Weird timestamp length constraint in auparse.c

Santosh Ananthakrishnan santosh at dropbox.com
Thu Dec 10 02:10:08 UTC 2015


Hi list

auparse breaks if supplied events with timestamps that are less than 10
characters long, including the milliseconds field. This should never happen
in production, but it can make for fairly mysterious output during testing
if you're generating your own timestamp and eventid numbers :-)

I think the issue is in the str2event function:

static int str2event(char *s, au_event_t *e)
{
        char *ptr;
        errno = 0;
        ptr = strchr(s+10, ':');
        if (ptr) {
                e->serial = strtoul(ptr+1, NULL, 10);

This function seems to be searching for the colon that splits the timestamp
from the eventId, but it's starting at s+10, instead of just s. The
variable s points to the first byte after the "msg=audit(" prefix. (10 also
happens to be the length of that prefix, which is what made me suspicious
that this might not be a micro-optimization.)

-Santosh
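
Added example, not part of the original post and not auparse's own code: it contrasts the fixed-offset colon search described above with a parser that scans from s and validates each field, using constructed inputs. The names struct stamp, field, parse_stamp and colon_from_offset10 are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the event struct; not auparse's au_event_t. */
struct stamp { unsigned long sec, milli, serial; };

/* Parse one decimal field that must end in `term`; advance *p past it. */
static int field(const char **p, char term, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return -1;                 /* empty field, sign or whitespace */
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno || *end != term)
        return -1;                 /* overflow or wrong delimiter */
    *p = end + 1;
    return 0;
}

/* s points just past "msg=audit(", i.e. at "sec.milli:serial)". */
static int parse_stamp(const char *s, struct stamp *e)
{
    if (field(&s, '.', &e->sec) || field(&s, ':', &e->milli) ||
        e->milli > 999 || field(&s, ')', &e->serial))
        return -1;
    return 0;
}

/* Fixed-offset search as in the post, with a length guard added so the demo
 * stays in bounds: -1 = s+10 is past the terminator, 0 = missed, 1 = found. */
static int colon_from_offset10(const char *s)
{
    if (strlen(s) < 10)
        return -1;
    return strchr(s + 10, ':') != NULL;
}

int main(void)
{
    /* Constructed inputs: one production-style stamp, two short test stamps. */
    const char *in[] = { "1449713408.123:4567)", "12345.678:9)", "1.0:7)" };
    struct stamp e;
    for (int i = 0; i < 3; i++)
        printf("%-22s offset10=%2d parse=%d\n", in[i],
               colon_from_offset10(in[i]), parse_stamp(in[i], &e));
    return 0;
}
```

Without the length guard, the third input would make strchr start reading beyond the end of the string, which is undefined behaviour in C.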