From: Victor Julien
Date: Tue, 21 May 2024 12:13:11 +0000 (+0200)
Subject: pcap-log: use correct pkthdr size for limit enforcement
X-Git-Tag: suricata-7.0.6~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87be155d0f194b6596a48fc94e55c010dea74322;p=thirdparty%2Fsuricata.git

pcap-log: use correct pkthdr size for limit enforcement

The on-disk pcap pkthdr is 16 bytes. This was calculated using `sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On Macos, it's even worse, as a comment field grows the struct to 280 bytes. Address this by hardcoding the value of 16.
Bug: #7037.
(cherry picked from commit 6c937a9243af3423d6934439fee5df93792aa1bb)
---
diff --git a/src/log-pcap.c b/src/log-pcap.c
index a20fc84c37..d997471e36 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -86,6 +86,7 @@ typedef enum LogModeConditionalType_ {
 #define PCAP_SNAPLEN 262144
 #define PCAP_BUFFER_TIMEOUT 1000000 // microseconds
+#define PCAP_PKTHDR_SIZE 16
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
@@ -621,11 +622,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 if (pl->filename == NULL) {
@@ -708,11 +709,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 }
 }
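Review bot: The new `#define PCAP_PKTHDR_SIZE 16` has no comment saying where 16 comes from, so a later cleanup could plausibly turn it back into `sizeof(struct pcap_pkthdr)`. A one-line comment above it would prevent that: `/* per-packet record header size as written to the pcap file; not sizeof(struct pcap_pkthdr), which is larger in memory */`. The rationale currently lives only in the commit message, while the constant feeds the size-limit accounting in PcapLog.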
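Review bot: The `len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(...)` computation is written out in both branches of the hunk at -621 and again in both branches of the hunk at -708, which is why this fix had to touch four lines. The two branches make the same three assignments and differ only in reading `rp` or `p`. Selecting the packet once into a local and writing `len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(pkt);` a single time (the local name is illustrative) would leave one place to keep the size accounting correct. The branch condition and the rest of PcapLog lie outside both hunks, so whether the two copies can share a helper is for the author to confirm.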