diff options
author | Tomasz Moń <desowin@gmail.com> | 2022-06-01 22:32:20 +0200 |
---|---|---|
committer | Tomasz Moń <desowin@gmail.com> | 2022-08-03 18:50:53 +0200 |
commit | bf26f538c65ee37f321bc63ca9a27114914224dc (patch) | |
tree | 0c80044a57d8130f36902a217682c32b7a6f1e5c /wiretap | |
parent | 566ea8ceb4296f1d1cf246174cab9be5f170e1c6 (diff) |
wiretap: Do not silently limit capture length
Libpcap assumes that packet length is greater or equal to captured data
length. However, due to a bug in libpcap, it was possible for libpcap to
generate isochronous URB packets (WTAP_ENCAP_USB_LINUX_MMAPPED) with
captured data length greater than packet length. The discrepancy comes
from slightly different semantics in Linux kernel.
Linux kernel usbmon packet documentation mentions:
unsigned int length; /* 32: Length of data (submitted or actual) */
unsigned int len_cap; /* 36: Delivered length */
Wireshark shows usbmon packet length as URB length (usb.urb_len) and
len_cap as Data length (usb.data_len). For usbmon isochronous IN packets
containing data (URB complete), usbmon length is "actual". Actual length
is the sum of payload packets length received from device. Delivered
length refers to the amount of data associated with usbmon packet, that
is the isochronous descriptors and actual isochronous data. There can be
multiple isochronous descriptors in single URB and the actual payload in
special cases can be noncontiguous (there can be gaps).
Libpcap when reading usbmon capture calculates packet length based on
usbmon packet structure size (64), "actual length" and number of
isochronous descriptors. This gives expected packet length as long as
there are no gaps between isochronous data. If there are gaps, the
calculated packet length will be smaller than delivered length.
Wireshark should show the frame length and captured length as provided
by the capture engine, even if the capture length is greater than frame
length. Silently limiting captured length essentially hides the issue
from the user and allows misbehaving capture engine to go unnoticed.
Passing unmodified Frame Length and Capture Length to dissectors (and
thus complete tvb) allows USB dissector to show all ISO Data fields
captured on Linux usbmon interface using bugged libpcap.
Fixes #18021
Diffstat (limited to 'wiretap')
-rw-r--r-- | wiretap/wtap.c | 14 |
1 files changed, 0 insertions, 14 deletions
diff --git a/wiretap/wtap.c b/wiretap/wtap.c index 7063dee683..7eef40b7d2 100644 --- a/wiretap/wtap.c +++ b/wiretap/wtap.c @@ -1579,13 +1579,6 @@ wtap_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, */ if (rec->rec_type == REC_TYPE_PACKET) { /* - * It makes no sense for the captured data length - * to be bigger than the actual data length. - */ - if (rec->rec_header.packet_header.caplen > rec->rec_header.packet_header.len) - rec->rec_header.packet_header.caplen = rec->rec_header.packet_header.len; - - /* * Make sure that it's not WTAP_ENCAP_PER_PACKET, as that * probably means the file has that encapsulation type * but the read routine didn't set this packet's @@ -1742,13 +1735,6 @@ wtap_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec, Buffer *buf, */ if (rec->rec_type == REC_TYPE_PACKET) { /* - * It makes no sense for the captured data length - * to be bigger than the actual data length. - */ - if (rec->rec_header.packet_header.caplen > rec->rec_header.packet_header.len) - rec->rec_header.packet_header.caplen = rec->rec_header.packet_header.len; - - /* * Make sure that it's not WTAP_ENCAP_PER_PACKET, as that * probably means the file has that encapsulation type * but the read routine didn't set this packet's |