PERFORCE change 106331 for review
Robert Watson
rwatson at FreeBSD.org
Tue Sep 19 02:02:55 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=106331
Change 106331 by rwatson at rwatson_fledge on 2006/09/19 08:27:50
Fix bugs in execve(2) argument and environmental variable parsing
for tokens containing large numbers of entries. Bump default
maximum (changes ABI of token structure). Comment.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/HISTORY#30 edit
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/HISTORY#30 (text+ko) ====
@@ -25,6 +25,8 @@
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file.
+- Fix bugs in the parsing of large execve(2) arguments and environmental
+ variable tokens; increase maximum parsed argument and variable count.
OpenBSM 1.0 alpha 10
@@ -237,4 +239,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#29 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#30 $
==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#28 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#29 $
*/
#ifndef _LIBBSM_H_
@@ -37,9 +37,6 @@
* solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
*/
-#define AUDIT_MAX_ARGS 10
-#define AUDIT_MAX_ENV 10
-
#include <sys/types.h>
#include <sys/cdefs.h>
@@ -55,13 +52,25 @@
#include <mach/mach.h> /* audit_token_t */
#endif
+/*
+ * Size parsed token vectors for execve(2) arguments and environmental
+ * variables. Note: changing these sizes affects the ABI of the token
+ * structure, and as the token structure is often placed in the caller stack,
+ * this is undesirable.
+ */
+#define AUDIT_MAX_ARGS 128
+#define AUDIT_MAX_ENV 128
+
+/*
+ * Arguments to au_preselect(3).
+ */
+#define AU_PRS_USECACHE 0
+#define AU_PRS_REREAD 1
+
#define AU_PRS_SUCCESS 1
#define AU_PRS_FAILURE 2
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
-#define AU_PRS_USECACHE 0
-#define AU_PRS_REREAD 1
-
#define AUDIT_EVENT_FILE "/etc/security/audit_event"
#define AUDIT_CLASS_FILE "/etc/security/audit_class"
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
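Review bot: Raising AUDIT_MAX_ARGS and AUDIT_MAX_ENV from 10 to 128 grows the vectors that the parser fills through `tok->tt.execarg.text[i]` and `tok->tt.execenv.text[i]`, and nothing visible in this change bumps the shared-library version to match. A consumer built against the old header that keeps the token structure on its stack would presumably hand the new parser 10-slot arrays, which it may now fill with up to 128 pointers. The new comment already calls the ABI change undesirable, and it should also tell consumers what to do, for example `* Consumers must be recompiled when these change; the parser stores up to this many pointers.`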
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 (text+ko) ====
@@ -31,7 +31,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#40 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
*/
#include <sys/types.h>
@@ -1190,7 +1190,8 @@
for (i = 0; i < tok->tt.execarg.count; i++) {
bptr = buf + tok->len;
- tok->tt.execarg.text[i] = bptr;
+ if (i < AUDIT_MAX_ARGS)
+ tok->tt.execarg.text[i] = bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
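Review bot: The `while` condition reads `*bptr` at `buf + tok->len` before any length comparison visible in this hunk. If the previous string's terminator was the last byte of the record and the count field promises more strings, the next iteration appears to read one byte past the buffer. The check that returns -1 seems to sit in the loop body outside this hunk, so it runs only after that first dereference. Consider testing at the top of each iteration, before `bptr = buf + tok->len;`, with something like `if (tok->len >= <buffer length>) return (-1);`, where the placeholder stands for the function's length argument, which is not shown here. Separately, the `bptr &&` test can never fail for a pointer derived from `buf` and could be dropped; the execenv loop in the later hunk has the same shape on both points.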
@@ -1202,6 +1203,8 @@
return (-1);
tok->len++; /* \0 character */
}
+ if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
+ tok->tt.execarg.count = AUDIT_MAX_ARGS;
return (0);
}
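Review bot: Clamping `tok->tt.execarg.count` after the loop discards every string past AUDIT_MAX_ARGS without a trace, so a consumer printing the token cannot tell a complete argument list from a truncated one. For an audit trail that deserves at least a comment at the clamp, such as `/* Strings beyond AUDIT_MAX_ARGS are walked but not stored; count is clamped to what text[] holds. */`. It is also worth confirming that `i` and `count` have compatible signedness, since their declarations are outside the hunk. The same applies to the execenv clamp in the last hunk.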
@@ -1235,9 +1238,10 @@
if (err)
return (-1);
- for (i = 0; i< tok->tt.execenv.count; i++) {
+ for (i = 0; i < tok->tt.execenv.count; i++) {
bptr = buf + tok->len;
- tok->tt.execenv.text[i] = bptr;
+ if (i < AUDIT_MAX_ENV)
+ tok->tt.execenv.text[i] = bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@@ -1249,6 +1253,8 @@
return (-1);
tok->len++; /* \0 character */
}
+ if (tok->tt.execenv.count > AUDIT_MAX_ENV)
+ tok->tt.execenv.count = AUDIT_MAX_ENV;
return (0);
}