On Wednesday 04 January 2006 22:36, Amy Griffis wrote:
I understand the situation you're trying to address, but PATH_MAX may
not make sense as a bound for other string fields.
Do you know of any that will be bigger? I can't think of any. The size can be
adjusted up if we ever need to.
Wouldn't checking the specified string field length against the actual size
of the provided buffer suffice?
No. We could fall victim to some attack that overflows the variable and
appears to be correct.
> > > > +/* Pack a filter field's string
representation into data block. */
> > > > +static inline int audit_pack_string(void **bufp, char *str)
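Review bot: the signature `audit_pack_string(void **bufp, char *str)` takes neither a length for `str` nor a count of the space left behind `*bufp`, so nothing inside the function can bound the copy. Consider passing the remaining size, or stating in the comment that the caller has already sized the block, and taking `str` as `const char *` since packing should not modify it. The comment should also say what the `int` return value means.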
> > >
> > > What calls this?
> >
> > This should be called by a consumer from the switch in
> > audit_krule_to_xprt().
>
> I really need to see the consumer to finish evaluating the use of the
> interface.
Makes sense. I'll post a consumer patch with the next iteration.
I just need to see a little more. The unpacking I think is all I need to see
to make sure this interface can't be abused.
-Steve
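
The two checks debated in this thread, a fixed cap such as PATH_MAX and a comparison against the bytes actually left in the buffer, shown together as an added example; it is not code from the patch or from the audit subsystem. `unpack_string`, `demo` and the sample payload are hypothetical names and constructed data, written as user-space C.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper, not the patch's code: copy a string field of
 * claimed length len out of *bufp, where *remain bytes are still unread.
 * Returns 0 and a NUL-terminated copy in *out, or a negative errno. */
static int unpack_string(const unsigned char **bufp, size_t *remain,
                         uint32_t len, char **out)
{
    char *s;

    /* Fixed cap: rejects absurd lengths before any arithmetic or
     * allocation is done with them. */
    if (len > PATH_MAX)
        return -ENAMETOOLONG;
    /* Buffer check: compare against what is left; never form
     * "offset + len", which can wrap and then look in range. */
    if (len > *remain)
        return -EINVAL;

    s = malloc((size_t)len + 1);
    if (!s)
        return -ENOMEM;
    memcpy(s, *bufp, len);
    s[len] = '\0';

    *bufp += len;
    *remain -= len;
    *out = s;
    return 0;
}

/* Constructed demo: a 7-byte payload and a caller-supplied claimed length. */
static int demo(uint32_t claimed_len)
{
    static const unsigned char payload[] = "/etc/pw";
    const unsigned char *p = payload;
    size_t remain = sizeof(payload) - 1;
    char *s = NULL;
    int rc = unpack_string(&p, &remain, claimed_len, &s);

    free(s);
    return rc;
}
```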