Fix a problem that shows up with a max packet count passed to pcap_dispatch().

If the last record read in by a read() from a BPF device isn't a multiple of the alignment value for BPF_WORDALIGN(), we could increment bp past ep; handle that case. While we're at it, properly set p->bp and p->cc in the case where we break out of the loop due to a pcap_breakloop() call.
2010-09-01 00:36:07 -07:00 · 2010-09-01 00:36:07 -07:00 · b26d8d2aa8
parent 7f1c9ba7ad
commit b26d8d2aa8
1 changed files with 23 additions and 4 deletions
--- a/pcap-bpf.c
+++ b/pcap-bpf.c
@ -955,15 +955,29 @@ pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 		 * processed so far.
 		 */
 		if (p->break_loop) {
+			p->bp = bp;
+			p->cc = ep - bp;
+			/*
+			 * ep is set based on the return value of read(),
+			 * but read() from a BPF device doesn't necessarily
+			 * return a value that's a multiple of the alignment
+			 * value for BPF_WORDALIGN().  However, whenever we
+			 * increment bp, we round up the increment value by
+			 * a value rounded up by BPF_WORDALIGN(), so we
+			 * could increment bp past ep after processing the
+			 * last packet in the buffer.
+			 *
+			 * We treat ep < bp as an indication that this
+			 * happened, and just set p->cc to 0.
+			 */
+			if (p->cc < 0)
+				p->cc = 0;
 			if (n == 0) {
 				p->break_loop = 0;
 				return (PCAP_ERROR_BREAK);
-			} else {
-				p->bp = bp;
-				p->cc = ep - bp;
+			} else
 				return (n);
 		}
-		}

 		caplen = bhp->bh_caplen;
 		hdrlen = bhp->bh_hdrlen;
@ -1014,6 +1028,11 @@ pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
 			if (++n >= cnt && cnt > 0) {
 				p->bp = bp;
 				p->cc = ep - bp;
+				/*
+				 * See comment above about p->cc < 0.
+				 */
+				if (p->cc < 0)
+					p->cc = 0;
 				return (n);
 			}
 		} else {