[PATCH 1/2] audit: fix NUL handling in untrusted strings
John Dennis
jdennis at redhat.com
Thu Sep 11 19:19:49 UTC 2008
Steve Grubb wrote:
> On Thursday 11 September 2008 14:10:12 Miloslav Trmač wrote:
>
>>> As a side note I'm concerned there may be places in the user audit
>>> code which treat string data as null terminated (at least that is my
>>> recollection).
>>>
>> Yes, auditd adds a NUL terminator to the audit record, and then treats
>> it as a regular NUL-terminated string; if the audit record contains an
>> embedded NUL byte, the rest of the record is discarded by auditd.
>>
>
> In every case where this occurs (kernel or user space), the field values are
> expected to be encoded to prevent it from being discarded.
>
This is true. The proposed patch defeats the encoding of the entire data
block and thus fails the criteria Steve correctly states is a requirement.
The concern I have in the user level audit code is not with handling the
encoded string values, which is fine, but rather with the handling of the
decoded string block.
--
John Dennis <jdennis at redhat.com>
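
The truncation discussed in this thread, as an added example that is not part of the original message or of the audit code base: a record carrying a raw value with an embedded NUL is cut short when read as a C string, while the same value in encoded form survives intact. `build_record`, `visible_length`, the field names and the sample bytes are constructed for illustration, and plain hex is assumed here as a simplified stand-in for the audit field encoding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: an untrusted field value containing an embedded NUL. */
static const unsigned char SAMPLE_VALUE[] = { 'a', 'b', '\0', 'c', 'd' };

/* Hypothetical helper (not an audit API): build "name=<value> res=ok" in rec.
 * encode != 0 writes each value byte as two hex digits; 0 copies raw bytes.
 * Returns record length without the terminator, or -1 if rec is too small. */
int build_record(const unsigned char *val, size_t len, int encode,
                 char *rec, size_t recsz)
{
    static const char digits[] = "0123456789ABCDEF";
    static const char prefix[] = "name=", suffix[] = " res=ok";
    size_t vlen = encode ? 2 * len : len;
    size_t total = strlen(prefix) + vlen + strlen(suffix);
    char *p = rec;
    if (recsz < total + 1)
        return -1;
    memcpy(p, prefix, strlen(prefix));
    p += strlen(prefix);
    for (size_t i = 0; i < len; i++) {
        if (encode) {
            *p++ = digits[val[i] >> 4];
            *p++ = digits[val[i] & 0x0F];
        } else {
            *p++ = (char)val[i];   /* raw copy: a NUL byte lands mid-record */
        }
    }
    memcpy(p, suffix, strlen(suffix) + 1);   /* copies the terminator too */
    return (int)total;
}

/* What a consumer that treats the record as a C string actually sees. */
size_t visible_length(const char *rec)
{
    return strlen(rec);
}

int main(void)
{
    char raw[64], enc[64];
    int raw_len = build_record(SAMPLE_VALUE, sizeof SAMPLE_VALUE, 0, raw, sizeof raw);
    int enc_len = build_record(SAMPLE_VALUE, sizeof SAMPLE_VALUE, 1, enc, sizeof enc);
    printf("raw: built %d, seen %zu: \"%s\"\n", raw_len, visible_length(raw), raw);
    printf("enc: built %d, seen %zu: \"%s\"\n", enc_len, visible_length(enc), enc);
    return 0;
}
```

In the raw case the ` res=ok` field that follows the value is lost to any reader that stops at the first NUL, which is why a length-carrying interface is needed wherever decoded data is handled.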