Qt: A file or packet comment that is too large will corrupt the pcapng file
Summary
A file level comment that is "too large" will result in a corrupted pcapng capture file when the file is saved.
Steps to reproduce
- Download the attached file "large-shb-comment.pcapng" that includes a large, but not too large, file level comment
- Confirm the presence of the large file level comment with the command:
capinfos large-shb-comment.pcapng
- Start Wireshark and open the file large-shb-comment.pcapng
- Open the Statistics -> Capture File Properties dialog:
- Insert two additional characters (such as "XX") at the beginning of the "Capture File Comments"
- Click the [Save Comments] button
- Click the [Close] button
- Select the menu item File -> Save As to open the Save Capture File As dialog:
- Enter a name to save to such as: XXlarge-shb-comment.pcapng
- Click the [Save] button
- At this point Wireshark will display an error message (see below) reporting:
The file "XXlarge-shb-comment.pcapng" appears to be damaged or corrupt.
(pcapng: total block lengths (first 40 and second 20) don't match)
Note 1: The original comment data added to this pcapng file was composed of 897 lines of 72 bytes of text plus a 73rd byte for the new line character followed by one final line of 55 bytes of text without the newline character. This implies an apparent current max file comment size of 65536 bytes ((897 * (72+1)) + 55). When the capinfos utility is used to display the file level comment, the various comment records are concatenated together as if there are no end-of-line characters.
Note 2: Starting with the same test file large-shb-comment.pcapng, if only a single extra character is added to the comment block and saved to a new file, then the entire comment block will be silently missing from the newly created pcapng file.
What is the current bug behavior?
The capture file becomes unusable if the file comment is too big when the file is saved.
This bug was discovered when a large amount of the CLI output from a set of DNS "dig" commands was attempted to be saved as a file comment to the pcapng file that recorded the results of the various dig commands.
What is the expected correct behavior?
The capture file should not get corrupted because of the size of the file comment text.
Sample capture file
Relevant logs and/or screenshots
Build information
Wireshark 3.7.3rc0-28-gfe573cfe9a6d (v3.7.3rc0-28-gfe573cfe9a6d)
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4,
with PCRE2, with zlib 1.2.11, with Qt 5.15.3, with libpcap, without POSIX
capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with
Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi
0.4.8, with QtMultimedia, with automatic updates using Sparkle, with SpeexDSP
(using system library), with Minizip, with binary plugins.
Running on Mac OS X 10.16, build 21G72 (Darwin 21.6.0), with Intel(R) Core(TM)
i9-9880H CPU @ 2.30GHz (with SSE4.2), with 16384 MB of physical memory, with
GLib 2.68.4, with PCRE2 10.39 2021-10-29, with zlib 1.2.11, with Qt 5.15.3, with
libpcap 1.9.1, with c-ares 1.15.0, with GnuTLS 3.6.15, with Gcrypt 1.8.7, with
nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.2, with Zstandard 1.4.2, with
libsmi 0.4.8, with LC_TYPE=en_US.UTF-8, binary plugins supported.
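Added example (not part of the original report and not Wireshark code): a small checker that walks the blocks of a pcapng byte string, verifies that each block's leading and trailing total-length fields agree (the condition behind the error quoted above), and lists the length of every file-level comment option it finds. It assumes a little-endian section; the helper names and the sample block are constructed for illustration.

```python
import struct

SHB_TYPE, BYTE_ORDER_MAGIC = 0x0A0D0D0A, 0x1A2B3C4D
OPT_ENDOFOPT, OPT_COMMENT = 0, 1

def pad4(n):
    return (n + 3) & ~3  # option values are padded to a 32-bit boundary

def build_shb(comments):
    """Constructed sample: a little-endian Section Header Block with opt_comment options."""
    opts = b"".join(struct.pack("<HH", OPT_COMMENT, len(c)) + c.ljust(pad4(len(c)), b"\0")
                    for c in comments) + struct.pack("<HH", OPT_ENDOFOPT, 0)
    body = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + opts
    total = 12 + len(body)  # type + leading length + body + trailing length
    return struct.pack("<II", SHB_TYPE, total) + body + struct.pack("<I", total)

def shb_comment_lengths(opts):
    """Walk an SHB option list and return the length of every opt_comment."""
    lens, p = [], 0
    while p + 4 <= len(opts):
        code, length = struct.unpack_from("<HH", opts, p)
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_COMMENT:
            lens.append(length)
        p += 4 + pad4(length)
    return lens

def check_blocks(data):
    """Return (problems, comment_lengths); stops at the first framing error."""
    problems, lens, off = [], [], 0
    while off < len(data):
        if len(data) - off < 12:
            problems.append(f"offset {off}: truncated block")
            break
        btype, first = struct.unpack_from("<II", data, off)
        if first < 12 or first % 4 or off + first > len(data):
            problems.append(f"offset {off}: bad total block length {first}")
            break
        (second,) = struct.unpack_from("<I", data, off + first - 4)
        if first != second:
            problems.append(f"offset {off}: total block lengths "
                            f"(first {first} and second {second}) don't match")
            break
        if btype == SHB_TYPE:
            lens += shb_comment_lengths(data[off + 24:off + first - 4])
        off += first
    return problems, lens
```

To check a saved file, pass its contents, for example check_blocks(open(path, "rb").read()), and compare the reported comment lengths before and after the save.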