Bug 76037 - libpcap miscalculates network buffer size
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Harald Hoyer
Reported: 2002-10-15 19:47 EDT by Alexander Kourakos
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2003-03-10 10:33:33 EST

Attachments
patch to use snaplen (406 bytes, patch)
2002-10-15 19:48 EDT, Alexander Kourakos
Description Alexander Kourakos 2002-10-15 19:47:57 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020801

Description of problem:
I was having problems with Snort mysteriously dying on my PPP gateway machine.
It was very frustrating and I recently spent some time tracing the problem.
Turns out libpcap creates a network buffer with size based on the MTU, which is
not the upper bound for received packet size. Whenever a larger packet comes in,
it overflows the buffer, and goes on to trash the adjacent packet filter
instructions. When libpcap sees an unknown instruction, it calls abort(), which
caused the silent Snort failures that were driving me nuts.

This doesn't show up with Ethernet, where the MTU/MRU are usually fixed at 1500.

I think this problem is present on all Red Hat versions >=7.0 but I only checked
it on 7.0.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run snort
2. receive a packet larger than the MTU

Additional info:

There are two solutions I tried: one is to simply set the bufsize to a very
large value like 64K; the other is to set the size to the available snaplen. The
latest version of libpcap does the latter, and the source code claims it will
always work on >=2.2 kernels, so I chose that solution.

I haven't had any problems with Snort, or anything else that uses libpcap, since
applying this patch!
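
Added example, not part of the bug report, the attached patch, or libpcap itself: a C sketch of the second fix described above, where the receive buffer is sized by snaplen and that same size is the limit passed to `recvfrom()`. The names `capture_one` and `demo`, the guard bytes standing in for the adjacent filter instructions, and the 1514/1600-byte sizes are constructed for illustration; it assumes Linux, where `MSG_TRUNC` makes `recvfrom()` report the full datagram length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define GUARD_LEN 8   /* stand-in for the filter instructions next to the buffer */

struct capture { size_t caplen, wirelen; int guard_ok; };

/* Receive one datagram into a buffer of exactly snaplen bytes. */
int capture_one(int fd, size_t snaplen, struct capture *out)
{
    uint8_t *buf = malloc(snaplen + GUARD_LEN);
    if (buf == NULL) return -1;
    memset(buf + snaplen, 0xA5, GUARD_LEN);
    /* Pass the allocation size itself as the limit. With MSG_TRUNC, Linux
     * returns the datagram's full length but copies at most snaplen bytes. */
    ssize_t n = recvfrom(fd, buf, snaplen, MSG_TRUNC, NULL, NULL);
    if (n < 0) { free(buf); return -1; }
    out->wirelen = (size_t)n;
    out->caplen = out->wirelen > snaplen ? snaplen : out->wirelen;
    out->guard_ok = 1;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (buf[snaplen + i] != 0xA5) out->guard_ok = 0;
    free(buf);
    return 0;
}

/* Constructed input: wire_len bytes sent over a local datagram socketpair. */
int demo(size_t wire_len, size_t snaplen, struct capture *out)
{
    int sv[2], rc = -1;
    uint8_t *pkt = malloc(wire_len);
    if (pkt == NULL) return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) { free(pkt); return -1; }
    memset(pkt, 0x41, wire_len);
    if (send(sv[0], pkt, wire_len, 0) == (ssize_t)wire_len)
        rc = capture_one(sv[1], snaplen, out);
    close(sv[0]); close(sv[1]); free(pkt);
    return rc;
}

int main(void)
{
    struct capture c;
    if (demo(1600, 1514, &c) != 0) return 1;
    printf("wire=%zu captured=%zu guard_ok=%d\n", c.wirelen, c.caplen, c.guard_ok);
    return 0;
}
```

A wire length larger than the captured length is the signal that a packet exceeded the buffer and was truncated rather than written past its end.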
Comment 1 Alexander Kourakos 2002-10-15 19:48:45 EDT
Created attachment 80584
patch to use snaplen
Comment 2 Harald Hoyer 2002-10-16 05:31:15 EDT
looks good to me..