fix comments

aquasecurity · Jun 25, 2023 · 68276d4 · 68276d4
1 parent 5ffce7d
commit 68276d4
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 12 deletions.
diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go
@@ -59,6 +59,7 @@ func ReadArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
 	var res interface{}
 	var argIdx uint8
 	var arg trace.Argument
+
 	err = ebpfMsgDecoder.DecodeUint8(&argIdx)
 	if err != nil {
 		return 0, arg, errfmt.Errorf("error reading arg index: %v", err)

diff --git a/pkg/ebpf/c/common/buffer.h b/pkg/ebpf/c/common/buffer.h
@@ -166,23 +166,24 @@ statfunc int save_u64_arr_to_buf(event_data_t *event, const u64 *ptr, int len, u
 
     // Save argument index
     event->args[event->buf_off] = index;
-    event->buf_off += 1;
 
     // Save number of elements
-    if (event->buf_off > ARGS_BUF_SIZE - sizeof(restricted_len))
+    if (event->buf_off + sizeof(index) > ARGS_BUF_SIZE - sizeof(restricted_len))
         return 0;
-    __builtin_memcpy(&(event->args[event->buf_off]), &restricted_len, sizeof(restricted_len));
-    event->buf_off += sizeof(restricted_len);
-    event->context.argnum++;
+    __builtin_memcpy(
+        &(event->args[event->buf_off + sizeof(index)]), &restricted_len, sizeof(restricted_len));
 
-    if ((event->buf_off > ARGS_BUF_SIZE - MAX_BYTES_ARR_SIZE))
+    if ((event->buf_off + sizeof(index) + sizeof(restricted_len) >
+         ARGS_BUF_SIZE - MAX_BYTES_ARR_SIZE))
         return 0;
 
-    if (bpf_probe_read(&(event->args[event->buf_off]),
+    if (bpf_probe_read(&(event->args[event->buf_off + sizeof(index) + sizeof(restricted_len)]),
                        total_size & (MAX_BYTES_ARR_SIZE - 1),
                        (void *) ptr) != 0)
         return 0;
-    event->buf_off += total_size;
+
+    event->context.argnum++;
+    event->buf_off += sizeof(index) + sizeof(restricted_len) + total_size;
 
     return 1;
 }

diff --git a/pkg/ebpf/capture.go b/pkg/ebpf/capture.go
@@ -108,7 +108,6 @@ func (t *Tracee) processFileCaptures(ctx context.Context) {
 					t.handleError(err)
 					continue
 				}
-
 				// note: size of buffer will determine maximum extracted file size! (as writes from kernel are immediate)
 				if t.config.Output.RelativeTime {
 					// To get the monotonic time since tracee was started, we have to subtract the start time from the timestamp.

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -1627,9 +1627,9 @@ func (t *Tracee) triggerSyscallsIntegrityCheck(event trace.Event) error {
 		if len(derive.SyscallsToCheck) == 0 {
 			syscallFilter, ok := hookedSyscallsFilters["check_syscalls"].(*filters.StringFilter)
 			if syscallFilter != nil && ok {
-				eventNames := events.Definitions.NamesToIDs()
+				eventNamesToID := events.Definitions.NamesToIDs()
 				for _, syscall := range syscallFilter.Equal() {
-					_, ok := eventNames[syscall]
+					_, ok := eventNamesToID[syscall]
 					if !ok {
 						errArgFilter[p.ID] = fmt.Errorf("policy %d: %s - no such syscall", p.ID, syscall)
 						break

diff --git a/pkg/events/derive/hooked_syscall.go b/pkg/events/derive/hooked_syscall.go
@@ -13,7 +13,7 @@ import (
 )
 
 var SyscallsToCheck = make([]string, 0)
-var MaxSupportedSyscallID = 293 // Based on the __NR_syscalls value for the lowest supported version 4.18
+var MaxSupportedSyscallID = events.IoPgetevents // Was the last syscall introduced in the minimum version supported 4.18
 
 func DetectHookedSyscall(kernelSymbols helpers.KernelSymbolTable) DeriveFunction {
 	return deriveSingleEvent(events.HookedSyscalls, deriveDetectHookedSyscallArgs(kernelSymbols))