Wireshark mailing list archives

Re: PCAP-NG files being corrupted by fuzz tester


From: Guy Harris <guy () alum mit edu>
Date: Fri, 2 Mar 2012 16:08:30 -0800


On Mar 2, 2012, at 3:04 PM, Guy Harris wrote:


On Mar 2, 2012, at 2:45 PM, Guy Harris wrote:

On Mar 2, 2012, at 2:36 PM, Jeff Morriss wrote:

The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz 
tester fails every time.  Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts.  
(Or Wiretap needs to not give the non-packet parts to editcap.)

...or my recent changes to wiretap/pcapng.c broke something, or....

Without fuzzing, editcap will mangle your test file when converted to pcap-NG, so it's not a question of editcap 
corrupting the non-packet parts.

Or, at least, not *intentionally* corrupting it as part of the fuzzing process.

It does, however, appear to be a question of editcap not handling a file with multiple IDBs - it's calling 
pcap_dump_open(), not pcap_dump_open_ng().

Perhaps the offending file, which has two IDBs, is new to the menagerie, and no other files in the menagerie are 
pcap-NG files with more than one IDB, so we haven't bumped into this yet.
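
Added example, not part of the original message and not Wireshark code: a small Python walker over pcap-NG blocks that lists the IDB link types in each section, which is enough to find capture files with more than one IDB. The function names and the sample bytes are constructed for illustration; the block type and magic values are those of the pcap-NG format.

```python
import struct

SHB, IDB, EPB, MAGIC = 0x0A0D0D0A, 1, 6, 0x1A2B3C4D  # block types, byte-order magic
ORDER = {struct.pack("<I", MAGIC): "<", struct.pack(">I", MAGIC): ">"}

def walk_blocks(data):
    """Yield (block_type, body, endian) for every block in a pcap-NG byte string."""
    off, endian = 0, "<"
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # The SHB type reads the same in either byte order; the magic decides.
            endian = ORDER.get(data[off + 8:off + 12])
            if endian is None:
                raise ValueError(f"bad byte-order magic at offset {off}")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length trailer mismatch at offset {off}")
        yield btype, data[off + 8:off + total - 4], endian
        off += total

def interface_summary(data):
    """Return one list per section holding the link type of each IDB in it."""
    sections = []
    for btype, body, endian in walk_blocks(data):
        if btype == SHB:
            sections.append([])
        elif not sections or (btype in (IDB, EPB) and len(body) < 8):
            raise ValueError("block outside a section, or block body too short")
        elif btype == IDB:
            sections[-1].append(struct.unpack_from(endian + "H", body)[0])
        elif btype == EPB and struct.unpack_from(endian + "I", body)[0] >= len(sections[-1]):
            raise ValueError("packet block references an undefined interface")
    return sections

def has_multiple_idbs(data):  # the case the message above describes
    return any(len(links) > 1 for links in interface_summary(data))

def block(btype, body):  # little-endian block builder for the constructed sample
    total = struct.pack("<I", 12 + len(body))
    return struct.pack("<I", btype) + total + body + total

# Constructed sample: one section, two IDBs (Ethernet = 1, 802.11 = 105), one packet.
SAMPLE = (block(SHB, struct.pack("<IHHq", MAGIC, 1, 0, -1))
          + block(IDB, struct.pack("<HHI", 1, 0, 65535))
          + block(IDB, struct.pack("<HHI", 105, 0, 65535))
          + block(EPB, struct.pack("<5I", 1, 0, 0, 4, 4) + b"\x00" * 4))
```

Reading each capture's bytes and calling `has_multiple_idbs` on them picks out the files that exercise the multi-interface write path; a `ValueError` marks a file whose block framing is already damaged.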
