From samm@os2.kiev.ua  Thu Jul 12 18:21:50 2007
Return-Path: <samm@os2.kiev.ua>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 4060D16A400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Jul 2007 18:21:50 +0000 (UTC)
	(envelope-from samm@os2.kiev.ua)
Received: from deepvision.tsua.net (deepvision.tsua.net [212.40.43.22])
	by mx1.freebsd.org (Postfix) with ESMTP id DC50413C448
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Jul 2007 18:21:49 +0000 (UTC)
	(envelope-from samm@os2.kiev.ua)
Received: from 110-32-124-91.pool.ukrtel.net ([91.124.32.110] helo=samm.local)
	by deepvision.tsua.net with esmtpa (Exim 4.67 (FreeBSD))
	(envelope-from <samm@os2.kiev.ua>)
	id 1I92xo-000J0K-6l; Thu, 12 Jul 2007 21:00:28 +0300
Message-Id: <1184263218.4541@samm.local>
Date: Thu, 12 Jul 2007 21:00:18 +0300
From: "Alex Samorukov" <samm@os2.kiev.ua>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Cc: samm@os2.kiev.ua
Subject: OpenBSM auditreduce fail with short date format
X-Send-Pr-Version: gtk-send-pr 0.4.8 
X-GNATS-Notify:

>Number:         114534
>Category:       bin
>Synopsis:       [patch] auditreduce(1): OpenBSM auditreduce fail with short date format
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 12 18:30:05 GMT 2007
>Closed-Date:    Sun Oct 21 00:34:16 UTC 2007
>Last-Modified:  Sun Oct 21 00:34:16 UTC 2007
>Originator:     Alex Samorukov
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
Shevchenko Didkovskiy and Partners 
>Environment:


System: FreeBSD 6.2-STABLE #3: Thu Jul 12 17:22:52 EEST 2007
    root@samm.local:/usr/obj/usr/src/sys/SAMMKRNL



>Description:


I found a bug in the auditreduce tool.
The problem is with the '-a' key, which allows us to select records that
occurred after or on the given datetime.

The man page states that it has the format:
 -a YYYYMMDD[HH[MM[SS]]]

When I'm using -a with the full format (e.g. -a 20070712175500)
auditreduce works correctly, but with the short format (e.g. -a 200707121755)
it fails. After some testing I found that the problem is with the strptime function.
Here is a quote from the manual:

     If the format string does not contain enough conversion specifications to
     completely specify the resulting struct tm, the unspecified members of
     timeptr are left untouched.  For example, if format is ``%H:%M:%S'', only
     tm_hour, tm_sec and tm_min will be modified.  If time relative to today
     is desired, initialize the timeptr structure with today's date before
     passing it to strptime().

But the tm structure in the sources was not zeroed and contains garbage, so we got a random result with the short form.


>How-To-Repeat:


Run auditreduce with the short form and see no output.
After the patch everything works as designed.


>Fix:


--- auditreduce.c       Sat Sep 30 01:41:53 2006
+++ auditreduce.c.patched       Thu Jul 12 19:23:06 2007
@@ -629,6 +629,7 @@
                                usage("d is exclusive with a and b");
                        }
                        SETOPT(opttochk, OPT_a);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d%H%M%S", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
                            &tm);
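
Review bot: the return value of strptime(optarg, "%Y%m%d%H%M%S", &tm) in the -a case is still discarded, so with tm zeroed an argument that does not parse at all is passed on to strftime() as an all-zero time instead of being rejected. Consider validating optarg (digits only, a length matching YYYYMMDD[HH[MM[SS]]]) and calling usage() on failure, so that the zeroing only supplies defaults for the fields the user left out.
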
@@ -641,6 +642,7 @@
                                usage("d is exclusive with a and b");
                        }
                        SETOPT(opttochk, OPT_b);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d%H%M%S", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
                            &tm);
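
Review bot: the -b case now repeats the same three-step sequence as -a (bzero, strptime with "%Y%m%d%H%M%S", strftime into timestr). A small helper that takes optarg and the format string would keep the initialisation in one place, so a date option added later cannot miss it.
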
@@ -661,6 +663,7 @@
                            OPT_a))
                                usage("'d' is exclusive with 'a' and 'b'");
                        SETOPT(opttochk, OPT_d);
+                       bzero(&tm, sizeof(tm));
                        strptime(optarg, "%Y%m%d", &tm);
                        strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
                        /* fprintf(stderr, "Time converted = %s\n", timestr); */
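
Review bot: bzero(&tm, sizeof(tm)) in the -d case (and in the two hunks above) is a legacy BSD call; memset(&tm, 0, sizeof(tm)) is the standard C spelling. A one-line comment noting that strptime() leaves unspecified members untouched would also record why the zeroing is there.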



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Jul 14 15:41:02 UTC 2007 
Responsible-Changed-Why:  
Take ownership of this PR as it relates to OpenBSM. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=114534 
State-Changed-From-To: open->patched 
State-Changed-By: rwatson 
State-Changed-When: Sat Jul 14 17:09:42 UTC 2007 
State-Changed-Why:  
OpenBSM 1.0a15 will contain this fix, merged in Perforce changeset 123491. 
I will merge an updated OpenBSM to CVS HEAD this week, pulling this fix in 
for 7.0 beta 1. 

State-Changed-From-To: patched->closed 
State-Changed-By: rwatson 
State-Changed-When: Sun Oct 21 00:32:28 UTC 2007 
State-Changed-Why:  
OpenBSM 1.0 alpha 15 was merged on 22 July 2007, so this fix is now present 
in 7.0.  I will look at merging OpenBSM 1.0 to RELENG_6 once it has been 
released and imported into 8.x/7.x and settled for some period of time.  6.x 
continues to use OpenBSM 1.0 alpha 12 for the time being. 

Thanks for the bug report! 


>Unformatted:
