Add length checking to ToRawPktHdrVal for truncated packets

src/iosource/Packet.cc

@@ -117,8 +117,18 @@ RecordValPtr Packet::ToRawPktHdrVal() const
 		// Ethernet header layout is:
 		//    dst[6bytes] src[6bytes] ethertype[2bytes]...
 		l2_hdr->Assign(0, BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_ETHERNET));
+
+		// FmtEUI48 needs at least 6 bytes to print out the mac address, plus 6 bytes for
+		// skipping over the destination address.
+		if ( cap_len >= 12 )
 			l2_hdr->Assign(3, FmtEUI48(data + 6)); // src
+		else
+			l2_hdr->Assign(3, "00:00:00:00:00:00");
+
+		if ( cap_len >= 6 )
 			l2_hdr->Assign(4, FmtEUI48(data)); // dst
+		else
+			l2_hdr->Assign(4, "00:00:00:00:00:00");
 
 		if ( vlan )
 			l2_hdr->Assign(5, vlan);

testing/btest/Baseline/core.raw-truncation/weird.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	-	-	-	-	-	truncated_ethernet_frame	-	F	zeek	ETHERNET
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/core/raw-truncation.zeek

@@ -0,0 +1,11 @@
+# @TEST-DOC: Test that raw_packet works correctly with a truncated packet
+# @TEST-EXEC: zeek -r $TRACES/trunc/trunc-hdr.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
+event raw_packet(p: raw_pkt_hdr) {
+        if ( ! p?$ip )
+                return;
+
+        if ( p$ip$hl != 20 )
+                print p$ip;
+}