Reject pcap files that claim on-the-wire packet sizes > 64MB. This fixes many

heuristic cases broken in r49999 when we permitted packets > 64KB, since that relaxed so severely the definition of a valid packet header. 64MB is an arbitrary and perhaps suboptimal number, but it seems to do the right thing in all the examples I have handy. Fixes https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9634 svn path=/trunk/; revision=54812
2014-01-15 02:09:11 +00:00 · 2014-01-15 02:09:11 +00:00 · dae86605b6
parent 61867d0b2f
commit dae86605b6
1 changed files with 18 additions and 0 deletions
--- a/wiretap/libpcap.c
+++ b/wiretap/libpcap.c
@ -764,6 +764,24 @@ static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
 		return -1;
 	}

+        if (hdr->hdr.orig_len > 64*1024*1024) {
+		/*
+                 * In theory I guess the on-the-wire packet size can be
+                 * arbitrarily large, and it can certainly be larger than the
+                 * 64KB which bounds the snapshot size, but any file claiming
+                 * 64MB in a single packet is *probably* corrupt, and makes the
+                 * heuristics much more reliable. See, for example,
+                 * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9634
+                 * (64MB is an arbitrary size at this point)
+		 */
+		*err = WTAP_ERR_BAD_FILE;
+		if (err_info != NULL) {
+			*err_info = g_strdup_printf("pcap: File claims packet was %u bytes on the wire",
+			    hdr->hdr.orig_len);
+		}
+		return -1;
+        }
+
        /* Disabling because this is not a fatal error, and packets that have
         * one such packet probably have thousands. For discussion, see
         * https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html