From 96a197fb642933b625996947b2e18ff2ed1df261 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 3 Nov 2021 10:22:55 -0300
Subject: [PATCH 5/5] auparse: refact nvlist cleanup cod
The nvlist_clear function tries to guess whether we allocated a buffer
or if the pointer points to a spot in the parsed up record by using a
name. This is fragile because someone actually used a reserved name in
a record unexpectedly. The refactored code does a range check to see if
the pointer is within the parsed up buffer area. If not, it can free the
buffer.
Backport of upstream 5baa2a860c
---
auparse/ellist.c | 12 ++++++++++--
auparse/nvlist.c | 23 +++++++++++++++++------
auparse/nvlist.h | 2 +-
auparse/rnode.h | 1 +
4 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/auparse/ellist.c b/auparse/ellist.c
index bbb4064..048ac4c 100644
--- a/auparse/ellist.c
+++ b/auparse/ellist.c
@@ -103,7 +103,7 @@ static char *escape(const char *tmp)
static int parse_up_record(rnode* r)
{
char *ptr, *buf, *saved=NULL;
- unsigned int offset = 0;
+ unsigned int offset = 0, len;
// Potentially cut the record in two
ptr = strchr(r->record, AUDIT_INTERP_SEPARATOR);
@@ -112,7 +112,15 @@ static int parse_up_record(rnode* r)
ptr++;
}
r->interp = ptr;
- r->nv.record = buf = strdup(r->record);
+ // Rather than call strndup, we will do it ourselves to reduce
+ // the number of interations across the record.
+ // len includes the string terminator.
+ len = strlen(r->record) + 1;
+ r->nv.record = buf = malloc(len);
+ if (r->nv.record == NULL)
+ return -1;
+ memcpy(r->nv.record, r->record, len);
+ r->nv.end = r->nv.record + len;
ptr = audit_strsplit_r(buf, &saved);
if (ptr == NULL) {
free(buf);
diff --git a/auparse/nvlist.c b/auparse/nvlist.c
index 99c7c2b..c9ccc8f 100644
--- a/auparse/nvlist.c
+++ b/auparse/nvlist.c
@@ -36,11 +36,13 @@ void nvlist_create(nvlist *l)
l->cur = 0;
l->cnt = 0;
l->record = NULL;
+ l->end = NULL;
}
}
nvnode *nvlist_next(nvlist *l)
{
+ // Since cur will be incremented, check for 1 less that total
if (l->cnt && l->cur < (l->cnt - 1)) {
l->cur++;
return &l->array[l->cur];
@@ -125,11 +127,21 @@ const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode)
return do_interpret(r, escape_mode);
}
+// This function determines if a chunk of memory is part of the parsed up
+// record. If it is, do not free it since it gets free'd at the very end.
+// NOTE: This function causes invalid-pointer-pair errors with ASAN
+static inline int not_in_rec_buf(nvlist *l, const char *ptr)
+{
+ if (ptr >= l->record && ptr < l->end)
+ return 0;
+ return 1;
+}
+
// free_interp does not apply to thing coming from interpretation_list
-void nvlist_clear(nvlist* l, int free_interp)
+void nvlist_clear(nvlist *l, int free_interp)
{
unsigned int i = 0;
- register nvnode* current;
+ register nvnode *current;
if (l->cnt == 0)
return;
@@ -140,11 +152,9 @@ void nvlist_clear(nvlist* l, int free_interp)
free(current->interp_val);
// A couple items are not in parsed up list.
// These all come from the aup_list_append path.
- if ((strcmp(current->name, "key") == 0) ||
- (strcmp(current->name, "seperms") == 0) ||
- (strcmp(current->name, "seresult") == 0)) {
+ if (not_in_rec_buf(l, current->name)) {
// seperms & key values are strdup'ed
- if (current->name[2] != 'r')
+ if (not_in_rec_buf(l, current->val))
free(current->val);
free(current->name);
}
@@ -153,6 +163,7 @@ void nvlist_clear(nvlist* l, int free_interp)
}
free((void *)l->record);
l->record = NULL;
+ l->end = NULL;
l->cur = 0;
l->cnt = 0;
}
diff --git a/auparse/nvlist.h b/auparse/nvlist.h
index b006caa..59f3e13 100644
--- a/auparse/nvlist.h
+++ b/auparse/nvlist.h
@@ -45,7 +45,7 @@ static inline const char *nvlist_get_cur_val_interp(nvlist *l)
AUDIT_HIDDEN_START
void nvlist_create(nvlist *l);
-void nvlist_clear(nvlist* l, int free_interp);
+void nvlist_clear(nvlist *l, int free_interp);
nvnode *nvlist_next(nvlist *l);
int nvlist_get_cur_type(rnode *r);
const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode);
diff --git a/auparse/rnode.h b/auparse/rnode.h
index 06303c7..69f0843 100644
--- a/auparse/rnode.h
+++ b/auparse/rnode.h
@@ -40,6 +40,7 @@ typedef struct {
unsigned int cur; // Index to current node
unsigned int cnt; // How many items in this list
char *record; // Holds the parsed up record
+ char *end; // End of the parsed up record
} nvlist;
--
2.33.1