On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote:
> 12) The struct audit_status was extended to include version and
> backlog_wait_time. I cannot determine at runtime if they exist, meaning that
> software compiled on a new kernel runs on an old kernel, it will be reading
> random stack or heap to make decisions. The correct solution would be to make
> a new struct with planned expansion capability with version as the first
> element so any changes can be signaled. This new struct would be sent using a
> new netlink command.

Incorrect. The length of the message makes it perfectly clear how much data the kernel sent, and thus if that data includes the version or backlog_wait_time.

I thought this had been discussed before... The answer is 'check how much data you got from the kernel'

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
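The length check discussed in this thread, as an added example that is not part of either message and is not code from the kernel or from auditd. It assumes a local mirror struct (`status_mirror`, a hypothetical name) with eight original 32-bit fields followed by `version` and `backlog_wait_time`; `parse_status`, `parsed_status` and `demo` are also names made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of struct audit_status as extended in the thread (assumption:
 * eight original u32 fields, then version, then backlog_wait_time). */
struct status_mirror {
    uint32_t mask, enabled, failure, pid;
    uint32_t rate_limit, backlog_limit, lost, backlog;
    uint32_t version;            /* newer kernels only */
    uint32_t backlog_wait_time;  /* newer kernels only */
};

struct parsed_status {
    struct status_mirror s;      /* fields the kernel did not send stay zero */
    int has_version, has_backlog_wait_time;
};

/* A field counts as present only if all of its bytes fit inside len. */
#define FIELD_PRESENT(len, field) \
    ((len) >= offsetof(struct status_mirror, field) + sizeof(uint32_t))

/* payload/len: netlink message body and its length, e.g. NLMSG_DATA(nlh) and
 * NLMSG_PAYLOAD(nlh, 0). Returns -1 if shorter than the pre-extension struct. */
int parse_status(const void *payload, size_t len, struct parsed_status *out)
{
    size_t n = len < sizeof(out->s) ? len : sizeof(out->s);

    if (len < offsetof(struct status_mirror, version))
        return -1;
    n -= n % sizeof(uint32_t);       /* drop a trailing partial field */
    memset(out, 0, sizeof(*out));    /* no stale stack or heap bytes survive */
    memcpy(&out->s, payload, n);     /* copy only what was actually sent */
    out->has_version = FIELD_PRESENT(len, version);
    out->has_backlog_wait_time = FIELD_PRESENT(len, backlog_wait_time);
    return 0;
}

/* Constructed sample reply, truncated to len bytes to imitate older kernels. */
int demo(size_t len)
{
    struct status_mirror full = { .enabled = 1, .version = 2, .backlog_wait_time = 60000 };
    struct parsed_status p;

    return parse_status(&full, len, &p) ? -1 : p.has_version + 2 * p.has_backlog_wait_time;
}

int main(void) { printf("%d %d %d\n", demo(32), demo(36), demo(40)); return 0; }
```

Callers consult `has_version` and `has_backlog_wait_time` before using either field, so a binary built against the larger struct makes no decision from bytes an older kernel never sent.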
