fix: trim net events process name (aquasecurity#1741)

Process name for network events was not trimmed properly. Fixes: aquasecurity#1740
EBWi11 · May 9, 2022 · 3752a35 · 3752a35
1 parent fc053d1
commit 3752a35
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/pkg/bufferdecoder/net_decoder.go b/pkg/bufferdecoder/net_decoder.go
@@ -1,7 +1,6 @@
 package bufferdecoder
 
 import (
-	"bytes"
 	"encoding/binary"
 	"fmt"
 )
@@ -26,7 +25,7 @@ func (decoder *EbpfDecoder) DecodeNetEventMetadata(eventMetaData *NetEventMetada
 	eventMetaData.TimeStamp = binary.LittleEndian.Uint64(decoder.buffer[offset : offset+8])
 	eventMetaData.NetEventId = int32(binary.LittleEndian.Uint32(decoder.buffer[offset+8 : offset+12]))
 	eventMetaData.HostTid = binary.LittleEndian.Uint32(decoder.buffer[offset+12 : offset+16])
-	copy(eventMetaData.ProcessName[:], bytes.TrimRight(decoder.buffer[offset+16:offset+32], "\x00"))
+	copy(eventMetaData.ProcessName[:], decoder.buffer[offset+16:offset+32])
 
 	decoder.cursor += int(eventMetaData.GetSizeBytes())
 	return nil

diff --git a/pkg/ebpf/net_events.go b/pkg/ebpf/net_events.go
@@ -1,6 +1,7 @@
 package ebpf
 
 import (
+	"bytes"
 	gocontext "context"
 	"fmt"
 	lru "github.com/hashicorp/golang-lru"
@@ -281,26 +282,27 @@ func (t *Tracee) processNetEvents(ctx gocontext.Context) {
 					t.handleError(err)
 					continue
 				}
+				procName := string(bytes.TrimRight(netEventMetadata.ProcessName[:], "\x00"))
 				switch netEventMetadata.NetEventId {
 				case DebugNetSecurityBind:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/security_socket_bind LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				case DebugNetUdpSendmsg:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/udp_sendmsg          LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				case DebugNetUdpDisconnect:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/__udp_disconnect     LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				case DebugNetUdpDestroySock:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/udp_destroy_sock     LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				case DebugNetUdpV6DestroySock:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/udpv6_destroy_sock   LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				case DebugNetInetSockSetState:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/inet_sock_set_state  LocalIP: %v, LocalPort: %d, RemoteIP: %v, RemotePort: %d, Protocol: %d, OldState: %d, NewState: %d, SockPtr: 0x%x\n",
 						timeStampObj,
-						netEventMetadata.ProcessName,
+						procName,
 						netEventMetadata.HostTid,
 						netaddr.IPFrom16(netDebugEvent.LocalIP),
 						netDebugEvent.LocalPort,
@@ -312,7 +314,7 @@ func (t *Tracee) processNetEvents(ctx gocontext.Context) {
 						netDebugEvent.SockPtr)
 				case DebugNetTcpConnect:
 					fmt.Printf("%v  %-16s  %-7d  debug_net/tcp_connect     LocalIP: %v, LocalPort: %d, Protocol: %d\n",
-						timeStampObj, netEventMetadata.ProcessName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
+						timeStampObj, procName, netEventMetadata.HostTid, netaddr.IPFrom16(netDebugEvent.LocalIP), netDebugEvent.LocalPort, netDebugEvent.Protocol)
 				}
 			}
 
@@ -388,7 +390,7 @@ func netPacketProtocolHandler(netDecoder *bufferdecoder.EbpfDecoder, evtMeta buf
 func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, eventName string) trace.Event {
 	evt := ctx.GetEventByProcessCtx()
 	evt.Timestamp = int(eventMeta.TimeStamp)
-	evt.ProcessName = string(eventMeta.ProcessName[:])
+	evt.ProcessName = string(bytes.TrimRight(eventMeta.ProcessName[:], "\x00"))
 	evt.EventID = int(eventMeta.NetEventId)
 	evt.EventName = eventName
 	return evt