auditd netlink headers

Timothy R. Chavez tinytim at us.ibm.com
Fri Apr 29 19:57:04 UTC 2005


On Fri, 2005-04-29 at 15:57 -0400, Steve Grubb wrote:
> On Friday 29 April 2005 15:41, Chris Wright wrote:
> > We are (in theory, not sure about practice). 
> 
> The code was in a function called audit_listen that was removed after 0.6.4.
> 
> > Say an exe path of > 990 bytes, or any payload of that size.
> 
> That was my concern. Paths can be 4096 bytes. (which is another reason I 
> wanted to see test cases with big filenames - to see what all breaks.)
> 
> > You should get two fragments, and auditd drops them both.  The second
> > I'm suspecting it's pure luck because NLMSG_OK() is looking at audit
> > data as a netlink header.
> 
> It has to be coded differently. I'll see if I can create this problem by 
> making a long pathname and accessing it while doing syscall auditing.
> 
> -Steve
> 

It's Friday afternoon... don't you ever get the urge to just "rm -rf
*" :)?
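
An added example, not part of the original messages and not auditd code: it shows why running NLMSG_OK() on a chunk that starts with audit data instead of a netlink header usually fails, and when it would not. The buffer contents, the path strings, the sizes and the helper names are all constructed assumptions.

```c
#include <linux/netlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Aligned receive buffer, viewable as raw bytes or as a netlink header. */
union rxbuf { struct nlmsghdr hdr; unsigned char bytes[1024]; };

/* The check a reader applies to whatever sits at the start of the buffer. */
static int header_ok(const union rxbuf *rx, int len)
{
    return NLMSG_OK(&rx->hdr, len) ? 1 : 0;
}

/* Case 1: a well-formed message with a short (constructed) path payload. */
static int check_valid_message(void)
{
    union rxbuf rx;
    const char path[] = "/usr/bin/example";
    memset(&rx, 0, sizeof(rx));
    rx.hdr.nlmsg_len = NLMSG_LENGTH(sizeof(path));
    memcpy(NLMSG_DATA(&rx.hdr), path, sizeof(path));
    return header_ok(&rx, (int)NLMSG_SPACE(sizeof(path)));
}

/* Case 2: headerless chunk of path text; ASCII read as nlmsg_len is huge. */
static int check_fragment_ascii(void)
{
    union rxbuf rx;
    memset(rx.bytes, 'a', sizeof(rx.bytes));
    memcpy(rx.bytes, "/dir", 4);
    return header_ok(&rx, 200);   /* rejected: length exceeds the buffer */
}

/* Case 3: the same chunk, but its first four bytes happen to encode 32.
 * NLMSG_OK accepts it, so payload bytes would be parsed as a header. */
static int check_fragment_lucky(void)
{
    union rxbuf rx;
    uint32_t fake_len = 32;
    memset(rx.bytes, 'a', sizeof(rx.bytes));
    memcpy(rx.bytes, &fake_len, sizeof(fake_len));
    return header_ok(&rx, 200);
}

int main(void)
{
    printf("valid=%d ascii=%d lucky=%d\n", check_valid_message(), check_fragment_ascii(), check_fragment_lucky());
    return 0;
}
```

NLMSG_OK() only bounds-checks the length field, so a reader that can receive headerless continuation data needs to track how many payload bytes are still outstanding rather than re-validating each chunk as a new message.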
