Commit 5afb8a3f authored by Xi Wang's avatar Xi Wang Committed by Al Viro

audit: fix signedness bug in audit_log_execve_info()

In the loop, a size_t "len" is used to hold the return value of
audit_log_single_execve_arg(), which returns -1 on error.  In that
case the error handling (len <= 0) will be bypassed since "len" is
unsigned, and the loop continues with (p += len) being wrapped.
Change the type of "len" to signed int to fix the error handling.

	size_t len;
	...
	for (...) {
		len = audit_log_single_execve_arg(...);
		if (len <= 0)
			break;
		p += len;
	}
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 10d68360
...@@ -1362,8 +1362,8 @@ static void audit_log_execve_info(struct audit_context *context, ...@@ -1362,8 +1362,8 @@ static void audit_log_execve_info(struct audit_context *context,
struct audit_buffer **ab, struct audit_buffer **ab,
struct audit_aux_data_execve *axi) struct audit_aux_data_execve *axi)
{ {
int i; int i, len;
size_t len, len_sent = 0; size_t len_sent = 0;
const char __user *p; const char __user *p;
char *buf; char *buf;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment