rusticata / pcap-parser

PCAP/PCAPNG file format parser written in pure Rust. Fast, zero-copy, safe.

The MSB of if_tsresol in pcapng::build_ts #16

Closed noriov closed 2 years ago

noriov commented 2 years ago

Hello,

I just downloaded (git-clone'd) the source code of pcap-parser. I had a glance and found the following code fragment may have a typo.

According to the description of if_tsresol in draft-ietf-opsawg-pcapng, if_tsresol is one-byte and its most significant bit has a special meaning. Hence, I think the mask below should be 0x80 instead of 0x70.

Because I don't have test data for this patch, I'm sorry I didn't test it. I'm sorry if I misunderstand something.

diff --git a/src/pcapng.rs b/src/pcapng.rs
index 115a881..b491e18 100644
--- a/src/pcapng.rs
+++ b/src/pcapng.rs
@@ -227,11 +227,11 @@ impl<'a> Iterator for InterfaceBlockIterator<'a> {
 pub fn build_ts(ts_high: u32, ts_low: u32, ts_offset: u64, ts_resol: u8) -> (u32, u32, u64) {
     let if_tsoffset = ts_offset;
     let if_tsresol = ts_resol;
-    let ts_mode = if_tsresol & 0x70;
+    let ts_mode = if_tsresol & 0x80;
     let unit = if ts_mode == 0 {
         10u64.pow(if_tsresol as u32)
     } else {
-        2u64.pow((if_tsresol & !0x70) as u32)
+        2u64.pow((if_tsresol & !0x80) as u32)
     };
     let ts: u64 = ((ts_high as u64) << 32) | (ts_low as u64);
     let ts_sec = (if_tsoffset + (ts / unit)) as u32;
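Review bot: both `pow` calls in this hunk still take their exponent straight from the file, so the corrected mask does not remove the overflow in the `unit` computation. `10u64.pow(if_tsresol as u32)` exceeds u64 for any exponent of 20 or more, and `2u64.pow((if_tsresol & !0x80) as u32)` can receive an exponent up to 127; in a release build the base-2 result wraps to 0 at 64 and `ts / unit` then panics on division by zero. I would switch both to `checked_pow` and return an error for an unrepresentable resolution, and write the mask as `0x7f` rather than `!0x80`. The `as u32` cast on `ts_sec` also truncates silently when `if_tsoffset + (ts / unit)` is large. Since the patch is untested, a unit test with if_tsresol values 0x10 and 0x86 would cover it: with the old 0x70 mask the first is read as a power of two and the second as a power of ten.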

The PCAPNG specification I read was https://pcapng.github.io/pcapng/draft-ietf-opsawg-pcapng.html#name-interface-description-block

chifflier commented 2 years ago

Hi, Thanks for the report. This 0x70 looks indeed suspicious. I'm investigating.

chifflier commented 2 years ago

The specification clearly states this, so your patch seems correct.

However, it shows a (previously existing) problem in the code, which is a risk of overflow in the computation of the resolution. Also, it recalculates the resolution at each call, while it is constant for an interface.

I'll fix this in two steps:

chifflier commented 2 years ago

Side note: I could not find any pcapng file with a resolution encoded as power of two. I'd be interested if anyone has one!
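
The overflow risk raised in the comments above, shown as an added Rust example (not pcap-parser's code and not the maintainer's fix): it decodes if_tsresol with the 0x80 mode bit and refuses resolutions that do not fit in a u64. The names `ts_units_per_sec` and `split_ts` are hypothetical, and the sample values are constructed.

```rust
/// Decode the one-byte if_tsresol option into timestamp units per second.
/// MSB clear: the low 7 bits are a power-of-10 exponent; MSB set: power-of-2.
/// Returns None when the unit does not fit in a u64, instead of wrapping.
pub fn ts_units_per_sec(if_tsresol: u8) -> Option<u64> {
    let exponent = u32::from(if_tsresol & 0x7f);
    if if_tsresol & 0x80 == 0 {
        10u64.checked_pow(exponent) // None for exponent >= 20
    } else {
        2u64.checked_pow(exponent) // None for exponent >= 64
    }
}

/// Split a 64-bit pcapng timestamp into (seconds, fractional units, units per second).
/// Hypothetical helper: the offset is a u64 as in the build_ts signature from the
/// issue, but seconds stay u64 (no `as u32` truncation) and failures return None.
pub fn split_ts(
    ts_high: u32,
    ts_low: u32,
    ts_offset: u64,
    if_tsresol: u8,
) -> Option<(u64, u64, u64)> {
    // unit is always >= 1 here, so the division below cannot divide by zero.
    let unit = ts_units_per_sec(if_tsresol)?;
    let ts = (u64::from(ts_high) << 32) | u64::from(ts_low);
    let secs = ts_offset.checked_add(ts / unit)?;
    Some((secs, ts % unit, unit))
}

fn main() {
    // Constructed sample values, not taken from a real capture.
    for resol in [6u8, 9, 0x80 | 10, 19, 20, 0x80 | 63, 0x80 | 64, 0xff] {
        println!("if_tsresol={:#04x} -> {:?}", resol, ts_units_per_sec(resol));
    }
    println!("{:?}", split_ts(0, 2_500_000, 0, 6));
}
```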