From 8c70dd8d176fca0c7e4ed759de0a05c2dd6424cf Mon Sep 17 00:00:00 2001
From: Loris Degioanni
Date: Tue, 6 Apr 2021 13:35:58 -0700
Subject: [PATCH] sysdig: simplified the separate handling of the two different sysdig block types
---
 wiretap/pcapng.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c
index 3a0ccce199..b2dcbd921e 100644
--- a/wiretap/pcapng.c
+++ b/wiretap/pcapng.c
@@ -131,9 +131,13 @@ typedef struct pcapng_name_resolution_block_s {
 /*
 * Minimum Sysdig size = minimum block size + packed size of sysdig_event_phdr.
+ * Minimum Sysdig event v2 header size = minimum block size + packed size of sysdig_event_v2_phdr (which, in addition
+ * to sysdig_event_phdr, includes the nparams 32bit value).
 */
 #define SYSDIG_EVENT_HEADER_SIZE ((16 + 64 + 64 + 32 + 16)/8) /* CPU ID + TS + TID + Event len + Event type */
 #define MIN_SYSDIG_EVENT_SIZE ((guint32)(MIN_BLOCK_SIZE + SYSDIG_EVENT_HEADER_SIZE))
+#define SYSDIG_EVENT_V2_HEADER_SIZE ((16 + 64 + 64 + 32 + 16 + 32)/8) /* CPU ID + TS + TID + Event len + Event type + nparams */
+#define MIN_SYSDIG_EVENT_V2_SIZE ((guint32)(MIN_BLOCK_SIZE + SYSDIG_EVENT_V2_HEADER_SIZE))
 /*
 * We require __REALTIME_TIMESTAMP in the Journal Export Format reader in
@@ -2356,11 +2360,18 @@ pcapng_read_sysdig_event_block(FILE_T fh, pcapng_block_header_t *bh,
 guint32 event_len;
 guint16 event_type;
 guint32 nparams;
+ guint min_event_size;
+
+ if (bh->block_type == BLOCK_TYPE_SYSDIG_EVENT_V2) {
+ min_event_size = MIN_SYSDIG_EVENT_V2_SIZE;
+ } else {
+ min_event_size = MIN_SYSDIG_EVENT_SIZE;
+ }
 if (bh->block_total_length < MIN_SYSDIG_EVENT_SIZE) {
 *err = WTAP_ERR_BAD_FILE;
 *err_info = g_strdup_printf("%s: total block length %u is too small (< %u)",
 G_STRFUNC,
- bh->block_total_length, MIN_SYSDIG_EVENT_SIZE);
+ bh->block_total_length, min_event_size);
 return FALSE;
 }
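Review bot: The size check in the @@ -2356 hunk still compares `bh->block_total_length` against `MIN_SYSDIG_EVENT_SIZE` even though `min_event_size` has just been selected for the block type, so a v2 block whose total length lies between the two minima passes the check, the error text quotes a bound that was never enforced, and the `block_read = block_total_length - min_event_size;` added in the @@ -2441 hunk then underflows (wrapping, if `block_read` is unsigned like its guint32 neighbours) into an oversized `event_filelen` that presumably feeds the event-data read that follows. The fix is to use the selected minimum in the condition: `if (bh->block_total_length < min_event_size) {`. Declaring it as `guint32 min_event_size;` would also match the type of the two macros and of `block_total_length`. `pcapng_read_sysdig_event_block` begins and ends outside the hunk, so whether the length is re-validated elsewhere in the function cannot be confirmed from here.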
@@ -2380,12 +2391,6 @@ pcapng_read_sysdig_event_block(FILE_T fh, pcapng_block_header_t *bh,
 wblock->rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN /*|WTAP_HAS_INTERFACE_ID */;
 wblock->rec->tsprec = WTAP_TSPREC_NSEC;
- if (bh->block_type == BLOCK_TYPE_SYSDIG_EVENT_V2) {
- block_read = block_total_length - 4;
- } else {
- block_read = block_total_length;
- }
-
 if (!wtap_read_bytes(fh, &cpu_id, sizeof cpu_id, err, err_info)) {
 pcapng_debug("pcapng_read_packet_block: failed to read sysdig event cpu id");
 return FALSE;
@@ -2413,7 +2418,6 @@ pcapng_read_sysdig_event_block(FILE_T fh, pcapng_block_header_t *bh,
 }
 }
- block_read -= MIN_SYSDIG_EVENT_SIZE;
 wblock->rec->rec_header.syscall_header.byte_order = G_BYTE_ORDER;
 /* XXX Use Gxxx_FROM_LE macros instead? */
@@ -2441,6 +2445,8 @@ pcapng_read_sysdig_event_block(FILE_T fh, pcapng_block_header_t *bh,
 wblock->rec->ts.secs = (time_t) (ts / 1000000000);
 wblock->rec->ts.nsecs = (int) (ts % 1000000000);
+ block_read = block_total_length - min_event_size;
+
 wblock->rec->rec_header.syscall_header.event_filelen = block_read;
 /* "Sysdig Event Block" read event data */