Date: Fri, 10 Sep 1999 12:23:14 +0200 (SAT) From: Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za> To: freebsd-hackers@freebsd.org Cc: freebsd-current@freebsd.org Subject: Endless loop in libpcap 2.2.x/3.x/-current Message-ID: <199909101023.MAA09680@oskar.nanoteq.co.za>
next in thread | raw e-mail | index | archive | help
--ELM936958994-8969-0_ Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Hi ... We are running a system where we use the libpcap to capture packets from an ethernet device. We've been observing a problem where the monitor program goes into an endless loop and spins for ever. I've compiled the program with debugging on and observed that the call-back function is called repeatedly from the libpcap library. I examined the library and ended up in the pcap_read function in pcap-bpf.c The code follows snip - snip - snip round line 110 in 2.2.x and in -current ------------------ #define bhp ((struct bpf_hdr *)bp) ep = bp + cc; while (bp < ep) { register int caplen, hdrlen; caplen = bhp->bh_caplen; hdrlen = bhp->bh_hdrlen; /* * XXX A bpf_hdr matches a pcap_pkthdr. */ (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen); bp += BPF_WORDALIGN(caplen + hdrlen); if (++n >= cnt && cnt > 0) { p->bp = bp; p->cc = ep - bp; return (n); } } #undef bhp p->cc = 0; return (n); ---------- In our case (from the debug info obtained from our program, I can see that bhp->bh_caplen and bhp->bh_hdrlen are both zero (0). (gdb) p *(struct bpf_hdr *)pkt $11 = {bh_tstamp = {tv_sec = 16652, tv_usec = 0}, bh_caplen = 0, bh_datalen = 33555200, bh_hdrlen = 0} pkt is bp received back from libpcap. cnt is -1 when we installed the callback function. As can be seen ... caplen and hdrlen is then set to 0. bp is smaller than ep because cc >0 (data was read) It enters the while loop, set caplen, hdrlen to 0, calls the callback function. libpcap then tries to increment bp with the BPF_WORDALIGN macro. From bpf.h #define BPF_ALIGNMENT sizeof(long) #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) This concludes to (gdb) p (((0)+(sizeof(long)-1))&~(sizeof(long)-1)) $12 = 0 so bp is NOT incremented and the whole process is repeated and here it gets stuck in the loop. I attached a possible fix for this, please review, edit as necessar and commit :) The patch is to -current file, put should apply to most other versions too. Thankyou Reinier --ELM936958994-8969-0_ Content-Type: text/plain; charset=ISO-8859-1 Content-Disposition: attachment; filename=pcap.diff Content-Description: /tmp/pcap.diff Content-Transfer-Encoding: 7bit Index: pcap-bpf.c =================================================================== RCS file: /home/freebsd-cvs/src/contrib/libpcap/pcap-bpf.c,v retrieving revision 1.1.1.3 diff -c -r1.1.1.3 pcap-bpf.c *** pcap-bpf.c 1998/09/15 19:28:05 1.1.1.3 --- pcap-bpf.c 1999/09/10 10:11:49 *************** *** 117,122 **** --- 117,130 ---- * XXX A bpf_hdr matches a pcap_pkthdr. */ (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen); + /* + * If we can't increment bp, get out of the while + * We've atleast called the callback with the data + * we have at out disposal - NB : it might be garbage + */ + if (!BPF_WORDALIGN(caplen + hdrlen)) { + break; + } bp += BPF_WORDALIGN(caplen + hdrlen); if (++n >= cnt && cnt > 0) { p->bp = bp; --ELM936958994-8969-0_-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909101023.MAA09680>