On Thu, 2009-03-26 at 08:06 -0400, Miloslav Trmac wrote:
> Hello,
> ausearch -i and libauparse currently crash (access NULL) if a mode= field contains an
> unknown file type. Such records are generated by the kernel for IPC, e.g.
> node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 mode=0600
> obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023
> The attached patch:
> * Modifies ausearch and libauparse to output the file format in octal if it is unknown.
> * Modifies libauparse to use the same interpreted field format as ausearch (without a
> space in the middle).
> * Modifies comma handling in libauparse to avoid a strcat() call.
> Mirek

Mirek,
Thank you for this patch...wherever it may be.
:)
I really appreciate you fixing this!
Do you have a standard auparse test you use to track these down?
If so, does it use auparse_feed?
Thanks again,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
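
The mode= interpretation described in the quoted message, as an added example that is not part of this thread, the attached patch, or the audit project's code: a lookup that can return NULL for an unknown file type, an octal fallback for that case, and one bounded snprintf() in place of strcat(). The function names, the type names in the table and the output layout are assumptions; the samples other than mode=0600 are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux st_mode file-type values (octal), as in <sys/stat.h>. */
#define FT_MASK 0170000UL
static const struct { unsigned long bits; const char *name; } ftypes[] = {
    { 0140000, "socket" }, { 0120000, "link" }, { 0100000, "file" },
    { 0060000, "block" },  { 0040000, "dir" },  { 0020000, "character" },
    { 0010000, "fifo" },
};

/* Returns the type name, or NULL when the type bits match no known type. */
static const char *ftype_name(unsigned long bits)
{
    for (size_t i = 0; i < sizeof(ftypes) / sizeof(ftypes[0]); i++)
        if (ftypes[i].bits == bits)
            return ftypes[i].name;
    return NULL;
}

/* Interpret an octal mode= value as "type[,suid][,sgid][,sticky],perms".
 * Returns 0 on success, -1 on malformed input or a too-small buffer. */
int interpret_mode(const char *val, char *out, size_t outlen)
{
    char *end, octal[8];
    unsigned long mode = strtoul(val, &end, 8);
    if (end == val || *end != '\0')
        return -1;

    const char *type = ftype_name(mode & FT_MASK);
    if (type == NULL) {   /* unknown type: show its bits in octal, never use NULL */
        snprintf(octal, sizeof(octal), "%03lo", (mode & FT_MASK) >> 12);
        type = octal;
    }
    /* One bounded snprintf builds the comma-separated list; no strcat(). */
    int n = snprintf(out, outlen, "%s%s%s%s,%03lo", type,
                     (mode & 04000) ? ",suid" : "", (mode & 02000) ? ",sgid" : "",
                     (mode & 01000) ? ",sticky" : "", mode & 0777UL);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* "0600" is the IPC record's value; the other samples are constructed. */
    const char *samples[] = { "0600", "100644", "104755", "160600" };
    char buf[64];
    for (size_t i = 0; i < 4; i++)
        if (interpret_mode(samples[i], buf, sizeof(buf)) == 0)
            printf("mode=%s -> %s\n", samples[i], buf);
    return 0;
}
```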