From 79c75bbb4d89d2a323646bf56874ae89ef0b0c40 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 6 Sep 2012 07:53:52 +0200
Subject: [PATCH] af-packet: fix kernel offset issue

It seems that, in some case, there is a read waiting but the
offset in the ring buffer is not correct and Suricata need to
walk the ring to find the correct place and make the read.
---
 src/source-af-packet.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/source-af-packet.c b/src/source-af-packet.c
index a671fd5346..97eead2e90 100644
--- a/src/source-af-packet.c
+++ b/src/source-af-packet.c
@@ -399,6 +399,7 @@ int AFPReadFromRing(AFPThreadVars *ptv)
 {
     Packet *p = NULL;
     union thdr h;
+    int read_pkts = 0;
 
     /* Loop till we have packets available */
     while (1) {
@@ -408,9 +409,17 @@ int AFPReadFromRing(AFPThreadVars *ptv)
             SCReturnInt(AFP_FAILURE);
         }
         if (h.h2->tp_status == TP_STATUS_KERNEL) {
+            if (read_pkts == 0) {
+               if (++ptv->frame_offset >= ptv->req.tp_frame_nr) {
+                   ptv->frame_offset = 0;
+               }
+               continue;
+            }
             SCReturnInt(AFP_READ_OK);
         }
 
+        read_pkts++;
+
         p = PacketGetFromQueueOrAlloc();
         if (p == NULL) {
             SCReturnInt(AFP_FAILURE);
-- 
2.47.3