diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4050b1f657df..186d1b08e060 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -57,6 +57,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
+- Fix fatal invalid memory write on Windows 11. {issue}32469[32469] {pull}32519[32519]
+- Fix handling of event formatting when no metadata is available on Windows 11. {issue}32468[32468] {pull}32519[32519]
 - Reduce severity of message salvage failure logging. {pull}32697[32697]
 *Functionbeat*
diff --git a/winlogbeat/sys/wineventlog/format_message.go b/winlogbeat/sys/wineventlog/format_message.go
index 642eaa69965b..f97024b663c0 100644
--- a/winlogbeat/sys/wineventlog/format_message.go
+++ b/winlogbeat/sys/wineventlog/format_message.go
@@ -87,9 +87,13 @@ func evtFormatMessage(metadataHandle EvtHandle, eventHandle EvtHandle, messageID
 // Get a buffer from the pool and adjust its length.
 bb := sys.NewPooledByteBuffer()
 defer bb.Free()
+ // The documentation for EventFormatMessage specifies that the buffer is
+ // requested "in characters", and the buffer itself is LPWSTR, meaning the
+ // characters are WCHAR so double the value.
+ // https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage
 bb.Reserve(int(bufferUsed * 2))
- err = _EvtFormatMessage(metadataHandle, eventHandle, messageID, valuesCount, valuesPtr, messageFlag, uint32(bb.Len()), bb.PtrAt(0), &bufferUsed)
+ err = _EvtFormatMessage(metadataHandle, eventHandle, messageID, valuesCount, valuesPtr, messageFlag, bufferUsed, bb.PtrAt(0), &bufferUsed)
 switch err { //nolint:errorlint // This is an errno or nil.
 case nil: // OK
diff --git a/winlogbeat/sys/wineventlog/publisher_metadata.go b/winlogbeat/sys/wineventlog/publisher_metadata.go
index 0dddec678aaf..d5f90f860795 100644
--- a/winlogbeat/sys/wineventlog/publisher_metadata.go
+++ b/winlogbeat/sys/wineventlog/publisher_metadata.go
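Review bot: The character count handed to `_EvtFormatMessage` is now `bufferUsed`, while the pooled buffer is sized in bytes by `bb.Reserve(int(bufferUsed * 2))`, so nothing after the reserve confirms the buffer really holds `bufferUsed` WCHARs — the same kind of size/capacity mismatch this commit is fixing. Deriving the count from the buffer actually obtained, `uint32(bb.Len()/2)` in place of `bufferUsed` as the size argument (assuming `Len` reports the reserved byte length, as the removed call relied on), keeps the two coupled by construction; alternatively an explicit `if bb.Len() < int(bufferUsed)*2` guard returning an error before the call would mirror the bounds check `renderXML` keeps in this same change. The product `bufferUsed * 2` is computed in `uint32` and wraps for values of `1<<31` and above, which would reserve a tiny buffer while still passing the full count; `int(bufferUsed) * 2` avoids that. The added comment names the API `EventFormatMessage`, but the function (and the linked page) is `EvtFormatMessage`. `evtFormatMessage` begins and ends outside this hunk.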
@@ -570,6 +570,10 @@ func (itr *EventMetadataIterator) Close() error {
 // no more items or an error occurred. You should call Err() to check for an
 // error.
 func (itr *EventMetadataIterator) Next() bool {
+ if itr.eventMetadataEnumHandle == 0 {
+ // This is only the case when we could not find the event metadata file.
+ return false
+ }
 // Close existing handle.
 itr.currentEvent.Close()
diff --git a/winlogbeat/sys/wineventlog/syscall_windows.go b/winlogbeat/sys/wineventlog/syscall_windows.go
index be8c0481b4b2..e27a849c5c21 100644
--- a/winlogbeat/sys/wineventlog/syscall_windows.go
+++ b/winlogbeat/sys/wineventlog/syscall_windows.go
@@ -492,7 +492,7 @@ func (v EvtVariant) Data(buf []byte) (interface{}, error) {
 case EvtVarTypeEvtHandle:
 return EvtHandle(v.ValueAsUintPtr()), nil
 default:
- return nil, errors.Errorf("unhandled type: %d", typ)
+ return nil, fmt.Errorf("unhandled type: %d", typ)
 }
 }
diff --git a/winlogbeat/sys/wineventlog/wineventlog_windows.go b/winlogbeat/sys/wineventlog/wineventlog_windows.go
index 96d4187387d7..ffa7a2ae150d 100644
--- a/winlogbeat/sys/wineventlog/wineventlog_windows.go
+++ b/winlogbeat/sys/wineventlog/wineventlog_windows.go
@@ -559,7 +559,6 @@ func renderXML(eventHandle EvtHandle, flag EvtRenderFlag, renderBuf []byte, out
 }
 if int(bufferUsed) > len(renderBuf) {
- //nolint:stylecheck // These are proper nouns.
 return fmt.Errorf("Windows EvtRender reported that wrote %d bytes "+
 "to the buffer, but the buffer can only hold %d bytes", bufferUsed, len(renderBuf))
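Review bot: The new early return in `Next` reports false without recording anything, so a caller following the doc comment just above it (`You should call Err() to check for an error`) cannot tell "no event metadata file" apart from a normal end of iteration. If a zero `eventMetadataEnumHandle` is an expected condition that is deliberately silent, the doc comment should say so, e.g. `// Next also returns false, without setting an error, when no metadata enumeration handle was obtained (the event metadata file could not be found).`; if it is not expected, setting the iterator's error before returning would be more honest, though whether such a field exists is not visible here. The rest of `Next` continues outside this hunk.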