auditd netlink headers

Chris Wright chrisw at osdl.org
Fri Apr 29 19:26:57 UTC 2005


I'm missing what in auditd allows for continuation of a netlink packet
from the kernel.  If the payload is larger than one packet, AFAICT the
whole thing is dropped.  This could be used to hide activity I think.

Problem is this:

lib/netlink.c::adjust_reply()

        if (!NLMSG_OK(rep->nlh, (unsigned int)len))
                return 0;

If the payload spans audit_buffers, the first packet has the netlink
header, and subsequent packets don't.  Also, the netlink header on the
first packet says the length is the full audit buffer, which could be
larger than the 1200-byte + header size that audit_get_reply() looks for.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
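The check the post is talking about, worked through as an added example (this is not code from auditd, the kernel, or the original message). It uses the real NLMSG_OK/NLMSG_HDRLEN macros from <linux/netlink.h> where available and mirrors their uapi definitions otherwise, so it builds off Linux too. The message contents, the type value EXAMPLE_TYPE, the split point and the helper names (classify_chunk, reassemble, build_message) are all constructed for the illustration. It shows why a continuation chunk without a header fails NLMSG_OK, and that the header's declared nlmsg_len tells a reader how much more to accumulate instead of dropping the record:

```c
/* Added example: validate netlink chunks with NLMSG_OK and reassemble a
 * message whose payload arrived across more than one read. Not from auditd. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/socket.h>
#include <linux/netlink.h>
#else
/* Fallback mirroring the uapi definitions so the example compiles elsewhere. */
struct nlmsghdr {
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};
#define NLMSG_ALIGNTO   4U
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN    ((int) NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_OK(nlh, len) ((len) >= (int)sizeof(struct nlmsghdr) && \
                            (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
                            (nlh)->nlmsg_len <= (len))
#endif

#define EXAMPLE_TYPE 0x1000  /* constructed message type, not an audit constant */

enum chunk_state { CHUNK_COMPLETE, CHUNK_NEEDS_MORE, CHUNK_NO_HEADER };

/* Classify len bytes read from a netlink socket. declared (optional) receives
 * the nlmsg_len the header claims, which is how much a reader should expect. */
enum chunk_state classify_chunk(const unsigned char *buf, int len, uint32_t *declared)
{
    struct nlmsghdr hdr;
    if (declared) *declared = 0;
    if (len < (int)sizeof hdr) return CHUNK_NO_HEADER;   /* cannot even hold a header */
    memcpy(&hdr, buf, sizeof hdr);                       /* avoid unaligned access */
    if (hdr.nlmsg_len < sizeof hdr) return CHUNK_NO_HEADER; /* bogus length field */
    if (declared) *declared = hdr.nlmsg_len;
    return NLMSG_OK(&hdr, len) ? CHUNK_COMPLETE : CHUNK_NEEDS_MORE;
}

/* Append successive reads into out[] until NLMSG_OK holds for the first header.
 * Returns the assembled length, or a negative value when no header is present,
 * out[] is too small, or the chunks run out before nlmsg_len bytes arrived. */
int reassemble(const unsigned char *const chunks[], const int lens[], int nchunks,
               unsigned char *out, int outcap)
{
    int have = 0;
    uint32_t want = 0;
    for (int i = 0; i < nchunks; i++) {
        if (have + lens[i] > outcap) return -1;
        memcpy(out + have, chunks[i], (size_t)lens[i]);
        have += lens[i];
        switch (classify_chunk(out, have, &want)) {
        case CHUNK_NO_HEADER: return -2;   /* first read carried no usable header */
        case CHUNK_COMPLETE:  return have; /* nlmsg_len bytes are now present */
        case CHUNK_NEEDS_MORE: break;      /* keep reading toward want bytes */
        }
    }
    return -3;
}

/* Build a constructed netlink message (header + NUL-terminated text payload). */
int build_message(unsigned char *buf, int cap, uint16_t type, const char *payload)
{
    int plen = (int)strlen(payload) + 1;
    int total = NLMSG_HDRLEN + plen;
    struct nlmsghdr hdr;
    if (total > cap) return -1;
    memset(&hdr, 0, sizeof hdr);
    hdr.nlmsg_len = (uint32_t)total;
    hdr.nlmsg_type = type;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + NLMSG_HDRLEN, payload, (size_t)plen);
    return total;
}

/* Split one 52-byte message into two reads of 20 and 32 bytes and reassemble.
 * Returns the reassembled length (52) on success, a negative code otherwise. */
int demo_split_message(void)
{
    static const char text[] = "type=SYSCALL msg=audit(constructed)"; /* 35 chars + NUL */
    unsigned char msg[64], out[64];
    uint32_t declared = 0;
    int total = build_message(msg, sizeof msg, EXAMPLE_TYPE, text);
    if (total != 52) return -1;
    const unsigned char *chunks[2] = { msg, msg + 20 };
    const int lens[2] = { 20, total - 20 };
    /* First read: header present, but only 4 of 36 payload bytes. */
    if (classify_chunk(chunks[0], lens[0], &declared) != CHUNK_NEEDS_MORE) return -2;
    if (declared != 52) return -3;
    /* Second read: raw payload text; its first bytes are not a valid header. */
    if (classify_chunk(chunks[1], lens[1], NULL) == CHUNK_COMPLETE) return -4;
    int got = reassemble(chunks, lens, 2, out, sizeof out);
    if (got != total) return -5;
    if (memcmp(out + NLMSG_HDRLEN, text, sizeof text) != 0) return -6;
    return got;
}

int main(void)
{
    printf("reassembled length: %d\n", demo_split_message());
    return 0;
}
```

The point for a reader of the audit socket is in classify_chunk: a failed NLMSG_OK with a sane header is "more bytes to come", which is distinguishable from a chunk that never carried a header, and only the latter has to be treated as unparseable.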