#ifdef WIN32
    // This is a workaround for a bug in the winpcap driver that can cause a BSOD
    // on windows. There is an off by one read when setting the filter that we can
    // avoid by appending a BPF_SEPARATION instruction to the filter program.
    {
        struct bpf_insn *ins;
        unsigned len;

        len = bpf.bf_len;
        ins = (struct bpf_insn *)malloc((len + 1) * sizeof(struct bpf_insn));
        if(ins) {
            memset(ins, 0, (len + 1) * sizeof (struct bpf_insn));
            memcpy(ins, bpf.bf_insns, len * sizeof(struct bpf_insn));
            pcap_freecode(&bpf);
            ins[len].code = BPF_SEPARATION;
            bpf.bf_len = len + 1;
            bpf.bf_insns = ins;
        }
    }
#endif

I think that this patch is applied to your code (and not in wpcap.dll). Isn't it?
Yes, this code is intended to be placed between a call to pcap_compile() and pcap_setfilter() in the application itself. I wanted to avoid touching the libraries at all because my application doesn't always have the option of upgrading the current winpcap install since it is a type of temporary remote probe that needs to leave the workstation in the exact same state when it is finished.
Be careful if you allocate memory inside your app (ins = (...)malloc(...)), and then free it by using "pcap_freecode()" (somewhere in your code, not the one in the snippet you sent). It's always extremely dangerous to allocate memory into an exe/dll and free it into another dll/exe: you don't know
I made that mistake in my first draft by calling pcap_freecode() with the pointer I had created with malloc() and it crashed immediately. I should mention that this code leaks the instruction array that it allocates and that you should call free(bpf.bf_insns) (and never pcap_freecode() for the reasons that you mention) sometime after pcap_setfilter().
Have a nice day
GV
Thanks a lot for such a quick reply!
cheers,
--brl
==================================================================
This is the WinPcap users list. It is archived at http://www.mail-archive.com/[EMAIL PROTECTED]/
==================================================================
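
Added example, not part of the original messages or of WinPcap: the padding workaround from the thread written so that the library-allocated program and the application-allocated copy stay in separate structs, each released by the allocator that created it. The names padded_filter_init and padded_filter_free are hypothetical, and the struct definitions and the BPF_SEPARATION value are stand-ins assumed so the code builds without the WinPcap headers.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins so this builds without the WinPcap headers (assumption); a real
 * build includes <pcap.h> and uses the header's own BPF_SEPARATION. */
struct bpf_insn { unsigned short code; unsigned char jt, jf; unsigned int k; };
struct bpf_program { unsigned int bf_len; struct bpf_insn *bf_insns; };
#define BPF_SEPARATION 0xff /* assumed value */

/* Build an app-owned copy of `compiled` with BPF_SEPARATION appended. `compiled`
 * is left untouched for pcap_freecode(). Returns 0, or -1 on error. */
int padded_filter_init(struct bpf_program *padded, const struct bpf_program *compiled)
{
    padded->bf_len = 0;
    padded->bf_insns = NULL;
    if (compiled->bf_len == UINT_MAX ||                       /* len + 1 would wrap */
        (compiled->bf_len > 0 && compiled->bf_insns == NULL)) /* nothing to copy from */
        return -1;
    size_t n = (size_t)compiled->bf_len + 1;
    padded->bf_insns = calloc(n, sizeof(struct bpf_insn));    /* zeroed, size overflow checked */
    if (padded->bf_insns == NULL)
        return -1;
    if (compiled->bf_len > 0)
        memcpy(padded->bf_insns, compiled->bf_insns, compiled->bf_len * sizeof(struct bpf_insn));
    padded->bf_insns[compiled->bf_len].code = BPF_SEPARATION;
    padded->bf_len = (unsigned int)n;
    return 0;
}

/* The array came from this module's allocator, so it goes back to free(),
 * never pcap_freecode(): that is the cross-module free the thread warns about. */
void padded_filter_free(struct bpf_program *padded)
{
    free(padded->bf_insns);
    padded->bf_insns = NULL;
    padded->bf_len = 0;
}

int main(void)
{
    /* Constructed two-instruction program standing in for pcap_compile() output. */
    struct bpf_insn insns[2] = { { 0x28, 0, 0, 12 }, { 0x06, 0, 0, 65535 } };
    struct bpf_program compiled = { 2, insns }, padded;
    if (padded_filter_init(&padded, &compiled) != 0)
        return 1;
    /* pcap_setfilter(handle, &padded), then pcap_freecode(&compiled), go here. */
    padded_filter_free(&padded);
    return 0;
}
```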
