Bad bug in remote logging

Stephan Mueller smueller at atsec.com
Tue Apr 12 07:23:08 UTC 2011


On Tuesday, 12 April 2011, at 05:18:44, Linda Knippers wrote:

Hi Linda,

> Steve Grubb wrote:
> > Hello,
> > 
> > There was a bug reported today that I think merits an email and/or
> > discussion.
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=695419
> > =================================
> > audisp-remote does
> > 
> >>               memset (&address, 0, sizeof(address));
> >>               address.sin_family = htons(AF_INET);
> >>               address.sin_port = htons(config.local_port);
> >>               address.sin_addr.s_addr = htonl(INADDR_ANY);
> > 
> > which shows in strace as
> > 
> >> bind(3, {sa_family=0x200 /* AF_??? */,
> >> sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =

Bind does not do anything with the family - it just calls the bind callback 
function set for the protocol by the socket syscall. What is the socket 
syscall saying here?

Note that the socket syscall (specifically __sock_create) has the following 
code for the family:

        if (family < 0 || family >= NPROTO)
                return -EAFNOSUPPORT;

And NPROTO is defined as decimal 39 (in 2.6.38). Hence, 0x200 as a family does 
not work for socket - the socket syscall would have returned an error.

If for some reason the socket syscall uses AF_INET and diverts into IPv4, 
sin_family does not seem to be used unless you have a socket-specific bind 
function (e.g. RAW sockets).

To make a final determination on the impact, I would check:

- strace for socket syscall

- tcpdump on the connection

Ciao
Stephan
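
An added probe for the question raised in this message (not part of the original mail and not audisp-remote code): it shows the value the quoted assignment stores in sin_family, what socket() does with that value as a family, and what bind() returns on an AF_INET socket when sin_family holds it. The helper names buggy_family, try_socket and try_bind are hypothetical, and the bind() result depends on the running kernel, so run it on the affected system.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Value the quoted code stores in sin_family: AF_INET passed through htons(). */
static unsigned buggy_family(void) { return htons(AF_INET); }

/* Call socket() with the given family: returns 0 on success, else errno. */
static int try_socket(int family)
{
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* bind() an AF_INET socket to an ephemeral port using the given sin_family.
 * Returns 0 on success, errno on failure, -1 if no socket could be created. */
static int try_bind(sa_family_t sin_family)
{
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0)
        return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = sin_family;
    a.sin_port = htons(0);               /* let the kernel pick a port */
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    rc = bind(fd, (struct sockaddr *)&a, sizeof(a)) ? errno : 0;
    close(fd);
    return rc;
}

int main(void)
{
    printf("htons(AF_INET)        = 0x%x\n", buggy_family());
    printf("socket(0x%x) errno   = %d\n", buggy_family(), try_socket((int)buggy_family()));
    printf("bind, correct family  = %d\n", try_bind(AF_INET));
    printf("bind, swapped family  = %d\n", try_bind((sa_family_t)buggy_family()));
    return 0;
}
```

A result of 0 on the last line means the kernel accepted the bind despite the swapped family; a non-zero value is the errno it returned.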



