Date: Mon, 23 Jul 2018 16:20:44 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 229983] Incorrect logical operator while verifying the feasibility of setting auditpipe queue limit
Message-ID: <bug-229983-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229983

Bug ID: 229983
Summary: Incorrect logical operator while verifying the feasibility of setting auditpipe queue limit
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: aniketp@iitk.ac.in

The logical operator which verifies that the desired limit of auditpipe queue
length to be set is between QLIMIT_MIN and QLIMIT_MAX is wrong.

    case AUDITPIPE_SET_QLIMIT:
        /* Lockless integer write. */
        if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN ||
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {

should be

    case AUDITPIPE_SET_QLIMIT:
        /* Lockless integer write. */
        if (*(u_int *)data >= AUDIT_PIPE_QLIMIT_MIN &&
            *(u_int *)data <= AUDIT_PIPE_QLIMIT_MAX) {

Steps to reproduce the bug: (On 12-CURRENT)

    #include <stdio.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/ioctl.h>
    #include <security/audit/audit_ioctl.h>

    int main(void)
    {
        int fd = open("/dev/auditpipe", O_RDWR);
        if (fd < 0) {
            perror("auditpipe");
            return 1;
        }

        int qlimit_min;
        /* Read the minimum queue limit the kernel reports. */
        ioctl(fd, AUDITPIPE_GET_QLIMIT_MIN, &qlimit_min);
        qlimit_min -= 5; /* Not allowed since it is less than QLIMIT_MIN */
        ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlimit_min);
        /* errno stays 0 when the out-of-range value was accepted. */
        perror("set qlimit");
        close(fd);
        return 0;
    }

Output: "set qlimit: No error: 0"

-- 
You are receiving this mail because:
You are the assignee for the bug.
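
The range check from the report, modelled in user space as an added example (not code from the report or from FreeBSD): it runs the quoted `||` condition and the proposed `&&` condition over boundary values and counts the out-of-range requests each one accepts. The bounds `QLIMIT_MIN` and `QLIMIT_MAX`, the `EINVAL` return and all function names are assumptions of this model.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed bounds for this model, not the kernel's actual values. */
#define QLIMIT_MIN 8u
#define QLIMIT_MAX 1024u

typedef int (*set_qlimit_fn)(unsigned int *qlimit, unsigned int requested);

/* Condition as quoted in the report: with "||" every unsigned value passes. */
static int set_qlimit_reported(unsigned int *qlimit, unsigned int requested)
{
    if (requested >= QLIMIT_MIN || requested <= QLIMIT_MAX) {
        *qlimit = requested;
        return 0;
    }
    return EINVAL; /* assumed error code; never reached with "||" */
}

/* Condition as proposed in the report: both bounds must hold. */
static int set_qlimit_proposed(unsigned int *qlimit, unsigned int requested)
{
    if (requested >= QLIMIT_MIN && requested <= QLIMIT_MAX) {
        *qlimit = requested;
        return 0;
    }
    return EINVAL; /* assumed error code */
}

/* Count probes outside [QLIMIT_MIN, QLIMIT_MAX] that a handler accepts.
 * QLIMIT_MIN - 5 mirrors the reproducer in the report. */
static int count_out_of_range_accepted(set_qlimit_fn set)
{
    const unsigned int probes[] = { 0u, QLIMIT_MIN - 5u, QLIMIT_MIN - 1u,
        QLIMIT_MIN, QLIMIT_MAX, QLIMIT_MAX + 1u, UINT_MAX };
    int accepted = 0;
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        unsigned int qlimit = QLIMIT_MIN;
        int in_range = probes[i] >= QLIMIT_MIN && probes[i] <= QLIMIT_MAX;
        if (!in_range && set(&qlimit, probes[i]) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("out-of-range accepted: reported=%d proposed=%d\n",
        count_out_of_range_accepted(set_qlimit_reported),
        count_out_of_range_accepted(set_qlimit_proposed));
    return 0;
}
```

A boundary-value test of this shape, run against the real handler, would have flagged the `||` condition because no probe is ever rejected.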