Steve Grubb wrote: > On Thursday 11 September 2008 14:10:12 Miloslav Trmač wrote: > >>> As a side note I'm concerned there may be places in the user audit >>> code which treat string data as null terminated (at least that is my >>> recollection). >>> >> Yes, auditd adds a NUL terminator to the audit record, and then treats >> it as a regular NUL-terminated string; if the audit record contains an >> embedded NUL byte, the rest of the record is discarded by auditd. >> > > In every case where this occurs (kernel or user space), the field values are > expected to be encoded to prevent it from being discarded. > This is true. The proposed patch defeats the encoding of the entire data block and thus fails the criteria Steve correctly states is a requirement. The concern I have in the user level audit code is not with handling the encoded string values which is fine, but rather with the handling the decoded string block. -- John Dennis