• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27 
28 #include <pcap/pcap-inttypes.h>
29 
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 
36 #include "pcap-int.h"
37 #include "pcap-util.h"
38 
39 #include "pcap-common.h"
40 
41 #ifdef HAVE_OS_PROTO_H
42 #include "os-proto.h"
43 #endif
44 
45 #include "sf-pcapng.h"
46 
47 /*
48  * Block types.
49  */
50 
51 /*
52  * Common part at the beginning of all blocks.
53  */
54 struct block_header {
55 	bpf_u_int32	block_type;
56 	bpf_u_int32	total_length;
57 };
58 
59 /*
60  * Common trailer at the end of all blocks.
61  */
62 struct block_trailer {
63 	bpf_u_int32	total_length;
64 };
65 
66 /*
67  * Common options.
68  */
69 #define OPT_ENDOFOPT	0	/* end of options */
70 #define OPT_COMMENT	1	/* comment string */
71 
72 /*
73  * Option header.
74  */
75 struct option_header {
76 	u_short		option_code;
77 	u_short		option_length;
78 };
79 
80 /*
81  * Structures for the part of each block type following the common
82  * part.
83  */
84 
85 /*
86  * Section Header Block.
87  */
88 #define BT_SHB			0x0A0D0D0A
89 #define BT_SHB_INSANE_MAX       1024U*1024U*1U  /* 1MB should be enough */
90 struct section_header_block {
91 	bpf_u_int32	byte_order_magic;
92 	u_short		major_version;
93 	u_short		minor_version;
94 	uint64_t	section_length;
95 	/* followed by options and trailer */
96 };
97 
98 /*
99  * Byte-order magic value.
100  */
101 #define BYTE_ORDER_MAGIC	0x1A2B3C4D
102 
103 /*
104  * Current version number.  If major_version isn't PCAP_NG_VERSION_MAJOR,
105  * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
106  * this code can't read the file.
107  */
108 #define PCAP_NG_VERSION_MAJOR	1
109 #define PCAP_NG_VERSION_MINOR	0
110 
111 /*
112  * Interface Description Block.
113  */
114 #define BT_IDB			0x00000001
115 
116 struct interface_description_block {
117 	u_short		linktype;
118 	u_short		reserved;
119 	bpf_u_int32	snaplen;
120 	/* followed by options and trailer */
121 };
122 
123 /*
124  * Options in the IDB.
125  */
126 #define IF_NAME		2	/* interface name string */
127 #define IF_DESCRIPTION	3	/* interface description string */
128 #define IF_IPV4ADDR	4	/* interface's IPv4 address and netmask */
129 #define IF_IPV6ADDR	5	/* interface's IPv6 address and prefix length */
130 #define IF_MACADDR	6	/* interface's MAC address */
131 #define IF_EUIADDR	7	/* interface's EUI address */
132 #define IF_SPEED	8	/* interface's speed, in bits/s */
133 #define IF_TSRESOL	9	/* interface's time stamp resolution */
134 #define IF_TZONE	10	/* interface's time zone */
135 #define IF_FILTER	11	/* filter used when capturing on interface */
136 #define IF_OS		12	/* string OS on which capture on this interface was done */
137 #define IF_FCSLEN	13	/* FCS length for this interface */
138 #define IF_TSOFFSET	14	/* time stamp offset for this interface */
139 
140 /*
141  * Enhanced Packet Block.
142  */
143 #define BT_EPB			0x00000006
144 
145 struct enhanced_packet_block {
146 	bpf_u_int32	interface_id;
147 	bpf_u_int32	timestamp_high;
148 	bpf_u_int32	timestamp_low;
149 	bpf_u_int32	caplen;
150 	bpf_u_int32	len;
151 	/* followed by packet data, options, and trailer */
152 };
153 
154 /*
155  * Simple Packet Block.
156  */
157 #define BT_SPB			0x00000003
158 
159 struct simple_packet_block {
160 	bpf_u_int32	len;
161 	/* followed by packet data and trailer */
162 };
163 
164 /*
165  * Packet Block.
166  */
167 #define BT_PB			0x00000002
168 
169 struct packet_block {
170 	u_short		interface_id;
171 	u_short		drops_count;
172 	bpf_u_int32	timestamp_high;
173 	bpf_u_int32	timestamp_low;
174 	bpf_u_int32	caplen;
175 	bpf_u_int32	len;
176 	/* followed by packet data, options, and trailer */
177 };
178 
179 /*
180  * Block cursor - used when processing the contents of a block.
181  * Contains a pointer into the data being processed and a count
182  * of bytes remaining in the block.
183  */
184 struct block_cursor {
185 	u_char		*data;
186 	size_t		data_remaining;
187 	bpf_u_int32	block_type;
188 };
189 
190 typedef enum {
191 	PASS_THROUGH,
192 	SCALE_UP_DEC,
193 	SCALE_DOWN_DEC,
194 	SCALE_UP_BIN,
195 	SCALE_DOWN_BIN
196 } tstamp_scale_type_t;
197 
198 /*
199  * Per-interface information.
200  */
201 struct pcap_ng_if {
202 	uint32_t snaplen;		/* snapshot length */
203 	uint64_t tsresol;		/* time stamp resolution */
204 	tstamp_scale_type_t scale_type;	/* how to scale */
205 	uint64_t scale_factor;		/* time stamp scale factor for power-of-10 tsresol */
206 	uint64_t tsoffset;		/* time stamp offset */
207 };
208 
209 /*
210  * Per-pcap_t private data.
211  *
212  * max_blocksize is the maximum size of a block that we'll accept.  We
213  * reject blocks bigger than this, so we don't consume too much memory
214  * with a truly huge block.  It can change as we see IDBs with different
215  * link-layer header types.  (Currently, we don't support IDBs with
216  * different link-layer header types, but we will support it in the
217  * future, when we offer file-reading APIs that support it.)
218  *
219  * XXX - that's an issue on ILP32 platforms, where the maximum block
220  * size of 2^31-1 would eat all but one byte of the entire address space.
221  * It's less of an issue on ILP64/LLP64 platforms, but the actual size
222  * of the address space may be limited by 1) the number of *significant*
223  * address bits (currently, x86-64 only supports 48 bits of address), 2)
224  * any limitations imposed by the operating system; 3) any limitations
225  * imposed by the amount of available backing store for anonymous pages,
226  * so we impose a limit regardless of the size of a pointer.
227  */
228 struct pcap_ng_sf {
229 	uint64_t user_tsresol;		/* time stamp resolution requested by the user */
230 	u_int max_blocksize;		/* don't grow buffer size past this */
231 	bpf_u_int32 ifcount;		/* number of interfaces seen in this capture */
232 	bpf_u_int32 ifaces_size;	/* size of array below */
233 	struct pcap_ng_if *ifaces;	/* array of interface information */
234 };
235 
236 /*
237  * The maximum block size we start with; we use an arbitrary value of
238  * 16 MiB.
239  */
240 #define INITIAL_MAX_BLOCKSIZE	(16*1024*1024)
241 
242 /*
243  * Maximum block size for a given maximum snapshot length; we define it
244  * as the size of an EPB with a max_snaplen-sized packet and 128KB of
245  * options.
246  */
247 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
248 	(sizeof (struct block_header) + \
249 	 sizeof (struct enhanced_packet_block) + \
250 	 (max_snaplen) + 131072 + \
251 	 sizeof (struct block_trailer))
252 
253 static void pcap_ng_cleanup(pcap_t *p);
254 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
255     u_char **data);
256 
257 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)258 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
259     char *errbuf)
260 {
261 	size_t amt_read;
262 
263 	amt_read = fread(buf, 1, bytes_to_read, fp);
264 	if (amt_read != bytes_to_read) {
265 		if (ferror(fp)) {
266 			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
267 			    errno, "error reading dump file");
268 		} else {
269 			if (amt_read == 0 && !fail_on_eof)
270 				return (0);	/* EOF */
271 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
272 			    "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
273 			    bytes_to_read, amt_read);
274 		}
275 		return (-1);
276 	}
277 	return (1);
278 }
279 
280 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)281 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
282 {
283 	struct pcap_ng_sf *ps;
284 	int status;
285 	struct block_header bhdr;
286 	struct block_trailer *btrlr;
287 	u_char *bdata;
288 	size_t data_remaining;
289 
290 	ps = p->priv;
291 
292 	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
293 	if (status <= 0)
294 		return (status);	/* error or EOF */
295 
296 	if (p->swapped) {
297 		bhdr.block_type = SWAPLONG(bhdr.block_type);
298 		bhdr.total_length = SWAPLONG(bhdr.total_length);
299 	}
300 
301 	/*
302 	 * Is this block "too small" - i.e., is it shorter than a block
303 	 * header plus a block trailer?
304 	 */
305 	if (bhdr.total_length < sizeof(struct block_header) +
306 	    sizeof(struct block_trailer)) {
307 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
308 		    "block in pcapng dump file has a length of %u < %zu",
309 		    bhdr.total_length,
310 		    sizeof(struct block_header) + sizeof(struct block_trailer));
311 		return (-1);
312 	}
313 
314 	/*
315 	 * Is the block total length a multiple of 4?
316 	 */
317 	if ((bhdr.total_length % 4) != 0) {
318 		/*
319 		 * No.  Report that as an error.
320 		 */
321 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
322 		    "block in pcapng dump file has a length of %u that is not a multiple of 4",
323 		    bhdr.total_length);
324 		return (-1);
325 	}
326 
327 	/*
328 	 * Is the buffer big enough?
329 	 */
330 	if (p->bufsize < bhdr.total_length) {
331 		/*
332 		 * No - make it big enough, unless it's too big, in
333 		 * which case we fail.
334 		 */
335 		void *bigger_buffer;
336 
337 		if (bhdr.total_length > ps->max_blocksize) {
338 			snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
339 			    ps->max_blocksize);
340 			return (-1);
341 		}
342 		bigger_buffer = realloc(p->buffer, bhdr.total_length);
343 		if (bigger_buffer == NULL) {
344 			snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
345 			return (-1);
346 		}
347 		p->buffer = bigger_buffer;
348 	}
349 
350 	/*
351 	 * Copy the stuff we've read to the buffer, and read the rest
352 	 * of the block.
353 	 */
354 	memcpy(p->buffer, &bhdr, sizeof(bhdr));
355 	bdata = (u_char *)p->buffer + sizeof(bhdr);
356 	data_remaining = bhdr.total_length - sizeof(bhdr);
357 	if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
358 		return (-1);
359 
360 	/*
361 	 * Get the block size from the trailer.
362 	 */
363 	btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
364 	if (p->swapped)
365 		btrlr->total_length = SWAPLONG(btrlr->total_length);
366 
367 	/*
368 	 * Is the total length from the trailer the same as the total
369 	 * length from the header?
370 	 */
371 	if (bhdr.total_length != btrlr->total_length) {
372 		/*
373 		 * No.
374 		 */
375 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
376 		    "block total length in header and trailer don't match");
377 		return (-1);
378 	}
379 
380 	/*
381 	 * Initialize the cursor.
382 	 */
383 	cursor->data = bdata;
384 	cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
385 	cursor->block_type = bhdr.block_type;
386 	return (1);
387 }
388 
389 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)390 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
391     char *errbuf)
392 {
393 	void *data;
394 
395 	/*
396 	 * Make sure we have the specified amount of data remaining in
397 	 * the block data.
398 	 */
399 	if (cursor->data_remaining < chunk_size) {
400 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
401 		    "block of type %u in pcapng dump file is too short",
402 		    cursor->block_type);
403 		return (NULL);
404 	}
405 
406 	/*
407 	 * Return the current pointer, and skip past the chunk.
408 	 */
409 	data = cursor->data;
410 	cursor->data += chunk_size;
411 	cursor->data_remaining -= chunk_size;
412 	return (data);
413 }
414 
415 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)416 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
417 {
418 	struct option_header *opthdr;
419 
420 	opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
421 	if (opthdr == NULL) {
422 		/*
423 		 * Option header is cut short.
424 		 */
425 		return (NULL);
426 	}
427 
428 	/*
429 	 * Byte-swap it if necessary.
430 	 */
431 	if (p->swapped) {
432 		opthdr->option_code = SWAPSHORT(opthdr->option_code);
433 		opthdr->option_length = SWAPSHORT(opthdr->option_length);
434 	}
435 
436 	return (opthdr);
437 }
438 
439 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)440 get_optvalue_from_block_data(struct block_cursor *cursor,
441     struct option_header *opthdr, char *errbuf)
442 {
443 	size_t padded_option_len;
444 	void *optvalue;
445 
446 	/* Pad option length to 4-byte boundary */
447 	padded_option_len = opthdr->option_length;
448 	padded_option_len = ((padded_option_len + 3)/4)*4;
449 
450 	optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
451 	if (optvalue == NULL) {
452 		/*
453 		 * Option value is cut short.
454 		 */
455 		return (NULL);
456 	}
457 
458 	return (optvalue);
459 }
460 
461 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,uint64_t * tsoffset,int * is_binary,char * errbuf)462 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
463     uint64_t *tsoffset, int *is_binary, char *errbuf)
464 {
465 	struct option_header *opthdr;
466 	void *optvalue;
467 	int saw_tsresol, saw_tsoffset;
468 	uint8_t tsresol_opt;
469 	u_int i;
470 
471 	saw_tsresol = 0;
472 	saw_tsoffset = 0;
473 	while (cursor->data_remaining != 0) {
474 		/*
475 		 * Get the option header.
476 		 */
477 		opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
478 		if (opthdr == NULL) {
479 			/*
480 			 * Option header is cut short.
481 			 */
482 			return (-1);
483 		}
484 
485 		/*
486 		 * Get option value.
487 		 */
488 		optvalue = get_optvalue_from_block_data(cursor, opthdr,
489 		    errbuf);
490 		if (optvalue == NULL) {
491 			/*
492 			 * Option value is cut short.
493 			 */
494 			return (-1);
495 		}
496 
497 		switch (opthdr->option_code) {
498 
499 		case OPT_ENDOFOPT:
500 			if (opthdr->option_length != 0) {
501 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
502 				    "Interface Description Block has opt_endofopt option with length %u != 0",
503 				    opthdr->option_length);
504 				return (-1);
505 			}
506 			goto done;
507 
508 		case IF_TSRESOL:
509 			if (opthdr->option_length != 1) {
510 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
511 				    "Interface Description Block has if_tsresol option with length %u != 1",
512 				    opthdr->option_length);
513 				return (-1);
514 			}
515 			if (saw_tsresol) {
516 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
517 				    "Interface Description Block has more than one if_tsresol option");
518 				return (-1);
519 			}
520 			saw_tsresol = 1;
521 			memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
522 			if (tsresol_opt & 0x80) {
523 				/*
524 				 * Resolution is negative power of 2.
525 				 */
526 				uint8_t tsresol_shift = (tsresol_opt & 0x7F);
527 
528 				if (tsresol_shift > 63) {
529 					/*
530 					 * Resolution is too high; 2^-{res}
531 					 * won't fit in a 64-bit value.
532 					 */
533 					snprintf(errbuf, PCAP_ERRBUF_SIZE,
534 					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
535 					    tsresol_shift);
536 					return (-1);
537 				}
538 				*is_binary = 1;
539 				*tsresol = ((uint64_t)1) << tsresol_shift;
540 			} else {
541 				/*
542 				 * Resolution is negative power of 10.
543 				 */
544 				if (tsresol_opt > 19) {
545 					/*
546 					 * Resolution is too high; 2^-{res}
547 					 * won't fit in a 64-bit value (the
548 					 * largest power of 10 that fits
549 					 * in a 64-bit value is 10^19, as
550 					 * the largest 64-bit unsigned
551 					 * value is ~1.8*10^19).
552 					 */
553 					snprintf(errbuf, PCAP_ERRBUF_SIZE,
554 					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
555 					    tsresol_opt);
556 					return (-1);
557 				}
558 				*is_binary = 0;
559 				*tsresol = 1;
560 				for (i = 0; i < tsresol_opt; i++)
561 					*tsresol *= 10;
562 			}
563 			break;
564 
565 		case IF_TSOFFSET:
566 			if (opthdr->option_length != 8) {
567 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
568 				    "Interface Description Block has if_tsoffset option with length %u != 8",
569 				    opthdr->option_length);
570 				return (-1);
571 			}
572 			if (saw_tsoffset) {
573 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
574 				    "Interface Description Block has more than one if_tsoffset option");
575 				return (-1);
576 			}
577 			saw_tsoffset = 1;
578 			memcpy(tsoffset, optvalue, sizeof(*tsoffset));
579 			if (p->swapped)
580 				*tsoffset = SWAPLL(*tsoffset);
581 			break;
582 
583 		default:
584 			break;
585 		}
586 	}
587 
588 done:
589 	return (0);
590 }
591 
592 static int
add_interface(pcap_t * p,struct interface_description_block * idbp,struct block_cursor * cursor,char * errbuf)593 add_interface(pcap_t *p, struct interface_description_block *idbp,
594     struct block_cursor *cursor, char *errbuf)
595 {
596 	struct pcap_ng_sf *ps;
597 	uint64_t tsresol;
598 	uint64_t tsoffset;
599 	int is_binary;
600 
601 	ps = p->priv;
602 
603 	/*
604 	 * Count this interface.
605 	 */
606 	ps->ifcount++;
607 
608 	/*
609 	 * Grow the array of per-interface information as necessary.
610 	 */
611 	if (ps->ifcount > ps->ifaces_size) {
612 		/*
613 		 * We need to grow the array.
614 		 */
615 		bpf_u_int32 new_ifaces_size;
616 		struct pcap_ng_if *new_ifaces;
617 
618 		if (ps->ifaces_size == 0) {
619 			/*
620 			 * It's currently empty.
621 			 *
622 			 * (The Clang static analyzer doesn't do enough,
623 			 * err, umm, dataflow *analysis* to realize that
624 			 * ps->ifaces_size == 0 if ps->ifaces == NULL,
625 			 * and so complains about a possible zero argument
626 			 * to realloc(), so we check for the former
627 			 * condition to shut it up.
628 			 *
629 			 * However, it doesn't complain that one of the
630 			 * multiplications below could overflow, which is
631 			 * a real, albeit extremely unlikely, problem (you'd
632 			 * need a pcapng file with tens of millions of
633 			 * interfaces).)
634 			 */
635 			new_ifaces_size = 1;
636 			new_ifaces = malloc(sizeof (struct pcap_ng_if));
637 		} else {
638 			/*
639 			 * It's not currently empty; double its size.
640 			 * (Perhaps overkill once we have a lot of interfaces.)
641 			 *
642 			 * Check for overflow if we double it.
643 			 */
644 			if (ps->ifaces_size * 2 < ps->ifaces_size) {
645 				/*
646 				 * The maximum number of interfaces before
647 				 * ps->ifaces_size overflows is the largest
648 				 * possible 32-bit power of 2, as we do
649 				 * size doubling.
650 				 */
651 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
652 				    "more than %u interfaces in the file",
653 				    0x80000000U);
654 				return (0);
655 			}
656 
657 			/*
658 			 * ps->ifaces_size * 2 doesn't overflow, so it's
659 			 * safe to multiply.
660 			 */
661 			new_ifaces_size = ps->ifaces_size * 2;
662 
663 			/*
664 			 * Now make sure that's not so big that it overflows
665 			 * if we multiply by sizeof (struct pcap_ng_if).
666 			 *
667 			 * That can happen on 32-bit platforms, with a 32-bit
668 			 * size_t; it shouldn't happen on 64-bit platforms,
669 			 * with a 64-bit size_t, as new_ifaces_size is
670 			 * 32 bits.
671 			 */
672 			if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
673 				/*
674 				 * As this fails only with 32-bit size_t,
675 				 * the multiplication was 32x32->32, and
676 				 * the largest 32-bit value that can safely
677 				 * be multiplied by sizeof (struct pcap_ng_if)
678 				 * without overflow is the largest 32-bit
679 				 * (unsigned) value divided by
680 				 * sizeof (struct pcap_ng_if).
681 				 */
682 				snprintf(errbuf, PCAP_ERRBUF_SIZE,
683 				    "more than %u interfaces in the file",
684 				    0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
685 				return (0);
686 			}
687 			new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
688 		}
689 		if (new_ifaces == NULL) {
690 			/*
691 			 * We ran out of memory.
692 			 * Give up.
693 			 */
694 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
695 			    "out of memory for per-interface information (%u interfaces)",
696 			    ps->ifcount);
697 			return (0);
698 		}
699 		ps->ifaces_size = new_ifaces_size;
700 		ps->ifaces = new_ifaces;
701 	}
702 
703 	ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
704 
705 	/*
706 	 * Set the default time stamp resolution and offset.
707 	 */
708 	tsresol = 1000000;	/* microsecond resolution */
709 	is_binary = 0;		/* which is a power of 10 */
710 	tsoffset = 0;		/* absolute timestamps */
711 
712 	/*
713 	 * Now look for various time stamp options, so we know
714 	 * how to interpret the time stamps for this interface.
715 	 */
716 	if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
717 	    errbuf) == -1)
718 		return (0);
719 
720 	ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
721 	ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
722 
723 	/*
724 	 * Determine whether we're scaling up or down or not
725 	 * at all for this interface.
726 	 */
727 	if (tsresol == ps->user_tsresol) {
728 		/*
729 		 * The resolution is the resolution the user wants,
730 		 * so we don't have to do scaling.
731 		 */
732 		ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
733 	} else if (tsresol > ps->user_tsresol) {
734 		/*
735 		 * The resolution is greater than what the user wants,
736 		 * so we have to scale the timestamps down.
737 		 */
738 		if (is_binary)
739 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
740 		else {
741 			/*
742 			 * Calculate the scale factor.
743 			 */
744 			ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
745 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
746 		}
747 	} else {
748 		/*
749 		 * The resolution is less than what the user wants,
750 		 * so we have to scale the timestamps up.
751 		 */
752 		if (is_binary)
753 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
754 		else {
755 			/*
756 			 * Calculate the scale factor.
757 			 */
758 			ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
759 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
760 		}
761 	}
762 	return (1);
763 }
764 
765 /*
766  * Check whether this is a pcapng savefile and, if it is, extract the
767  * relevant information from the header.
768  */
769 pcap_t *
pcap_ng_check_header(const uint8_t * magic,FILE * fp,u_int precision,char * errbuf,int * err)770 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
771     char *errbuf, int *err)
772 {
773 	bpf_u_int32 magic_int;
774 	size_t amt_read;
775 	bpf_u_int32 total_length;
776 	bpf_u_int32 byte_order_magic;
777 	struct block_header *bhdrp;
778 	struct section_header_block *shbp;
779 	pcap_t *p;
780 	int swapped = 0;
781 	struct pcap_ng_sf *ps;
782 	int status;
783 	struct block_cursor cursor;
784 	struct interface_description_block *idbp;
785 
786 	/*
787 	 * Assume no read errors.
788 	 */
789 	*err = 0;
790 
791 	/*
792 	 * Check whether the first 4 bytes of the file are the block
793 	 * type for a pcapng savefile.
794 	 */
795 	memcpy(&magic_int, magic, sizeof(magic_int));
796 	if (magic_int != BT_SHB) {
797 		/*
798 		 * XXX - check whether this looks like what the block
799 		 * type would be after being munged by mapping between
800 		 * UN*X and DOS/Windows text file format and, if it
801 		 * does, look for the byte-order magic number in
802 		 * the appropriate place and, if we find it, report
803 		 * this as possibly being a pcapng file transferred
804 		 * between UN*X and Windows in text file format?
805 		 */
806 		return (NULL);	/* nope */
807 	}
808 
809 	/*
810 	 * OK, they are.  However, that's just \n\r\r\n, so it could,
811 	 * conceivably, be an ordinary text file.
812 	 *
813 	 * It could not, however, conceivably be any other type of
814 	 * capture file, so we can read the rest of the putative
815 	 * Section Header Block; put the block type in the common
816 	 * header, read the rest of the common header and the
817 	 * fixed-length portion of the SHB, and look for the byte-order
818 	 * magic value.
819 	 */
820 	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
821 	if (amt_read < sizeof(total_length)) {
822 		if (ferror(fp)) {
823 			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
824 			    errno, "error reading dump file");
825 			*err = 1;
826 			return (NULL);	/* fail */
827 		}
828 
829 		/*
830 		 * Possibly a weird short text file, so just say
831 		 * "not pcapng".
832 		 */
833 		return (NULL);
834 	}
835 	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
836 	if (amt_read < sizeof(byte_order_magic)) {
837 		if (ferror(fp)) {
838 			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
839 			    errno, "error reading dump file");
840 			*err = 1;
841 			return (NULL);	/* fail */
842 		}
843 
844 		/*
845 		 * Possibly a weird short text file, so just say
846 		 * "not pcapng".
847 		 */
848 		return (NULL);
849 	}
850 	if (byte_order_magic != BYTE_ORDER_MAGIC) {
851 		byte_order_magic = SWAPLONG(byte_order_magic);
852 		if (byte_order_magic != BYTE_ORDER_MAGIC) {
853 			/*
854 			 * Not a pcapng file.
855 			 */
856 			return (NULL);
857 		}
858 		swapped = 1;
859 		total_length = SWAPLONG(total_length);
860 	}
861 
862 	/*
863 	 * Check the sanity of the total length.
864 	 */
865 	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
866             (total_length > BT_SHB_INSANE_MAX)) {
867 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
868 		    "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
869 		    sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
870 		    total_length,
871 		    BT_SHB_INSANE_MAX);
872 
873 		*err = 1;
874 		return (NULL);
875 	}
876 
877 	/*
878 	 * OK, this is a good pcapng file.
879 	 * Allocate a pcap_t for it.
880 	 */
881 	p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
882 	if (p == NULL) {
883 		/* Allocation failed. */
884 		*err = 1;
885 		return (NULL);
886 	}
887 	p->swapped = swapped;
888 	ps = p->priv;
889 
890 	/*
891 	 * What precision does the user want?
892 	 */
893 	switch (precision) {
894 
895 	case PCAP_TSTAMP_PRECISION_MICRO:
896 		ps->user_tsresol = 1000000;
897 		break;
898 
899 	case PCAP_TSTAMP_PRECISION_NANO:
900 		ps->user_tsresol = 1000000000;
901 		break;
902 
903 	default:
904 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
905 		    "unknown time stamp resolution %u", precision);
906 		free(p);
907 		*err = 1;
908 		return (NULL);
909 	}
910 
911 	p->opt.tstamp_precision = precision;
912 
913 	/*
914 	 * Allocate a buffer into which to read blocks.  We default to
915 	 * the maximum of:
916 	 *
917 	 *	the total length of the SHB for which we read the header;
918 	 *
919 	 *	2K, which should be more than large enough for an Enhanced
920 	 *	Packet Block containing a full-size Ethernet frame, and
921 	 *	leaving room for some options.
922 	 *
923 	 * If we find a bigger block, we reallocate the buffer, up to
924 	 * the maximum size.  We start out with a maximum size of
925 	 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
926 	 * with a maximum snapshot that results in a larger maximum
927 	 * block length, we boost the maximum.
928 	 */
929 	p->bufsize = 2048;
930 	if (p->bufsize < total_length)
931 		p->bufsize = total_length;
932 	p->buffer = malloc(p->bufsize);
933 	if (p->buffer == NULL) {
934 		snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
935 		free(p);
936 		*err = 1;
937 		return (NULL);
938 	}
939 	ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
940 
941 	/*
942 	 * Copy the stuff we've read to the buffer, and read the rest
943 	 * of the SHB.
944 	 */
945 	bhdrp = (struct block_header *)p->buffer;
946 	shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
947 	bhdrp->block_type = magic_int;
948 	bhdrp->total_length = total_length;
949 	shbp->byte_order_magic = byte_order_magic;
950 	if (read_bytes(fp,
951 	    (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
952 	    total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
953 	    1, errbuf) == -1)
954 		goto fail;
955 
956 	if (p->swapped) {
957 		/*
958 		 * Byte-swap the fields we've read.
959 		 */
960 		shbp->major_version = SWAPSHORT(shbp->major_version);
961 		shbp->minor_version = SWAPSHORT(shbp->minor_version);
962 
963 		/*
964 		 * XXX - we don't care about the section length.
965 		 */
966 	}
967 	/* Currently only SHB versions 1.0 and 1.2 are supported;
968 	   version 1.2 is treated as being the same as version 1.0.
969 	   See the current version of the pcapng specification.
970 
971 	   Version 1.2 is written by some programs that write additional
972 	   block types (which can be read by any code that handles them,
973 	   regardless of whether the minor version if 0 or 2, so that's
974 	   not a reason to change the minor version number).
975 
976 	   XXX - the pcapng specification says that readers should
977 	   just ignore sections with an unsupported version number;
978 	   presumably they can also report an error if they skip
979 	   all the way to the end of the file without finding
980 	   any versions that they support. */
981 	if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
982 	       (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
983 	        shbp->minor_version == 2))) {
984 		snprintf(errbuf, PCAP_ERRBUF_SIZE,
985 		    "unsupported pcapng savefile version %u.%u",
986 		    shbp->major_version, shbp->minor_version);
987 		goto fail;
988 	}
989 	p->version_major = shbp->major_version;
990 	p->version_minor = shbp->minor_version;
991 
992 	/*
993 	 * Save the time stamp resolution the user requested.
994 	 */
995 	p->opt.tstamp_precision = precision;
996 
997 	/*
998 	 * Now start looking for an Interface Description Block.
999 	 */
1000 	for (;;) {
1001 		/*
1002 		 * Read the next block.
1003 		 */
1004 		status = read_block(fp, p, &cursor, errbuf);
1005 		if (status == 0) {
1006 			/* EOF - no IDB in this file */
1007 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
1008 			    "the capture file has no Interface Description Blocks");
1009 			goto fail;
1010 		}
1011 		if (status == -1)
1012 			goto fail;	/* error */
1013 		switch (cursor.block_type) {
1014 
1015 		case BT_IDB:
1016 			/*
1017 			 * Get a pointer to the fixed-length portion of the
1018 			 * IDB.
1019 			 */
1020 			idbp = get_from_block_data(&cursor, sizeof(*idbp),
1021 			    errbuf);
1022 			if (idbp == NULL)
1023 				goto fail;	/* error */
1024 
1025 			/*
1026 			 * Byte-swap it if necessary.
1027 			 */
1028 			if (p->swapped) {
1029 				idbp->linktype = SWAPSHORT(idbp->linktype);
1030 				idbp->snaplen = SWAPLONG(idbp->snaplen);
1031 			}
1032 
1033 			/*
1034 			 * Try to add this interface.
1035 			 */
1036 			if (!add_interface(p, idbp, &cursor, errbuf))
1037 				goto fail;
1038 
1039 			goto done;
1040 
1041 		case BT_EPB:
1042 		case BT_SPB:
1043 		case BT_PB:
1044 			/*
1045 			 * Saw a packet before we saw any IDBs.  That's
1046 			 * not valid, as we don't know what link-layer
1047 			 * encapsulation the packet has.
1048 			 */
1049 			snprintf(errbuf, PCAP_ERRBUF_SIZE,
1050 			    "the capture file has a packet block before any Interface Description Blocks");
1051 			goto fail;
1052 
1053 		default:
1054 			/*
1055 			 * Just ignore it.
1056 			 */
1057 			break;
1058 		}
1059 	}
1060 
1061 done:
1062 	p->linktype = linktype_to_dlt(idbp->linktype);
1063 	p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
1064 	p->linktype_ext = 0;
1065 
1066 	/*
1067 	 * If the maximum block size for a packet with the maximum
1068 	 * snapshot length for this DLT_ is bigger than the current
1069 	 * maximum block size, increase the maximum.
1070 	 */
1071 	if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1072 		ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1073 
1074 	p->next_packet_op = pcap_ng_next_packet;
1075 	p->cleanup_op = pcap_ng_cleanup;
1076 
1077 	return (p);
1078 
1079 fail:
1080 	free(ps->ifaces);
1081 	free(p->buffer);
1082 	free(p);
1083 	*err = 1;
1084 	return (NULL);
1085 }
1086 
1087 static void
pcap_ng_cleanup(pcap_t * p)1088 pcap_ng_cleanup(pcap_t *p)
1089 {
1090 	struct pcap_ng_sf *ps = p->priv;
1091 
1092 	free(ps->ifaces);
1093 	sf_cleanup(p);
1094 }
1095 
1096 /*
1097  * Read and return the next packet from the savefile.  Return the header
1098  * in hdr and a pointer to the contents in data.  Return 1 on success, 0
1099  * if there were no more packets, and -1 on an error.
1100  */
1101 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1102 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1103 {
1104 	struct pcap_ng_sf *ps = p->priv;
1105 	struct block_cursor cursor;
1106 	int status;
1107 	struct enhanced_packet_block *epbp;
1108 	struct simple_packet_block *spbp;
1109 	struct packet_block *pbp;
1110 	bpf_u_int32 interface_id = 0xFFFFFFFF;
1111 	struct interface_description_block *idbp;
1112 	struct section_header_block *shbp;
1113 	FILE *fp = p->rfile;
1114 	uint64_t t, sec, frac;
1115 
1116 	/*
1117 	 * Look for an Enhanced Packet Block, a Simple Packet Block,
1118 	 * or a Packet Block.
1119 	 */
1120 	for (;;) {
1121 		/*
1122 		 * Read the block type and length; those are common
1123 		 * to all blocks.
1124 		 */
1125 		status = read_block(fp, p, &cursor, p->errbuf);
1126 		if (status == 0)
1127 			return (0);	/* EOF */
1128 		if (status == -1)
1129 			return (-1);	/* error */
1130 		switch (cursor.block_type) {
1131 
1132 		case BT_EPB:
1133 			/*
1134 			 * Get a pointer to the fixed-length portion of the
1135 			 * EPB.
1136 			 */
1137 			epbp = get_from_block_data(&cursor, sizeof(*epbp),
1138 			    p->errbuf);
1139 			if (epbp == NULL)
1140 				return (-1);	/* error */
1141 
1142 			/*
1143 			 * Byte-swap it if necessary.
1144 			 */
1145 			if (p->swapped) {
1146 				/* these were written in opposite byte order */
1147 				interface_id = SWAPLONG(epbp->interface_id);
1148 				hdr->caplen = SWAPLONG(epbp->caplen);
1149 				hdr->len = SWAPLONG(epbp->len);
1150 				t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1151 				    SWAPLONG(epbp->timestamp_low);
1152 			} else {
1153 				interface_id = epbp->interface_id;
1154 				hdr->caplen = epbp->caplen;
1155 				hdr->len = epbp->len;
1156 				t = ((uint64_t)epbp->timestamp_high) << 32 |
1157 				    epbp->timestamp_low;
1158 			}
1159 			goto found;
1160 
1161 		case BT_SPB:
1162 			/*
1163 			 * Get a pointer to the fixed-length portion of the
1164 			 * SPB.
1165 			 */
1166 			spbp = get_from_block_data(&cursor, sizeof(*spbp),
1167 			    p->errbuf);
1168 			if (spbp == NULL)
1169 				return (-1);	/* error */
1170 
1171 			/*
1172 			 * SPB packets are assumed to have arrived on
1173 			 * the first interface.
1174 			 */
1175 			interface_id = 0;
1176 
1177 			/*
1178 			 * Byte-swap it if necessary.
1179 			 */
1180 			if (p->swapped) {
1181 				/* these were written in opposite byte order */
1182 				hdr->len = SWAPLONG(spbp->len);
1183 			} else
1184 				hdr->len = spbp->len;
1185 
1186 			/*
1187 			 * The SPB doesn't give the captured length;
1188 			 * it's the minimum of the snapshot length
1189 			 * and the packet length.
1190 			 */
1191 			hdr->caplen = hdr->len;
1192 			if (hdr->caplen > (bpf_u_int32)p->snapshot)
1193 				hdr->caplen = p->snapshot;
1194 			t = 0;	/* no time stamps */
1195 			goto found;
1196 
1197 		case BT_PB:
1198 			/*
1199 			 * Get a pointer to the fixed-length portion of the
1200 			 * PB.
1201 			 */
1202 			pbp = get_from_block_data(&cursor, sizeof(*pbp),
1203 			    p->errbuf);
1204 			if (pbp == NULL)
1205 				return (-1);	/* error */
1206 
1207 			/*
1208 			 * Byte-swap it if necessary.
1209 			 */
1210 			if (p->swapped) {
1211 				/* these were written in opposite byte order */
1212 				interface_id = SWAPSHORT(pbp->interface_id);
1213 				hdr->caplen = SWAPLONG(pbp->caplen);
1214 				hdr->len = SWAPLONG(pbp->len);
1215 				t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1216 				    SWAPLONG(pbp->timestamp_low);
1217 			} else {
1218 				interface_id = pbp->interface_id;
1219 				hdr->caplen = pbp->caplen;
1220 				hdr->len = pbp->len;
1221 				t = ((uint64_t)pbp->timestamp_high) << 32 |
1222 				    pbp->timestamp_low;
1223 			}
1224 			goto found;
1225 
1226 		case BT_IDB:
1227 			/*
1228 			 * Interface Description Block.  Get a pointer
1229 			 * to its fixed-length portion.
1230 			 */
1231 			idbp = get_from_block_data(&cursor, sizeof(*idbp),
1232 			    p->errbuf);
1233 			if (idbp == NULL)
1234 				return (-1);	/* error */
1235 
1236 			/*
1237 			 * Byte-swap it if necessary.
1238 			 */
1239 			if (p->swapped) {
1240 				idbp->linktype = SWAPSHORT(idbp->linktype);
1241 				idbp->snaplen = SWAPLONG(idbp->snaplen);
1242 			}
1243 
1244 			/*
1245 			 * If the link-layer type or snapshot length
1246 			 * differ from the ones for the first IDB we
1247 			 * saw, quit.
1248 			 *
1249 			 * XXX - just discard packets from those
1250 			 * interfaces?
1251 			 */
1252 			if (p->linktype != idbp->linktype) {
1253 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1254 				    "an interface has a type %u different from the type of the first interface",
1255 				    idbp->linktype);
1256 				return (-1);
1257 			}
1258 
1259 			/*
1260 			 * Check against the *adjusted* value of this IDB's
1261 			 * snapshot length.
1262 			 */
1263 			if ((bpf_u_int32)p->snapshot !=
1264 			    pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
1265 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1266 				    "an interface has a snapshot length %u different from the snapshot length of the first interface",
1267 				    idbp->snaplen);
1268 				return (-1);
1269 			}
1270 
1271 			/*
1272 			 * Try to add this interface.
1273 			 */
1274 			if (!add_interface(p, idbp, &cursor, p->errbuf))
1275 				return (-1);
1276 			break;
1277 
1278 		case BT_SHB:
1279 			/*
1280 			 * Section Header Block.  Get a pointer
1281 			 * to its fixed-length portion.
1282 			 */
1283 			shbp = get_from_block_data(&cursor, sizeof(*shbp),
1284 			    p->errbuf);
1285 			if (shbp == NULL)
1286 				return (-1);	/* error */
1287 
1288 			/*
1289 			 * Assume the byte order of this section is
1290 			 * the same as that of the previous section.
1291 			 * We'll check for that later.
1292 			 */
1293 			if (p->swapped) {
1294 				shbp->byte_order_magic =
1295 				    SWAPLONG(shbp->byte_order_magic);
1296 				shbp->major_version =
1297 				    SWAPSHORT(shbp->major_version);
1298 			}
1299 
1300 			/*
1301 			 * Make sure the byte order doesn't change;
1302 			 * pcap_is_swapped() shouldn't change its
1303 			 * return value in the middle of reading a capture.
1304 			 */
1305 			switch (shbp->byte_order_magic) {
1306 
1307 			case BYTE_ORDER_MAGIC:
1308 				/*
1309 				 * OK.
1310 				 */
1311 				break;
1312 
1313 			case SWAPLONG(BYTE_ORDER_MAGIC):
1314 				/*
1315 				 * Byte order changes.
1316 				 */
1317 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1318 				    "the file has sections with different byte orders");
1319 				return (-1);
1320 
1321 			default:
1322 				/*
1323 				 * Not a valid SHB.
1324 				 */
1325 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1326 				    "the file has a section with a bad byte order magic field");
1327 				return (-1);
1328 			}
1329 
1330 			/*
1331 			 * Make sure the major version is the version
1332 			 * we handle.
1333 			 */
1334 			if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1335 				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1336 				    "unknown pcapng savefile major version number %u",
1337 				    shbp->major_version);
1338 				return (-1);
1339 			}
1340 
1341 			/*
1342 			 * Reset the interface count; this section should
1343 			 * have its own set of IDBs.  If any of them
1344 			 * don't have the same interface type, snapshot
1345 			 * length, or resolution as the first interface
1346 			 * we saw, we'll fail.  (And if we don't see
1347 			 * any IDBs, we'll fail when we see a packet
1348 			 * block.)
1349 			 */
1350 			ps->ifcount = 0;
1351 			break;
1352 
1353 		default:
1354 			/*
1355 			 * Not a packet block, IDB, or SHB; ignore it.
1356 			 */
1357 			break;
1358 		}
1359 	}
1360 
1361 found:
1362 	/*
1363 	 * Is the interface ID an interface we know?
1364 	 */
1365 	if (interface_id >= ps->ifcount) {
1366 		/*
1367 		 * Yes.  Fail.
1368 		 */
1369 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1370 		    "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1371 		    interface_id);
1372 		return (-1);
1373 	}
1374 
1375 	if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1376 		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1377 		    "invalid packet capture length %u, bigger than "
1378 		    "snaplen of %d", hdr->caplen, p->snapshot);
1379 		return (-1);
1380 	}
1381 
1382 	/*
1383 	 * Convert the time stamp to seconds and fractions of a second,
1384 	 * with the fractions being in units of the file-supplied resolution.
1385 	 */
1386 	sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1387 	frac = t % ps->ifaces[interface_id].tsresol;
1388 
1389 	/*
1390 	 * Convert the fractions from units of the file-supplied resolution
1391 	 * to units of the user-requested resolution.
1392 	 */
1393 	switch (ps->ifaces[interface_id].scale_type) {
1394 
1395 	case PASS_THROUGH:
1396 		/*
1397 		 * The interface resolution is what the user wants,
1398 		 * so we're done.
1399 		 */
1400 		break;
1401 
1402 	case SCALE_UP_DEC:
1403 		/*
1404 		 * The interface resolution is less than what the user
1405 		 * wants; scale the fractional part up to the units of
1406 		 * the resolution the user requested by multiplying by
1407 		 * the quotient of the user-requested resolution and the
1408 		 * file-supplied resolution.
1409 		 *
1410 		 * Those resolutions are both powers of 10, and the user-
1411 		 * requested resolution is greater than the file-supplied
1412 		 * resolution, so the quotient in question is an integer.
1413 		 * We've calculated that quotient already, so we just
1414 		 * multiply by it.
1415 		 */
1416 		frac *= ps->ifaces[interface_id].scale_factor;
1417 		break;
1418 
1419 	case SCALE_UP_BIN:
1420 		/*
1421 		 * The interface resolution is less than what the user
1422 		 * wants; scale the fractional part up to the units of
1423 		 * the resolution the user requested by multiplying by
1424 		 * the quotient of the user-requested resolution and the
1425 		 * file-supplied resolution.
1426 		 *
1427 		 * The file-supplied resolution is a power of 2, so the
1428 		 * quotient is not an integer, so, in order to do this
1429 		 * entirely with integer arithmetic, we multiply by the
1430 		 * user-requested resolution and divide by the file-
1431 		 * supplied resolution.
1432 		 *
1433 		 * XXX - Is there something clever we could do here,
1434 		 * given that we know that the file-supplied resolution
1435 		 * is a power of 2?  Doing a multiplication followed by
1436 		 * a division runs the risk of overflowing, and involves
1437 		 * two non-simple arithmetic operations.
1438 		 */
1439 		frac *= ps->user_tsresol;
1440 		frac /= ps->ifaces[interface_id].tsresol;
1441 		break;
1442 
1443 	case SCALE_DOWN_DEC:
1444 		/*
1445 		 * The interface resolution is greater than what the user
1446 		 * wants; scale the fractional part up to the units of
1447 		 * the resolution the user requested by multiplying by
1448 		 * the quotient of the user-requested resolution and the
1449 		 * file-supplied resolution.
1450 		 *
1451 		 * Those resolutions are both powers of 10, and the user-
1452 		 * requested resolution is less than the file-supplied
1453 		 * resolution, so the quotient in question isn't an
1454 		 * integer, but its reciprocal is, and we can just divide
1455 		 * by the reciprocal of the quotient.  We've calculated
1456 		 * the reciprocal of that quotient already, so we must
1457 		 * divide by it.
1458 		 */
1459 		frac /= ps->ifaces[interface_id].scale_factor;
1460 		break;
1461 
1462 
1463 	case SCALE_DOWN_BIN:
1464 		/*
1465 		 * The interface resolution is greater than what the user
1466 		 * wants; convert the fractional part to units of the
1467 		 * resolution the user requested by multiplying by the
1468 		 * quotient of the user-requested resolution and the
1469 		 * file-supplied resolution.  We do that by multiplying
1470 		 * by the user-requested resolution and dividing by the
1471 		 * file-supplied resolution, as the quotient might not
1472 		 * fit in an integer.
1473 		 *
1474 		 * The file-supplied resolution is a power of 2, so the
1475 		 * quotient is not an integer, and neither is its
1476 		 * reciprocal, so, in order to do this entirely with
1477 		 * integer arithmetic, we multiply by the user-requested
1478 		 * resolution and divide by the file-supplied resolution.
1479 		 *
1480 		 * XXX - Is there something clever we could do here,
1481 		 * given that we know that the file-supplied resolution
1482 		 * is a power of 2?  Doing a multiplication followed by
1483 		 * a division runs the risk of overflowing, and involves
1484 		 * two non-simple arithmetic operations.
1485 		 */
1486 		frac *= ps->user_tsresol;
1487 		frac /= ps->ifaces[interface_id].tsresol;
1488 		break;
1489 	}
1490 #ifdef _WIN32
1491 	/*
1492 	 * tv_sec and tv_used in the Windows struct timeval are both
1493 	 * longs.
1494 	 */
1495 	hdr->ts.tv_sec = (long)sec;
1496 	hdr->ts.tv_usec = (long)frac;
1497 #else
1498 	/*
1499 	 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1500 	 * suseconds_t in UN*Xes that work the way the current Single
1501 	 * UNIX Standard specify - but not all older UN*Xes necessarily
1502 	 * support that type, so just cast to int.
1503 	 */
1504 	hdr->ts.tv_sec = (time_t)sec;
1505 	hdr->ts.tv_usec = (int)frac;
1506 #endif
1507 
1508 	/*
1509 	 * Get a pointer to the packet data.
1510 	 */
1511 	*data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1512 	if (*data == NULL)
1513 		return (-1);
1514 
1515 	pcap_post_process(p->linktype, p->swapped, hdr, *data);
1516 
1517 	return (1);
1518 }
1519