tcpdump mailing list archives

Re: Buffer overwrites with pcap_next_ex

From: Andreas Rieke <andreas.rieke () isl de>
Date: Sun, 25 Jan 2009 11:05:19 +0100

Hi,

I have forgotten to mention that I use libpcap 1.0.0.

Guy Harris schrieb:


On Jan 24, 2009, at 6:36 AM, Andreas Rieke wrote:

I have seen a strange behavior of pcap_next_ex where a buffer is
overwritten. When pcap_next_ex has finished, it returns a buffer for the
packet header and one for the packet data.


No.  pcap_next_ex() returns a pointer to a packet header and a pointer
to packet data.

These are, in fact, pointers to a structure internal to libpcap and a
buffer internal to libpcap, respectively - and those buffers can be
reused, and hence overwritten, by subsequent calls to pcap_next_ex() (or
pcap_next() or pcap_dispatch() or pcap_loop()).


Sorry for the improper description.

When processing the packet
data, I have often seen strange data. For that reason, I have changed my
code to copy – for debug purposes - the packet data into a buffer, after
that process them and in the last step compare to the original data: It
has changed, although I am sure that my code does not write into that
buffer!


Do you make any pcap_next_ex() calls (or pcap_next() or pcap_dispatch()
or pcap_loop() calls) in between copying the data and comparing it?  If
so, that could cause the symptoms you're seeing, for the reason
described above.


Since I placed a debug output before and after each call to pcap, I am
very sure that no pcap functions are called - especially not those you
mention.

In future, I would like to
process multiple interfaces using select/pcap_dispatch. Will I have the
same problems there?


You won't have that problem *between* interfaces, because each pcap_t
has its own buffer.-


Just to be sure that I do not misunderstand that: When I use n pcap_t
structures, each for another interface, do you recommend to process them
 in a multithreaded environment, with one thread per pcap_t using
pcap_next_ex? In this case, I will get overlapping pcap_next_ex calls.

Or should I better change my code to work in a single thread, with
select/pcap_dispatch?

Thanks in advance,

Andreas



-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Buffer overwrites with pcap_next_ex Andreas Rieke (Jan 24)
- Re: Buffer overwrites with pcap_next_ex Guy Harris (Jan 24)
  - Re: Buffer overwrites with pcap_next_ex Guy Harris (Jan 24)
  - Re: Buffer overwrites with pcap_next_ex Andreas Rieke (Jan 26)
    - Re: Buffer overwrites with pcap_next_ex Guy Harris (Feb 14)
    - Re: Buffer overwrites with pcap_next_ex Michael Bernstein (Feb 15)
    - Re: Buffer overwrites with pcap_next_ex Andreas Rieke (Feb 15)