add forward declaration to get rid of compile warning

stevegrubb · stevegrubb · commit e62a849c654c · 2025-08-02T15:59:46.000-04:00
diff --git a/auparse/expression.c b/auparse/expression.c
@@ -391,23 +391,39 @@ parse_timestamp_value(struct expr *dest, struct parsing *p)
 	 * On a timestamp field we will do all the parsing ourselves
 	 * rather than use lex(). At the end we will move the internal cursor.
 	 */
-	if (sscanf(p->token_start, "ts:%jd.%u:%u", &sec,
-		   &dest->v.p.value.timestamp_ex.milli,
-		   &dest->v.p.value.timestamp_ex.serial) != 3) {
-		if (sscanf(p->token_start, "ts:%jd.%u", &sec,
-			   &dest->v.p.value.timestamp.milli) != 2) {
+	int ret;
+
+	ret = sscanf(p->token_start, "ts:%jd.%u:%u", &sec,
+		     &dest->v.p.value.timestamp_ex.milli,
+		     &dest->v.p.value.timestamp_ex.serial);
+	if (ret != 3) {
+		ret = sscanf(p->token_start, "ts:%jd.%u", &sec,
+			     &dest->v.p.value.timestamp.milli);
+		if (ret != 2) {
 			if (asprintf(p->error, "Invalid timestamp value `%.*s'",
 				     p->token_len, p->token_start) < 0)
 				*p->error = NULL;
 			return -1;
 		}
+		if (dest->v.p.value.timestamp.milli >= 1000) {
+			if (asprintf(p->error,
+				     "Millisecond out of range in `%.*s'",
+				     p->token_len, p->token_start) < 0)
+				*p->error = NULL;
+			return -1;
+		}
+	} else if (dest->v.p.value.timestamp_ex.milli >= 1000) {
+		if (asprintf(p->error,
+			     "Millisecond out of range in `%.*s'",
+			     p->token_len, p->token_start) < 0)
+			*p->error = NULL;
+		return -1;
 	}
 
 	/* Move the cursor past what we parsed. */
 	size_t num = strspn(p->token_start, "ts:0123456789.");
 	p->src = p->token_start + num;
 
-	/* FIXME: validate milli */
 	dest->v.p.value.timestamp.sec = sec;
 	if (dest->v.p.value.timestamp.sec != sec) {
 		if (asprintf(p->error, "Timestamp overflow in `%.*s'",
diff --git a/auparse/test/auparse_extra_test.c b/auparse/test/auparse_extra_test.c
@@ -2,6 +2,7 @@
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
+#include <stdlib.h>
 #include "libaudit.h"
 #include "auparse.h"
 
@@ -73,12 +74,39 @@ static void test_compare(void)
 	auparse_destroy(au);
 }
 
+/* Test parsing of timestamp expressions for millisecond range. */
+static void test_timestamp_milli(void)
+{
+	auparse_state_t *au;
+	char *err = NULL;
+	int rc;
+
+	au = auparse_init(AUSOURCE_FILE, "./test.log");
+	assert(au != NULL);
+
+	rc = ausearch_add_expression(au,
+				"\\timestamp == ts:1.999",
+				&err, AUSEARCH_RULE_CLEAR);
+	assert(rc == 0);
+	assert(err == NULL);
+
+	rc = ausearch_add_expression(au,
+				"\\timestamp == ts:1.1000",
+				&err, AUSEARCH_RULE_CLEAR);
+	assert(rc == -1);
+	assert(err != NULL);
+	free(err);
+
+	auparse_destroy(au);
+}
+
 int main(void)
 {
 	test_new_buffer();
 	test_feed_state();
 	test_normalize();
 	test_compare();
+	test_timestamp_milli();
 	printf("extra auparse tests: all passed\n");
 	return 0;
 }
diff --git a/lib/private.h b/lib/private.h
@@ -135,6 +135,7 @@ const char *audit_perm_to_name(int perm);
 AUDIT_HIDDEN_END
 
 // libaudit.c
+struct audit_rule_data;	// Forward declaration to prevent warnings
 int _audit_parse_syscall(const char *optarg, struct audit_rule_data *rule);
 extern int _audit_permadded;
 extern int _audit_archadded;
