Is this something you can reproduce with a small subset of the pcap file that we could include into our test suite?
Robin On Thu, Jul 18, 2013 at 16:24 -0500, you wrote: > Hi, > > I came across a case where reading a corrupt pcap file resulted in > pcap_next() to return !NULL, with hdr.len == 0 and hdr.caplen == 0. > > This seems to cause Bro to enter an infinite loop consuming 100% CPU. > Following patch has fixed the problem, but I'm not sure it's the best > approach. > > diff --git a/src/PktSrc.cc b/src/PktSrc.cc > index 105dc90..de048cc 100644 > --- a/src/PktSrc.cc > +++ b/src/PktSrc.cc > @@ -77,6 +77,9 @@ int PktSrc::ExtractNextPacket() > > data = last_data = pcap_next(pd, &hdr); > > + if(hdr.len == 0 || hdr.caplen == 0) > + return 0; > + > if ( data ) > next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6; > > > Cheers, > Matt Thompson > _______________________________________________ > bro-dev mailing list > bro-dev@bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > -- Robin Sommer * Phone +1 (510) 722-6541 * ro...@icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin _______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
