Hello,
auparse would crash if there was an interpreted filter item defined and the field could not be interpreted (e.g. it had an invalid format).

The attached patch modifies auparse to use the raw value in such cases.
        Mirek
diff -ur audit/auparse/auparse.c audit-1.6.6/auparse/auparse.c
--- audit/auparse/auparse.c	2007-11-19 19:44:04.000000000 +0100
+++ audit-1.6.6/auparse/auparse.c	2008-01-31 09:41:02.000000000 +0100
@@ -899,9 +899,10 @@
 		if (search_op == AUSEARCH_EXISTS)
 			return 1;
 
+		val = NULL;
 		if ((rule->search_op & AUSEARCH_INTERPRETED) != 0)
 			val = nvlist_interp_cur_val(r);
-		else
+		if (val == NULL)
 			val = nvlist_get_cur_val(&r->nv);
 		rc = strcmp(rule->v.field.val, val);
 		if (search_op == AUSEARCH_EQUAL)
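Review bot: the raw fallback under `if (val == NULL)` still hands `val` straight to `strcmp(rule->v.field.val, val)` with no check that `nvlist_get_cur_val(&r->nv)` itself returned a non-NULL pointer. If that call can ever return NULL, the crash this patch addresses remains reachable on the raw path, so consider testing `val` once more before the `strcmp` and treating a NULL as a non-match. A short comment above `val = NULL;` saying that an uninterpretable field falls back to its raw value would also help, because with the `else` removed the two `if` statements read as unrelated. Note too that an interpreted rule is now compared against a raw value in this case, which deserves a mention in the auparse documentation.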
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
