From ef43fd48b4f981392a0c61b5e9a804e8f9c85eb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dr=2E=20Lars=20V=C3=B6lker?= Date: Wed, 12 Jan 2022 20:17:42 +0100 Subject: [PATCH] tshark: improve robustness for PCAPNGs not starting with IDBs The PCAPNG code assumes that PCAPNGs start with IDBs, which might not be true. This patch adds a workaround for Tshark to process such files. --- tshark.c | 18 ++++++++++++++++++ wiretap/pcapng.c | 1 + 2 files changed, 19 insertions(+) diff --git a/tshark.c b/tshark.c index 3a01f5b84c..b58fd26878 100644 --- a/tshark.c +++ b/tshark.c @@ -3625,11 +3625,24 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type, wtap_dump_params params = WTAP_DUMP_PARAMS_INIT; char *shb_user_appl; pass_status_t first_pass_status, second_pass_status; + gboolean pcapng_pcapng_workaround = false; + wtapng_iface_descriptions_t if_tmp; if (save_file != NULL) { /* Set up to write to the capture file. */ wtap_dump_params_init_no_idbs(¶ms, cf->provider.wth); + /* workaround for pcapng -> pcapng (e.g., when pcapng starts with a custom block) */ + if (out_file_type == wtap_pcapng_file_type_subtype() && params.encap == WTAP_ENCAP_UNKNOWN) { + pcapng_pcapng_workaround = true; + params.encap = WTAP_ENCAP_PER_PACKET; + params.dont_copy_idbs = true; /* make sure this stay true */ + if (params.idb_inf->interface_data != NULL) { + /* lets fake an interface, which is not copied anyway */ + g_array_insert_val(params.idb_inf->interface_data, 0, if_tmp); + } + } + /* If we don't have an application name add TShark */ if (wtap_block_get_string_option_value(g_array_index(params.shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) { /* this is free'd by wtap_block_unref() later */ 
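Review bot: `if_tmp` is declared without an initializer and then copied into `params.idb_inf->interface_data` by `g_array_insert_val`, so element 0 of that array holds indeterminate stack bytes until the second hunk removes it. The dump-open call sits between insert and removal, outside this hunk, and the hunk does not show whether it reads the array. If it does, it would act on a garbage entry while handling a capture file that may be untrusted. Zero-initialise the placeholder with `wtapng_iface_descriptions_t if_tmp = { 0 };`, and confirm its type matches the array's element type; the neighbouring `shb_hdrs` array is indexed as `wtap_block_t`, so a `wtap_block_t` set to `NULL` may be the intended placeholder. The body of process_cap_file continues outside the hunk.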
@@ -3653,6 +3666,11 @@ process_cap_file(capture_file *cf, char *save_file, int out_file_type, &err, &err_info); } + if (pcapng_pcapng_workaround) { + /* remove the fake interface before it will be used */ + g_array_remove_index((params.idb_inf->interface_data), 0); + } + g_free(params.idb_inf); params.idb_inf = NULL; diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c index 604b348e09..7e60cfc040 100644 --- a/wiretap/pcapng.c +++ b/wiretap/pcapng.c @@ -3530,6 +3530,7 @@ pcapng_open(wtap *wth, int *err, gchar **err_info) ws_debug("Check for more IDBs, block_type 0x%08x", bh.block_type); + /* XXX - This code expects that the PCAPNG Sections start with IDBs but the PCAPNG RFC does not say that!? */ if (bh.block_type != BLOCK_TYPE_IDB) { break; /* No more IDBs */ }
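Review bot: The removal runs whenever `pcapng_pcapng_workaround` is set, but the first hunk inserts the placeholder only when `params.idb_inf->interface_data != NULL`, so with a NULL array this passes NULL to `g_array_remove_index`. Guard it the same way, `if (pcapng_pcapng_workaround && params.idb_inf->interface_data != NULL) {`, or set the flag only inside the branch that performs the insert. The comment says the entry is removed "before it will be used", yet the call ending in `&err, &err_info);` runs while the placeholder is still in the array. A sentence on why that call never reads it (presumably because `dont_copy_idbs` is set) would make the invariant checkable. The body of process_cap_file starts and ends outside the hunk.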
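Review bot: The new `XXX` comment in pcapng_open names the assumption but not its consequence, and the trailing "!?" reads as a question rather than a finding. The loop still breaks at the first block whose type is not `BLOCK_TYPE_IDB`, so IDBs that follow another block type are not collected here. I would say so directly: `/* XXX - Assumes each section starts with its IDBs, which the pcapng specification does not require; IDBs that follow another block type are not collected by this loop. */`. The loop this sits in starts outside the hunk.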