Re: auditd netlink headers
On Friday 29 April 2005 15:41, Chris Wright wrote:
We are (in theory, not sure about practice).
The code was in a function called audit_listen that was removed after 0.6.4.
Say a exe path of > 990 bytes, or any payload of that size.
That was my concern. Paths can be 4096 bytes. (which is another reason I
wanted to see test cases with big filenames - to see what all breaks.)
You should get two fragments, and auditd drops them both. The
second
I'm suspecting it's pure luck because NLMSG_OK() is looking a audit
data as a netlink header.
It has to be coded differently. I'll see if I can create this problem by
making a long pathname and accessing it while doing syscall auditing.
-Steve