Wireshark-dev: Re: [Wireshark-dev] Is snaplen check in editcap.c correct?
From: Jeff Morriss <[email protected]>
Date: Thu, 21 Jul 2011 17:23:10 -0400
Martin Mathieson wrote:
Hi,

I'm using editcap with Catapult DCT2000 log files. The wiretap module doesn't set wth->snapshot_len, so its coming out as 0. It was intentionally left as 0, as I thought this corresponded to "we have the whole frame, its not truncated". Most other wiretap modules seem to do the same.
editcap.c has this test:

        if(phdr->caplen > wtap_snapshot_length(wth)) {
fprintf(stderr, "Warning: packet %d too big for file type, skipping it...\n", count);
            count++;
            continue;
        }

which will discard any packet which has the snapshot length set to 0.

I'm happily using this test instead, i.e. only do the comparison if its non-zero.
        if((wtap_snapshot_length(wth) != 0) && (phdr->caplen > 
wtap_snapshot_length(wth))) {
            fprintf(stderr, "Warning: packet %d too big for file type, 
skipping it...\n", count);
            count++;
            continue;
        }

Would it be correct to check in this change?
Should the wiretap modules set some large value for the snapshot length instead?
(For the record, you made the change proposed above in r38132.)

I put in the original check to try to solve a fuzz testing problem (r37633), but I think Gerald's solution (r37634) makes more sense. So I backed out (that part of) 37633 in r38155.
I also scheduled r37634 for 1.6.2.