Commit b87ce6e4 authored by Eric Paris's avatar Eric Paris Committed by Al Viro

Audit: better estimation of execve record length

The audit execve record splitting code estimates the length of the message
generated.  But it forgot to include the "" that wrap each string in its
estimation.  This means that execve messages with lots of tiny (1-2 byte)
arguments could still cause records greater than 8k to be emitted.  Simply
fix the estimate.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 35aa901c
...@@ -1024,8 +1024,8 @@ static int audit_log_single_execve_arg(struct audit_context *context, ...@@ -1024,8 +1024,8 @@ static int audit_log_single_execve_arg(struct audit_context *context,
{ {
char arg_num_len_buf[12]; char arg_num_len_buf[12];
const char __user *tmp_p = p; const char __user *tmp_p = p;
/* how many digits are in arg_num? 3 is the length of " a=" */ /* how many digits are in arg_num? 5 is the length of ' a=""' */
size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 3; size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
size_t len, len_left, to_send; size_t len, len_left, to_send;
size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
unsigned int i, has_cntl = 0, too_long = 0; unsigned int i, has_cntl = 0, too_long = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment