Skip to content

Commit 365ea5d

Browse files
committed
filter: fix theoretical overread on long records
The concern is that the read length can be longer than MAX_AUDIT_MESSAGE_LENGTH. If that were the case, the strncpy keeps it the right size, but len is not adjusted. Which can lead to an overread later. In practice, MAX_AUDIT_MESSAGE_LENGTH was selected as the limit for records throughout the audit system. Unless you're dealing with a corrupted record, this should never happen.
1 parent d043dfb commit 365ea5d

1 file changed

Lines changed: 8 additions & 4 deletions

File tree

auplugin/auplugin.c

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -127,14 +127,18 @@ static void common_inbound(void)
127127
int len;
128128
if ((len = auplugin_fgets(rx_buf,
129129
MAX_AUDIT_EVENT_FRAME_SIZE + 1, fd)) > 0) {
130+
size_t copy_len;
131+
130132
// Got one - enqueue it
131133
event_t *e = (event_t *)calloc(1,
132134
sizeof(event_t));
133135
if (e) {
134-
strncpy(e->data, rx_buf,
135-
MAX_AUDIT_MESSAGE_LENGTH);
136-
e->data[MAX_AUDIT_MESSAGE_LENGTH-1] = 0;
137-
e->hdr.size = len;
136+
copy_len = (size_t)len;
137+
if (copy_len >= MAX_AUDIT_MESSAGE_LENGTH)
138+
copy_len = MAX_AUDIT_MESSAGE_LENGTH - 1;
139+
memcpy(e->data, rx_buf, copy_len);
140+
e->data[copy_len] = 0;
141+
e->hdr.size = copy_len;
138142
e->hdr.ver = AUDISP_PROTOCOL_VER2;
139143
enqueue(e, &q_config);
140144
}

0 commit comments

Comments
 (0)