From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: [PATCH] Don't crash on unknown S_IFMT file modes
Date: Thu, 26 Mar 2009 07:41:00 -0500
Message-ID: <1238071260.7013.141.camel@homeserver>
References: <1028938143.2404851238069172743.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1028938143.2404851238069172743.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Miloslav Trmac <mitr@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com


On Thu, 2009-03-26 at 08:06 -0400, Miloslav Trmac wrote:
> Hello,
> ausearch -i and libauparse currently crash (access NULL) if a mode= field contains an unknown file type.  Such records are generated by the kernel for IPC, e.g.
> 
>     node=jcdx156 type=IPC msg=audit(1237915952.720:2294): ouid=500 ogid=1106 mode=0600 obj=siterep_u:siterep_r:siterep_t:s0-s15:c0.c1023
> 
> The attached patch:
> * Modifies ausearch and libauparse to output the file format in octal if it is unknown.
> * Modifies libauparse to use the same interpreted field format as ausearch (without a space in the middle).
> * Modifies comma handling in libauparse to avoid a strcat() call.
> 
>     Mirek

Mirek,

Thank you for this patch...wherever it may be.
:)
I really appreciate you fixing this!

Do you have a standard auparse test you use to track these down?
If so, does it use auparse_feed?

Thanks again,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com