[Bro-Dev] Infinite loop with corrupt pcap
Robin Sommer
robin at icir.org
Fri Jul 19 08:12:08 PDT 2013
Is this something you can reproduce with a small subset of the pcap
file that we could include into our test suite?
Robin
On Thu, Jul 18, 2013 at 16:24 -0500, you wrote:
> Hi,
>
> I came across a case where reading a corrupt pcap file resulted in pcap_next() to return !NULL, with hdr.len == 0 and hdr.caplen == 0.
>
> This seems to cause Bro to enter an infinite loop consuming 100% CPU. Following patch has fixed the problem, but I'm not sure it's the best approach.
>
> diff --git a/src/PktSrc.cc b/src/PktSrc.cc
> index 105dc90..de048cc 100644
> --- a/src/PktSrc.cc
> +++ b/src/PktSrc.cc
> @@ -77,6 +77,9 @@ int PktSrc::ExtractNextPacket()
>
> data = last_data = pcap_next(pd, &hdr);
>
> + if(hdr.len == 0 || hdr.caplen == 0)
> + return 0;
> +
> if ( data )
> next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
>
>
> Cheers,
> Matt Thompson
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
More information about the bro-dev
mailing list