audit/backport-Another-hardening-measure-for-corrupted-logs.patch

From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 13:13:19 -0400
Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs

---
 src/ausearch-lookup.c |  3 +++
 src/ausearch-parse.c  | 25 +++++++++++++++----------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c
index e27c784..dd58c36 100644
--- a/src/ausearch-lookup.c
+++ b/src/ausearch-lookup.c
@@ -300,6 +300,9 @@ char *unescape(const char *buf)
 		while (isxdigit(*ptr))
 			ptr++;
 	}
+	if ((ptr - buf) == 0)
+		return NULL;
+
 	str = strndup(buf, ptr - buf);
 
 	if (*buf == '(')
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d051137..78dc44c 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s)
 	if (event_hostname || event_filename) {
 		str = strstr(n->message, "saddr=");
 		if (str) {
-			int len;
+			unsigned int len = 0;
 			struct sockaddr *saddr;
 			char name[NI_MAXHOST];
 
 			str += 6;
-			len = strlen(str)/2;
+			const char *ptr = str;
+			if (*ptr == '(') {
+				const char *ptr2 = strchr(ptr, ')');
+				if (ptr2)
+					len = (ptr2 - ptr) + 1;
+			} else {
+				while (isxdigit(ptr[len]))
+					len++;
+				len /= 2;
+			}
 			s->hostname = unescape(str);
 			if (s->hostname == NULL)
 				return 4;
@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s)
 				}
 				len = sizeof(struct sockaddr_in6);
 			} else if (saddr->sa_family == AF_UNIX) {
-				struct sockaddr_un *un =
-					(struct sockaddr_un *)saddr;
-				if (un->sun_path[0])
-					len = strlen(un->sun_path);
-				else // abstract name
-					len = strlen(&un->sun_path[1]);
-				if (len == 0) {
+				if (len < 4) {
 					fprintf(stderr,
 						"sun_path len too short\n");
 					return 3;
 				}
+				struct sockaddr_un *un =
+					(struct sockaddr_un *)saddr;
 				if (event_filename) {
 					if (!s->filename) {
 						//create
@@ -1736,7 +1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s)
 				s->hostname = NULL;
 				return 0;
 			}
-			if (getnameinfo(saddr, len, name, NI_MAXHOST, 
+			if (getnameinfo(saddr, len, name, NI_MAXHOST,
 					NULL, 0, NI_NUMERICHOST) ) {
 				free(s->hostname);
 				s->hostname = NULL;
-- 
1.8.3.1
backport some patches 2021-11-16 15:31:18 +08:00			`From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001`
			`From: Steve Grubb <sgrubb@redhat.com>`
			`Date: Sat, 7 Aug 2021 13:13:19 -0400`
			`Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs`

			`---`
			`src/ausearch-lookup.c \| 3 +++`
			`src/ausearch-parse.c \| 25 +++++++++++++++----------`
			`2 files changed, 18 insertions(+), 10 deletions(-)`

			`diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c`
			`index e27c784..dd58c36 100644`
			`--- a/src/ausearch-lookup.c`
			`+++ b/src/ausearch-lookup.c`
			`@@ -300,6 +300,9 @@ char unescape(const char buf)`
			`while (isxdigit(*ptr))`
			`ptr++;`
			`}`
			`+ if ((ptr - buf) == 0)`
			`+ return NULL;`
			`+`
			`str = strndup(buf, ptr - buf);`

			`if (*buf == '(')`
			`diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c`
			`index d051137..78dc44c 100644`
			`--- a/src/ausearch-parse.c`
			`+++ b/src/ausearch-parse.c`
			`@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode n, search_items s)`
			`if (event_hostname \|\| event_filename) {`
			`str = strstr(n->message, "saddr=");`
			`if (str) {`
			`- int len;`
			`+ unsigned int len = 0;`
			`struct sockaddr *saddr;`
			`char name[NI_MAXHOST];`

			`str += 6;`
			`- len = strlen(str)/2;`
			`+ const char *ptr = str;`
			`+ if (*ptr == '(') {`
			`+ const char *ptr2 = strchr(ptr, ')');`
			`+ if (ptr2)`
			`+ len = (ptr2 - ptr) + 1;`
			`+ } else {`
			`+ while (isxdigit(ptr[len]))`
			`+ len++;`
			`+ len /= 2;`
			`+ }`
			`s->hostname = unescape(str);`
			`if (s->hostname == NULL)`
			`return 4;`
			`@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode n, search_items s)`
			`}`
			`len = sizeof(struct sockaddr_in6);`
			`} else if (saddr->sa_family == AF_UNIX) {`
			`- struct sockaddr_un *un =`
			`- (struct sockaddr_un *)saddr;`
			`- if (un->sun_path[0])`
			`- len = strlen(un->sun_path);`
			`- else // abstract name`
			`- len = strlen(&un->sun_path[1]);`
			`- if (len == 0) {`
			`+ if (len < 4) {`
			`fprintf(stderr,`
			`"sun_path len too short\n");`
			`return 3;`
			`}`
			`+ struct sockaddr_un *un =`
			`+ (struct sockaddr_un *)saddr;`
			`if (event_filename) {`
			`if (!s->filename) {`
			`//create`
			`@@ -1736,7 +1741,7 @@ static int parse_sockaddr(const lnode n, search_items s)`
			`s->hostname = NULL;`
			`return 0;`
			`}`
			`- if (getnameinfo(saddr, len, name, NI_MAXHOST,`
			`+ if (getnameinfo(saddr, len, name, NI_MAXHOST,`
			`NULL, 0, NI_NUMERICHOST) ) {`
			`free(s->hostname);`
			`s->hostname = NULL;`
			`--`
			`1.8.3.1`