On Sunday 08 May 2005 09:47, Steve Grubb wrote:
Still testing the new kernel. I've noticed that there is now log corruption
since we added the netlink patches
I put a printk into the kernel to see what's happening. The nlmsg_len was set
for 85 bytes when it should have been 69. I've found that it seems to be
consistently 16 bytes too long. I also checked tail - data and that is also
16 bytes too big.
I did some more digging around. It turns out that the netlink header is 16
bytes long. I looked at how the kernel used to calculate nlmsg_len.
Basically, it is the payload length.
I also found this line in send_reply:
        nlh = NLMSG_PUT(skb, pid, seq, t, len - sizeof(*nlh));
It seems to be subtracting the size of the netlink header to determine the
length. So, it seems that the fix is to change audit_log_drain to be
something like this:
        if (audit_pid) {
                struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
-->             nlh->nlmsg_len = skb->len - sizeof(*nlh);
                skb_get(skb); /* because netlink_* frees */
                retval = netlink_unicast(audit_sock, skb, audit_pid,
                                         MSG_DONTWAIT);
        }
Does anyone see anything wrong with that?
-Steve
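
Added example, not part of the original message or of the kernel source: a userspace sketch of the length arithmetic discussed above (16-byte header, 69-byte payload, 85 bytes in total). It assumes a reader that treats nlmsg_len as the payload length, as the message describes; struct hdr, build() and payload_len() are hypothetical names and the payload bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as struct nlmsghdr in <linux/netlink.h>: 16 bytes. */
struct hdr {
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

#define PAYLOAD 69 /* payload size quoted in the message */

/* Build header + constructed payload; returns the total size (what skb->len
 * would hold). subtract_hdr selects the calculation proposed in the message. */
size_t build(unsigned char *buf, int subtract_hdr)
{
    struct hdr h = {0};
    size_t total = sizeof(h) + PAYLOAD;

    h.nlmsg_len = (uint32_t)(subtract_hdr ? total - sizeof(h) : total);
    memcpy(buf, &h, sizeof(h));
    memset(buf + sizeof(h), 'A', PAYLOAD);
    return total;
}

/* Hypothetical reader: nlmsg_len is taken as the payload length.
 * Returns that length, or -1 when it claims more bytes than were received. */
long payload_len(const unsigned char *buf, size_t received)
{
    struct hdr h;

    if (received < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));
    if (h.nlmsg_len > received - sizeof(h))
        return -1; /* a reader without this check runs past the record */
    return (long)h.nlmsg_len;
}

int main(void)
{
    unsigned char buf[128];
    printf("nlmsg_len = skb->len:          %ld\n", payload_len(buf, build(buf, 0)));
    printf("nlmsg_len = skb->len - header: %ld\n", payload_len(buf, build(buf, 1)));
    return 0;
}
```

With the header included in nlmsg_len the reader is told 85 payload bytes when only 69 follow the header, which is the 16-byte overrun reported above; the bounds check rejects that record instead of reading past it.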