libpcap
libpcap copied to clipboard
Published
20 hours ago •
the-tcpdump-group
the-tcpdump-group
Optimization breaks matching: (1 = 0) || (1 / 4294967295 = 0) and (0 & 4294967295 = 0)
Logically, this filter is 'false or true and true', and it should match all packets. With optimization enabled, it matches no packets, although variants where 4294967295 (0xffffffff) is replaced with any other number seem to work correctly.
% tcpdump -O -ntr ../tests/data/tcp-ack-66-bytes.pcap '(1 = 0) || (2147483648 / 4294967295 = 0) and (0 & 4294967295 = 0)'
reading from file ../tests/data/tcp-ack-66-bytes.pcap, link-type EN10MB (Ethernet)
IP 149.174.156.93.54192 > 178.79.150.233.80: Flags [.], ack 3209860838, win 31, options [nop,nop,TS val 2756387939 ecr 4173199779], length 0
%
% tcpdump -ntr ../tests/data/tcp-ack-66-bytes.pcap '(1 = 0) || (2147483648 / 4294967295 = 0) and (0 & 4294967295 = 0)'
reading from file ../tests/data/tcp-ack-66-bytes.pcap, link-type EN10MB (Ethernet)
%
% tcpdump -ntr ../tests/data/tcp-ack-66-bytes.pcap -d '(1 = 0) || (2147483648 / 4294967295 = 0) and (0 & 4294967295 = 0)'
reading from file ../tests/data/tcp-ack-66-bytes.pcap, link-type EN10MB (Ethernet)
(000) ld #0x1
(001) jeq #0x0 jt 2 jf 3
(002) ret #262144
(003) ret #0
All of the above is the same if 2147483648 is replaced with smaller numbers, including 0 or 1.
tcpdump version 4.5.1 libpcap version 1.5.3
This may or may not be related to https://github.com/the-tcpdump-group/libpcap/issues/434
Interestingly, inverting the || yields the correct results.
tcpdump "(0 & 4294967295 = 0) && (1 / 4294967295 = 0) || (1 = 0)" lets all packets pass.
