pcap/file: normalize file timestamps

Normalize the timestamps that are too far in the past to epoch. Bug: #6240.
2 years ago · 33fca4d4db
parent 8dc12f5f14
commit 33fca4d4db
2 changed files with 8 additions and 1 deletions
--- a/src/source-pcap-file-helper.c
+++ b/src/source-pcap-file-helper.c
@ -77,7 +77,7 @@ void PcapFileCallbackLoop(char *user, struct pcap_pkthdr *h, u_char *pkt)
    PACKET_PROFILING_TMM_START(p, TMM_RECEIVEPCAPFILE);

    PKT_SET_SRC(p, PKT_SRC_WIRE);
-    p->ts = SCTIME_FROM_TIMEVAL(&h->ts);
+    p->ts = SCTIME_FROM_TIMEVAL_UNTRUSTED(&h->ts);
    SCLogDebug("p->ts.tv_sec %" PRIuMAX "", (uintmax_t)SCTIME_SECS(p->ts));
    p->datalink = ptv->datalink;
    p->pcap_cnt = ++pcap_g.cnt;
--- a/src/util-time.h
+++ b/src/util-time.h
@ -73,6 +73,13 @@ typedef struct {
    {                                                                                              \
        .secs = (tv)->tv_sec, .usecs = (tv)->tv_usec                                               \
    }
+/** \brief variant to deal with potentially bad timestamps, like from pcap files */
+#define SCTIME_FROM_TIMEVAL_UNTRUSTED(tv)                                                          \
+    (SCTime_t)                                                                                     \
+    {                                                                                              \
+        .secs = ((tv)->tv_sec > 0) ? (tv)->tv_sec : 0,                                             \
+        .usecs = ((tv)->tv_usec > 0) ? (tv)->tv_usec : 0                                           \
+    }
 #define SCTIME_FROM_TIMESPEC(ts)                                                                   \
    (SCTime_t)                                                                                     \
    {                                                                                              \