On Tuesday, December 6, 2016 7:57:33 AM EST George McCollister wrote:
> On Mon, Dec 5, 2016 at 6:30 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>> On Monday, December 5, 2016 6:01:02 PM EST George McCollister wrote:
>>> When the NOLOG format is used replace_event_msg() doesn't change
>>> e->reply.message so the message located on the stack is left and later is
>>> free()'d in cleanup_event() resulting in the following:
>>
>> Hmm...thanks for reporting this. Which version of audit are you using?
>
> I'm using 2.6.6 but I reproduced the problem and made the change
> against the HEAD of the master branch (using this mirror
> https://github.com/linux-audit/audit-userspace).

OK. Got it. The patch isn't exactly the right fix. While it may hide the
problem, the intent is that people may want to use the enriched format and
send logs to a remote collector. By any chance do you know which buffer on the
stack is getting freed? I'm trying to reproduce this but I thought I'd ask if
you know where it is since you have already looked into it.
Thanks,
-Steve
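
The bug class reported in this thread (a message pointer that still refers to a stack buffer when the cleanup path calls free() on it), shown as an added example that is not code from audit-userspace or from either poster. All names here (`struct event`, `event_replace_msg`, `event_cleanup`, `handle_event`, the format enum and the sample record) are hypothetical, and this sketches one way to keep the ownership invariant, not the fix the maintainers chose.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the structures named in the thread. */
enum log_format { FMT_RAW, FMT_ENRICHED, FMT_NOLOG };
struct event { char *message; };  /* freed unconditionally on cleanup */

/* Invariant: on return ev->message is heap-owned or NULL for every
 * format, so the caller's stack buffer can never reach free(). */
static int event_replace_msg(struct event *ev, const char *buf,
                             enum log_format fmt)
{
    /* Only the enriched format appends anything (constructed suffix).
     * FMT_NOLOG takes the same path: it still swaps the pointer. */
    const char *extra = (fmt == FMT_ENRICHED) ? " enriched=1" : "";
    size_t len = strlen(buf), xlen = strlen(extra);
    char *copy = malloc(len + xlen + 1);

    ev->message = copy;   /* NULL on failure: free(NULL) is a no-op */
    if (copy == NULL)
        return -1;
    memcpy(copy, buf, len);
    memcpy(copy + len, extra, xlen + 1);
    return 0;
}

static void event_cleanup(struct event *ev)
{
    free(ev->message);
    ev->message = NULL;
}

/* Returns 1 if the event never aliases the stack buffer for this format. */
static int handle_event(enum log_format fmt)
{
    char buf[64] = "type=USER_LOGIN msg=constructed-sample";
    struct event ev = { buf };  /* starts out pointing at the stack */
    int ok = event_replace_msg(&ev, buf, fmt) == 0
             && ev.message != buf
             && strncmp(ev.message, buf, strlen(buf)) == 0;

    event_cleanup(&ev);         /* safe: message is heap-owned or NULL */
    return ok;
}
```

Building a reproduction of the original report with `-fsanitize=address` makes an invalid free of a stack address abort with a report naming the offending frame, which is one way to answer the "which buffer" question.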