Infinite loop with corrupt pcap

Matt_Thompson · July 18, 2013, 9:24pm

Hi,

I came across a case where reading a corrupt pcap file resulted in pcap_next() to return !NULL, with hdr.len == 0 and hdr.caplen == 0.

This seems to cause Bro to enter an infinite loop consuming 100% CPU. Following patch has fixed the problem, but I'm not sure it's the best approach.

diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 105dc90..de048cc 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -77,6 +77,9 @@ int PktSrc::ExtractNextPacket()

data = last_data = pcap_next(pd, &hdr);

+ if(hdr.len == 0 || hdr.caplen == 0)
+ return 0;

robin · July 19, 2013, 3:12pm

Is this something you can reproduce with a small subset of the pcap
file that we could include into our test suite?

Robin

Topic		Replies	Views
pcap_next Question Zeek	13	79	May 6, 2022
Bug on PktSrc.cc Zeek	1	55	May 6, 2022
Using Bro in offline mode (pcap spooling) Zeek	2	101	May 6, 2022
unknown data link type 0xc Zeek	3	65	May 6, 2022
Experiences with Bro and FreeBSD 8.2 Zerocopy BPF Zeek	3	54	May 6, 2022

Infinite loop with corrupt pcap

Related Topics