
Bug 2027937

Summary: libpcap 1.5.3 with distro patch applied writes pcap file with broken pkthdr
Product: Red Hat Enterprise Linux 7
Reporter: Yousong Zhou <yszhou4tech>
Component: libpcap
Assignee: Michal Ruprich <mruprich>
Status: CLOSED ERRATA
QA Contact: František Hrdina <fhrdina>
Severity: medium
Priority: unspecified
Version: 7.9
CC: fhrdina, gharris, jorton, kpfleming, mruprich
Target Milestone: rc
Keywords: AutoVerified, Reproducer, Triaged, ZStream
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: libpcap-1.5.3-13.el7_9
Last Closed: 2022-04-05 17:17:49 UTC
Type: Bug

Description Yousong Zhou 2021-12-01 05:08:29 UTC
Description of problem:

The issue was found on a RHEL 7 derivative.  It was also reported to the-tcpdump-group/libpcap and the CentOS community:

 - https://github.com/the-tcpdump-group/libpcap/issues/1071
 - https://bugs.centos.org/view.php?id=18365

Quote:

To summarize, pcap file written with `tcpdump -i any -w a.pcap` will be rejected by tcpdump 4.99 which adds sanity checks on pkthdr struct.

The other issue as analyzed there by @guyharris is that when inspecting the bad pcap file with tcpdump 4.9, it may access 16 bytes of data out of bounds. See https://github.com/the-tcpdump-group/libpcap/issues/1071#issuecomment-980442403


Version-Release number of selected component (if applicable):

libpcap-1.5.3-12.1.al7.src.rpm


How reproducible:

Always


Steps to Reproduce:

Run the following commands to dump a few packets

  tcpdump -i any -w a.pcap -c 8

Hexdump check on first few bytes of the file. snaplen is 16 bytes bigger than actual len field for each packet header

00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 04 00 71 00 00 00  cb 5e 9f 61 ae 80 04 00  |....q....^.a....|
00000020  c9 03 00 00 b9 03 00 00  00 00 00 01 00 06 ee ff  |................|
          ^^          ^^
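
A capture file can be checked for this defect without tcpdump by walking the record headers and comparing the captured length with the original length. The following is an added example, not part of the original report and not code from libpcap or tcpdump; the name check_pcap and the layout of the findings are assumptions of this example, and SAMPLE is the 48 bytes shown in the hexdump above (the packet data is cut off there).

```python
import struct

# Classic pcap magic numbers mapped to the struct byte-order prefix.
MAGICS = {
    bytes.fromhex("d4c3b2a1"): "<", bytes.fromhex("a1b2c3d4"): ">",  # microsecond
    bytes.fromhex("4d3cb2a1"): "<", bytes.fromhex("a1b23c4d"): ">",  # nanosecond
}

# The 48 bytes from the hexdump in the report: the 24-byte file header, one
# 16-byte record header, and the first 8 bytes of packet data (rest not shown).
SAMPLE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000"
    "00000400 71000000 cb5e9f61 ae800400"
    "c9030000 b9030000 00000001 0006eeff"
)


def check_pcap(data):
    """Return (snaplen, linktype, findings) for a classic pcap byte string.

    Each finding is (record_index, file_offset, caplen, len, reason).
    """
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    # Fields: version major/minor, thiszone, sigfigs, snaplen, linktype.
    _, _, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    findings = []
    offset, index = 24, 0
    while offset + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(order + "IIII", data[offset:offset + 16])
        if caplen > origlen:
            findings.append((index, offset, caplen, origlen, "caplen exceeds len"))
        elif caplen > snaplen:
            findings.append((index, offset, caplen, origlen, "caplen exceeds snaplen"))
        # Records are laid out by caplen, so that is how far to skip even when
        # it is wrong; a truncated final record simply ends the walk.
        offset += 16 + caplen
        index += 1
    return snaplen, linktype, findings


if __name__ == "__main__":
    snaplen, linktype, findings = check_pcap(SAMPLE)
    print(f"snaplen={snaplen} linktype={linktype}")
    for idx, off, caplen, origlen, why in findings:
        print(f"record {idx} at offset {off}: caplen={caplen} len={origlen} ({why})")
```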

Comment 3 Michal Ruprich 2021-12-14 10:38:46 UTC
Just adding a reproducer where it might be a little bit simpler to see what is going on and what is wrong:

In one terminal:
# tcpdump -i any -w ping.pcap --immediate-mode -c 1 icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

In another terminal:
# ping -c 1 -p ff 127.0.0.1

In the first terminal:
1 packet captured
4 packets received by filter
0 packets dropped by kernel
# tcpdump -X -r ping.pcap
reading from file ping.pcap, link-type LINUX_SLL (Linux cooked)
05:31:04.048163 IP localhost > localhost: ICMP echo request, id 8156, seq 1, length 64
	0x0000:  4500 0054 e899 4000 4001 540d 7f00 0001  E..T..@.@.T.....
	0x0010:  7f00 0001 0800 ad92 1fdc 0001 6872 b861  ............hr.a
	0x0020:  0000 0000 09bc 0000 0000 0000 ffff ffff  ................
	0x0030:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0050:  ffff ffff 0000 0000 0000 0000 0000 0000  ................
	0x0060:  0000 0000 <-------- These zeros should not be here, exactly 16 extra bytes as the size of sll_header

The output of ping.pcap should look like this:
11:32:18.409143 lo    In  IP localhost > localhost: ICMP echo request, id 1, seq 1, length 64
	0x0000:  4500 0054 00a3 4000 4001 3c04 7f00 0001  E..T..@.@.<.....
	0x0010:  7f00 0001 0800 abeb 0001 0001 b272 b861  .............r.a
	0x0020:  0000 0000 db3d 0600 0000 0000 ffff ffff  .....=..........
	0x0030:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff  ................
	0x0050:  ffff ffff

Comment 20 errata-xmlrpc 2022-04-05 17:17:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libpcap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1201