Don't fail if a pcap-NG PB or EPB has caplen > actual len.

We don't fail for other file types; there's no point in failing for
pcap-NG.  wtap_read() will ensure that caplen <= len.

Make wtap_seek_read() ensure that caplen <= len as well.

Fixes bug 10037.

Change-Id: I41fbcf54341ea0429cef875442ea1f1377177a5f
Reviewed-on: https://code.wireshark.org/review/1353
Reviewed-by: Guy Harris <guy@alum.mit.edu>

1 files changed, 19 insertions, 1 deletions

diff --git a/wiretap/wtap.c b/wiretap/wtap.c
index 2d04375366..343a9b23c4 100644
--- a/wiretap/wtap.c
+++ b/wiretap/wtap.c
@@ -1075,5 +1075,23 @@ gboolean
 wtap_seek_read(wtap *wth, gint64 seek_off,
 	struct wtap_pkthdr *phdr, Buffer *buf, int *err, gchar **err_info)
 {
-	return wth->subtype_seek_read(wth, seek_off, phdr, buf, err, err_info);
+	if (!wth->subtype_seek_read(wth, seek_off, phdr, buf, err, err_info))
+		return FALSE;
+
+	/*
+	 * It makes no sense for the captured data length to be bigger
+	 * than the actual data length.
+	 */
+	if (wth->phdr.caplen > wth->phdr.len)
+		wth->phdr.caplen = wth->phdr.len;
+
+	/*
+	 * Make sure that it's not WTAP_ENCAP_PER_PACKET, as that
+	 * probably means the file has that encapsulation type
+	 * but the read routine didn't set this packet's
+	 * encapsulation type.
+	 */
+	g_assert(wth->phdr.pkt_encap != WTAP_ENCAP_PER_PACKET);
+
+	return TRUE;
 }