Open tklauser opened 10 years ago
I currently suspect an integer overflow related to the mmap size (of the pcap file).
I believe this issue may be caused by kernel security patch to net/patacket/af_packet.c. The patch has been backported to older kernels. It will prevent you from allocating a ring buffer greater than 4 GiB. The largest you can get is --ring-size 4194303KiB (2^32 - 1024 bytes).
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308
Reported by Michal Purzynski (see http://article.gmane.org/gmane.linux.network.netsniff-ng/519 for details)