bin/114534: OpenBSM auditreduce fail with short date format

Thu Jul 12 18:30:06 UTC 2007

>Number:         114534
>Category:       bin
>Synopsis:       OpenBSM auditreduce fail with short date format
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 12 18:30:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Alex Samorukov
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
Shevchenko Didkovskiy and Partners 
>Environment:


System: FreeBSD 6.2-STABLE #3: Thu Jul 12 17:22:52 EEST 2007
    root at samm.local:/usr/obj/usr/src/sys/SAMMKRNL



>Description:


I found a bug on auditreduce tool.
The problem is with '-a' key, which allow us to select  records that occurred after or on the given datetime.
Man states that it has format:
 -a YYYYMMDD[HH[MM[SS]]]

When i`m using -a with full format (e.g. -a -a 20070712175500) auditreduce work correctly, but with short format (e.g. -a 200707121755) it fail. After some testing i found that problem is with strptime function. 
Here is a quote from the manual:

     If the format string does not contain enough conversion specifications to
     completely specify the resulting struct tm, the unspecified members of
     timeptr are left untouched.  For example, if format is ``%H:%M:%S'', only
     tm_hour, tm_sec and tm_min will be modified.  If time relative to today
     is desired, initialize the timeptr structure with today's date before
     passing it to strptime().

But tm structure in the sources was not zerowed and contain garbage, so we got random result with the short form. 


>How-To-Repeat:


run auditreduce with short form and see no output.
After patch all work as designed


>Fix:

--- auditreduce.c       Sat Sep 30 01:41:53 2006
+++ auditreduce.c.patched       Thu Jul 12 19:23:06 2007
@@ -629,6 +629,7 @@
                                usage("d is exclusive with a and b");
                        }
                        SETOPT(opttochk, OPT_a);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d%H%M%S", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
                            &tm);
@@ -641,6 +642,7 @@
                                usage("d is exclusive with a and b");
                        }
                        SETOPT(opttochk, OPT_b);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d%H%M%S", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
                            &tm);
@@ -661,6 +663,7 @@
                            OPT_a))
                                usage("'d' is exclusive with 'a' and 'b'");
                        SETOPT(opttochk, OPT_d);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
                        /* fprintf(stderr, "Time converted = %s\n", timestr); */



>Release-Note:
>Audit-Trail:
>Unformatted:
