Infinite loop with corrupt pcap


I came across a case where reading a corrupt pcap file resulted in pcap_next() returning !NULL, with hdr.len == 0 and hdr.caplen == 0.

This seems to cause Bro to enter an infinite loop consuming 100% CPU. The following patch has fixed the problem, but I'm not sure it's the best approach.

diff --git a/src/ b/src/
index 105dc90..de048cc 100644
--- a/src/
+++ b/src/
@@ -77,6 +77,9 @@ int PktSrc::ExtractNextPacket()

        data = last_data = pcap_next(pd, &hdr);

+ if(hdr.len == 0 || hdr.caplen == 0)
+ return 0;
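
Review bot: The new test on hdr.len and hdr.caplen sits directly after `data = last_data = pcap_next(pd, &hdr);` and reads hdr before anything visible in this hunk has checked the returned pointer, so when pcap_next() returns NULL the check evaluates header fields that may not have been filled in; test `data` first and only then inspect the header. The early `return 0;` also leaves data and last_data pointing at the rejected record, so consider clearing both before returning. Two smaller points: the report describes both fields being zero, while `||` rejects a record when either one is zero, so say in a comment which condition is intended; and the record is dropped silently, so a warning naming the zero-length header would make a corrupt trace visible to the operator. Style: `if(` lacks the space after `if`, and the added lines do not follow the indentation of the surrounding context line.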

Is this something you can reproduce with a small subset of the pcap
file that we could include in our test suite?