Project

General

Profile

Bug #5586

snoop doesn't correctly read files over 4GB

Added by David Pacheco about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2015-02-04
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

If you give snoop an input file larger than 4GB, it happily tries to process it, but only maps the first (filesize % 4GB) bytes of it. This will usually wind up attempting to read a packet that isn't completely contained in the file, and it will bail out with:

(warning) bad packet header in capture file offset 159385680: length=1464

The reason is that it uses ints to store the file size. The problem starts in cap_open_read() when we fstat the input file (which works) and assign cap_len (an int) to the value of st_size (a larger value). After that, we pass around the size as an int.

A similar issue likely affects files over 2GB as well, since the size will be negative. I haven't tested that case, and I don't know what the failure mode is.


Related issues

Related to illumos gate - Bug #4487: snoop can only work with 2GB filesResolved2014-01-16

Actions

Also available in: Atom PDF