Bug on PktSrc.cc


I think I found a weird bug in PktSrc.cc, related to the libpcap version
Bro ships.

The version of the arithmetic operation block generator we ship
( libpcap-0.7.2:gencode.c:get_arth() ) has a well-known bug [1], which
makes gencode() punt when the filter being compiled has too many
arithmetic operations.

When this happens, PktSrc::PrecompileFilter() returns 0
(BPF_Program::Compile() returns false and fills the errbuf), but this is
not caught by neither PktInterfaceSrc::PktInterfaceSrc() nor
PktFileSrc::PktFileSrc(). Eventually Bro dies, with an unrelated

If you want to test this, the following filter produces a weird error

((tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and ((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512)) or ( tcp[(tcp[12]>>2):4] = 0x5353482D and ( tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e))

I enclose a patch for Bro to die with a better error message.

The patch to fix pcap is in [1]


[1] http://www.tcpdump.org/lists/workers/2002/04/msg00014.html

bro.current.20050914.fix_for_wrong_filter_detection.diff (715 Bytes)