From: Victor Julien
Date: Tue, 21 May 2024 12:13:11 +0000 (+0200)
Subject: pcap-log: use correct pkthdr size for limit enforcement
X-Git-Tag: suricata-8.0.0-beta1~1280
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c937a9243af3423d6934439fee5df93792aa1bb;p=thirdparty%2Fsuricata.git
pcap-log: use correct pkthdr size for limit enforcement
The on-disk pcap pkthdr is 16 bytes. This was calculated using `sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On Macos, it's even worse, as a comment field grows the struct to 280 bytes. Address this by hardcoding the value of 16. Bug: #7037.
---
diff --git a/src/log-pcap.c b/src/log-pcap.c
index 5fde4dfaba..ad6a8d77c4 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -84,6 +84,7 @@ typedef enum LogModeConditionalType_ {
 #define PCAP_SNAPLEN 262144
 #define PCAP_BUFFER_TIMEOUT 1000000 // microseconds
+#define PCAP_PKTHDR_SIZE 16
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
@@ -587,11 +588,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 if (pl->filename == NULL) {
@@ -661,11 +662,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 }
 }
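Review bot: `PCAP_PKTHDR_SIZE` is added without a comment, so the reason it is a literal rather than `sizeof(struct pcap_pkthdr)` lives only in the commit message. A one-line comment above the define would keep a later cleanup from reverting it, for example `/* on-disk pcap record header (ts_sec, ts_usec, caplen, len: 4 x 32 bit); the in-memory struct pcap_pkthdr is larger */`. Because this value feeds the file size limit accounting, it is also worth confirming that no other size calculation in log-pcap.c still uses the in-memory struct size; the hunks shown cover only PcapLog.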
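Review bot: The record-length expression now appears four times, twice in this hunk and twice in the hunk at -661, each next to the same `caplen`/`len` assignments, which is why the fix had to touch four lines. The branches differ only in the packet used (`rp` or `p`), so a small static helper that fills `pl->h->caplen` and `pl->h->len` and returns `PCAP_PKTHDR_SIZE + GET_PKT_LEN(pkt)` would leave a single place where the on-disk size has to be right. The declaration of `len` and the branch condition are outside the hunks, so the helper's return type should follow whatever type `len` has there. PcapLog's body starts outside both hunks.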