pcap-log: use correct pkthdr size for limit enforcement

The on-disk pcap pkthdr is 16 bytes. This was calculated using `sizeof(struct pcap_pkthdr)`, which is 24 bytes on 64 bit Linux. On Macos, it's even worse, as a comment field grows the struct to 280 bytes. Address this by hardcoding the value of 16. Bug: #7037.
10 months ago · 6c937a9243
parent 9b980b18a8
commit 6c937a9243
1 changed files with 5 additions and 4 deletions
--- a/src/log-pcap.c
+++ b/src/log-pcap.c
@ -84,6 +84,7 @@ typedef enum LogModeConditionalType_ {

 #define PCAP_SNAPLEN                    262144
 #define PCAP_BUFFER_TIMEOUT             1000000 // microseconds
+#define PCAP_PKTHDR_SIZE                16

 SC_ATOMIC_DECLARE(uint32_t, thread_cnt);

@ -587,11 +588,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
        rp = p->root;
        pl->h->caplen = GET_PKT_LEN(rp);
        pl->h->len = GET_PKT_LEN(rp);
-        len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+        len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
    } else {
        pl->h->caplen = GET_PKT_LEN(p);
        pl->h->len = GET_PKT_LEN(p);
-        len = sizeof(*pl->h) + GET_PKT_LEN(p);
+        len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
    }

    if (pl->filename == NULL) {
@ -661,11 +662,11 @@ static int PcapLog (ThreadVars *t, void *thread_data, const Packet *p)
                rp = p->root;
                pl->h->caplen = GET_PKT_LEN(rp);
                pl->h->len = GET_PKT_LEN(rp);
-                len = sizeof(*pl->h) + GET_PKT_LEN(rp);
+                len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(rp);
            } else {
                pl->h->caplen = GET_PKT_LEN(p);
                pl->h->len = GET_PKT_LEN(p);
-                len = sizeof(*pl->h) + GET_PKT_LEN(p);
+                len = PCAP_PKTHDR_SIZE + GET_PKT_LEN(p);
            }
        }
    }