audit: fix signedness bug in audit_log_execve_info()
In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
10d6836087
commit
5afb8a3f96
|
@ -1362,8 +1362,8 @@ static void audit_log_execve_info(struct audit_context *context,
|
||||||
struct audit_buffer **ab,
|
struct audit_buffer **ab,
|
||||||
struct audit_aux_data_execve *axi)
|
struct audit_aux_data_execve *axi)
|
||||||
{
|
{
|
||||||
int i;
|
int i, len;
|
||||||
size_t len, len_sent = 0;
|
size_t len_sent = 0;
|
||||||
const char __user *p;
|
const char __user *p;
|
||||||
char *buf;
|
char *buf;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue