[Winpcap-bugs] RE: Crash in pcap_open when using incorrect flag
Mark Bednarczyk
voytechs at yahoo.com
Thu Aug 9 18:49:45 GMT 2007
I found the bug. It's in pcap-new.c. You will get a core dump under the
following conditions:
1) You specify an invalid device name to pcap_open AND
2) You specify any of the WIN32-specific flags such as
PCAP_OPENFLAG_NOCAPTURE_LOCAL or PCAP_OPENFLAG_MAX_RESPONSIVENESS.
In the code below you can see that if pcap_open_live fails to open a device
at the top, the flag-dependent if statements below it use the 'fp' ptr
without checking if it's NULL, which in this case it is, because
pcap_open_live failed. Thus a crash in the if statement itself (fp->adapter)
where fp == NULL.
So we have to check for NULL too.
if (fp != NULL && !PacketSetLoopbackBehavior(fp->adapter,
                                             NPF_DISABLE_LOOPBACK))
    ...
Or better yet, return immediately after the pcap_open_live if it's NULL.
Source from pcap-new.c:
#ifdef WIN32
    //
    // these flags are supported on Windows only
    //
    fp = pcap_open_live(name, snaplen, (flags &
        PCAP_OPENFLAG_PROMISCUOUS), read_timeout, errbuf);

    /* fp is NULL here if pcap_open_live failed; nothing below checks it */

    /* disable loopback capture if requested */
    if(flags & PCAP_OPENFLAG_NOCAPTURE_LOCAL)
    {
        if(!PacketSetLoopbackBehavior(fp->adapter,
            NPF_DISABLE_LOOPBACK))
        {
            snprintf(errbuf, PCAP_ERRBUF_SIZE,
                "Unable to disable the capture of loopback packets.");
            pcap_close(fp);
            return NULL;
        }
    }

    /* set mintocopy to zero if requested */
    if(flags & PCAP_OPENFLAG_MAX_RESPONSIVENESS)
    {
        if(!PacketSetMinToCopy(fp->adapter, 0))
        {
            snprintf(errbuf, PCAP_ERRBUF_SIZE,
                "Unable to set max responsiveness.");
            pcap_close(fp);
            return NULL;
        }
    }
#endif //WIN32
So in my original report of the problem, it's not just any flag value above
8, it's a value that gets a bitwise hit on one of the PCAP_OPENFLAG_* flags.
And you have to have a misspelled device name. In my test rigs (jUnit
test cases) I do all these things on purpose.
Cheers,
mark...
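The following is an added example, not code from the post or from WinPcap itself. It models the pcap_open fragment above with constructed stand-ins (a toy pcap_t, a toy pcap_open_live that only knows a device called "toy0", toy PacketSetLoopbackBehavior/PacketSetMinToCopy equivalents, and PCAP_OPENFLAG_* values picked to match the bit layout the post relies on) and shows the hardened shape the post recommends: return right after the open fails, so the flag-dependent branches never see a NULL handle. It also includes a small helper that makes the "bitwise hit" point concrete: a flag word such as 32 is above 8 but touches neither branch, while 9 does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the WinPcap symbols named in the post.
 * Nothing here links against libpcap or Packet.dll. */
#define PCAP_ERRBUF_SIZE                 256
#define PCAP_OPENFLAG_PROMISCUOUS          1
#define PCAP_OPENFLAG_NOCAPTURE_LOCAL      8
#define PCAP_OPENFLAG_MAX_RESPONSIVENESS  16
#define NPF_DISABLE_LOOPBACK               1

/* Toy capture handle; the real pcap_t carries an ADAPTER pointer. */
typedef struct { int adapter; int loopback_disabled; int mintocopy; } pcap_t;

/* Toy pcap_open_live: only the constructed device "toy0" exists. */
static pcap_t *toy_open_live(const char *name, int snaplen, int promisc,
                             int read_timeout, char *errbuf)
{
    (void)snaplen; (void)promisc; (void)read_timeout;
    if (strcmp(name, "toy0") != 0) {
        snprintf(errbuf, PCAP_ERRBUF_SIZE, "Error opening adapter: %s", name);
        return NULL;                    /* same failure path as the real call */
    }
    pcap_t *fp = calloc(1, sizeof *fp);
    if (fp) { fp->adapter = 1; fp->mintocopy = 16000; }
    return fp;
}

/* Toy Packet.dll calls; they always succeed on a live handle. */
static int toy_set_loopback(pcap_t *fp, int mode)
{ fp->loopback_disabled = (mode == NPF_DISABLE_LOOPBACK); return 1; }
static int toy_set_mintocopy(pcap_t *fp, int n)
{ fp->mintocopy = n; return 1; }
static void toy_close(pcap_t *fp) { free(fp); }

/* Does this flag word enter a branch that dereferences fp?
 * 32 is above 8 but touches neither flag; 9 (PROMISCUOUS|NOCAPTURE_LOCAL) does. */
int flags_reach_adapter_branches(int flags)
{
    return (flags & (PCAP_OPENFLAG_NOCAPTURE_LOCAL |
                     PCAP_OPENFLAG_MAX_RESPONSIVENESS)) != 0;
}

/* Hardened shape of the fragment: bail out as soon as the open fails,
 * so the flag-dependent code below can assume fp is valid. */
pcap_t *hardened_open(const char *name, int snaplen, int flags,
                      int read_timeout, char *errbuf)
{
    pcap_t *fp = toy_open_live(name, snaplen,
                               flags & PCAP_OPENFLAG_PROMISCUOUS,
                               read_timeout, errbuf);
    if (fp == NULL)
        return NULL;                    /* errbuf already describes the failure */

    if (flags & PCAP_OPENFLAG_NOCAPTURE_LOCAL) {
        if (!toy_set_loopback(fp, NPF_DISABLE_LOOPBACK)) {
            snprintf(errbuf, PCAP_ERRBUF_SIZE,
                     "Unable to disable the capture of loopback packets.");
            toy_close(fp);
            return NULL;
        }
    }
    if (flags & PCAP_OPENFLAG_MAX_RESPONSIVENESS) {
        if (!toy_set_mintocopy(fp, 0)) {
            snprintf(errbuf, PCAP_ERRBUF_SIZE, "Unable to set max responsiveness.");
            toy_close(fp);
            return NULL;
        }
    }
    return fp;
}

/* 1 if the open is refused and errbuf explains why, 0 if a handle came back. */
int open_rejected_with_message(const char *name, int flags)
{
    char errbuf[PCAP_ERRBUF_SIZE] = "";
    pcap_t *fp = hardened_open(name, 65535, flags, 1000, errbuf);
    if (fp) { toy_close(fp); return 0; }
    return errbuf[0] != '\0';
}

/* mintocopy of the opened handle, or -1 if the open failed. */
int open_result_mintocopy(const char *name, int flags)
{
    char errbuf[PCAP_ERRBUF_SIZE] = "";
    pcap_t *fp = hardened_open(name, 65535, flags, 1000, errbuf);
    if (!fp) return -1;
    int m = fp->mintocopy;
    toy_close(fp);
    return m;
}

int main(void)
{
    /* The crash case from the report: bad name plus a WIN32-only flag. */
    printf("bad name + flag 8 rejected cleanly: %d\n",
           open_rejected_with_message("nosuchdev", PCAP_OPENFLAG_NOCAPTURE_LOCAL));
    printf("toy0 + flag 16 mintocopy: %d\n",
           open_result_mintocopy("toy0", PCAP_OPENFLAG_MAX_RESPONSIVENESS));
    return 0;
}
```

The early return is preferable to adding `fp != NULL &&` to each flag branch because it keeps one exit for the open failure and means later additions to the WIN32 block cannot forget the check.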