get_field_str() and interpret_field() bug with multi-word fields
Jonathan Kelly
jkelly at rackspace.com
Wed Aug 13 16:57:37 UTC 2008
Hi again,
For what it's worth, I dug through the code a bit, and am pretty sure that this particular issue exists in lines 71-78 of ellist.c:
    ptr = strtok_r(buf, " ", &saved);
    if (ptr == NULL)
        return -1;
    do { // If there's an '=' sign, its a keeper
        nvnode n;
        char *val = strchr(ptr, '=');
        if (val) {
Basically, it's splitting the string at " " and discarding anything that doesn't contain '=', which is what is resulting in anything after the initial space in a field being discarded. Splitting at '\s\w+=' (pardon my regexp) instead would allow for the desired results, unless I'm mistaken, but would require some significant recoding of that function (beyond my capacity as a C programmer without much fail and gnashing of teeth). I hope this is helpful!
Best regards,
Jonathan Kelly
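The splitting rule proposed in the message above (end a value only where whitespace is followed by `\w+=`), written out as an added example. It is not code from the original post or from the audit project; `struct field`, `starts_field`, `split_fields` and the sample record are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
struct field { char *name, *val; };   /* hypothetical type, not libauparse's nvnode */

/* Nonzero if p begins with "\w+=", i.e. the start of a name=value pair. */
static int starts_field(const char *p)
{
    const char *q = p;
    while (isalnum((unsigned char)*q) || *q == '_')
        q++;
    return q > p && *q == '=';
}

/* Split buf in place. A value ends only where whitespace is followed by the
 * next "name=", so spaces inside a value survive. Returns fields stored. */
static int split_fields(char *buf, struct field *out, int max)
{
    int n = 0;
    char *p = buf, *end;
    /* Skip leading text that is not part of any name=value pair. */
    while (*p && !(starts_field(p) && (p == buf || isspace((unsigned char)p[-1]))))
        p++;
    while (*p && n < max) {
        out[n].name = p;
        p = strchr(p, '=');            /* present: starts_field() matched here */
        *p++ = '\0';
        out[n].val = p;
        while (*p && !(isspace((unsigned char)*p) && starts_field(p + 1)))
            p++;
        end = p;
        if (*p) p++;                   /* step onto the next field name */
        while (end > out[n].val && isspace((unsigned char)end[-1]))
            end--;                     /* trim trailing whitespace */
        *end = '\0';
        n++;
    }
    return n;
}

int main(void)
{
    char rec[] = "pid=4321 op=change password res=success\n"; /* constructed sample */
    struct field f[8];
    int n = split_fields(rec, f, 8);
    for (int i = 0; i < n; i++)
        printf("%s -> \"%s\"\n", f[i].name, f[i].val);
    return 0;
}
```

The rule is still a heuristic: a value that itself contains whitespace followed by `word=` is split at that point, so it only helps for fields whose free text cannot contain that pattern.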