Fix some static analysis findings

struct audit_message embeds a netlink header followed by a fixed-size payload buffer, so copying more than sizeof(req.data) bytes into the stack object will clobber adjacent state.
The updated sender now rejects requests whose payload exceeds that buffer and makes sure the padded wire size stays within the kernel’s maximum before copying the user data into the in-struct array, eliminating the unchecked write Coverity spotted.
We still populate nlmsg_len with NLMSG_SPACE(size), so the layout expected by the historical macros is preserved while giving the analyzer an obvious bound check.

During a live reconfigure, the new settings structure is torn down once the merge finishes. If we simply assigned oconf->plugin_dir = nconf->plugin_dir, the old configuration would wind up pointing at memory that destroy_config(nconf) later frees, which is exactly what Coverity warned about. The revised code duplicates any new path into storage owned by the running configuration, frees the superseded value, and clears whichever pointer the temporary configuration no longer owns so the final cleanup cannot free it twice.
That removes the aliasing path Coverity described.

Bad-login reporting used to stuff whatever pointer auparse returned into a temporary stack lnode and then pass it to report_session, which blindly printed term+5 when the name started with /dev/. If term was the short literal "?", advancing five bytes ran off the end of the two-byte buffer Coverity modeled. The new logic normalizes the pointer before printing—falling back to "?" when the field is missing and only skipping the /dev/ prefix when the string is actually long enough—so nothing dereferences past the available characters.

Author: stevegrubb

lib/netlink.c

@@ -200,6 +200,11 @@ int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq
 		return -errno;
 	}
 
+	if (size > sizeof(req.data)) {
+		errno = EINVAL;
+		return -errno;
+	}
+
 	if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH) {
 		errno = EINVAL;
 		return -errno;
@@ -217,7 +222,7 @@ int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq
 	req.nlh.nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK;
 	req.nlh.nlmsg_seq = sequence;
 	if (size && data)
-		memcpy(NLMSG_DATA(&req.nlh), data, size);
+		memcpy(req.data, data, size);
 	memset(&addr, 0, sizeof(addr));
 	addr.nl_family = AF_NETLINK;
 	addr.nl_pid = 0;

src/auditd-event.c

@@ -1574,11 +1574,29 @@ static void reconfigure(struct auditd_event *e)
 	oconf->q_depth = nconf->q_depth;
 	oconf->overflow_action = nconf->overflow_action;
 	oconf->max_restarts = nconf->max_restarts;
-	if (oconf->plugin_dir != nconf->plugin_dir ||
-		(oconf->plugin_dir && nconf->plugin_dir &&
-		strcmp(oconf->plugin_dir, nconf->plugin_dir) != 0)) {
+	if (nconf->plugin_dir) {
+		if (!oconf->plugin_dir ||
+				strcmp(oconf->plugin_dir,
+					nconf->plugin_dir) != 0) {
+			char *tmp = strdup(nconf->plugin_dir);
+
+			if (tmp == NULL)
+				audit_msg(LOG_ERR,
+				"Cannot duplicate plugin_dir in reconfigure");
+			else {
+				free(oconf->plugin_dir);
+				oconf->plugin_dir = tmp;
+			}
+		}
+	} else if (oconf->plugin_dir) {
 		free(oconf->plugin_dir);
-		oconf->plugin_dir = nconf->plugin_dir;
+		oconf->plugin_dir = NULL;
+	}
+	if (nconf->plugin_dir == oconf->plugin_dir)
+		nconf->plugin_dir = NULL;
+	else {
+		free(nconf->plugin_dir);
+		nconf->plugin_dir = NULL;
 	}
 
 	/* At this point we will work on the items that are related to

tools/aulast/aulast.c

@@ -53,6 +53,8 @@ void usage(void)
 static void report_session(lnode* cur)
 {
 	int notime = 0;
+	const char *term;
+	const char *term_to_print;
 
 	// Don't list failed logins
 	if (cur == NULL)
@@ -71,10 +73,15 @@ static void report_session(lnode* cur)
 	} else
 		printf("%-8.u ", cur->auid);
 
-	if (strncmp("/dev/", cur->term, 5) == 0)
-		printf("%-12.12s ", cur->term+5);
-	else
-		printf("%-12.12s ", cur->term);
+	term = cur->term ? cur->term : "?";
+	term_to_print = term;
+	if (strncmp(term, "/dev/", 5) == 0) {
+		if (strlen(term) > 5)
+			term_to_print = term + 5;
+		else
+			term_to_print = "";
+	}
+	printf("%-12.12s ", term_to_print);
 	printf("%-16.16s ", cur->host ? cur->host : "?");
 	printf("%-16.16s ", ctime(&cur->start));
 	switch(cur->status)