[7.17](backport #32519) winlogbeat: fix testing on windows 11 and re-…

…enable (#33074) This change is derived from the changes listed but is only a partial backport. Tests for windows 11 have not been enabled, and linting fixes are not applied. Only buffer size error in the call to _EvtFormatMessage and short-circuiting EventMetadataIterator.Next when no handle is available are included in the patch. * winlogbeat: fix testing on windows 11 and re-enable (#32519) * fix invalid write * remove lint and provide errno for failure * squelch error when template not available * enable windows-11 testing (cherry picked from commit fe37716) # Conflicts: # winlogbeat/Jenkinsfile.yml # winlogbeat/sys/wineventlog/publisher_metadata.go # winlogbeat/sys/wineventlog/syscall_windows.go # x-pack/winlogbeat/Jenkinsfile.yml * fix conflicts and disable windows 11 testing * revert error handling changes * remove irrelevant changelog lines Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
elastic · Sep 14, 2022 · e3cfd0e · e3cfd0e
1 parent e4c3db2
commit e3cfd0e
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -57,6 +57,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Fix fatal invalid memory write on Windows 11. {issue}32469[32469] {pull}32519[32519]
+- Fix handling of event formatting when no metadata is available on Windows 11. {issue}32468[32468] {pull}32519[32519]
 - Reduce severity of message salvage failure logging. {pull}32697[32697]
 
 *Functionbeat*

diff --git a/winlogbeat/sys/wineventlog/format_message.go b/winlogbeat/sys/wineventlog/format_message.go
@@ -87,9 +87,13 @@ func evtFormatMessage(metadataHandle EvtHandle, eventHandle EvtHandle, messageID
 	// Get a buffer from the pool and adjust its length.
 	bb := sys.NewPooledByteBuffer()
 	defer bb.Free()
+	// The documentation for EventFormatMessage specifies that the buffer is
+	// requested "in characters", and the buffer itself is LPWSTR, meaning the
+	// characters are WCHAR so double the value.
+	// https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage
 	bb.Reserve(int(bufferUsed * 2))
 
-	err = _EvtFormatMessage(metadataHandle, eventHandle, messageID, valuesCount, valuesPtr, messageFlag, uint32(bb.Len()), bb.PtrAt(0), &bufferUsed)
+	err = _EvtFormatMessage(metadataHandle, eventHandle, messageID, valuesCount, valuesPtr, messageFlag, bufferUsed, bb.PtrAt(0), &bufferUsed)
 	switch err { //nolint:errorlint // This is an errno or nil.
 	case nil: // OK
 

diff --git a/winlogbeat/sys/wineventlog/publisher_metadata.go b/winlogbeat/sys/wineventlog/publisher_metadata.go
@@ -570,6 +570,10 @@ func (itr *EventMetadataIterator) Close() error {
 // no more items or an error occurred. You should call Err() to check for an
 // error.
 func (itr *EventMetadataIterator) Next() bool {
+	if itr.eventMetadataEnumHandle == 0 {
+		// This is only the case when we could not find the event metadata file.
+		return false
+	}
 	// Close existing handle.
 	itr.currentEvent.Close()
 

diff --git a/winlogbeat/sys/wineventlog/syscall_windows.go b/winlogbeat/sys/wineventlog/syscall_windows.go
@@ -492,7 +492,7 @@ func (v EvtVariant) Data(buf []byte) (interface{}, error) {
 	case EvtVarTypeEvtHandle:
 		return EvtHandle(v.ValueAsUintPtr()), nil
 	default:
-		return nil, errors.Errorf("unhandled type: %d", typ)
+		return nil, fmt.Errorf("unhandled type: %d", typ)
 	}
 }
 

diff --git a/winlogbeat/sys/wineventlog/wineventlog_windows.go b/winlogbeat/sys/wineventlog/wineventlog_windows.go
@@ -559,7 +559,6 @@ func renderXML(eventHandle EvtHandle, flag EvtRenderFlag, renderBuf []byte, out
 	}
 
 	if int(bufferUsed) > len(renderBuf) {
-		//nolint:stylecheck // These are proper nouns.
 		return fmt.Errorf("Windows EvtRender reported that wrote %d bytes "+
 			"to the buffer, but the buffer can only hold %d bytes",
 			bufferUsed, len(renderBuf))