From: Miloslav Trmac
Subject: [PATCH] Fix error handling when searching for an interpreted value
Date: Thu, 31 Jan 2008 10:02:06 +0100
Message-ID: <47A18E8E.8040008@redhat.com>
To: linux-audit@redhat.com

Hello,

auparse would crash if there was an interpreted filter item defined and the field could not be interpreted (e.g. it had an invalid format). The attached patch modifies auparse to use the raw value in such cases.

Mirek

Content-Disposition: inline; filename="audit-1.6.6-auparse-crash.patch"

diff -ur audit/auparse/auparse.c audit-1.6.6/auparse/auparse.c --- audit/auparse/auparse.c 2007-11-19 19:44:04.000000000 +0100 +++ audit-1.6.6/auparse/auparse.c 2008-01-31 09:41:02.000000000 +0100
@@ -899,9 +899,10 @@ if (search_op == AUSEARCH_EXISTS) return 1; + val = NULL; if ((rule->search_op & AUSEARCH_INTERPRETED) != 0) val = nvlist_interp_cur_val(r); - else + if (val == NULL) val = nvlist_get_cur_val(&r->nv); rc = strcmp(rule->v.field.val, val); if (search_op == AUSEARCH_EQUAL) --------------030500090200070200070508 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --------------030500090200070200070508--
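
Review bot: the value assigned by the fallback "val = nvlist_get_cur_val(&r->nv);" still goes straight into "strcmp(rule->v.field.val, val)" with no check, so if the raw lookup can also return NULL the same crash remains one line below the new "if (val == NULL)". Consider testing val once more before the strcmp and treating NULL as a non-match. A short comment above "if (val == NULL)" would also help: a rule with AUSEARCH_INTERPRETED set is now silently compared against the raw string whenever interpretation fails, which changes what such a filter can match and is not obvious from the code alone.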