> The failure when comparing against zero is a bug in the
> libpcap optimizer.
> It was introduced in 1995, with the log message:
>
>   - Fixed compiler and optimizer bugs. The BPF filter engine uses unsigned
>     comparison operators, while the code generator and optimizer assumed
>     signed semantics in several places. Thanks to Charlie Slater
>     ([EMAIL PROTECTED]) for pointing this out.
>
> Early on, a compare against a constant has 0x80000000 added; later
> the 0x80000000 is subtracted off if it is recognized. However,
> a compare against 0 is a subtraction of 0 so is optimized out, so
> the later code does not recognize it as an instance that needs to
> be fixed up.
>
> It'd be easy enough to back this out, but obviously it was there
> because it fixed some problems, so if we backed it out we'd have to
> find these problems again and try to fix them another way.
>
> Bill

Wow! After talking to Jeff, I have to agree that the compiler/optimizer
is in a poor state. Is there any effort underway to recode the beast?

I looked a bit around the net and the only other bpf compiler that I found
was lsfcc (which is pretty crude). All the other sniffing tools (and several
highly regarded ones) use libpcap as the bpf compiler.

I find it very unnerving that libpcap, which is a major building block in
several other security tools, has these kinds of bugs. I would gladly offer
my help in this project, but I don't think I have the necessary knowledge to
start a compiler from scratch. Is there anyone working on this?

Danil Shane.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
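
An added illustration of the quoted explanation, not code from libpcap or from anyone on this thread: it shows why adding 0x80000000 to both operands makes an unsigned compare behave like a signed one, and what is left behind if the later fixup is skipped for a constant of 0. The function names and the two-pass model (`model_final_constant`, `model_filter_gt`) are hypothetical simplifications of the sequence described in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define BIAS 0x80000000u

/* The BPF engine's "jump if greater than": operands are unsigned 32-bit. */
static int bpf_jgt(uint32_t a, uint32_t k) { return a > k; }

/* What a code generator assuming signed semantics expects the compare to mean. */
static int signed_gt(int32_t a, int32_t k) { return a > k; }

/* Adding BIAS to both operands (mod 2^32) makes the unsigned compare
 * order values the way a signed compare would. */
static int biased_jgt(uint32_t a, uint32_t k) { return bpf_jgt(a + BIAS, k + BIAS); }

/* Hypothetical model of the two passes in the quoted message: the early
 * pass adds BIAS to the constant; the later pass subtracts it again only
 * when it still recognizes the compare. Assumption of this model: a
 * compare against 0 was folded away as "subtract 0", so it is not
 * recognized and the bias stays in the constant. */
static uint32_t model_final_constant(uint32_t k)
{
    uint32_t emitted = k + BIAS;   /* early pass */
    int recognized = (k != 0);     /* k == 0 was optimized out (assumed) */
    if (recognized)
        emitted -= BIAS;           /* later fixup */
    return emitted;
}

/* Result of the filter "x > k" as the modelled compiler would emit it. */
static int model_filter_gt(uint32_t x, uint32_t k)
{
    return bpf_jgt(x, model_final_constant(k));
}

int main(void)
{
    /* Constructed sample values. */
    printf("0xffffffff > 1: unsigned=%d signed=%d biased=%d\n",
           bpf_jgt(0xffffffffu, 1u), signed_gt(-1, 1), biased_jgt(0xffffffffu, 1u));
    printf("x=9 'x > 7' -> %d; x=5 'x > 0' -> %d (a correct filter gives 1)\n",
           model_filter_gt(9u, 7u), model_filter_gt(5u, 0u));
    return 0;
}
```

In this model the filter `x > 0` ends up comparing against 0x80000000, so small non-zero values no longer match.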
