From 87be155d0f194b6596a48fc94e55c010dea74322 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 21 May 2024 14:13:11 +0200
Subject: [PATCH] pcap-log: use correct pkthdr size for limit enforcement
The on-disk pcap pkthdr is 16 bytes. This was calculated using `sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On Macos, it's even worse, as a comment field grows the struct to 280 bytes. Address this by hardcoding the value of 16.
Bug: #7037.
(cherry picked from commit 6c937a9243af3423d6934439fee5df93792aa1bb)
---
 src/log-pcap.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/log-pcap.c b/src/log-pcap.c
index a20fc84c37..d997471e36 100644
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@@ -86,6 +86,7 @@ typedef enum LogModeConditionalType_ {
 #define PCAP_SNAPLEN 262144
 #define PCAP_BUFFER_TIMEOUT 1000000 // microseconds
+#define PCAP_PKTHDR_SIZE 16
 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);
@@ -621,11 +622,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 if (pl->filename == NULL) {
@@ -708,11 +709,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
 rp = p->root;
 pl->h->caplen = GET_PKT_LEN(rp);
 pl->h->len = GET_PKT_LEN(rp);
- len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
 } else {
 pl->h->caplen = GET_PKT_LEN(p);
 pl->h->len = GET_PKT_LEN(p);
- len = sizeof(*pl->h) + GET_PKT_LEN(p);
+ len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
 }
 }
 }
--
2.47.2
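Review bot: The new `PCAP_PKTHDR_SIZE` define in the first hunk has no comment, so the reason it is a literal 16 rather than `sizeof(struct pcap_pkthdr)` is recorded only in the commit message. Without that, a later cleanup could plausibly "fix" the magic number back to `sizeof` and reintroduce the over-counting in the size-limit accounting. I would add above the define: `/* size of the per-packet record header as written to the pcap file; NOT sizeof(struct pcap_pkthdr), which is larger in memory and platform dependent */`.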
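Review bot: The record-size expression `PCAP_PKTHDR_SIZE + GET_PKT_LEN(...)` is now written out four times across the hunks at -621 and -708 of PcapLog, the same duplication that forced this fix to touch four lines. Keeping it in one place, for example `#define PCAP_RECORD_SIZE(pkt) (PCAP_PKTHDR_SIZE + GET_PKT_LEN(pkt))` used as `len = PCAP_RECORD_SIZE(rp);`, would stop the two paths from drifting apart in how they feed the limit check. Both hunks sit inside if/else bodies whose conditions are outside the visible lines, as is the declaration of `len`, so its type and the comparison against the configured limit could not be checked here.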