Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 12586] Error reading an externally generated CAP

Wireshark-bugs: [Wireshark-bugs] [Bug 12586] Error reading an externally generated CAP

Date: Sat, 16 Jul 2016 21:10:31 +0000

What	Removed	Added
Status	UNCONFIRMED	RESOLVED
CC		pascal.quantin@gmail.com
Resolution	---	NOTOURBUG

Comment # 3 on bug 12586 from Pascal Quantin

We added extra checks to ensure that the incl_len field is not bigger than what
Wireshark supports (WTAP_MAX_PACKET_SIZE = 262144).

    if (hdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
        /*
         * Probably a corrupt capture file; return an error,
         * so that our caller doesn't blow up trying to allocate
         * space for an immensely-large packet.
         */
        *err = WTAP_ERR_BAD_FILE;
        if (err_info != NULL) {
            *err_info = g_strdup_printf("pcap: File has %u-byte packet, bigger
than maximum of %u",
                hdr.hdr.incl_len, WTAP_MAX_PACKET_SIZE);
        }
        return FALSE;
    } 

This field is NOT designed to store private information. As Jaap indicated,
libpcap was not designed for this, while pcapng was.

You are now hitting one of our heuristics to detect potential malformed capture
files (see https://code.wireshark.org/review/3808).

We are probably not wiling to change this.

You are receiving this mail because:

You are watching all bug changes.

References:
- [Wireshark-bugs] [Bug 12586] New: Error reading an externally generated CAP
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 12625] New: Buildbot crash output: fuzz-2016-07-16-4514.pcap
Next by Date: [Wireshark-bugs] [Bug 12624] Infinite loop in dissect_mmse()
Previous by thread: [Wireshark-bugs] [Bug 12586] Error reading an externally generated CAP
Next by thread: [Wireshark-bugs] [Bug 12586] Error reading an externally generated CAP
Index(es):
- Date
- Thread