pcap-log: use correct pkthdr size for limit enforcement

The on-disk pcap pkthdr is 16 bytes. This was calculated using
`sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On
Macos, it's even worse, as a comment field grows the struct to 280
bytes.

Address this by hardcoding the value of 16.

Bug: #7037.

diff --git a/src/log-pcap.c b/src/log-pcap.c
index 5fde4dfaba83b7592268988830d679219bb29b97..ad6a8d77c44c72846170d7febe4296b6d9749d87 100644 (file)
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -84,6 +84,7 @@ typedef enum LogModeConditionalType_ {
 
 #define PCAP_SNAPLEN                    262144
 #define PCAP_BUFFER_TIMEOUT             1000000 // microseconds
+#define PCAP_PKTHDR_SIZE                16
 
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
 
@@ -587,11 +588,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
         rp = p->root;
         pl->h->caplen = GET_PKT_LEN(rp);
         pl->h->len = GET_PKT_LEN(rp);
-        len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+        len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
     } else {
         pl->h->caplen = GET_PKT_LEN(p);
         pl->h->len = GET_PKT_LEN(p);
-        len = sizeof(*pl->h) + GET_PKT_LEN(p);
+        len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
     }
 
     if (pl->filename == NULL) {
@@ -661,11 +662,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
                 rp = p->root;
                 pl->h->caplen = GET_PKT_LEN(rp);
                 pl->h->len = GET_PKT_LEN(rp);
-                len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+                len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
             } else {
                 pl->h->caplen = GET_PKT_LEN(p);
                 pl->h->len = GET_PKT_LEN(p);
-                len = sizeof(*pl->h) + GET_PKT_LEN(p);
+                len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
             }
         }
     }