Red Hat Bugzilla – Bug 76037
libpcap miscalculates network buffer size
Last modified: 2008-05-01 11:38:04 EDT
Description of problem:
I was having problems with Snort mysteriously dying on my PPP gateway machine.
It was very frustrating and I recently spent some time tracing the problem.
Turns out libpcap creates a network buffer with size based on the MTU, which is
not the upper bound for received packet size. Whenever a larger packet comes in,
it overflows the buffer, and goes on to trash the adjacent packet filter
instructions. When libpcap sees an unknown instruction, it calls abort(), which
caused the silent Snort failures that were driving me nuts.
This doesn't show up with Ethernet, where the MTU/MRU are usually fixed at 1500.
I think this problem is present on all Red Hat versions >=7.0 but I only checked
it on 7.0.
Steps to Reproduce:
1. run snort
2. receive a packet larger than the MTU
There are two solutions I tried: one is to simply set the bufsize to a very
large value like 64K; the other is to set the size to the available snaplen. The
latest version of libpcap does the latter, and the source code claims it will
always work on >=2.2 kernels, so I chose that solution.
I haven't had any problems with Snort, or anything else that uses libpcap, since
applying this patch!
Created attachment 80584
patch to use snaplen
looks good to me..
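The failure mode and the snaplen fix described in the report, as an added example that is not part of the original bug thread and is not libpcap's code: a simplified model in which the packet buffer and the filter instructions share one flat region. The function name, the sizes, the marker byte and the assumption that the receive is limited by the snaplen are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARENA      4096  /* constructed: flat region standing in for the heap */
#define FILTER_LEN 8     /* constructed: filter bytes placed right after the buffer */
#define FILTER_OP  0x06  /* constructed marker for an intact instruction byte */

/* Model one receive. The packet buffer occupies arena[0..bufsize) and the
 * filter program follows it. The copy is bounded by read_limit (assumed here
 * to be the snaplen), not by bufsize, as in the behaviour the report describes.
 * Returns the number of filter bytes overwritten, or (size_t)-1 on bad sizes. */
size_t model_receive(size_t bufsize, size_t read_limit, size_t wire_len, size_t *caplen)
{
    unsigned char arena[ARENA], pkt[ARENA];
    size_t n = wire_len < read_limit ? wire_len : read_limit;
    size_t i, damaged = 0;

    if (bufsize + FILTER_LEN > ARENA || n > ARENA)
        return (size_t)-1;              /* keep the model itself in bounds */
    memset(arena, 0, sizeof arena);
    memset(arena + bufsize, FILTER_OP, FILTER_LEN);
    memset(pkt, 0xAA, sizeof pkt);      /* constructed packet contents */
    memcpy(arena, pkt, n);              /* the receive into the buffer */
    for (i = 0; i < FILTER_LEN; i++)
        if (arena[bufsize + i] != FILTER_OP)
            damaged++;
    *caplen = n;
    return damaged;
}

int main(void)
{
    const size_t mtu = 296, snaplen = 1514;   /* constructed values */
    const size_t wire[] = { 200, 300, 1500, 2000 };
    size_t i, cap;

    for (i = 0; i < sizeof wire / sizeof wire[0]; i++) {
        size_t before = model_receive(mtu, snaplen, wire[i], &cap);
        size_t after = model_receive(snaplen, snaplen, wire[i], &cap);
        printf("wire=%4zu caplen=%4zu filter bytes damaged: "
               "MTU-sized=%zu snaplen-sized=%zu\n", wire[i], cap, before, after);
    }
    return 0;
}
```

With the buffer sized to the snaplen, a packet longer than the snaplen is truncated to it and the bytes after the buffer stay intact.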