rvelea / LightPcapNg

PcapNg read, write and manipulation API.
MIT License

Cannot open truncated-block pcapng files #5

Open watsontandrew opened 5 years ago

watsontandrew commented 5 years ago

This is a duplicate issue I found via another library which utilizes LightPcapNG. For more details, see the issue I reported over on the PcapPlusPlus GitHub.

Essentially, when opening pcapng files which were improperly saved (containing truncated blocks), the file reading fails due to out-of-bound memory access. Details which allowed me to fix this issue are as follows (quoted from the PcapPlusPlus GitHub issue):

I updated to the latest release. I was able to enable debug symbols and get into the debugger with the file at hand... Here I actually found the root of the crash to be at line 236 of light_pcapng.c:

```c
memcpy(current->block_body, local_data, raw_size);
```

It looks like because the file is truncated the pcapng library is making assumptions about the validity of the next block size and trying to read a very large (invalid) number of bytes.

I might be able to make an example pcap for you to test, but it looks as though the exception that I am hitting is indeed in the lightpcapng library.

UPDATE

It appears that when reading the file in question, the number of bytes reported in the variable remaining is less than that reported by bytes_remaining. Thus remaining has a value of 668 bytes where bytes_read says it read 1060 bytes. Since remaining is a size_t it wraps and continues to read into invalid memory.

My fix was to simply insert this check:

```c
if (remaining < bytes_read) {
    remaining = 0;
    continue;
}
```

beneath line 250:

```c
bytes_read = current->block_total_lenght;
```

This appears to handle the edge-case properly. I will report this over at the lightpcapng github but it might be useful for you to be aware of this issue also...
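As an added example (not code from LightPcapNg or from the comment above), the following C sketch walks pcapng blocks in a buffer and validates each declared block length against the bytes that are left before that length is used for copying or subtraction. The function names, the little-endian assumption and the sample bytes are constructed for illustration; 668 and 1060 are the values from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: one complete 16-byte block, then a block whose header
 * declares 1060 bytes although only 16 bytes of it are in the buffer. */
static const uint8_t sample[] = {
    0xAD, 0x0B, 0, 0,  16, 0, 0, 0,      0, 0, 0, 0,  16, 0, 0, 0,
    0x06, 0x00, 0, 0,  0x24, 0x04, 0, 0, 1, 2, 3, 4,  5, 6, 7, 8 };

/* 32-bit little-endian read (assumption: little-endian section). */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The reported failure mode: size_t subtraction wraps, never goes negative. */
size_t unchecked_remaining(size_t remaining, size_t bytes_read)
{
    return remaining - bytes_read;
}

/* Count complete blocks; *truncated = 1 on a cut-off or invalid block. */
size_t count_complete_blocks(const uint8_t *buf, size_t len, int *truncated)
{
    size_t off = 0, blocks = 0;
    *truncated = 0;
    while (off < len) {
        size_t remaining = len - off;
        uint32_t total = remaining >= 12 ? rd32le(buf + off + 4) : 0;
        /* Validate the untrusted length before copying or subtracting. */
        if (total < 12 || total % 4 != 0 || total > remaining ||
            rd32le(buf + off + total - 4) != total) {
            *truncated = 1;
            break;
        }
        blocks++;
        off += total;
    }
    return blocks;
}

int main(void)
{
    int t;
    size_t n = count_complete_blocks(sample, sizeof sample, &t);
    printf("complete blocks: %zu, truncated: %d\n", n, t);
    return 0;
}
```

The check rejects a block when its declared total length is below the 12-byte minimum, is not a multiple of 4, exceeds the remaining bytes, or disagrees with the trailing length field.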