tcpdump mailing list archives

Re: Buffer overwrites with pcap_next_ex

From: Andreas Rieke <andreas.rieke () isl de>
Date: Sun, 15 Feb 2009 19:52:58 +0100

Hi,

thank you very much, I was already despairing of that issue,

best regards,

Andreas



Guy Harris schrieb:


On Jan 25, 2009, at 2:05 AM, Andreas Rieke wrote:

I have forgotten to mention that I use libpcap 1.0.0.


...which means that, at least on Linux, libpcap's probably using the
memory-mapped interface...

Since I placed a debug output before and after each call to pcap, I am
very sure that no pcap functions are called - especially not those you
mention.


...and:

    in the memory-mapped interface, each packet in the buffer shared
between the kernel and userland has a status flag indicating, among
other things, to whom the packet "belongs";

    when the callback for a packet returns, the packet is marked as
belonging to the kernel, which means the kernel can reuse that space in
the shared buffer;

    pcap_next() and pcap_next_ex() use pcap_dispatch() plus a callback
which fills in pointers to the packet header and the packet data, and
then, after pcap_dispatch() returns (which means the callback routine
has returned), returns.

This means that, with the memory-mapped interface, the packet is subject
to being overwritten by the kernel after pcap_next() or pcap_next_ex()
returns.

This is probably fixable only by releasing the packet to the kernel
before we call the callback for the *next* packet rather than after the
callback for *that* packet returns.

For now, the workaround would be not to use pcap_next() or
pcap_next_ex(), but to use pcap_loop() or pcap_dispatch(), and not to
assume that you can do anything with the packet data once your callback
returns.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.



-- 
Dr. Andreas Rieke
Geschäftsführer
ISL Internet Sicherheitslösungen GmbH
Bergstrasse 128, 58095 Hagen
Amtsgericht Hagen HRB 3816

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Buffer overwrites with pcap_next_ex Andreas Rieke (Jan 24)
- Re: Buffer overwrites with pcap_next_ex Guy Harris (Jan 24)
  - Re: Buffer overwrites with pcap_next_ex Guy Harris (Jan 24)
  - Re: Buffer overwrites with pcap_next_ex Andreas Rieke (Jan 26)
    - Re: Buffer overwrites with pcap_next_ex Guy Harris (Feb 14)
    - Re: Buffer overwrites with pcap_next_ex Michael Bernstein (Feb 15)
    - Re: Buffer overwrites with pcap_next_ex Andreas Rieke (Feb 15)