Wireshark-dev: Re: [Wireshark-dev] PCAP-NG files being corrupted by fuzz tester

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 2 Mar 2012 16:08:30 -0800

On Mar 2, 2012, at 3:04 PM, Guy Harris wrote:

> 
> On Mar 2, 2012, at 2:45 PM, Guy Harris wrote:
> 
>> On Mar 2, 2012, at 2:36 PM, Jeff Morriss wrote:
>> 
>>> The source file itself is fine (well it no longer aborts for me after r41325), but running it through the fuzz tester fails every time.  Looks like editcap needs some PCAPNG smarts to avoid corrupting the non-packet parts.  (Or Wiretap needs to not give the non-packet parts to editcap.)
>> 
>> ...or my recent changes to wiretap/pcapng.c broke something, or....
> 
> Without fuzzing, editcap will mangle your test file when converted to pcap-NG, so it's not a question of editcap corrupting the non-packet parts.

Or, at least, not *intentionally* corrupting it as part of the fuzzing process.

It does, however, appear to be a question of editcap not handling a file with multiple IDBs - it's calling pcap_dump_open(), not pcap_dump_open_ng().

Perhaps the offending file, which has two IDBs, is new to the menagerie, and no other files in the menagerie are pcap-NG files with more than one IDB, so we haven't bumped into this yet.
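
A check for the condition discussed in the message above, as an added example that is not part of the original post or of Wireshark's code: it walks a pcap-NG file's block chain and counts Interface Description Blocks per section, so capture files with more than one IDB can be identified before and after a conversion. The function names and the sample bytes are constructed for illustration.

```python
import struct

SHB_MAGIC_BYTES = b"\x0a\x0d\x0d\x0a"   # Section Header Block type, same in either byte order
IDB_TYPE = 0x00000001                   # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def count_idbs_per_section(data: bytes) -> list:
    """Walk the pcap-NG block chain and return the IDB count of each section."""
    counts, endian, off = [], "<", 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError(f"truncated block at offset {off}")
        if data[off:off + 4] == SHB_MAGIC_BYTES:
            # Each section declares its own byte order right after the length field.
            magic = data[off + 8:off + 12]
            if magic == struct.pack("<I", BYTE_ORDER_MAGIC):
                endian = "<"
            elif magic == struct.pack(">I", BYTE_ORDER_MAGIC):
                endian = ">"
            else:
                raise ValueError(f"bad byte-order magic at offset {off}")
            counts.append(0)
        elif not counts:
            raise ValueError("data does not start with a Section Header Block")
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        # The length is repeated at the end of every block; a mismatch means damage.
        if struct.unpack_from(endian + "I", data, off + total - 4)[0] != total:
            raise ValueError(f"length mismatch at offset {off}")
        if btype == IDB_TYPE:
            counts[-1] += 1
        off += total
    return counts

def _block(btype, body, endian):
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)

def sample_section(n_idbs, endian="<"):
    """Constructed test input: one SHB followed by n_idbs Ethernet IDBs, no packets."""
    shb = _block(0x0A0D0D0A, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idb = _block(IDB_TYPE, struct.pack(endian + "HHI", 1, 0, 65535), endian)
    return shb + idb * n_idbs

if __name__ == "__main__":
    for name, blob in [("one IDB", sample_section(1)), ("two IDBs", sample_section(2))]:
        counts = count_idbs_per_section(blob)
        print(name, counts, "multiple IDBs" if max(counts) > 1 else "single IDB")
```

Running the same count on a file before and after it passes through a conversion tool shows whether any IDBs were dropped or the block chain was damaged.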