From 4d8f70c61348a45cea86c5d737204929130bc886 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Wed, 5 Sep 2012 00:15:16 +0200 Subject: [PATCH] af-packet: fix kernel offset issue It seems that, in some case, there is a read waiting but the offset in the ring buffer is not correct and Suricata need to walk the ring to find the correct place and make the read. --- src/source-af-packet.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/source-af-packet.c b/src/source-af-packet.c index d907fb0335..94c2c19f3c 100644 --- a/src/source-af-packet.c +++ b/src/source-af-packet.c @@ -655,6 +655,8 @@ int AFPReadFromRing(AFPThreadVars *ptv) union thdr h; struct sockaddr_ll *from; uint8_t emergency_flush = 0; + int read_pkts = 0; + /* Loop till we have packets available */ while (1) { @@ -665,12 +667,21 @@ int AFPReadFromRing(AFPThreadVars *ptv) } if (h.h2->tp_status == TP_STATUS_KERNEL) { + if (read_pkts == 0) { + if (++ptv->frame_offset >= ptv->req.tp_frame_nr) { + ptv->frame_offset = 0; + } + continue; + } if ((emergency_flush) && (ptv->flags & AFP_EMERGENCY_MODE)) { SCReturnInt(AFP_KERNEL_DROP); } else { SCReturnInt(AFP_READ_OK); } } + + read_pkts++; + if ((ptv->flags & AFP_EMERGENCY_MODE) && (emergency_flush == 1)) { h.h2->tp_status = TP_STATUS_KERNEL; goto next_frame;