From: Steve Grubb
Subject: Re: auparse, stdin, and AUPARSE_CB_EVENT_READY
Date: Wed, 7 Mar 2012 12:19:02 -0500
Message-ID: <201203071219.02278.sgrubb@redhat.com>
References: <4F555904.8000603@tzib.net> <4F5791D2.8080201@mozilla.com>
In-Reply-To: <4F5791D2.8080201@mozilla.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, March 07, 2012 11:50:26 AM Guillaume Destuynder wrote:
> Below patch "fixes" it. The problem is that if you have a node name
> included in the message, and that it's a long hostname, it's just not
> copying a long enough string, and it will fail to parse the message
> serial. When the serial is incorrect, auparse will fail to group them
> and notify with AUPARSE_CB_EVENT_READY as a consequence.
>
> Now, I write this "fixes" it because if you have a really, really long
> hostname, it will fail in the same manner.

Yes. It looks like we support names up to 255 bytes. So, the "fix" needs more to
it. This also affects ausearch/report as well. Since this points directly to the
problem, the real fix should be straightforward.

> Or just do away with strtok and avoid duping strings.

Sure, that's the long term plan.

-Steve
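
The failure mode discussed in this thread, as an added example that is not part of the original message or of the audit project's code: a record whose `node=` field is long pushes the `msg=audit(...)` header past a fixed-size copy, so the serial cannot be parsed, while scanning the record in place works for node names up to the 255 bytes mentioned above. The function names, the 64-byte `PREFIX_LEN` and the sample record are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_LEN 64 /* assumed fixed copy size, not auparse's real value */

/* Extract SERIAL from "msg=audit(SEC.MS:SERIAL)"; 0 on success, -1 if malformed. */
static int serial_from(const char *buf, unsigned long *serial)
{
    const char *p = strstr(buf, "msg=audit(");
    char *end;

    if (p == NULL || (p = strchr(p, ':')) == NULL)
        return -1;
    *serial = strtoul(p + 1, &end, 10);
    return (end != p + 1 && *end == ')') ? 0 : -1;
}

/* Failure mode: only a fixed-size prefix of the record is copied and parsed. */
int parse_serial_truncated(const char *rec, unsigned long *serial)
{
    char tmp[PREFIX_LEN];

    snprintf(tmp, sizeof(tmp), "%s", rec); /* silently truncates long records */
    return serial_from(tmp, serial);
}

/* Length-independent: scan the record in place, no copy. */
int parse_serial_full(const char *rec, unsigned long *serial)
{
    return serial_from(rec, serial);
}

/* Build a constructed record whose node name is node_len bytes and parse it. */
long demo_serial(size_t node_len, int truncated)
{
    char node[256], rec[512];
    unsigned long serial = 0;
    int rc;

    if (node_len > sizeof(node) - 1)
        return -1;
    memset(node, 'h', node_len);
    node[node_len] = '\0';
    snprintf(rec, sizeof(rec), "node=%s type=SYSCALL "
             "msg=audit(1331140742.278:4242): arch=c000003e", node);
    rc = truncated ? parse_serial_truncated(rec, &serial)
                   : parse_serial_full(rec, &serial);
    return rc == 0 ? (long)serial : -1;
}
```

Rejecting a serial that is not terminated by `)` matters here: a cut that lands in the middle of the digits would otherwise yield a wrong serial rather than an error, and records would be grouped incorrectly.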