Actions
Bug #5436
closedInfinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Affected Versions:
Effort:
Difficulty:
Label:
Description
How to reproduce: start suricata in live-pcap mode. Bring the sniffing interface down with ip link set {interface_name} down, then bring it up again.
Suricata doesn't exit, but it no longer produces events either.
The problem appears to be that function ReceivePcapLoop keeps calling PcapTryReopen in a loop, which in turn keeps returning PCAP_ERROR_ACTIVATED, resulting in an infinite loop.
The following patch fixes it:
--- a/src/source-pcap.c
+++ b/src/source-pcap.c
@@ -250,6 +250,7 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *slo
t)
ptv->slot = s->slot_next;
ptv->cb_result = TM_ECODE_OK;
+ TmEcode retval = TM_ECODE_OK;
while (1) {
if (suricata_ctl_flags & SURICATA_STOP) {
@@ -278,7 +279,16 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *sl
ot)
break;
}
r = PcapTryReopen(ptv);
- } while (r < 0);
+ switch(r) {
+ case PCAP_ERROR_ACTIVATED:
+ /* "the operation can't be performed on already
+ activated captures" - permanent error, exit
+ */
+ dbreak = 1;
+ retval = TM_ECODE_FAILED;
+ break;
+ }
+ } while (r < 0 && dbreak == 0);
if (dbreak) {
break;
}
@@ -292,7 +302,7 @@ TmEcode ReceivePcapLoop(ThreadVars *tv, void *data, void *slot)
PcapDumpCounters(ptv);
StatsSyncCountersIfSignalled(tv);
- SCReturnInt(TM_ECODE_OK);
+ SCReturnInt(retval);
}
/**
Actions