[Bro-Dev] Infinite loop with corrupt pcap

Matt Thompson mthompson at hexwave.com
Thu Jul 18 14:24:06 PDT 2013


Hi,

I came across a case where reading a corrupt pcap file resulted in pcap_next() returning !NULL, with hdr.len == 0 and hdr.caplen == 0.

This seems to cause Bro to enter an infinite loop consuming 100% CPU. The following patch has fixed the problem, but I'm not sure it's the best approach.

diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 105dc90..de048cc 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -77,6 +77,9 @@ int PktSrc::ExtractNextPacket()
 
        data = last_data = pcap_next(pd, &hdr);
 
+       if(hdr.len == 0 || hdr.caplen == 0)
+               return 0;
+
        if ( data )
                next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
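
Review bot: the new zero-length test sits above `if ( data )`, so hdr.len and hdr.caplen are read even when pcap_next() returned NULL, and in that case hdr is not guaranteed to have been filled in for this call. Fold the test into the non-NULL path, for example `if ( data && (hdr.len == 0 || hdr.caplen == 0) )`. The early return also happens after `data = last_data = pcap_next(pd, &hdr);`, so both pointers still refer to the rejected record. Reset them before `return 0;` if anything outside this function consults them. Please confirm that returning 0 here makes the caller move on or stop rather than re-enter with the same state, and add a one-line comment naming the corrupt-pcap case. As a style point, the surrounding code writes `if ( ... )` with spaces, while the added line uses `if(`.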


Cheers,
Matt Thompson

