On Wed, 2014-10-22 at 10:36 -0400, Steve Grubb wrote: > On Wednesday, October 22, 2014 10:30:12 AM Eric Paris wrote: > > On Wed, 2014-10-22 at 10:25 -0400, Steve Grubb wrote: > > > 12) The struct audit_status was extended to include version and > > > backlog_wait_time. I cannot determine at runtime if they exist, meaning > > > that software compiled on a new kernel runs on an old kernel, it will be > > > reading random stack or heap to make decisions. The correct solution > > > would be to make a new struct with planned expansion capability with > > > version as the first element so any changes can be signaled. This new > > > struct would be sent using a new netlink command. > > > > Incorrect. The length of the message makes it perfectly clear how much > > data the kernel sent, and thus if that data includes the version or > > backlog_wait_time. I thought this had been discussed before... > > > > The answer is 'check how much data you got from the kernel' > > Is the padding the same for all arches? :-)
completely irrelevant... The code in audit_get_reply() seems like poor practice... You aren't doing any sanity checks on the data coming back. I guess that's why userspace has so much trouble handling things. It's just completely ignore the length the kernel gave you... -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
