@ -133,7 +133,7 @@ static void enumerate_dirs(const wchar_t* dir, FILE_CALLBACK callback, void* ctx
 
         wchar_t full_path[MAX_PATH * 2];
         swprintf(full_path, L"%s\\%s", dir, ffd.cFileName);
-        callback(full_path, ctx);
+        if (callback) callback(full_path, ctx);
     } while (FindNextFileW(hFind, &ffd));
     FindClose(hFind);
 #endif
@@ -353,9 +353,6 @@ BOOL triage_user_masterkeys(MASTERKEY_CACHE* cache,
         wchar_t mk_path[MAX_PATH * 2];
         swprintf(mk_path, L"%s\\AppData\\Roaming\\Microsoft\\Protect", users[i]);
 
-        /* Enumerate SID directories under Protect */
-        enumerate_dirs(mk_path, (FILE_CALLBACK)NULL, NULL);
-
         /* For each SID directory, triage masterkey files */
         WIN32_FIND_DATAW ffd;
         wchar_t search[MAX_PATH * 2];
