Log corruption

Steve Grubb sgrubb at redhat.com
Sun May 8 19:02:06 UTC 2005


On Sunday 08 May 2005 09:47, Steve Grubb wrote:
> Still testing the new kernel. I've noticed that there is now log corruption
> since we added the netlink patches

I put a printk into the kernel to see what's happening. The nlmsg_len was set 
for 85 bytes when it should have been 69. I've found that it seems to be 
consistently 16 bytes too long. I also checked tail - data and that is also 
16 bytes too big.  

I did some more digging around. It turns out that the netlink header is 16 
bytes long. I looked at how the kernel used to calculate nlmsg_len. 
Basically, it is the payload length.

I also found this line in send_reply:

        nlh              = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh));

It seems to be subtracting the size of the netlink header to determine the 
length. So, it seems that the fix is to change audit_log_drain to be 
something like this:

                if (audit_pid) {
                        struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
-->                    nlh->nlmsg_len = skb->len - sizeof(*nlh);
                        skb_get(skb); /* because netlink_* frees */
                        retval = netlink_unicast(audit_sock, skb, audit_pid,
                                                 MSG_DONTWAIT);
                }

Does anyone see anything wrong with that?

-Steve
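
Added example, not part of the original message or the kernel source: a small user-space C model of the 16-byte discrepancy described above, assuming a reader that treats nlmsg_len as the payload length. The `struct hdr` stand-in and the `overread()` and `demo()` helpers are hypothetical names, and the 69-byte payload is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in with the field layout of struct nlmsghdr (16 bytes). */
struct hdr {
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

/* Reader that treats nlmsg_len as the payload length (assumption).
 * Returns how many bytes past the received data it would consume,
 * 0 if the record is consistent, -1 if too short to hold a header. */
static long overread(const uint8_t *buf, size_t received)
{
    struct hdr h;
    if (received < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));
    size_t avail = received - sizeof(h);
    return h.nlmsg_len > avail ? (long)(h.nlmsg_len - avail) : 0;
}

/* Build header + constructed plen-byte payload, stamping nlmsg_len from the
 * total buffer length (skb->len analogue), with or without the header removed. */
static long demo(size_t plen, int subtract_hdr)
{
    uint8_t buf[256];
    struct hdr h = {0};
    size_t total = sizeof(h) + plen;
    if (total > sizeof(buf))
        return -1;
    h.nlmsg_len = (uint32_t)(subtract_hdr ? total - sizeof(h) : total);
    memcpy(buf, &h, sizeof(h));
    memset(buf + sizeof(h), 'a', plen);
    return overread(buf, total);
}

int main(void)
{
    printf("len = total:          overread %ld bytes\n", demo(69, 0));
    printf("len = total - header: overread %ld bytes\n", demo(69, 1));
    return 0;
}
```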



