[PATCH] Don't crash on unknown S_IFMT file modes
LC Bruzenak
lenny at magitekltd.com
Thu Mar 26 12:41:00 UTC 2009
On Thu, 2009-03-26 at 08:06 -0400, Miloslav Trmac wrote:
> Hello,
> ausearch -i and libauparse currently crash (access NULL) if a mode= field contains an unknown file type. Such records are generated by the kernel for IPC, e.g.
>
> node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 mode=0600 obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023
>
> The attached patch:
> * Modifies ausearch and libauparse to output the file format in octal if it is unknown.
> * Modifies libauparse to use the same interpreted field format as ausearch (without a space in the middle).
> * Modifies comma handling in libauparse to avoid a strcat() call.
>
> Mirek
Mirek,
Thank you for this patch...wherever it may be.
:)
I really appreciate you fixing this!
Do you have a standard auparse test you use to track these down?
If so, does it use auparse_feed?
Thanks again,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
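Added example, not part of the original message and not the audit project's code: a minimal C sketch of the failure mode described in the quoted patch summary, where a file-type lookup returns NULL for an unknown S_IFMT value (as in the IPC record's `mode=0600`) and the caller falls back to octal instead of dereferencing it. The names `ftype_name` and `interpret_mode`, the type-name strings, and the exact `type,perms` output format are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* expose S_IF* under strict -std modes */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Name for the S_IFMT part of a mode, or NULL when the type is unknown. */
static const char *ftype_name(unsigned long mode)
{
    switch (mode & S_IFMT) {
    case S_IFREG:  return "file";
    case S_IFDIR:  return "dir";
    case S_IFLNK:  return "link";
    case S_IFCHR:  return "character";
    case S_IFBLK:  return "block";
    case S_IFIFO:  return "fifo";
    case S_IFSOCK: return "socket";
    default:       return NULL;  /* e.g. IPC records: no type bits set */
    }
}

/* Interpret an octal mode= value into out. Returns 0, or -1 on bad input
 * or truncation. Hypothetical helper; output format is an assumption. */
int interpret_mode(const char *val, char *out, size_t outlen)
{
    char *end;
    unsigned long mode, type_lsb = S_IFMT & ~(S_IFMT - 1UL);
    const char *name;
    int n;

    errno = 0;
    mode = strtoul(val, &end, 8);
    if (errno != 0 || end == val || *end != '\0' || *val < '0' || *val > '7')
        return -1;               /* reject empty, signed or non-octal input */
    name = ftype_name(mode);
    if (name != NULL)            /* known type, e.g. "file,644" */
        n = snprintf(out, outlen, "%s,%03lo", name, mode & 07777UL);
    else                         /* unknown type: print its bits in octal */
        n = snprintf(out, outlen, "%03lo,%03lo",
                     (mode & S_IFMT) / type_lsb, mode & 07777UL);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[32];                /* mode value from the IPC record above */
    if (interpret_mode("0600", buf, sizeof buf) == 0) puts(buf);
    return 0;
}
```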