From b6444dce0c9c830ee3be5398b62e9a68efe56902 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 27 Sep 2021 12:11:19 -0700
Subject: [PATCH] Fix issue with broken libpcaps that return repeat packets

This is apparently a problem with the Myricom version of libpcap, where instead of returning a null or a zero if no packets are available, it returns the previous packet. This causes Zeek to improperly parse the packet and crash. We thought we had fixed this previously with a check for a null packet but that fix was not enough.
---
 src/iosource/pcap/Source.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc
index 164bd06a2c..8afe55638a 100644
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@@ -247,6 +247,14 @@ bool PcapSource::ExtractNextPacket(Packet* pkt)
 ++stats.received;
 stats.bytes_received += header->len;
+ // Some versions of libpcap (myricom) are somewhat broken and will return a duplicate
+ // packet if there are no more packets available. Namely, it returns the exact same
+ // packet structure (including the header) out of the library without reinitializing
+ // any of the values. If we set the header lengths to zero here, we can keep from
+ // processing it a second time.
+ header->len = 0;
+ header->caplen = 0;
+
 return true;
 }
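Review bot: Zeroing `header->len` and `header->caplen` before `return true` only stops the duplicate if a later call to ExtractNextPacket rejects a zero-length header before parsing, and that check is not in this hunk; the function body starts outside it. The new comment should name that check so a refactor does not separate the two halves, for example `// The zero-length header check earlier in this function then drops the stale packet on the next call.` The stores run only on this success path, so any earlier `return false` after the libpcap read (not visible here) would leave the stale header intact. They also write through a pointer into memory libpcap owns, which is presumably safe only because `pkt` already holds the lengths by value; worth confirming nothing reads `header` afterwards. Since a crash here takes the sensor offline, a counter or log line for rejected duplicates would let operators see they are on an affected libpcap.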