"Fossies" - the Fresh Open Source Software Archive

Member "libpcap-1.10.1/./pcap-rpcap.c" (7 Jun 2021, 105522 Bytes) of package /linux/misc/libpcap-1.10.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "pcap-rpcap.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 1.10.0_vs_1.10.1.

    1 /*
    2  * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
    3  * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
    4  * All rights reserved.
    5  *
    6  * Redistribution and use in source and binary forms, with or without
    7  * modification, are permitted provided that the following conditions
    8  * are met:
    9  *
   10  * 1. Redistributions of source code must retain the above copyright
   11  * notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  * notice, this list of conditions and the following disclaimer in the
   14  * documentation and/or other materials provided with the distribution.
   15  * 3. Neither the name of the Politecnico di Torino, CACE Technologies
   16  * nor the names of its contributors may be used to endorse or promote
   17  * products derived from this software without specific prior written
   18  * permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   22  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
   23  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
   24  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   25  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   26  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
   30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   31  *
   32  */
   33 
   34 #ifdef HAVE_CONFIG_H
   35 #include <config.h>
   36 #endif
   37 
   38 #include "ftmacros.h"
   39 
   40 #include <string.h>     /* for strlen(), ... */
   41 #include <stdlib.h>     /* for malloc(), free(), ... */
   42 #include <stdarg.h>     /* for functions with variable number of arguments */
   43 #include <errno.h>      /* for the errno variable */
   44 #include "sockutils.h"
   45 #include "pcap-int.h"
   46 #include "rpcap-protocol.h"
   47 #include "pcap-rpcap.h"
   48 
   49 #ifdef _WIN32
   50 #include "charconv.h"       /* for utf_8_to_acp_truncated() */
   51 #endif
   52 
   53 #ifdef HAVE_OPENSSL
   54 #include "sslutils.h"
   55 #endif
   56 
   57 /*
   58  * This file contains the pcap module for capturing from a remote machine's
   59  * interfaces using the RPCAP protocol.
   60  *
   61  * WARNING: All the RPCAP functions that are allowed to return a buffer
   62  * containing the error description can return max PCAP_ERRBUF_SIZE characters.
   63  * However there is no guarantees that the string will be zero-terminated.
   64  * Best practice is to define the errbuf variable as a char of size
   65  * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
   66  * of the buffer. This will guarantee that no buffer overflows occur even
   67  * if we use the printf() to show the error on the screen.
   68  *
   69  * XXX - actually, null-terminating the error string is part of the
   70  * contract for the pcap API; if there's any place in the pcap code
   71  * that doesn't guarantee null-termination, even at the expense of
   72  * cutting the message short, that's a bug and needs to be fixed.
   73  */
   74 
   75 #define PCAP_STATS_STANDARD 0   /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
   76 #ifdef _WIN32
   77 #define PCAP_STATS_EX       1   /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
   78 #endif
   79 
   80 /*
   81  * \brief Keeps a list of all the opened connections in the active mode.
   82  *
   83  * This structure defines a linked list of items that are needed to keep the info required to
   84  * manage the active mode.
   85  * In other words, when a new connection in active mode starts, this structure is updated so that
   86  * it reflects the list of active mode connections currently opened.
   87  * This structure is required by findalldevs() and open_remote() to see if they have to open a new
   88  * control connection toward the host, or they already have a control connection in place.
   89  */
   90 struct activehosts
   91 {
   92     struct sockaddr_storage host;
   93     SOCKET sockctrl;
   94     SSL *ssl;
   95     uint8 protocol_version;
   96     struct activehosts *next;
   97 };
   98 
   99 /* Keeps a list of all the opened connections in the active mode. */
  100 static struct activehosts *activeHosts;
  101 
  102 /*
  103  * Keeps the main socket identifier when we want to accept a new remote
  104  * connection (active mode only).
  105  * See the documentation of pcap_remoteact_accept() and
  106  * pcap_remoteact_cleanup() for more details.
  107  */
  108 static SOCKET sockmain;
  109 static SSL *ssl_main;
  110 
  111 /*
  112  * Private data for capturing remotely using the rpcap protocol.
  113  */
  114 struct pcap_rpcap {
  115     /*
  116      * This is '1' if we're the network client; it is needed by several
  117      * functions (such as pcap_setfilter()) to know whether they have
  118      * to use the socket or have to open the local adapter.
  119      */
  120     int rmt_clientside;
  121 
  122     SOCKET rmt_sockctrl;        /* socket ID of the socket used for the control connection */
  123     SOCKET rmt_sockdata;        /* socket ID of the socket used for the data connection */
  124     SSL *ctrl_ssl, *data_ssl;   /* optional transport of rmt_sockctrl and rmt_sockdata via TLS */
  125     int rmt_flags;          /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
  126     int rmt_capstarted;     /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
  127     char *currentfilter;        /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
  128 
  129     uint8 protocol_version;     /* negotiated protocol version */
  130     uint8 uses_ssl;             /* User asked for rpcaps scheme */
  131 
  132     unsigned int TotNetDrops;   /* keeps the number of packets that have been dropped by the network */
  133 
  134     /*
  135      * This keeps the number of packets that have been received by the
  136      * application.
  137      *
  138      * Packets dropped by the kernel buffer are not counted in this
  139      * variable. It is always equal to (TotAccepted - TotDrops),
  140      * except for the case of remote capture, in which we have also
  141      * packets in flight, i.e. that have been transmitted by the remote
  142      * host, but that have not been received (yet) from the client.
  143      * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
  144      * wrong result, since this number does not corresponds always to
  145      * the number of packet received by the application. For this reason,
  146      * in the remote capture we need another variable that takes into
  147      * account of the number of packets actually received by the
  148      * application.
  149      */
  150     unsigned int TotCapt;
  151 
  152     struct pcap_stat stat;
  153     /* XXX */
  154     struct pcap *next;      /* list of open pcaps that need stuff cleared on close */
  155 };
  156 
  157 /****************************************************
  158  *                                                  *
  159  * Locally defined functions                        *
  160  *                                                  *
  161  ****************************************************/
  162 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
  163 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
  164 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
  165 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
  166 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
  167 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
  168 static int pcap_setsampling_remote(pcap_t *fp);
  169 static int pcap_startcapture_remote(pcap_t *fp);
  170 static int rpcap_recv_msg_header(SOCKET sock, SSL *, struct rpcap_header *header, char *errbuf);
  171 static int rpcap_check_msg_ver(SOCKET sock, SSL *, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
  172 static int rpcap_check_msg_type(SOCKET sock, SSL *, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
  173 static int rpcap_process_msg_header(SOCKET sock, SSL *, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
  174 static int rpcap_recv(SOCKET sock, SSL *, void *buffer, size_t toread, uint32 *plen, char *errbuf);
  175 static void rpcap_msg_err(SOCKET sockctrl, SSL *, uint32 plen, char *remote_errbuf);
  176 static int rpcap_discard(SOCKET sock, SSL *, uint32 len, char *errbuf);
  177 static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size);
  178 
  179 /****************************************************
  180  *                                                  *
  181  * Function bodies                                  *
  182  *                                                  *
  183  ****************************************************/
  184 
  185 /*
  186  * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
  187  * structure from the network byte order to a 'sockaddr_in" or
  188  * 'sockaddr_in6' structure in the host byte order.
  189  *
  190  * It accepts an 'rpcap_sockaddr' structure as it is received from the
  191  * network, and checks the address family field against various values
  192  * to see whether it looks like an IPv4 address, an IPv6 address, or
  193  * neither of those.  It checks for multiple values in order to try
  194  * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
  195  * or 'sockaddr_in6' structures over the wire with some members
  196  * byte-swapped, and to handle the fact that AF_INET6 has different
  197  * values on different OSes.
  198  *
  199  * For IPv4 addresses, it converts the address family to host byte
  200  * order from network byte order and puts it into the structure,
  201  * sets the length if a sockaddr structure has a length, converts the
  202  * port number to host byte order from network byte order and puts
  203  * it into the structure, copies over the IPv4 address, and zeroes
  204  * out the zero padding.
  205  *
  206  * For IPv6 addresses, it converts the address family to host byte
  207  * order from network byte order and puts it into the structure,
  208  * sets the length if a sockaddr structure has a length, converts the
  209  * port number and flow information to host byte order from network
  210  * byte order and puts them into the structure, copies over the IPv6
  211  * address, and converts the scope ID to host byte order from network
  212  * byte order and puts it into the structure.
  213  *
  214  * The function will allocate the 'sockaddrout' variable according to the
  215  * address family in use. In case the address does not belong to the
  216  * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
  217  * NULL pointer is returned.  This usually happens because that address
  218  * does not exist on the other host, or is of an address family other
  219  * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
  220  * structure containing all 'zero' values.
  221  *
  222  * Older RPCAPDs sent the addresses over the wire in the OS's native
  223  * structure format.  For most OSes, this looks like the over-the-wire
  224  * format, but might have a different value for AF_INET6 than the value
  225  * on the machine receiving the reply.  For OSes with the newer BSD-style
  226  * sockaddr structures, this has, instead of a 2-byte address family,
  227  * a 1-byte structure length followed by a 1-byte address family.  The
  228  * RPCAPD code would put the address family in network byte order before
  229  * sending it; that would set it to 0 on a little-endian machine, as
  230  * htons() of any value between 1 and 255 would result in a value > 255,
  231  * with its lower 8 bits zero, so putting that back into a 1-byte field
  232  * would set it to 0.
  233  *
  234  * Therefore, for older RPCAPDs running on an OS with newer BSD-style
  235  * sockaddr structures, the family field, if treated as a big-endian
  236  * (network byte order) 16-bit field, would be:
  237  *
  238  *  (length << 8) | family if sent by a big-endian machine
  239  *  (length << 8) if sent by a little-endian machine
  240  *
  241  * For current RPCAPDs, and for older RPCAPDs running on an OS with
  242  * older BSD-style sockaddr structures, the family field, if treated
  243  * as a big-endian 16-bit field, would just contain the family.
  244  *
  245  * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
  246  * to be de-serialized.
  247  *
  248  * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
  249  * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
  250  * This variable will be allocated automatically inside this function.
  251  *
  252  * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
  253  * that will contain the error message (in case there is one).
  254  *
  255  * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
  256  * can be only the fact that the malloc() failed to allocate memory.
  257  * The error message is returned in the 'errbuf' variable, while the deserialized address
  258  * is returned into the 'sockaddrout' variable.
  259  *
  260  * \warning This function supports only AF_INET and AF_INET6 address families.
  261  *
  262  * \warning The sockaddrout (if not NULL) must be deallocated by the user.
  263  */
  264 
  265 /*
  266  * Possible IPv4 family values other than the designated over-the-wire value,
  267  * which is 2 (because everybody uses 2 for AF_INET4).
  268  */
  269 #define SOCKADDR_IN_LEN     16  /* length of struct sockaddr_in */
  270 #define SOCKADDR_IN6_LEN    28  /* length of struct sockaddr_in6 */
  271 #define NEW_BSD_AF_INET_BE  ((SOCKADDR_IN_LEN << 8) | 2)
  272 #define NEW_BSD_AF_INET_LE  (SOCKADDR_IN_LEN << 8)
  273 
  274 /*
  275  * Possible IPv6 family values other than the designated over-the-wire value,
  276  * which is 23 (because that's what Windows uses, and most RPCAP servers
  277  * out there are probably running Windows, as WinPcap includes the server
  278  * but few if any UN*Xes build and ship it).
  279  *
  280  * The new BSD sockaddr structure format was in place before 4.4-Lite, so
  281  * all the free-software BSDs use it.
  282  */
  283 #define NEW_BSD_AF_INET6_BSD_BE     ((SOCKADDR_IN6_LEN << 8) | 24)  /* NetBSD, OpenBSD, BSD/OS */
  284 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28)  /* FreeBSD, DragonFly BSD */
  285 #define NEW_BSD_AF_INET6_DARWIN_BE  ((SOCKADDR_IN6_LEN << 8) | 30)  /* macOS, iOS, anything else Darwin-based */
  286 #define NEW_BSD_AF_INET6_LE     (SOCKADDR_IN6_LEN << 8)
  287 #define LINUX_AF_INET6          10
  288 #define HPUX_AF_INET6           22
  289 #define AIX_AF_INET6            24
  290 #define SOLARIS_AF_INET6        26
  291 
  292 static int
  293 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
  294 {
  295     /* Warning: we support only AF_INET and AF_INET6 */
  296     switch (ntohs(sockaddrin->family))
  297     {
  298     case RPCAP_AF_INET:
  299     case NEW_BSD_AF_INET_BE:
  300     case NEW_BSD_AF_INET_LE:
  301         {
  302         struct rpcap_sockaddr_in *sockaddrin_ipv4;
  303         struct sockaddr_in *sockaddrout_ipv4;
  304 
  305         (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
  306         if ((*sockaddrout) == NULL)
  307         {
  308             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  309                 errno, "malloc() failed");
  310             return -1;
  311         }
  312         sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
  313         sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
  314         sockaddrout_ipv4->sin_family = AF_INET;
  315         sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
  316         memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
  317         memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
  318         break;
  319         }
  320 
  321 #ifdef AF_INET6
  322     case RPCAP_AF_INET6:
  323     case NEW_BSD_AF_INET6_BSD_BE:
  324     case NEW_BSD_AF_INET6_FREEBSD_BE:
  325     case NEW_BSD_AF_INET6_DARWIN_BE:
  326     case NEW_BSD_AF_INET6_LE:
  327     case LINUX_AF_INET6:
  328     case HPUX_AF_INET6:
  329     case AIX_AF_INET6:
  330     case SOLARIS_AF_INET6:
  331         {
  332         struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
  333         struct sockaddr_in6 *sockaddrout_ipv6;
  334 
  335         (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
  336         if ((*sockaddrout) == NULL)
  337         {
  338             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  339                 errno, "malloc() failed");
  340             return -1;
  341         }
  342         sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
  343         sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
  344         sockaddrout_ipv6->sin6_family = AF_INET6;
  345         sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
  346         sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
  347         memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
  348         sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
  349         break;
  350         }
  351 #endif
  352 
  353     default:
  354         /*
  355          * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
  356          * support AF_INET6, it's not AF_INET).
  357          */
  358         *sockaddrout = NULL;
  359         break;
  360     }
  361     return 0;
  362 }
  363 
  364 /*
  365  * This function reads a packet from the network socket.  It does not
  366  * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
  367  * the "nocb" string into its name).
  368  *
  369  * This function is called by pcap_read_rpcap().
  370  *
  371  * WARNING: By choice, this function does not make use of semaphores. A smarter
  372  * implementation should put a semaphore into the data thread, and a signal will
  373  * be raised as soon as there is data into the socket buffer.
  374  * However this is complicated and it does not bring any advantages when reading
  375  * from the network, in which network delays can be much more important than
  376  * these optimizations. Therefore, we chose the following approach:
  377  * - the 'timeout' chosen by the user is split in two (half on the server side,
  378  * with the usual meaning, and half on the client side)
  379  * - this function checks for packets; if there are no packets, it waits for
  380  * timeout/2 and then it checks again. If packets are still missing, it returns,
  381  * otherwise it reads packets.
  382  */
  383 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
  384 {
  385     struct pcap_rpcap *pr = p->priv;    /* structure used when doing a remote live capture */
  386     struct rpcap_header *header;        /* general header according to the RPCAP format */
  387     struct rpcap_pkthdr *net_pkt_header;    /* header of the packet, from the message */
  388     u_char *net_pkt_data;           /* packet data from the message */
  389     uint32 plen;
  390     int retval = 0;             /* generic return value */
  391     int msglen;
  392 
  393     /* Structures needed for the select() call */
  394     struct timeval tv;          /* maximum time the select() can block waiting for data */
  395     fd_set rfds;                /* set of socket descriptors we have to check */
  396 
  397     /*
  398      * Define the packet buffer timeout, to be used in the select()
  399      * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
  400      */
  401     tv.tv_sec = p->opt.timeout / 1000;
  402     tv.tv_usec = (suseconds_t)((p->opt.timeout - tv.tv_sec * 1000) * 1000);
  403 
  404 #ifdef HAVE_OPENSSL
  405     /* Check if we still have bytes available in the last decoded TLS record.
  406      * If that's the case, we know SSL_read will not block. */
  407     retval = pr->data_ssl && SSL_pending(pr->data_ssl) > 0;
  408 #endif
  409     if (! retval)
  410     {
  411         /* Watch out sockdata to see if it has input */
  412         FD_ZERO(&rfds);
  413 
  414         /*
  415          * 'fp->rmt_sockdata' has always to be set before calling the select(),
  416          * since it is cleared by the select()
  417          */
  418         FD_SET(pr->rmt_sockdata, &rfds);
  419 
  420 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  421         retval = 1;
  422 #else
  423         retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
  424 #endif
  425 
  426         if (retval == -1)
  427         {
  428 #ifndef _WIN32
  429             if (errno == EINTR)
  430             {
  431                 /* Interrupted. */
  432                 return 0;
  433             }
  434 #endif
  435             sock_geterror("select()", p->errbuf, PCAP_ERRBUF_SIZE);
  436             return -1;
  437         }
  438     }
  439 
  440     /* There is no data waiting, so return '0' */
  441     if (retval == 0)
  442         return 0;
  443 
  444     /*
  445      * We have to define 'header' as a pointer to a larger buffer,
  446      * because in case of UDP we have to read all the message within a single call
  447      */
  448     header = (struct rpcap_header *) p->buffer;
  449     net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
  450     net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
  451 
  452     if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
  453     {
  454         /* Read the entire message from the network */
  455         msglen = sock_recv_dgram(pr->rmt_sockdata, pr->data_ssl, p->buffer,
  456             p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
  457         if (msglen == -1)
  458         {
  459             /* Network error. */
  460             return -1;
  461         }
  462         if (msglen == -3)
  463         {
  464             /* Interrupted receive. */
  465             return 0;
  466         }
  467         if ((size_t)msglen < sizeof(struct rpcap_header))
  468         {
  469             /*
  470              * Message is shorter than an rpcap header.
  471              */
  472             snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  473                 "UDP packet message is shorter than an rpcap header");
  474             return -1;
  475         }
  476         plen = ntohl(header->plen);
  477         if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
  478         {
  479             /*
  480              * Message is shorter than the header claims it
  481              * is.
  482              */
  483             snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  484                 "UDP packet message is shorter than its rpcap header claims");
  485             return -1;
  486         }
  487     }
  488     else
  489     {
  490         int status;
  491 
  492         if ((size_t)p->cc < sizeof(struct rpcap_header))
  493         {
  494             /*
  495              * We haven't read any of the packet header yet.
  496              * The size we should get is the size of the
  497              * packet header.
  498              */
  499             status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header));
  500             if (status == -1)
  501             {
  502                 /* Network error. */
  503                 return -1;
  504             }
  505             if (status == -3)
  506             {
  507                 /* Interrupted receive. */
  508                 return 0;
  509             }
  510         }
  511 
  512         /*
  513          * We have the header, so we know how long the
  514          * message payload is.  The size we should get
  515          * is the size of the packet header plus the
  516          * size of the payload.
  517          */
  518         plen = ntohl(header->plen);
  519         if (plen > p->bufsize - sizeof(struct rpcap_header))
  520         {
  521             /*
  522              * This is bigger than the largest
  523              * record we'd expect.  (We do it by
  524              * subtracting in order to avoid an
  525              * overflow.)
  526              */
  527             snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  528                 "Server sent us a message larger than the largest expected packet message");
  529             return -1;
  530         }
  531         status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header) + plen);
  532         if (status == -1)
  533         {
  534             /* Network error. */
  535             return -1;
  536         }
  537         if (status == -3)
  538         {
  539             /* Interrupted receive. */
  540             return 0;
  541         }
  542 
  543         /*
  544          * We have the entire message; reset the buffer pointer
  545          * and count, as the next read should start a new
  546          * message.
  547          */
  548         p->bp = p->buffer;
  549         p->cc = 0;
  550     }
  551 
  552     /*
  553      * We have the entire message.
  554      */
  555     header->plen = plen;
  556 
  557     /*
  558      * Did the server specify the version we negotiated?
  559      */
  560     if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->data_ssl, pr->protocol_version,
  561         header, p->errbuf) == -1)
  562     {
  563         return 0;   /* Return 'no packets received' */
  564     }
  565 
  566     /*
  567      * Is this a RPCAP_MSG_PACKET message?
  568      */
  569     if (header->type != RPCAP_MSG_PACKET)
  570     {
  571         return 0;   /* Return 'no packets received' */
  572     }
  573 
  574     if (ntohl(net_pkt_header->caplen) > plen)
  575     {
  576         snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  577             "Packet's captured data goes past the end of the received packet message.");
  578         return -1;
  579     }
  580 
  581     /* Fill in packet header */
  582     pkt_header->caplen = ntohl(net_pkt_header->caplen);
  583     pkt_header->len = ntohl(net_pkt_header->len);
  584     pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
  585     pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
  586 
  587     /* Supply a pointer to the beginning of the packet data */
  588     *pkt_data = net_pkt_data;
  589 
  590     /*
  591      * I don't update the counter of the packets dropped by the network since we're using TCP,
  592      * therefore no packets are dropped. Just update the number of packets received correctly
  593      */
  594     pr->TotCapt++;
  595 
  596     if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
  597     {
  598         unsigned int npkt;
  599 
  600         /* We're using UDP, so we need to update the counter of the packets dropped by the network */
  601         npkt = ntohl(net_pkt_header->npkt);
  602 
  603         if (pr->TotCapt != npkt)
  604         {
  605             pr->TotNetDrops += (npkt - pr->TotCapt);
  606             pr->TotCapt = npkt;
  607         }
  608     }
  609 
  610     /* Packet read successfully */
  611     return 1;
  612 }
  613 
  614 /*
  615  * This function reads a packet from the network socket.
  616  *
  617  * This function relies on the pcap_read_nocb_remote to deliver packets. The
  618  * difference, here, is that as soon as a packet is read, it is delivered
  619  * to the application by means of a callback function.
  620  */
  621 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
  622 {
  623     struct pcap_rpcap *pr = p->priv;    /* structure used when doing a remote live capture */
  624     struct pcap_pkthdr pkt_header;
  625     u_char *pkt_data;
  626     int n = 0;
  627     int ret;
  628 
  629     /*
  630      * If this is client-side, and we haven't already started
  631      * the capture, start it now.
  632      */
  633     if (pr->rmt_clientside)
  634     {
  635         /* We are on an remote capture */
  636         if (!pr->rmt_capstarted)
  637         {
  638             /*
  639              * The capture isn't started yet, so try to
  640              * start it.
  641              */
  642             if (pcap_startcapture_remote(p))
  643                 return -1;
  644         }
  645     }
  646 
  647     while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
  648     {
  649         /*
  650          * Has "pcap_breakloop()" been called?
  651          */
  652         if (p->break_loop) {
  653             /*
  654              * Yes - clear the flag that indicates that it
  655              * has, and return PCAP_ERROR_BREAK to indicate
  656              * that we were told to break out of the loop.
  657              */
  658             p->break_loop = 0;
  659             return (PCAP_ERROR_BREAK);
  660         }
  661 
  662         /*
  663          * Read some packets.
  664          */
  665         ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
  666         if (ret == 1)
  667         {
  668             /*
  669              * We got a packet.  Hand it to the callback
  670              * and count it so we can return the count.
  671              */
  672             (*callback)(user, &pkt_header, pkt_data);
  673             n++;
  674         }
  675         else if (ret == -1)
  676         {
  677             /* Error. */
  678             return ret;
  679         }
  680         else
  681         {
  682             /*
  683              * No packet; this could mean that we timed
  684              * out, or that we got interrupted, or that
  685              * we got a bad packet.
  686              *
  687              * Were we told to break out of the loop?
  688              */
  689             if (p->break_loop) {
  690                 /*
  691                  * Yes.
  692                  */
  693                 p->break_loop = 0;
  694                 return (PCAP_ERROR_BREAK);
  695             }
  696             /* No - return the number of packets we've processed. */
  697             return n;
  698         }
  699     }
  700     return n;
  701 }
  702 
  703 /*
  704  * This function sends a CLOSE command to the capture server if we're in
  705  * passive mode and an ENDCAP command to the capture server if we're in
  706  * active mode.
  707  *
  708  * It is called when the user calls pcap_close().  It sends a command
  709  * to our peer that says 'ok, let's stop capturing'.
  710  *
  711  * WARNING: Since we're closing the connection, we do not check for errors.
  712  */
  713 static void pcap_cleanup_rpcap(pcap_t *fp)
  714 {
  715     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
  716     struct rpcap_header header;     /* header of the RPCAP packet */
  717     struct activehosts *temp;       /* temp var needed to scan the host list chain, to detect if we're in active mode */
  718     int active = 0;             /* active mode or not? */
  719 
  720     /* detect if we're in active mode */
  721     temp = activeHosts;
  722     while (temp)
  723     {
  724         if (temp->sockctrl == pr->rmt_sockctrl)
  725         {
  726             active = 1;
  727             break;
  728         }
  729         temp = temp->next;
  730     }
  731 
  732     if (!active)
  733     {
  734         rpcap_createhdr(&header, pr->protocol_version,
  735             RPCAP_MSG_CLOSE, 0, 0);
  736 
  737         /*
  738          * Send the close request; don't report any errors, as
  739          * we're closing this pcap_t, and have no place to report
  740          * the error.  No reply is sent to this message.
  741          */
  742         (void)sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
  743             sizeof(struct rpcap_header), NULL, 0);
  744     }
  745     else
  746     {
  747         rpcap_createhdr(&header, pr->protocol_version,
  748             RPCAP_MSG_ENDCAP_REQ, 0, 0);
  749 
  750         /*
  751          * Send the end capture request; don't report any errors,
  752          * as we're closing this pcap_t, and have no place to
  753          * report the error.
  754          */
  755         if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
  756             sizeof(struct rpcap_header), NULL, 0) == 0)
  757         {
  758             /*
  759              * Wait for the answer; don't report any errors,
  760              * as we're closing this pcap_t, and have no
  761              * place to report the error.
  762              */
  763             if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl,
  764                 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
  765                 &header, NULL) == 0)
  766             {
  767                 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl,
  768                     header.plen, NULL);
  769             }
  770         }
  771     }
  772 
  773     if (pr->rmt_sockdata)
  774     {
  775 #ifdef HAVE_OPENSSL
  776         if (pr->data_ssl)
  777         {
  778             // Finish using the SSL handle for the data socket.
  779             // This must be done *before* the socket is closed.
  780             ssl_finish(pr->data_ssl);
  781             pr->data_ssl = NULL;
  782         }
  783 #endif
  784         sock_close(pr->rmt_sockdata, NULL, 0);
  785         pr->rmt_sockdata = 0;
  786     }
  787 
  788     if ((!active) && (pr->rmt_sockctrl))
  789     {
  790 #ifdef HAVE_OPENSSL
  791         if (pr->ctrl_ssl)
  792         {
  793             // Finish using the SSL handle for the control socket.
  794             // This must be done *before* the socket is closed.
  795             ssl_finish(pr->ctrl_ssl);
  796             pr->ctrl_ssl = NULL;
  797         }
  798 #endif
  799         sock_close(pr->rmt_sockctrl, NULL, 0);
  800     }
  801 
  802     pr->rmt_sockctrl = 0;
  803     pr->ctrl_ssl = NULL;
  804 
  805     if (pr->currentfilter)
  806     {
  807         free(pr->currentfilter);
  808         pr->currentfilter = NULL;
  809     }
  810 
  811     pcap_cleanup_live_common(fp);
  812 
  813     /* To avoid inconsistencies in the number of sock_init() */
  814     sock_cleanup();
  815 }
  816 
  817 /*
  818  * This function retrieves network statistics from our peer;
  819  * it provides only the standard statistics.
  820  */
  821 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
  822 {
  823     struct pcap_stat *retval;
  824 
  825     retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
  826 
  827     if (retval)
  828         return 0;
  829     else
  830         return -1;
  831 }
  832 
  833 #ifdef _WIN32
  834 /*
  835  * This function retrieves network statistics from our peer;
  836  * it provides the additional statistics supported by pcap_stats_ex().
  837  */
  838 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
  839 {
  840     *pcap_stat_size = sizeof (p->stat);
  841 
  842     /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
  843     return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
  844 }
  845 #endif
  846 
  847 /*
  848  * This function retrieves network statistics from our peer.  It
  849  * is used by the two previous functions.
  850  *
  851  * It can be called in two modes:
  852  * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
  853  *   for pcap_stats())
  854  * - PCAP_STATS_EX: if we want extended statistics (i.e., for
  855  *   pcap_stats_ex())
  856  *
  857  * This 'mode' parameter is needed because in pcap_stats() the variable that
  858  * keeps the statistics is allocated by the user. On Windows, this structure
  859  * has been extended in order to keep new stats. However, if the user has a
  860  * smaller structure and it passes it to pcap_stats(), this function will
  861  * try to fill in more data than the size of the structure, so that memory
  862  * after the structure will be overwritten.
  863  *
  864  * So, we need to know it we have to copy just the standard fields, or the
  865  * extended fields as well.
  866  *
  867  * In case we want to copy the extended fields as well, the problem of
  868  * memory overflow no longer exists because the structure that's filled
  869  * in is part of the pcap_t, so that it can be guaranteed to be large
  870  * enough for the additional statistics.
  871  *
  872  * \param p: the pcap_t structure related to the current instance.
  873  *
  874  * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
  875  * with pcap_stat(), where the structure is allocated by the user. In case
  876  * of pcap_stats_ex(), this structure and the function return value point
  877  * to the same variable.
  878  *
  879  * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
  880  *
  881  * \return The structure that keeps the statistics, or NULL in case of error.
  882  * The error string is placed in the pcap_t structure.
  883  */
  884 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
  885 {
  886     struct pcap_rpcap *pr = p->priv;    /* structure used when doing a remote live capture */
  887     struct rpcap_header header;     /* header of the RPCAP packet */
  888     struct rpcap_stats netstats;        /* statistics sent on the network */
  889     uint32 plen;                /* data remaining in the message */
  890 
  891 #ifdef _WIN32
  892     if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
  893 #else
  894     if (mode != PCAP_STATS_STANDARD)
  895 #endif
  896     {
  897         snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  898             "Invalid stats mode %d", mode);
  899         return NULL;
  900     }
  901 
  902     /*
  903      * If the capture has not yet started, we cannot request statistics
  904      * for the capture from our peer, so we return 0 for all statistics,
  905      * as nothing's been seen yet.
  906      */
  907     if (!pr->rmt_capstarted)
  908     {
  909         ps->ps_drop = 0;
  910         ps->ps_ifdrop = 0;
  911         ps->ps_recv = 0;
  912 #ifdef _WIN32
  913         if (mode == PCAP_STATS_EX)
  914         {
  915             ps->ps_capt = 0;
  916             ps->ps_sent = 0;
  917             ps->ps_netdrop = 0;
  918         }
  919 #endif /* _WIN32 */
  920 
  921         return ps;
  922     }
  923 
  924     rpcap_createhdr(&header, pr->protocol_version,
  925         RPCAP_MSG_STATS_REQ, 0, 0);
  926 
  927     /* Send the PCAP_STATS command */
  928     if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
  929         sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
  930         return NULL;        /* Unrecoverable network error */
  931 
  932     /* Receive and process the reply message header. */
  933     if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
  934         RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
  935         return NULL;        /* Error */
  936 
  937     plen = header.plen;
  938 
  939     /* Read the reply body */
  940     if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&netstats,
  941         sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
  942         goto error;
  943 
  944     ps->ps_drop = ntohl(netstats.krnldrop);
  945     ps->ps_ifdrop = ntohl(netstats.ifdrop);
  946     ps->ps_recv = ntohl(netstats.ifrecv);
  947 #ifdef _WIN32
  948     if (mode == PCAP_STATS_EX)
  949     {
  950         ps->ps_capt = pr->TotCapt;
  951         ps->ps_netdrop = pr->TotNetDrops;
  952         ps->ps_sent = ntohl(netstats.svrcapt);
  953     }
  954 #endif /* _WIN32 */
  955 
  956     /* Discard the rest of the message. */
  957     if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, p->errbuf) == -1)
  958         goto error_nodiscard;
  959 
  960     return ps;
  961 
  962 error:
  963     /*
  964      * Discard the rest of the message.
  965      * We already reported an error; if this gets an error, just
  966      * drive on.
  967      */
  968     (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
  969 
  970 error_nodiscard:
  971     return NULL;
  972 }
  973 
  974 /*
  975  * This function returns the entry in the list of active hosts for this
  976  * active connection (active mode only), or NULL if there is no
  977  * active connection or an error occurred.  It is just for internal
  978  * use.
  979  *
  980  * \param host: a string that keeps the host name of the host for which we
  981  * want to get the socket ID for that active connection.
  982  *
  983  * \param error: a pointer to an int that is set to 1 if an error occurred
  984  * and 0 otherwise.
  985  *
  986  * \param errbuf: a pointer to a user-allocated buffer (of size
  987  * PCAP_ERRBUF_SIZE) that will contain the error message (in case
  988  * there is one).
  989  *
  990  * \return the entry for this host in the list of active connections
  991  * if found, NULL if it's not found or there's an error.
  992  */
  993 static struct activehosts *
  994 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
  995 {
  996     struct activehosts *temp;           /* temp var needed to scan the host list chain */
  997     struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
  998     int retval;
  999 
 1000     /* retrieve the network address corresponding to 'host' */
 1001     addrinfo = NULL;
 1002     memset(&hints, 0, sizeof(struct addrinfo));
 1003     hints.ai_family = PF_UNSPEC;
 1004     hints.ai_socktype = SOCK_STREAM;
 1005 
 1006     retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
 1007         PCAP_ERRBUF_SIZE);
 1008     if (retval != 0)
 1009     {
 1010         *error = 1;
 1011         return NULL;
 1012     }
 1013 
 1014     temp = activeHosts;
 1015 
 1016     while (temp)
 1017     {
 1018         ai_next = addrinfo;
 1019         while (ai_next)
 1020         {
 1021             if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
 1022             {
 1023                 *error = 0;
 1024                 freeaddrinfo(addrinfo);
 1025                 return temp;
 1026             }
 1027 
 1028             ai_next = ai_next->ai_next;
 1029         }
 1030         temp = temp->next;
 1031     }
 1032 
 1033     if (addrinfo)
 1034         freeaddrinfo(addrinfo);
 1035 
 1036     /*
 1037      * The host for which you want to get the socket ID does not have an
 1038      * active connection.
 1039      */
 1040     *error = 0;
 1041     return NULL;
 1042 }
 1043 
 1044 /*
 1045  * This function starts a remote capture.
 1046  *
 1047  * This function is required since the RPCAP protocol decouples the 'open'
 1048  * from the 'start capture' functions.
 1049  * This function takes all the parameters needed (which have been stored
 1050  * into the pcap_t structure) and sends them to the server.
 1051  *
 1052  * \param fp: the pcap_t descriptor of the device currently open.
 1053  *
 1054  * \return '0' if everything is fine, '-1' otherwise. The error message
 1055  * (if one) is returned into the 'errbuf' field of the pcap_t structure.
 1056  */
 1057 static int pcap_startcapture_remote(pcap_t *fp)
 1058 {
 1059     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1060     char sendbuf[RPCAP_NETBUF_SIZE];    /* temporary buffer in which data to be sent is buffered */
 1061     int sendbufidx = 0;         /* index which keeps the number of bytes currently buffered */
 1062     char portdata[PCAP_BUF_SIZE];       /* temp variable needed to keep the network port for the data connection */
 1063     uint32 plen;
 1064     int active = 0;             /* '1' if we're in active mode */
 1065     struct activehosts *temp;       /* temp var needed to scan the host list chain, to detect if we're in active mode */
 1066     char host[INET6_ADDRSTRLEN + 1];    /* numeric name of the other host */
 1067 
 1068     /* socket-related variables*/
 1069     struct addrinfo hints;          /* temp, needed to open a socket connection */
 1070     struct addrinfo *addrinfo;      /* temp, needed to open a socket connection */
 1071     SOCKET sockdata = 0;            /* socket descriptor of the data connection */
 1072     struct sockaddr_storage saddr;      /* temp, needed to retrieve the network data port chosen on the local machine */
 1073     socklen_t saddrlen;         /* temp, needed to retrieve the network data port chosen on the local machine */
 1074     int ai_family;              /* temp, keeps the address family used by the control connection */
 1075 
 1076     /* RPCAP-related variables*/
 1077     struct rpcap_header header;         /* header of the RPCAP packet */
 1078     struct rpcap_startcapreq *startcapreq;      /* start capture request message */
 1079     struct rpcap_startcapreply startcapreply;   /* start capture reply message */
 1080 
 1081     /* Variables related to the buffer setting */
 1082     int res;
 1083     socklen_t itemp;
 1084     int sockbufsize = 0;
 1085     uint32 server_sockbufsize;
 1086 
 1087     // Take the opportunity to clear pr->data_ssl before any goto error,
 1088     // as it seems pr->priv is not zeroed after its malloced.
 1089     pr->data_ssl = NULL;
 1090 
 1091     /*
 1092      * Let's check if sampling has been required.
 1093      * If so, let's set it first
 1094      */
 1095     if (pcap_setsampling_remote(fp) != 0)
 1096         return -1;
 1097 
 1098     /* detect if we're in active mode */
 1099     temp = activeHosts;
 1100     while (temp)
 1101     {
 1102         if (temp->sockctrl == pr->rmt_sockctrl)
 1103         {
 1104             active = 1;
 1105             break;
 1106         }
 1107         temp = temp->next;
 1108     }
 1109 
 1110     addrinfo = NULL;
 1111 
 1112     /*
 1113      * Gets the complete sockaddr structure used in the ctrl connection
 1114      * This is needed to get the address family of the control socket
 1115      * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
 1116      * since the ctrl socket can already be open in case of active mode;
 1117      * so I would have to call getpeername() anyway
 1118      */
 1119     saddrlen = sizeof(struct sockaddr_storage);
 1120     if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
 1121     {
 1122         sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1123         goto error_nodiscard;
 1124     }
 1125     ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
 1126 
 1127     /* Get the numeric address of the remote host we are connected to */
 1128     if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
 1129         sizeof(host), NULL, 0, NI_NUMERICHOST))
 1130     {
 1131         sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1132         goto error_nodiscard;
 1133     }
 1134 
 1135     /*
 1136      * Data connection is opened by the server toward the client if:
 1137      * - we're using TCP, and the user wants us to be in active mode
 1138      * - we're using UDP
 1139      */
 1140     if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
 1141     {
 1142         /*
 1143          * We have to create a new socket to receive packets
 1144          * We have to do that immediately, since we have to tell the other
 1145          * end which network port we picked up
 1146          */
 1147         memset(&hints, 0, sizeof(struct addrinfo));
 1148         /* TEMP addrinfo is NULL in case of active */
 1149         hints.ai_family = ai_family;    /* Use the same address family of the control socket */
 1150         hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
 1151         hints.ai_flags = AI_PASSIVE;    /* Data connection is opened by the server toward the client */
 1152 
 1153         /* Let's the server pick up a free network port for us */
 1154         if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
 1155             goto error_nodiscard;
 1156 
 1157         if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
 1158             1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
 1159             goto error_nodiscard;
 1160 
 1161         /* addrinfo is no longer used */
 1162         freeaddrinfo(addrinfo);
 1163         addrinfo = NULL;
 1164 
 1165         /* get the complete sockaddr structure used in the data connection */
 1166         saddrlen = sizeof(struct sockaddr_storage);
 1167         if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
 1168         {
 1169             sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1170             goto error_nodiscard;
 1171         }
 1172 
 1173         /* Get the local port the system picked up */
 1174         if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
 1175             0, portdata, sizeof(portdata), NI_NUMERICSERV))
 1176         {
 1177             sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1178             goto error_nodiscard;
 1179         }
 1180     }
 1181 
 1182     /*
 1183      * Now it's time to start playing with the RPCAP protocol
 1184      * RPCAP start capture command: create the request message
 1185      */
 1186     if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
 1187         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1188         goto error_nodiscard;
 1189 
 1190     rpcap_createhdr((struct rpcap_header *) sendbuf,
 1191         pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0,
 1192         sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
 1193 
 1194     /* Fill the structure needed to open an adapter remotely */
 1195     startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
 1196 
 1197     if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
 1198         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1199         goto error_nodiscard;
 1200 
 1201     memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
 1202 
 1203     /* By default, apply half the timeout on one side, half of the other */
 1204     fp->opt.timeout = fp->opt.timeout / 2;
 1205     startcapreq->read_timeout = htonl(fp->opt.timeout);
 1206 
 1207     /* portdata on the openreq is meaningful only if we're in active mode */
 1208     if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
 1209     {
 1210         sscanf(portdata, "%d", (int *)&(startcapreq->portdata));    /* cast to avoid a compiler warning */
 1211         startcapreq->portdata = htons(startcapreq->portdata);
 1212     }
 1213 
 1214     startcapreq->snaplen = htonl(fp->snapshot);
 1215     startcapreq->flags = 0;
 1216 
 1217     if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS)
 1218         startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
 1219     if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
 1220         startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
 1221     if (active)
 1222         startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
 1223 
 1224     startcapreq->flags = htons(startcapreq->flags);
 1225 
 1226     /* Pack the capture filter */
 1227     if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
 1228         goto error_nodiscard;
 1229 
 1230     if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
 1231         PCAP_ERRBUF_SIZE) < 0)
 1232         goto error_nodiscard;
 1233 
 1234     /* Receive and process the reply message header. */
 1235     if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
 1236         RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
 1237         goto error_nodiscard;
 1238 
 1239     plen = header.plen;
 1240 
 1241     if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&startcapreply,
 1242         sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
 1243         goto error;
 1244 
 1245     /*
 1246      * In case of UDP data stream, the connection is always opened by the daemon
 1247      * So, this case is already covered by the code above.
 1248      * Now, we have still to handle TCP connections, because:
 1249      * - if we're in active mode, we have to wait for a remote connection
 1250      * - if we're in passive more, we have to start a connection
 1251      *
 1252      * We have to do he job in two steps because in case we're opening a TCP connection, we have
 1253      * to tell the port we're using to the remote side; in case we're accepting a TCP
 1254      * connection, we have to wait this info from the remote side.
 1255      */
 1256     if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
 1257     {
 1258         if (!active)
 1259         {
 1260             memset(&hints, 0, sizeof(struct addrinfo));
 1261             hints.ai_family = ai_family;        /* Use the same address family of the control socket */
 1262             hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
 1263             snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
 1264 
 1265             /* Let's the server pick up a free network port for us */
 1266             if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
 1267                 goto error;
 1268 
 1269             if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
 1270                 goto error;
 1271 
 1272             /* addrinfo is no longer used */
 1273             freeaddrinfo(addrinfo);
 1274             addrinfo = NULL;
 1275         }
 1276         else
 1277         {
 1278             SOCKET socktemp;    /* We need another socket, since we're going to accept() a connection */
 1279 
 1280             /* Connection creation */
 1281             saddrlen = sizeof(struct sockaddr_storage);
 1282 
 1283             socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
 1284 
 1285             if (socktemp == INVALID_SOCKET)
 1286             {
 1287                 sock_geterror("accept()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1288                 goto error;
 1289             }
 1290 
 1291             /* Now that I accepted the connection, the server socket is no longer needed */
 1292             sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
 1293             sockdata = socktemp;
 1294         }
 1295     }
 1296 
 1297     /* Let's save the socket of the data connection */
 1298     pr->rmt_sockdata = sockdata;
 1299 
 1300 #ifdef HAVE_OPENSSL
 1301     if (pr->uses_ssl)
 1302     {
 1303         pr->data_ssl = ssl_promotion(0, sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
 1304         if (! pr->data_ssl) goto error;
 1305     }
 1306 #endif
 1307 
 1308     /*
 1309      * Set the size of the socket buffer for the data socket.
 1310      * It has the same size as the local capture buffer used
 1311      * on the other side of the connection.
 1312      */
 1313     server_sockbufsize = ntohl(startcapreply.bufsize);
 1314 
 1315     /* Let's get the actual size of the socket buffer */
 1316     itemp = sizeof(sockbufsize);
 1317 
 1318     res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
 1319     if (res == -1)
 1320     {
 1321         sock_geterror("pcap_startcapture_remote(): getsockopt() failed", fp->errbuf, PCAP_ERRBUF_SIZE);
 1322         goto error;
 1323     }
 1324 
 1325     /*
 1326      * Warning: on some kernels (e.g. Linux), the size of the user
 1327      * buffer does not take into account the pcap_header and such,
 1328      * and it is set equal to the snaplen.
 1329      *
 1330      * In my view, this is wrong (the meaning of the bufsize became
 1331      * a bit strange).  So, here bufsize is the whole size of the
 1332      * user buffer.  In case the bufsize returned is too small,
 1333      * let's adjust it accordingly.
 1334      */
 1335     if (server_sockbufsize <= (u_int) fp->snapshot)
 1336         server_sockbufsize += sizeof(struct pcap_pkthdr);
 1337 
 1338     /* if the current socket buffer is smaller than the desired one */
 1339     if ((u_int) sockbufsize < server_sockbufsize)
 1340     {
 1341         /*
 1342          * Loop until the buffer size is OK or the original
 1343          * socket buffer size is larger than this one.
 1344          */
 1345         for (;;)
 1346         {
 1347             res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
 1348                 (char *)&(server_sockbufsize),
 1349                 sizeof(server_sockbufsize));
 1350 
 1351             if (res == 0)
 1352                 break;
 1353 
 1354             /*
 1355              * If something goes wrong, halve the buffer size
 1356              * (checking that it does not become smaller than
 1357              * the current one).
 1358              */
 1359             server_sockbufsize /= 2;
 1360 
 1361             if ((u_int) sockbufsize >= server_sockbufsize)
 1362             {
 1363                 server_sockbufsize = sockbufsize;
 1364                 break;
 1365             }
 1366         }
 1367     }
 1368 
 1369     /*
 1370      * Let's allocate the packet; this is required in order to put
 1371      * the packet somewhere when extracting data from the socket.
 1372      * Since buffering has already been done in the socket buffer,
 1373      * here we need just a buffer whose size is equal to the
 1374      * largest possible packet message for the snapshot size,
 1375      * namely the length of the message header plus the length
 1376      * of the packet header plus the snapshot length.
 1377      */
 1378     fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
 1379 
 1380     fp->buffer = (u_char *)malloc(fp->bufsize);
 1381     if (fp->buffer == NULL)
 1382     {
 1383         pcap_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE,
 1384             errno, "malloc");
 1385         goto error;
 1386     }
 1387 
 1388     /*
 1389      * The buffer is currently empty.
 1390      */
 1391     fp->bp = fp->buffer;
 1392     fp->cc = 0;
 1393 
 1394     /* Discard the rest of the message. */
 1395     if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, fp->errbuf) == -1)
 1396         goto error_nodiscard;
 1397 
 1398     /*
 1399      * In case the user does not want to capture RPCAP packets, let's update the filter
 1400      * We have to update it here (instead of sending it into the 'StartCapture' message
 1401      * because when we generate the 'start capture' we do not know (yet) all the ports
 1402      * we're currently using.
 1403      */
 1404     if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
 1405     {
 1406         struct bpf_program fcode;
 1407 
 1408         if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
 1409             goto error;
 1410 
 1411         /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
 1412         /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
 1413         if (pcap_updatefilter_remote(fp, &fcode) == -1)
 1414             goto error;
 1415 
 1416         pcap_freecode(&fcode);
 1417     }
 1418 
 1419     pr->rmt_capstarted = 1;
 1420     return 0;
 1421 
 1422 error:
 1423     /*
 1424      * When the connection has been established, we have to close it. So, at the
 1425      * beginning of this function, if an error occur we return immediately with
 1426      * a return NULL; when the connection is established, we have to come here
 1427      * ('goto error;') in order to close everything properly.
 1428      */
 1429 
 1430     /*
 1431      * Discard the rest of the message.
 1432      * We already reported an error; if this gets an error, just
 1433      * drive on.
 1434      */
 1435     (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
 1436 
 1437 error_nodiscard:
 1438 #ifdef HAVE_OPENSSL
 1439     if (pr->data_ssl)
 1440     {
 1441         // Finish using the SSL handle for the data socket.
 1442         // This must be done *before* the socket is closed.
 1443         ssl_finish(pr->data_ssl);
 1444         pr->data_ssl = NULL;
 1445     }
 1446 #endif
 1447 
 1448     /* we can be here because sockdata said 'error' */
 1449     if ((sockdata != 0) && (sockdata != INVALID_SOCKET))
 1450         sock_close(sockdata, NULL, 0);
 1451 
 1452     if (!active)
 1453     {
 1454 #ifdef HAVE_OPENSSL
 1455         if (pr->ctrl_ssl)
 1456         {
 1457             // Finish using the SSL handle for the control socket.
 1458             // This must be done *before* the socket is closed.
 1459             ssl_finish(pr->ctrl_ssl);
 1460             pr->ctrl_ssl = NULL;
 1461         }
 1462 #endif
 1463         sock_close(pr->rmt_sockctrl, NULL, 0);
 1464     }
 1465 
 1466     if (addrinfo != NULL)
 1467         freeaddrinfo(addrinfo);
 1468 
 1469     /*
 1470      * We do not have to call pcap_close() here, because this function is always called
 1471      * by the user in case something bad happens
 1472      */
 1473 #if 0
 1474     if (fp)
 1475     {
 1476         pcap_close(fp);
 1477         fp= NULL;
 1478     }
 1479 #endif
 1480 
 1481     return -1;
 1482 }
 1483 
 1484 /*
 1485  * This function takes a bpf program and sends it to the other host.
 1486  *
 1487  * This function can be called in two cases:
 1488  * - pcap_startcapture_remote() is called (we have to send the filter
 1489  *   along with the 'start capture' command)
 1490  * - we want to update the filter during a capture (i.e. pcap_setfilter()
 1491  *   after the capture has been started)
 1492  *
 1493  * This function serializes the filter into the sending buffer ('sendbuf',
 1494  * passed as a parameter) and return back. It does not send anything on
 1495  * the network.
 1496  *
 1497  * \param fp: the pcap_t descriptor of the device currently opened.
 1498  *
 1499  * \param sendbuf: the buffer on which the serialized data has to copied.
 1500  *
 1501  * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
 1502  *
 1503  * \param prog: the bpf program we have to copy.
 1504  *
 1505  * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
 1506  * is returned into the 'errbuf' field of the pcap_t structure.
 1507  */
 1508 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
 1509 {
 1510     struct rpcap_filter *filter;
 1511     struct rpcap_filterbpf_insn *insn;
 1512     struct bpf_insn *bf_insn;
 1513     struct bpf_program fake_prog;       /* To be used just in case the user forgot to set a filter */
 1514     unsigned int i;
 1515 
 1516     if (prog->bf_len == 0)  /* No filters have been specified; so, let's apply a "fake" filter */
 1517     {
 1518         if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
 1519             return -1;
 1520 
 1521         prog = &fake_prog;
 1522     }
 1523 
 1524     filter = (struct rpcap_filter *) sendbuf;
 1525 
 1526     if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
 1527         RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1528         return -1;
 1529 
 1530     filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
 1531     filter->nitems = htonl((int32)prog->bf_len);
 1532 
 1533     if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
 1534         NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1535         return -1;
 1536 
 1537     insn = (struct rpcap_filterbpf_insn *) (filter + 1);
 1538     bf_insn = prog->bf_insns;
 1539 
 1540     for (i = 0; i < prog->bf_len; i++)
 1541     {
 1542         insn->code = htons(bf_insn->code);
 1543         insn->jf = bf_insn->jf;
 1544         insn->jt = bf_insn->jt;
 1545         insn->k = htonl(bf_insn->k);
 1546 
 1547         insn++;
 1548         bf_insn++;
 1549     }
 1550 
 1551     return 0;
 1552 }
 1553 
 1554 /*
 1555  * This function updates a filter on a remote host.
 1556  *
 1557  * It is called when the user wants to update a filter.
 1558  * In case we're capturing from the network, it sends the filter to our
 1559  * peer.
 1560  * This function is *not* called automatically when the user calls
 1561  * pcap_setfilter().
 1562  * There will be two cases:
 1563  * - the capture has been started: in this case, pcap_setfilter_rpcap()
 1564  *   calls pcap_updatefilter_remote()
 1565  * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
 1566  *   stores the filter into the pcap_t structure, and then the filter is
 1567  *   sent with pcap_startcap().
 1568  *
 1569  * WARNING This function *does not* clear the packet currently into the
 1570  * buffers. Therefore, the user has to expect to receive some packets
 1571  * that are related to the previous filter.  If you want to discard all
 1572  * the packets before applying a new filter, you have to close the
 1573  * current capture session and start a new one.
 1574  *
 1575  * XXX - we really should have pcap_setfilter() always discard packets
 1576  * received with the old filter, and have a separate pcap_setfilter_noflush()
 1577  * function that doesn't discard any packets.
 1578  */
 1579 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
 1580 {
 1581     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1582     char sendbuf[RPCAP_NETBUF_SIZE];    /* temporary buffer in which data to be sent is buffered */
 1583     int sendbufidx = 0;         /* index which keeps the number of bytes currently buffered */
 1584     struct rpcap_header header;     /* To keep the reply message */
 1585 
 1586     if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
 1587         RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1588         return -1;
 1589 
 1590     rpcap_createhdr((struct rpcap_header *) sendbuf,
 1591         pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0,
 1592         sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
 1593 
 1594     if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
 1595         return -1;
 1596 
 1597     if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
 1598         PCAP_ERRBUF_SIZE) < 0)
 1599         return -1;
 1600 
 1601     /* Receive and process the reply message header. */
 1602     if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
 1603         RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
 1604         return -1;
 1605 
 1606     /*
 1607      * It shouldn't have any contents; discard it if it does.
 1608      */
 1609     if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
 1610         return -1;
 1611 
 1612     return 0;
 1613 }
 1614 
 1615 static void
 1616 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
 1617 {
 1618     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1619 
 1620     /*
 1621      * Check if:
 1622      *  - We are on an remote capture
 1623      *  - we do not want to capture RPCAP traffic
 1624      *
 1625      * If so, we have to save the current filter, because we have to
 1626      * add some piece of stuff later
 1627      */
 1628     if (pr->rmt_clientside &&
 1629         (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP))
 1630     {
 1631         if (pr->currentfilter)
 1632             free(pr->currentfilter);
 1633 
 1634         if (filter == NULL)
 1635             filter = "";
 1636 
 1637         pr->currentfilter = strdup(filter);
 1638     }
 1639 }
 1640 
 1641 /*
 1642  * This function sends a filter to a remote host.
 1643  *
 1644  * This function is called when the user wants to set a filter.
 1645  * It sends the filter to our peer.
 1646  * This function is called automatically when the user calls pcap_setfilter().
 1647  *
 1648  * Parameters and return values are exactly the same of pcap_setfilter().
 1649  */
 1650 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
 1651 {
 1652     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1653 
 1654     if (!pr->rmt_capstarted)
 1655     {
 1656         /* copy filter into the pcap_t structure */
 1657         if (install_bpf_program(fp, prog) == -1)
 1658             return -1;
 1659         return 0;
 1660     }
 1661 
 1662     /* we have to update a filter during run-time */
 1663     if (pcap_updatefilter_remote(fp, prog))
 1664         return -1;
 1665 
 1666     return 0;
 1667 }
 1668 
 1669 /*
 1670  * This function updates the current filter in order not to capture rpcap
 1671  * packets.
 1672  *
 1673  * This function is called *only* when the user wants exclude RPCAP packets
 1674  * related to the current session from the captured packets.
 1675  *
 1676  * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
 1677  * is returned into the 'errbuf' field of the pcap_t structure.
 1678  */
 1679 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
 1680 {
 1681     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1682     int RetVal = 0;
 1683 
 1684     /* We do not want to capture our RPCAP traffic. So, let's update the filter */
 1685     if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
 1686     {
 1687         struct sockaddr_storage saddr;      /* temp, needed to retrieve the network data port chosen on the local machine */
 1688         socklen_t saddrlen;                 /* temp, needed to retrieve the network data port chosen on the local machine */
 1689         char myaddress[128];
 1690         char myctrlport[128];
 1691         char mydataport[128];
 1692         char peeraddress[128];
 1693         char peerctrlport[128];
 1694         char *newfilter;
 1695 
 1696         /* Get the name/port of our peer */
 1697         saddrlen = sizeof(struct sockaddr_storage);
 1698         if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
 1699         {
 1700             sock_geterror("getpeername()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1701             return -1;
 1702         }
 1703 
 1704         if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
 1705             sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
 1706         {
 1707             sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1708             return -1;
 1709         }
 1710 
 1711         /* We cannot check the data port, because this is available only in case of TCP sockets */
 1712         /* Get the name/port of the current host */
 1713         if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
 1714         {
 1715             sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1716             return -1;
 1717         }
 1718 
 1719         /* Get the local port the system picked up */
 1720         if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
 1721             sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
 1722         {
 1723             sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1724             return -1;
 1725         }
 1726 
 1727         /* Let's now check the data port */
 1728         if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
 1729         {
 1730             sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1731             return -1;
 1732         }
 1733 
 1734         /* Get the local port the system picked up */
 1735         if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
 1736         {
 1737             sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
 1738             return -1;
 1739         }
 1740 
 1741         if (pr->currentfilter && pr->currentfilter[0] != '\0')
 1742         {
 1743             /*
 1744              * We have a current filter; add items to it to
 1745              * filter out this rpcap session.
 1746              */
 1747             if (pcap_asprintf(&newfilter,
 1748                 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
 1749                 pr->currentfilter, myaddress, peeraddress,
 1750                 myctrlport, peerctrlport, myaddress, peeraddress,
 1751                 mydataport) == -1)
 1752             {
 1753                 /* Failed. */
 1754                 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
 1755                     "Can't allocate memory for new filter");
 1756                 return -1;
 1757             }
 1758         }
 1759         else
 1760         {
 1761             /*
 1762              * We have no current filter; construct a filter to
 1763              * filter out this rpcap session.
 1764              */
 1765             if (pcap_asprintf(&newfilter,
 1766                 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
 1767                 myaddress, peeraddress, myctrlport, peerctrlport,
 1768                 myaddress, peeraddress, mydataport) == -1)
 1769             {
 1770                 /* Failed. */
 1771                 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
 1772                     "Can't allocate memory for new filter");
 1773                 return -1;
 1774             }
 1775         }
 1776 
 1777         /*
 1778          * This is only an hack to prevent the save_current_filter
 1779          * routine, which will be called when we call pcap_compile(),
 1780          * from saving the modified filter.
 1781          */
 1782         pr->rmt_clientside = 0;
 1783 
 1784         if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
 1785             RetVal = -1;
 1786 
 1787         /* Undo the hack. */
 1788         pr->rmt_clientside = 1;
 1789 
 1790         free(newfilter);
 1791     }
 1792 
 1793     return RetVal;
 1794 }
 1795 
 1796 /*
 1797  * This function sets sampling parameters in the remote host.
 1798  *
 1799  * It is called when the user wants to set activate sampling on the
 1800  * remote host.
 1801  *
 1802  * Sampling parameters are defined into the 'pcap_t' structure.
 1803  *
 1804  * \param p: the pcap_t descriptor of the device currently opened.
 1805  *
 1806  * \return '0' if everything is OK, '-1' is something goes wrong. The
 1807  * error message is returned in the 'errbuf' member of the pcap_t structure.
 1808  */
 1809 static int pcap_setsampling_remote(pcap_t *fp)
 1810 {
 1811     struct pcap_rpcap *pr = fp->priv;   /* structure used when doing a remote live capture */
 1812     char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
 1813     int sendbufidx = 0;         /* index which keeps the number of bytes currently buffered */
 1814     struct rpcap_header header;     /* To keep the reply message */
 1815     struct rpcap_sampling *sampling_pars;   /* Structure that is needed to send sampling parameters to the remote host */
 1816 
 1817     /* If no samping is requested, return 'ok' */
 1818     if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
 1819         return 0;
 1820 
 1821     /*
 1822      * Check for sampling parameters that don't fit in a message.
 1823      * We'll let the server complain about invalid parameters
 1824      * that do fit into the message.
 1825      */
 1826     if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
 1827         snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
 1828             "Invalid sampling method %d", fp->rmt_samp.method);
 1829         return -1;
 1830     }
 1831     if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
 1832         snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
 1833             "Invalid sampling value %d", fp->rmt_samp.value);
 1834         return -1;
 1835     }
 1836 
 1837     if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
 1838         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1839         return -1;
 1840 
 1841     rpcap_createhdr((struct rpcap_header *) sendbuf,
 1842         pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0,
 1843         sizeof(struct rpcap_sampling));
 1844 
 1845     /* Fill the structure needed to open an adapter remotely */
 1846     sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
 1847 
 1848     if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
 1849         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
 1850         return -1;
 1851 
 1852     memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
 1853 
 1854     sampling_pars->method = (uint8)fp->rmt_samp.method;
 1855     sampling_pars->value = (uint16)htonl(fp->rmt_samp.value);
 1856 
 1857     if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
 1858         PCAP_ERRBUF_SIZE) < 0)
 1859         return -1;
 1860 
 1861     /* Receive and process the reply message header. */
 1862     if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
 1863         RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
 1864         return -1;
 1865 
 1866     /*
 1867      * It shouldn't have any contents; discard it if it does.
 1868      */
 1869     if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
 1870         return -1;
 1871 
 1872     return 0;
 1873 }
 1874 
 1875 /*********************************************************
 1876  *                                                       *
 1877  * Miscellaneous functions                               *
 1878  *                                                       *
 1879  *********************************************************/
 1880 
 1881 /*
 1882  * This function performs authentication and protocol version
 1883  * negotiation.  It is required in order to open the connection
 1884  * with the other end party.
 1885  *
 1886  * It sends authentication parameters on the control socket and
 1887  * reads the reply.  If the reply is a success indication, it
 1888  * checks whether the reply includes minimum and maximum supported
 1889  * versions from the server; if not, it assumes both are 0, as
 1890  * that means it's an older server that doesn't return supported
 1891  * version numbers in authentication replies, so it only supports
 1892  * version 0.  It then tries to determine the maximum version
 1893  * supported both by us and by the server.  If it can find such a
 1894  * version, it sets us up to use that version; otherwise, it fails,
 1895  * indicating that there is no version supported by us and by the
 1896  * server.
 1897  *
 1898  * \param sock: the socket we are currently using.
 1899  *
 1900  * \param ver: pointer to variable to which to set the protocol version
 1901  * number we selected.
 1902  *
 1903  * \param auth: authentication parameters that have to be sent.
 1904  *
 1905  * \param errbuf: a pointer to a user-allocated buffer (of size
 1906  * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
 1907  * is one). It could be a network problem or the fact that the authorization
 1908  * failed.
 1909  *
 1910  * \return '0' if everything is fine, '-1' for an error.  For errors,
 1911  * an error message string is returned in the 'errbuf' variable.
 1912  */
 1913 static int rpcap_doauth(SOCKET sockctrl, SSL *ssl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
 1914 {
 1915     char sendbuf[RPCAP_NETBUF_SIZE];    /* temporary buffer in which data that has to be sent is buffered */
 1916     int sendbufidx = 0;         /* index which keeps the number of bytes currently buffered */
 1917     uint16 length;              /* length of the payload of this message */
 1918     struct rpcap_auth *rpauth;
 1919     uint16 auth_type;
 1920     struct rpcap_header header;
 1921     size_t str_length;
 1922     uint32 plen;
 1923     struct rpcap_authreply authreply;   /* authentication reply message */
 1924     uint8 ourvers;
 1925 
 1926     if (auth)
 1927     {
 1928         switch (auth->type)
 1929         {
 1930         case RPCAP_RMTAUTH_NULL:
 1931             length = sizeof(struct rpcap_auth);
 1932             break;
 1933 
 1934         case RPCAP_RMTAUTH_PWD:
 1935             length = sizeof(struct rpcap_auth);
 1936             if (auth->username)
 1937             {
 1938                 str_length = strlen(auth->username);
 1939                 if (str_length > 65535)
 1940                 {
 1941                     snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
 1942                     return -1;
 1943                 }
 1944                 length += (uint16)str_length;
 1945             }
 1946             if (auth->password)
 1947             {
 1948                 str_length = strlen(auth->password);
 1949                 if (str_length > 65535)
 1950                 {
 1951                     snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
 1952                     return -1;
 1953                 }
 1954                 length += (uint16)str_length;
 1955             }
 1956             break;
 1957 
 1958         default:
 1959             snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
 1960             return -1;
 1961         }
 1962 
 1963         auth_type = (uint16)auth->type;
 1964     }
 1965     else
 1966     {
 1967         auth_type = RPCAP_RMTAUTH_NULL;
 1968         length = sizeof(struct rpcap_auth);
 1969     }
 1970 
 1971     if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
 1972         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
 1973         return -1;
 1974 
 1975     rpcap_createhdr((struct rpcap_header *) sendbuf, 0,
 1976         RPCAP_MSG_AUTH_REQ, 0, length);
 1977 
 1978     rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
 1979 
 1980     if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
 1981         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
 1982         return -1;
 1983 
 1984     memset(rpauth, 0, sizeof(struct rpcap_auth));
 1985 
 1986     rpauth->type = htons(auth_type);
 1987 
 1988     if (auth_type == RPCAP_RMTAUTH_PWD)
 1989     {
 1990         if (auth->username)
 1991             rpauth->slen1 = (uint16)strlen(auth->username);
 1992         else
 1993             rpauth->slen1 = 0;
 1994 
 1995         if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
 1996             &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
 1997             return -1;
 1998 
 1999         if (auth->password)
 2000             rpauth->slen2 = (uint16)strlen(auth->password);
 2001         else
 2002             rpauth->slen2 = 0;
 2003 
 2004         if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
 2005             &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
 2006             return -1;
 2007 
 2008         rpauth->slen1 = htons(rpauth->slen1);
 2009         rpauth->slen2 = htons(rpauth->slen2);
 2010     }
 2011 
 2012     if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
 2013         PCAP_ERRBUF_SIZE) < 0)
 2014         return -1;
 2015 
 2016     /* Receive and process the reply message header */
 2017     if (rpcap_process_msg_header(sockctrl, ssl, 0, RPCAP_MSG_AUTH_REQ,
 2018         &header, errbuf) == -1)
 2019         return -1;
 2020 
 2021     /*
 2022      * OK, it's an authentication reply, so we're logged in.
 2023      *
 2024      * Did it send any additional information?
 2025      */
 2026     plen = header.plen;
 2027     if (plen != 0)
 2028     {
 2029         /* Yes - is it big enough to be version information? */
 2030         if (plen < sizeof(struct rpcap_authreply))
 2031         {
 2032             /* No - discard it and fail. */
 2033             (void)rpcap_discard(sockctrl, ssl, plen, NULL);
 2034             return -1;
 2035         }
 2036 
 2037         /* Read the reply body */
 2038         if (rpcap_recv(sockctrl, ssl, (char *)&authreply,
 2039             sizeof(struct rpcap_authreply), &plen, errbuf) == -1)
 2040         {
 2041             (void)rpcap_discard(sockctrl, ssl, plen, NULL);
 2042             return -1;
 2043         }
 2044 
 2045         /* Discard the rest of the message, if there is any. */
 2046         if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
 2047             return -1;
 2048 
 2049         /*
 2050          * Check the minimum and maximum versions for sanity;
 2051          * the minimum must be <= the maximum.
 2052          */
 2053         if (authreply.minvers > authreply.maxvers)
 2054         {
 2055             /*
 2056              * Bogus - give up on this server.
 2057              */
 2058             snprintf(errbuf, PCAP_ERRBUF_SIZE,
 2059                 "The server's minimum supported protocol version is greater than its maximum supported protocol version");
 2060             return -1;
 2061         }
 2062     }
 2063     else
 2064     {
 2065         /* No - it supports only version 0. */
 2066         authreply.minvers = 0;
 2067         authreply.maxvers = 0;
 2068     }
 2069 
 2070     /*
 2071      * OK, let's start with the maximum version the server supports.
 2072      */
 2073     ourvers = authreply.maxvers;
 2074 
 2075 #if RPCAP_MIN_VERSION != 0
 2076     /*
 2077      * If that's less than the minimum version we support, we
 2078      * can't communicate.
 2079      */
 2080     if (ourvers < RPCAP_MIN_VERSION)
 2081         goto novers;
 2082 #endif
 2083 
 2084     /*
 2085      * If that's greater than the maximum version we support,
 2086      * choose the maximum version we support.
 2087      */
 2088     if (ourvers > RPCAP_MAX_VERSION)
 2089     {
 2090         ourvers = RPCAP_MAX_VERSION;
 2091 
 2092         /*
 2093          * If that's less than the minimum version they
 2094          * support, we can't communicate.
 2095          */
 2096         if (ourvers < authreply.minvers)
 2097             goto novers;
 2098     }
 2099 
 2100     *ver = ourvers;
 2101     return 0;
 2102 
 2103 novers:
 2104     /*
 2105      * There is no version we both support; that is a fatal error.
 2106      */
 2107     snprintf(errbuf, PCAP_ERRBUF_SIZE,
 2108         "The server doesn't support any protocol version that we support");
 2109     return -1;
 2110 }
 2111 
 2112 /* We don't currently support non-blocking mode. */
 2113 static int
 2114 pcap_getnonblock_rpcap(pcap_t *p)
 2115 {
 2116     snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 2117         "Non-blocking mode isn't supported for capturing remotely with rpcap");
 2118     return (-1);
 2119 }
 2120 
 2121 static int
 2122 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_)
 2123 {
 2124     snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 2125         "Non-blocking mode isn't supported for capturing remotely with rpcap");
 2126     return (-1);
 2127 }
 2128 
 2129 static int
 2130 rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
 2131     int *activep, SOCKET *sockctrlp, uint8 *uses_sslp, SSL **sslp,
 2132     int rmt_flags, uint8 *protocol_versionp, char *host, char *port,
 2133     char *iface, char *errbuf)
 2134 {
 2135     int type;
 2136     struct activehosts *activeconn;     /* active connection, if there is one */
 2137     int error;              /* 1 if rpcap_remoteact_getsock got an error */
 2138 
 2139     /*
 2140      * Determine the type of the source (NULL, file, local, remote).
 2141      * You must have a valid source string even if we're in active mode,
 2142      * because otherwise the call to the following function will fail.
 2143      */
 2144     if (pcap_parsesrcstr_ex(source, &type, host, port, iface, uses_sslp,
 2145         errbuf) == -1)
 2146         return -1;
 2147 
 2148     /*
 2149      * It must be remote.
 2150      */
 2151     if (type != PCAP_SRC_IFREMOTE)
 2152     {
 2153         snprintf(errbuf, PCAP_ERRBUF_SIZE,
 2154             "Non-remote interface passed to remote capture routine");
 2155         return -1;
 2156     }
 2157 
 2158     /*
 2159      * We don't yet support DTLS, so if the user asks for a TLS
 2160      * connection and asks for data packets to be sent over UDP,
 2161      * we have to give up.
 2162      */
 2163     if (*uses_sslp && (rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
 2164     {
 2165         snprintf(errbuf, PCAP_ERRBUF_SIZE,
 2166             "TLS not supported with UDP forward of remote packets");
 2167         return -1;
 2168     }
 2169 
 2170     /* Warning: this call can be the first one called by the user. */
 2171     /* For this reason, we have to initialize the Winsock support. */
 2172     if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
 2173         return -1;
 2174 
 2175     /* Check for active mode */
 2176     activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
 2177     if (activeconn != NULL)
 2178     {
 2179         *activep = 1;
 2180         *sockctrlp = activeconn->sockctrl;
 2181         *sslp = activeconn->ssl;
 2182         *protocol_versionp = activeconn->protocol_version;
 2183     }
 2184     else
 2185     {
 2186         *activep = 0;
 2187         struct addrinfo hints;      /* temp variable needed to resolve hostnames into to socket representation */
 2188         struct addrinfo *addrinfo;  /* temp variable needed to resolve hostnames into to socket representation */
 2189 
 2190         if (error)
 2191         {
 2192             /*
 2193              * Call failed.
 2194              */
 2195             return -1;
 2196         }
 2197 
 2198         /*
 2199          * We're not in active mode; let's try to open a new
 2200          * control connection.
 2201          */
 2202         memset(&hints, 0, sizeof(struct addrinfo));
 2203         hints.ai_family = PF_UNSPEC;
 2204         hints.ai_socktype = SOCK_STREAM;
 2205 
 2206         if (port[0] == 0)
 2207         {
 2208             /* the user chose not to specify the port */
 2209             if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
 2210                 &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
 2211                 return -1;
 2212         }
 2213         else
 2214         {
 2215             if (sock_initaddress(host, port, &hints, &addrinfo,
 2216                 errbuf, PCAP_ERRBUF_SIZE) == -1)
 2217                 return -1;
 2218         }
 2219 
 2220         if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
 2221             errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
 2222         {
 2223             freeaddrinfo(addrinfo);
 2224             return -1;
 2225         }
 2226 
 2227         /* addrinfo is no longer used */
 2228         freeaddrinfo(addrinfo);
 2229         addrinfo = NULL;
 2230 
 2231         if (*uses_sslp)
 2232         {
 2233 #ifdef HAVE_OPENSSL
 2234             *sslp = ssl_promotion(0, *sockctrlp, errbuf,
 2235                 PCAP_ERRBUF_SIZE);
 2236             if (!*sslp)
 2237             {
 2238                 sock_close(*sockctrlp, NULL, 0);
 2239                 return -1;
 2240             }
 2241 #else
 2242             snprintf(errbuf, PCAP_ERRBUF_SIZE,
 2243                 "No TLS support");
 2244             sock_close(*sockctrlp, NULL, 0);
 2245             return -1;
 2246 #endif
 2247         }
 2248 
 2249         if (rpcap_doauth(*sockctrlp, *sslp, protocol_versionp, auth,
 2250             errbuf) == -1)
 2251         {
 2252 #ifdef HAVE_OPENSSL
 2253             if (*sslp)
 2254             {
 2255                 // Finish using the SSL handle for the socket.
 2256                 // This must be done *before* the socket is
 2257                 // closed.
 2258                 ssl_finish(*sslp);
 2259             }
 2260 #endif
 2261             sock_close(*sockctrlp, NULL, 0);
 2262             return -1;
 2263         }
 2264     }
 2265     return 0;
 2266 }
 2267 
 2268 /*
 2269  * This function opens a remote adapter by opening an RPCAP connection and
 2270  * so on.
 2271  *
 2272  * It does the job of pcap_open_live() for a remote interface; it's called
 2273  * by pcap_open() for remote interfaces.
 2274  *
 2275  * We do not start the capture until pcap_startcapture_remote() is called.
 2276  *
 2277  * This is because, when doing a remote capture, we cannot start capturing
 2278  * data as soon as the 'open adapter' command is sent. Suppose the remote
 2279  * adapter is already overloaded; if we start a capture (which, by default,
 2280  * has a NULL filter) the new traffic can saturate the network.
 2281  *
 2282  * Instead, we want to "open" the adapter, then send a "start capture"
 2283  * command only when we're ready to start the capture.
 2284  * This function does this job: it sends an "open adapter" command
 2285  * (according to the RPCAP protocol), but it does not start the capture.
 2286  *
 2287  * Since the other libpcap functions do not share this way of life, we
 2288  * have to do some dirty things in order to make everything work.
 2289  *
 2290  * \param source: see pcap_open().
 2291  * \param snaplen: see pcap_open().
 2292  * \param flags: see pcap_open().
 2293  * \param read_timeout: see pcap_open().
 2294  * \param auth: see pcap_open().
 2295  * \param errbuf: see pcap_open().
 2296  *
 2297  * \return a pcap_t pointer in case of success, NULL otherwise. In case of
 2298  * success, the pcap_t pointer can be used as a parameter to the following
 2299  * calls (pcap_compile() and so on). In case of problems, errbuf contains
 2300  * a text explanation of error.
 2301  *
 2302  * WARNING: In case we call pcap_compile() and the capture has not yet
 2303  * been started, the filter will be saved into the pcap_t structure,
 2304  * and it will be sent to the other host later (when
 2305  * pcap_startcapture_remote() is called).
 2306  */
 2307 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
 2308 {
 2309     pcap_t *fp;
 2310     char *source_str;
 2311     struct pcap_rpcap *pr;      /* structure used when doing a remote live capture */
 2312     char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
 2313     SOCKET sockctrl;
 2314     SSL *ssl = NULL;
 2315     uint8 protocol_version;         /* negotiated protocol version */
 2316     int active;
 2317     uint32 plen;
 2318     char sendbuf[RPCAP_NETBUF_SIZE];    /* temporary buffer in which data to be sent is buffered */
 2319     int sendbufidx = 0;         /* index which keeps the number of bytes currently buffered */
 2320 
 2321     /* RPCAP-related variables */
 2322     struct rpcap_header header;     /* header of the RPCAP packet */
 2323     struct rpcap_openreply openreply;   /* open reply message */
 2324 
 2325     fp = PCAP_CREATE_COMMON(errbuf, struct pcap_rpcap);
 2326     if (fp == NULL)
 2327     {
 2328         return NULL;
 2329     }
 2330     source_str = strdup(source);
 2331     if (source_str == NULL) {
 2332         pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
 2333             errno, "malloc");
 2334         return NULL;
 2335     }
 2336 
 2337     /*
 2338      * Turn a negative snapshot value (invalid), a snapshot value of
 2339      * 0 (unspecified), or a value bigger than the normal maximum
 2340      * value, into the maximum allowed value.
 2341      *
 2342      * If some application really *needs* a bigger snapshot
 2343      * length, we should just increase MAXIMUM_SNAPLEN.
 2344      *
 2345      * XXX - should we leave this up to the remote server to
 2346      * do?
 2347      */
 2348     if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
 2349         snaplen = MAXIMUM_SNAPLEN;
 2350 
 2351     fp->opt.device = source_str;
 2352     fp->snapshot = snaplen;
 2353     fp->opt.timeout = read_timeout;
 2354     pr = fp->priv;
 2355     pr->rmt_flags = flags;
 2356 
 2357     /*
 2358      * Attempt to set up the session with the server.
 2359      */
 2360     if (rpcap_setup_session(fp->opt.device, auth, &active, &sockctrl,
 2361         &pr->uses_ssl, &ssl, flags, &protocol_version, host, ctrlport,
 2362         iface, errbuf) == -1)
 2363     {
 2364         /* Session setup failed. */
 2365         pcap_close(fp);
 2366         return NULL;
 2367     }
 2368 
 2369     /* All good so far, save the ssl handler */
 2370     ssl_main = ssl;
 2371 
 2372     /*
 2373      * Now it's time to start playing with the RPCAP protocol
 2374      * RPCAP open command: create the request message
 2375      */
 2376     if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
 2377         &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
 2378         goto error_nodiscard;
 2379 
 2380     rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
 2381         RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
 2382 
 2383     if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
 2384         RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
 2385         goto error_nodiscard;
 2386 
 2387     if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
 2388         PCAP_ERRBUF_SIZE) < 0)
 2389         goto error_nodiscard;
 2390 
 2391     /* Receive and process the reply message header. */
 2392     if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
 2393         RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
 2394         goto error_nodiscard;
 2395     plen = header.plen;
 2396 
 2397     /* Read the reply body */
 2398     if (rpcap_recv(sockctrl, ssl, (char *)&openreply,
 2399         sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
 2400         goto error;
 2401 
 2402     /* Discard the rest of the message, if there is any. */
 2403     if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
 2404         goto error_nodiscard;
 2405 
 2406     /* Set proper fields into the pcap_t struct */
 2407     fp->linktype = ntohl(openreply.linktype);
 2408     pr->rmt_sockctrl = sockctrl;
 2409     pr->ctrl_ssl = ssl;
 2410     pr->protocol_version = protocol_version;
 2411     pr->rmt_clientside = 1;
 2412 
 2413     /* This code is duplicated from the end of this function */
 2414     fp->read_op = pcap_read_rpcap;
 2415     fp->save_current_filter_op = pcap_save_current_filter_rpcap;
 2416     fp->setfilter_op = pcap_setfilter_rpcap;
 2417     fp->getnonblock_op = pcap_getnonblock_rpcap;
 2418     fp->setnonblock_op = pcap_setnonblock_rpcap;
 2419     fp->stats_op = pcap_stats_rpcap;
 2420 #ifdef _WIN32
 2421     fp->stats_ex_op = pcap_stats_ex_rpcap;
 2422 #endif
 2423     fp->cleanup_op = pcap_cleanup_rpcap;
 2424 
 2425     fp->activated = 1;
 2426     return fp;
 2427 
 2428 error:
 2429     /*
 2430      * When the connection has been established, we have to close it. So, at the
 2431      * beginning of this function, if an error occur we return immediately with
 2432      * a return NULL; when the connection is established, we have to come here
 2433      * ('goto error;') in order to close everything properly.
 2434      */
 2435 
 2436     /*
 2437      * Discard the rest of the message.
 2438      * We already reported an error; if this gets an error, just
 2439      * drive on.
 2440      */
 2441     (void)rpcap_discard(sockctrl, pr->ctrl_ssl, plen, NULL);
 2442 
 2443 error_nodiscard:
 2444     if (!active)
 2445     {
 2446 #ifdef HAVE_OPENSSL
 2447         if (ssl)
 2448         {
 2449             // Finish using the SSL handle for the socket.
 2450             // This must be done *before* the socket is closed.
 2451             ssl_finish(ssl);
 2452         }
 2453 #endif
 2454         sock_close(sockctrl, NULL, 0);
 2455     }
 2456 
 2457     pcap_close(fp);
 2458     return NULL;
 2459 }
 2460 
 2461 /* String identifier to be used in the pcap_findalldevs_ex() */
 2462 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
 2463 #define PCAP_TEXT_SOURCE_ADAPTER_LEN (sizeof PCAP_TEXT_SOURCE_ADAPTER - 1)
 2464 /* String identifier to be used in the pcap_findalldevs_ex() */
 2465 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
 2466 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST_LEN (sizeof PCAP_TEXT_SOURCE_ON_REMOTE_HOST - 1)
 2467 
 2468 static void
 2469 freeaddr(struct pcap_addr *addr)
 2470 {
 2471     free(addr->addr);
 2472     free(addr->netmask);
 2473     free(addr->broadaddr);
 2474     free(addr->dstaddr);
 2475     free(addr);
 2476 }
 2477 
 2478 int
 2479 pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
 2480 {
 2481     uint8 protocol_version;     /* protocol version */
 2482     SOCKET sockctrl;        /* socket descriptor of the control connection */
 2483     SSL *ssl = NULL;        /* optional SSL handler for sockctrl */
 2484     uint32 plen;
 2485     struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
 2486     int i, j;       /* temp variables */
 2487     int nif;        /* Number of interfaces listed */
 2488     int active;         /* 'true' if we the other end-party is in active mode */
 2489     uint8 uses_ssl;
 2490     char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
 2491     char tmpstring[PCAP_BUF_SIZE + 1];      /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
 2492     pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
 2493     pcap_if_t *dev;     /* Device we're adding to the pcap_if_t list */
 2494 
 2495     /* List starts out empty. */
 2496     (*alldevs) = NULL;
 2497     lastdev = NULL;
 2498 
 2499     /*
 2500      * Attempt to set up the session with the server.
 2501      */
 2502     if (rpcap_setup_session(source, auth, &active, &sockctrl, &uses_ssl,
 2503         &ssl, 0, &protocol_version, host, port, NULL, errbuf) == -1)
 2504     {
 2505         /* Session setup failed. */
 2506         return -1;
 2507     }
 2508 
 2509     /* RPCAP findalldevs command */
 2510     rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
 2511         0, 0);
 2512 
 2513     if (sock_send(sockctrl, ssl, (char *)&header, sizeof(struct rpcap_header),
 2514         errbuf, PCAP_ERRBUF_SIZE) < 0)
 2515         goto error_nodiscard;
 2516 
 2517     /* Receive and process the reply message header. */
 2518     if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
 2519         RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
 2520         goto error_nodiscard;
 2521 
 2522     plen = header.plen;
 2523 
 2524     /* read the number of interfaces */
 2525     nif = ntohs(header.value);
 2526 
 2527     /* loop until all interfaces have been received */
 2528     for (i = 0; i < nif; i++)
 2529     {
 2530         struct rpcap_findalldevs_if findalldevs_if;
 2531         char tmpstring2[PCAP_BUF_SIZE + 1];     /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
 2532         struct pcap_addr *addr, *prevaddr;
 2533 
 2534         tmpstring2[PCAP_BUF_SIZE] = 0;
 2535 
 2536         /* receive the findalldevs structure from remote host */
 2537         if (rpcap_recv(sockctrl, ssl, (char *)&findalldevs_if,
 2538             sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
 2539             goto error;
 2540 
 2541         findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
 2542         findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
 2543         findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
 2544 
 2545         /* allocate the main structure */
 2546         dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
 2547         if (dev == NULL)
 2548         {
 2549             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
 2550                 errno, "malloc() failed");
 2551             goto error;
 2552         }
 2553 
 2554         /* Initialize the structure to 'zero' */
 2555         memset(dev, 0, sizeof(pcap_if_t));
 2556 
 2557         /* Append it to the list. */
 2558         if (lastdev == NULL)
 2559         {
 2560             /*
 2561              * List is empty, so it's also the first device.
 2562              */
 2563             *alldevs = dev;
 2564         }
 2565         else
 2566         {
 2567             /*
 2568              * Append after the last device.
 2569              */
 2570             lastdev->next = dev;
 2571         }
 2572         /* It's now the last device. */
 2573         lastdev = dev;
 2574 
 2575         /* allocate mem for name and description */
 2576         if (findalldevs_if.namelen)
 2577         {
 2578 
 2579             if (findalldevs_if.namelen >= sizeof(tmpstring))
 2580             {
 2581                 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
 2582                 goto error;
 2583             }
 2584 
 2585             /* Retrieve adapter name */
 2586             if (rpcap_recv(sockctrl, ssl, tmpstring,
 2587                 findalldevs_if.namelen, &plen, errbuf) == -1)
 2588                 goto error;
 2589 
 2590             tmpstring[findalldevs_if.namelen] = 0;
 2591 
 2592             /* Create the new device identifier */
 2593             if (pcap_createsrcstr_ex(tmpstring2, PCAP_SRC_IFREMOTE,
 2594                 host, port, tmpstring, uses_ssl, errbuf) == -1)
 2595                 goto error;
 2596 
 2597             dev->name = strdup(tmpstring2);
 2598             if (dev->name == NULL)
 2599             {
 2600                 pcap_fmt_errmsg_for_errno(errbuf,
 2601                     PCAP_ERRBUF_SIZE, errno, "malloc() failed");
 2602                 goto error;
 2603             }
 2604         }
 2605 
 2606         if (findalldevs_if.desclen)
 2607         {
 2608             if (findalldevs_if.desclen >= sizeof(tmpstring))
 2609             {
 2610                 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
 2611                 goto error;
 2612             }
 2613 
 2614             /* Retrieve adapter description */
 2615             if (rpcap_recv(sockctrl, ssl, tmpstring,
 2616                 findalldevs_if.desclen, &plen, errbuf) == -1)
 2617                 goto error;
 2618 
 2619             tmpstring[findalldevs_if.desclen] = 0;
 2620 
 2621             if (pcap_asprintf(&dev->description,
 2622                 "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
 2623                 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host) == -1)
 2624             {
 2625                 pcap_fmt_errmsg_for_errno(errbuf,
 2626                     PCAP_ERRBUF_SIZE, errno, "malloc() failed");
 2627                 goto error;
 2628             }
 2629         }
 2630 
 2631         dev->flags = ntohl(findalldevs_if.flags);
 2632 
 2633         prevaddr = NULL;
 2634         /* loop until all addresses have been received */
 2635         for (j = 0; j < findalldevs_if.naddr; j++)
 2636         {
 2637             struct rpcap_findalldevs_ifaddr ifaddr;
 2638 
 2639             /* Retrieve the interface addresses */
 2640             if (rpcap_recv(sockctrl, ssl, (char *)&ifaddr,
 2641                 sizeof(struct rpcap_findalldevs_ifaddr),
 2642                 &plen, errbuf) == -1)
 2643                 goto error;
 2644 
 2645             /*
 2646              * Deserialize all the address components.
 2647              */
 2648             addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
 2649             if (addr == NULL)
 2650             {
 2651                 pcap_fmt_errmsg_for_errno(errbuf,
 2652                     PCAP_ERRBUF_SIZE, errno, "malloc() failed");
 2653                 goto error;
 2654             }
 2655             addr->next = NULL;
 2656             addr->addr = NULL;
 2657             addr->netmask = NULL;
 2658             addr->broadaddr = NULL;
 2659             addr->dstaddr = NULL;
 2660 
 2661             if (rpcap_deseraddr(&ifaddr.addr,
 2662                 (struct sockaddr_storage **) &addr->addr, errbuf) == -1)
 2663             {
 2664                 freeaddr(addr);
 2665                 goto error;
 2666             }
 2667             if (rpcap_deseraddr(&ifaddr.netmask,
 2668                 (struct sockaddr_storage **) &addr->netmask, errbuf) == -1)
 2669             {
 2670                 freeaddr(addr);
 2671                 goto error;
 2672             }
 2673             if (rpcap_deseraddr(&ifaddr.broadaddr,
 2674                 (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1)
 2675             {
 2676                 freeaddr(addr);
 2677                 goto error;
 2678             }
 2679             if (rpcap_deseraddr(&ifaddr.dstaddr,
 2680                 (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1)
 2681             {
 2682                 freeaddr(addr);
 2683                 goto error;
 2684             }
 2685 
 2686             if ((addr->addr == NULL) && (addr->netmask == NULL) &&
 2687                 (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
 2688             {
 2689                 /*
 2690                  * None of the addresses are IPv4 or IPv6
 2691                  * addresses, so throw this entry away.
 2692                  */
 2693                 free(addr);
 2694             }
 2695             else
 2696             {
 2697                 /*
 2698                  * Add this entry to the list.
 2699                  */
 2700                 if (prevaddr == NULL)
 2701                 {
 2702                     dev->addresses = addr;
 2703                 }
 2704                 else
 2705                 {
 2706                     prevaddr->next = addr;
 2707                 }
 2708                 prevaddr = addr;
 2709             }
 2710         }
 2711     }
 2712 
 2713     /* Discard the rest of the message. */
 2714     if (rpcap_discard(sockctrl, ssl, plen, errbuf) == 1)
 2715         goto error_nodiscard;
 2716 
 2717     /* Control connection has to be closed only in case the remote machine is in passive mode */
 2718     if (!active)
 2719     {
 2720         /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
 2721 #ifdef HAVE_OPENSSL
 2722         if (ssl)
 2723         {
 2724             // Finish using the SSL handle for the socket.
 2725             // This must be done *before* the socket is closed.
 2726             ssl_finish(ssl);
 2727         }
 2728 #endif
 2729         if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
 2730             return -1;
 2731     }
 2732 
 2733     /* To avoid inconsistencies in the number of sock_init() */
 2734     sock_cleanup();
 2735 
 2736     return 0;
 2737 
 2738 error:
 2739     /*
 2740      * In case there has been an error, I don't want to overwrite it with a new one
 2741      * if the following call fails. I want to return always the original error.
 2742      *
 2743      * Take care: this connection can already be closed when we try to close it.
 2744      * This happens because a previous error in the rpcapd, which requested to
 2745      * closed the connection. In that case, we already recognized that into the
 2746      * rpspck_isheaderok() and we already acknowledged the closing.
 2747      * In that sense, this call is useless here (however it is needed in case
 2748      * the client generates the error).
 2749      *
 2750      * Checks if all the data has been read; if not, discard the data in excess
 2751      */
 2752     (void) rpcap_discard(sockctrl, ssl, plen, NULL);
 2753 
 2754 error_nodiscard:
 2755     /* Control connection has to be closed only in case the remote machine is in passive mode */
 2756     if (!active)
 2757     {
 2758 #ifdef HAVE_OPENSSL
 2759         if (ssl)
 2760         {
 2761             // Finish using the SSL handle for the socket.
 2762             // This must be done *before* the socket is closed.
 2763             ssl_finish(ssl);
 2764         }
 2765 #endif
 2766         sock_close(sockctrl, NULL, 0);
 2767     }
 2768 
 2769     /* To avoid inconsistencies in the number of sock_init() */
 2770     sock_cleanup();
 2771 
 2772     /* Free whatever interfaces we've allocated. */
 2773     pcap_freealldevs(*alldevs);
 2774 
 2775     return -1;
 2776 }
 2777 
 2778 /*
 2779  * Active mode routines.
 2780  *
 2781  * The old libpcap API is somewhat ugly, and makes active mode difficult
 2782  * to implement; we provide some APIs for it that work only with rpcap.
 2783  */
 2784 
 2785 SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, int uses_ssl, char *errbuf)
 2786 {
 2787     /* socket-related variables */
 2788     struct addrinfo hints;          /* temporary struct to keep settings needed to open the new socket */
 2789     struct addrinfo *addrinfo;      /* keeps the addrinfo chain; required to open a new socket */
 2790     struct sockaddr_storage from;   /* generic sockaddr_storage variable */
 2791     socklen_t fromlen;              /* keeps the length of the sockaddr_storage variable */
 2792     SOCKET sockctrl;                /* keeps the main socket identifier */
 2793     SSL *ssl = NULL;                /* Optional SSL handler for sockctrl */
 2794     uint8 protocol_version;         /* negotiated protocol version */
 2795     struct activehosts *temp, *prev;    /* temp var needed to scan he host list chain */
 2796 
 2797     *connectinghost = 0;        /* just in case */
 2798 
 2799     /* Prepare to open a new server socket */
 2800     memset(&hints, 0, sizeof(struct addrinfo));
 2801     /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6  */
 2802     hints.ai_family = AF_INET;      /* PF_UNSPEC to have both IPv4 and IPv6 server */
 2803     hints.ai_flags = AI_PASSIVE;    /* Ready to a bind() socket */
 2804     hints.ai_socktype = SOCK_STREAM;
 2805 
 2806     /* Warning: this call can be the first one called by the user. */
 2807     /* For this reason, we have to initialize the Winsock support. */
 2808     if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
 2809         return (SOCKET)-1;
 2810 
 2811     /* Do the work */
 2812     if ((port == NULL) || (port[0] == 0))
 2813     {
 2814         if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
 2815         {
 2816             return (SOCKET)-2;
 2817         }
 2818     }
 2819     else
 2820     {
 2821         if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
 2822         {
 2823             return (SOCKET)-2;
 2824         }
 2825     }
 2826 
 2827 
 2828     if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
 2829     {
 2830         freeaddrinfo(addrinfo);
 2831         return (SOCKET)-2;
 2832     }
 2833     freeaddrinfo(addrinfo);
 2834 
 2835     /* Connection creation */
 2836     fromlen = sizeof(struct sockaddr_storage);
 2837 
 2838     sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
 2839 
 2840     /* We're not using sock_close, since we do not want to send a shutdown */
 2841     /* (which is not allowed on a non-connected socket) */
 2842     closesocket(sockmain);
 2843     sockmain = 0;
 2844 
 2845     if (sockctrl == INVALID_SOCKET)
 2846     {
 2847         sock_geterror("accept()", errbuf, PCAP_ERRBUF_SIZE);
 2848         return (SOCKET)-2;
 2849     }
 2850 
 2851     /* Promote to SSL early before any error message may be sent */
 2852     if (uses_ssl)
 2853     {
 2854 #ifdef HAVE_OPENSSL
 2855         ssl = ssl_promotion(0, sockctrl, errbuf, PCAP_ERRBUF_SIZE);
 2856         if (! ssl)
 2857         {
 2858             sock_close(sockctrl, NULL, 0);
 2859             return (SOCKET)-1;
 2860         }
 2861 #else
 2862         snprintf(errbuf, PCAP_ERRBUF_SIZE, "No TLS support");
 2863         sock_close(sockctrl, NULL, 0);
 2864         return (SOCKET)-1;
 2865 #endif
 2866     }
 2867 
 2868     /* Get the numeric for of the name of the connecting host */
 2869     if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
 2870     {
 2871         sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE);
 2872         rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
 2873 #ifdef HAVE_OPENSSL
 2874         if (ssl)
 2875         {
 2876             // Finish using the SSL handle for the socket.
 2877             // This must be done *before* the socket is closed.
 2878             ssl_finish(ssl);
 2879         }
 2880 #endif
 2881         sock_close(sockctrl, NULL, 0);
 2882         return (SOCKET)-1;
 2883     }
 2884 
 2885     /* checks if the connecting host is among the ones allowed */
 2886     if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
 2887     {
 2888         rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
 2889 #ifdef HAVE_OPENSSL
 2890         if (ssl)
 2891         {
 2892             // Finish using the SSL handle for the socket.
 2893             // This must be done *before* the socket is closed.
 2894             ssl_finish(ssl);
 2895         }
 2896 #endif
 2897         sock_close(sockctrl, NULL, 0);
 2898         return (SOCKET)-1;
 2899     }
 2900 
 2901     /*
 2902      * Send authentication to the remote machine.
 2903      */
 2904     if (rpcap_doauth(sockctrl, ssl, &protocol_version, auth, errbuf) == -1)
 2905     {
 2906         /* Unrecoverable error. */
 2907         rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
 2908 #ifdef HAVE_OPENSSL
 2909         if (ssl)
 2910         {
 2911             // Finish using the SSL handle for the socket.
 2912             // This must be done *before* the socket is closed.
 2913             ssl_finish(ssl);
 2914         }
 2915 #endif
 2916         sock_close(sockctrl, NULL, 0);
 2917         return (SOCKET)-3;
 2918     }
 2919 
 2920     /* Checks that this host does not already have a cntrl connection in place */
 2921 
 2922     /* Initialize pointers */
 2923     temp = activeHosts;
 2924     prev = NULL;
 2925 
 2926     while (temp)
 2927     {
 2928         /* This host already has an active connection in place, so I don't have to update the host list */
 2929         if (sock_cmpaddr(&temp->host, &from) == 0)
 2930             return sockctrl;
 2931 
 2932         prev = temp;
 2933         temp = temp->next;
 2934     }
 2935 
 2936     /* The host does not exist in the list; so I have to update the list */
 2937     if (prev)
 2938     {
 2939         prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
 2940         temp = prev->next;
 2941     }
 2942     else
 2943     {
 2944         activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
 2945         temp = activeHosts;
 2946     }
 2947 
 2948     if (temp == NULL)
 2949     {
 2950         pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
 2951             errno, "malloc() failed");
 2952         rpcap_senderror(sockctrl, ssl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
 2953 #ifdef HAVE_OPENSSL
 2954         if (ssl)
 2955         {
 2956             // Finish using the SSL handle for the socket.
 2957             // This must be done *before* the socket is closed.
 2958             ssl_finish(ssl);
 2959         }
 2960 #endif
 2961         sock_close(sockctrl, NULL, 0);
 2962         return (SOCKET)-1;
 2963     }
 2964 
 2965     memcpy(&temp->host, &from, fromlen);
 2966     temp->sockctrl = sockctrl;
 2967     temp->ssl = ssl;
 2968     temp->protocol_version = protocol_version;
 2969     temp->next = NULL;
 2970 
 2971     return sockctrl;
 2972 }
 2973 
 2974 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
 2975 {
 2976     return pcap_remoteact_accept_ex(address, port, hostlist, connectinghost, auth, 0, errbuf);
 2977 }
 2978 
 2979 int pcap_remoteact_close(const char *host, char *errbuf)
 2980 {
 2981     struct activehosts *temp, *prev;    /* temp var needed to scan the host list chain */
 2982     struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
 2983     int retval;
 2984 
 2985     temp = activeHosts;
 2986     prev = NULL;
 2987 
 2988     /* retrieve the network address corresponding to 'host' */
 2989     addrinfo = NULL;
 2990     memset(&hints, 0, sizeof(struct addrinfo));
 2991     hints.ai_family = PF_UNSPEC;
 2992     hints.ai_socktype = SOCK_STREAM;
 2993 
 2994     retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
 2995         PCAP_ERRBUF_SIZE);
 2996     if (retval != 0)
 2997     {
 2998         return -1;
 2999     }
 3000 
 3001     while (temp)
 3002     {
 3003         ai_next = addrinfo;
 3004         while (ai_next)
 3005         {
 3006             if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
 3007             {
 3008                 struct rpcap_header header;
 3009                 int status = 0;
 3010 
 3011                 /* Close this connection */
 3012                 rpcap_createhdr(&header, temp->protocol_version,
 3013                     RPCAP_MSG_CLOSE, 0, 0);
 3014 
 3015                 /*
 3016                  * Don't check for errors, since we're
 3017                  * just cleaning up.
 3018                  */
 3019                 if (sock_send(temp->sockctrl, temp->ssl,
 3020                     (char *)&header,
 3021                     sizeof(struct rpcap_header), errbuf,
 3022                     PCAP_ERRBUF_SIZE) < 0)
 3023                 {
 3024                     /*
 3025                      * Let that error be the one we
 3026                      * report.
 3027                      */
 3028 #ifdef HAVE_OPENSSL
 3029                     if (temp->ssl)
 3030                     {
 3031                         // Finish using the SSL handle
 3032                         // for the socket.
 3033                         // This must be done *before*
 3034                         // the socket is closed.
 3035                         ssl_finish(temp->ssl);
 3036                     }
 3037 #endif
 3038                     (void)sock_close(temp->sockctrl, NULL,
 3039                        0);
 3040                     status = -1;
 3041                 }
 3042                 else
 3043                 {
 3044 #ifdef HAVE_OPENSSL
 3045                     if (temp->ssl)
 3046                     {
 3047                         // Finish using the SSL handle
 3048                         // for the socket.
 3049                         // This must be done *before*
 3050                         // the socket is closed.
 3051                         ssl_finish(temp->ssl);
 3052                     }
 3053 #endif
 3054                     if (sock_close(temp->sockctrl, errbuf,
 3055                        PCAP_ERRBUF_SIZE) == -1)
 3056                         status = -1;
 3057                 }
 3058 
 3059                 /*
 3060                  * Remove the host from the list of active
 3061                  * hosts.
 3062                  */
 3063                 if (prev)
 3064                     prev->next = temp->next;
 3065                 else
 3066                     activeHosts = temp->next;
 3067 
 3068                 freeaddrinfo(addrinfo);
 3069 
 3070                 free(temp);
 3071 
 3072                 /* To avoid inconsistencies in the number of sock_init() */
 3073                 sock_cleanup();
 3074 
 3075                 return status;
 3076             }
 3077 
 3078             ai_next = ai_next->ai_next;
 3079         }
 3080         prev = temp;
 3081         temp = temp->next;
 3082     }
 3083 
 3084     if (addrinfo)
 3085         freeaddrinfo(addrinfo);
 3086 
 3087     /* To avoid inconsistencies in the number of sock_init() */
 3088     sock_cleanup();
 3089 
 3090     snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
 3091     return -1;
 3092 }
 3093 
 3094 void pcap_remoteact_cleanup(void)
 3095 {
 3096 #   ifdef HAVE_OPENSSL
 3097     if (ssl_main)
 3098     {
 3099         // Finish using the SSL handle for the main active socket.
 3100         // This must be done *before* the socket is closed.
 3101         ssl_finish(ssl_main);
 3102         ssl_main = NULL;
 3103     }
 3104 #   endif
 3105 
 3106     /* Very dirty, but it works */
 3107     if (sockmain)
 3108     {
 3109         closesocket(sockmain);
 3110 
 3111         /* To avoid inconsistencies in the number of sock_init() */
 3112         sock_cleanup();
 3113     }
 3114 }
 3115 
 3116 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
 3117 {
 3118     struct activehosts *temp;   /* temp var needed to scan the host list chain */
 3119     size_t len;
 3120     char hoststr[RPCAP_HOSTLIST_SIZE + 1];
 3121 
 3122     temp = activeHosts;
 3123 
 3124     len = 0;
 3125     *hostlist = 0;
 3126 
 3127     while (temp)
 3128     {
 3129         /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
 3130 
 3131         /* Get the numeric form of the name of the connecting host */
 3132         if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
 3133             RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
 3134             /*  if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
 3135             /*      RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
 3136         {
 3137             /*  sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE); */
 3138             return -1;
 3139         }
 3140 
 3141         len = len + strlen(hoststr) + 1 /* the separator */;
 3142 
 3143         if ((size < 0) || (len >= (size_t)size))
 3144         {
 3145             snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
 3146                 "the hostnames for all the active connections");
 3147             return -1;
 3148         }
 3149 
 3150         pcap_strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE);
 3151         hostlist[len - 1] = sep;
 3152         hostlist[len] = 0;
 3153 
 3154         temp = temp->next;
 3155     }
 3156 
 3157     return 0;
 3158 }
 3159 
 3160 /*
 3161  * Receive the header of a message.
 3162  */
 3163 static int rpcap_recv_msg_header(SOCKET sock, SSL *ssl, struct rpcap_header *header, char *errbuf)
 3164 {
 3165     int nrecv;
 3166 
 3167     nrecv = sock_recv(sock, ssl, (char *) header, sizeof(struct rpcap_header),
 3168         SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
 3169         PCAP_ERRBUF_SIZE);
 3170     if (nrecv == -1)
 3171     {
 3172         /* Network error. */
 3173         return -1;
 3174     }
 3175     header->plen = ntohl(header->plen);
 3176     return 0;
 3177 }
 3178 
 3179 /*
 3180  * Make sure the protocol version of a received message is what we were
 3181  * expecting.
 3182  */
 3183 static int rpcap_check_msg_ver(SOCKET sock, SSL *ssl, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
 3184 {
 3185     /*
 3186      * Did the server specify the version we negotiated?
 3187      */
 3188     if (header->ver != expected_ver)
 3189     {
 3190         /*
 3191          * Discard the rest of the message.
 3192          */
 3193         if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
 3194             return -1;
 3195 
 3196         /*
 3197          * Tell our caller that it's not the negotiated version.
 3198          */
 3199         if (errbuf != NULL)
 3200         {
 3201             snprintf(errbuf, PCAP_ERRBUF_SIZE,
 3202                 "Server sent us a message with version %u when we were expecting %u",
 3203                 header->ver, expected_ver);
 3204         }
 3205         return -1;
 3206     }
 3207     return 0;
 3208 }
 3209 
 3210 /*
 3211  * Check the message type of a received message, which should either be
 3212  * the expected message type or RPCAP_MSG_ERROR.
 3213  */
 3214 static int rpcap_check_msg_type(SOCKET sock, SSL *ssl, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
 3215 {
 3216     const char *request_type_string;
 3217     const char *msg_type_string;
 3218 
 3219     /*
 3220      * What type of message is it?
 3221      */
 3222     if (header->type == RPCAP_MSG_ERROR)
 3223     {
 3224         /*
 3225          * The server reported an error.
 3226          * Hand that error back to our caller.
 3227          */
 3228         *errcode = ntohs(header->value);
 3229         rpcap_msg_err(sock, ssl, header->plen, errbuf);
 3230         return -1;
 3231     }
 3232 
 3233     *errcode = 0;
 3234 
 3235     /*
 3236      * For a given request type value, the expected reply type value
 3237      * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
 3238      */
 3239     if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
 3240     {
 3241         /*
 3242          * This isn't a reply to the request we sent.
 3243          */
 3244 
 3245         /*
 3246          * Discard the rest of the message.
 3247          */
 3248         if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
 3249             return -1;
 3250 
 3251         /*
 3252          * Tell our caller about it.
 3253          */
 3254         request_type_string = rpcap_msg_type_string(request_type);
 3255         msg_type_string = rpcap_msg_type_string(header->type);
 3256         if (errbuf != NULL)
 3257         {
 3258             if (request_type_string == NULL)
 3259             {
 3260                 /* This should not happen. */
 3261                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
 3262                     "rpcap_check_msg_type called for request message with type %u",
 3263                     request_type);
 3264                 return -1;
 3265             }
 3266             if (msg_type_string != NULL)
 3267                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
 3268                     "%s message received in response to a %s message",
 3269                     msg_type_string, request_type_string);
 3270             else
 3271                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
 3272                     "Message of unknown type %u message received in response to a %s request",
 3273                     header->type, request_type_string);
 3274         }
 3275         return -1;
 3276     }
 3277 
 3278     return 0;
 3279 }
 3280 
 3281 /*
 3282  * Receive and process the header of a message.
 3283  */
 3284 static int rpcap_process_msg_header(SOCKET sock, SSL *ssl, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
 3285 {
 3286     uint16 errcode;
 3287 
 3288     if (rpcap_recv_msg_header(sock, ssl, header, errbuf) == -1)
 3289     {
 3290         /* Network error. */
 3291         return -1;
 3292     }
 3293 
 3294     /*
 3295      * Did the server specify the version we negotiated?
 3296      */
 3297     if (rpcap_check_msg_ver(sock, ssl, expected_ver, header, errbuf) == -1)
 3298         return -1;
 3299 
 3300     /*
 3301      * Check the message type.
 3302      */
 3303     return rpcap_check_msg_type(sock, ssl, request_type, header,
 3304         &errcode, errbuf);
 3305 }
 3306 
 3307 /*
 3308  * Read data from a message.
 3309  * If we're trying to read more data that remains, puts an error
 3310  * message into errmsgbuf and returns -2.  Otherwise, tries to read
 3311  * the data and, if that succeeds, subtracts the amount read from
 3312  * the number of bytes of data that remains.
 3313  * Returns 0 on success, logs a message and returns -1 on a network
 3314  * error.
 3315  */
 3316 static int rpcap_recv(SOCKET sock, SSL *ssl, void *buffer, size_t toread, uint32 *plen, char *errbuf)
 3317 {
 3318     int nread;
 3319 
 3320     if (toread > *plen)
 3321     {
 3322         /* The server sent us a bad message */
 3323         snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
 3324         return -1;
 3325     }
 3326     nread = sock_recv(sock, ssl, buffer, toread,
 3327         SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE);
 3328     if (nread == -1)
 3329     {
 3330         return -1;
 3331     }
 3332     *plen -= nread;
 3333     return 0;
 3334 }
 3335 
 3336 /*
 3337  * This handles the RPCAP_MSG_ERROR message.
 3338  */
 3339 static void rpcap_msg_err(SOCKET sockctrl, SSL *ssl, uint32 plen, char *remote_errbuf)
 3340 {
 3341     char errbuf[PCAP_ERRBUF_SIZE];
 3342 
 3343     if (plen >= PCAP_ERRBUF_SIZE)
 3344     {
 3345         /*
 3346          * Message is too long; just read as much of it as we
 3347          * can into the buffer provided, and discard the rest.
 3348          */
 3349         if (sock_recv(sockctrl, ssl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
 3350             SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
 3351             PCAP_ERRBUF_SIZE) == -1)
 3352         {
 3353             // Network error.
 3354             snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
 3355             return;
 3356         }
 3357 
 3358         /*
 3359          * Null-terminate it.
 3360          */
 3361         remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
 3362 
 3363 #ifdef _WIN32
 3364         /*
 3365          * If we're not in UTF-8 mode, convert it to the local
 3366          * code page.
 3367          */
 3368         if (!pcap_utf_8_mode)
 3369             utf_8_to_acp_truncated(remote_errbuf);
 3370 #endif
 3371 
 3372         /*
 3373          * Throw away the rest.
 3374          */
 3375         (void)rpcap_discard(sockctrl, ssl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
 3376     }
 3377     else if (plen == 0)
 3378     {
 3379         /* Empty error string. */
 3380         remote_errbuf[0] = '\0';
 3381     }
 3382     else
 3383     {
 3384         if (sock_recv(sockctrl, ssl, remote_errbuf, plen,
 3385             SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
 3386             PCAP_ERRBUF_SIZE) == -1)
 3387         {
 3388             // Network error.
 3389             snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
 3390             return;
 3391         }
 3392 
 3393         /*
 3394          * Null-terminate it.
 3395          */
 3396         remote_errbuf[plen] = '\0';
 3397     }
 3398 }
 3399 
 3400 /*
 3401  * Discard data from a connection.
 3402  * Mostly used to discard wrong-sized messages.
 3403  * Returns 0 on success, logs a message and returns -1 on a network
 3404  * error.
 3405  */
 3406 static int rpcap_discard(SOCKET sock, SSL *ssl, uint32 len, char *errbuf)
 3407 {
 3408     if (len != 0)
 3409     {
 3410         if (sock_discard(sock, ssl, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
 3411         {
 3412             // Network error.
 3413             return -1;
 3414         }
 3415     }
 3416     return 0;
 3417 }
 3418 
 3419 /*
 3420  * Read bytes into the pcap_t's buffer until we have the specified
 3421  * number of bytes read or we get an error or interrupt indication.
 3422  */
 3423 static int rpcap_read_packet_msg(struct pcap_rpcap const *rp, pcap_t *p, size_t size)
 3424 {
 3425     u_char *bp;
 3426     int cc;
 3427     int bytes_read;
 3428 
 3429     bp = p->bp;
 3430     cc = p->cc;
 3431 
 3432     /*
 3433      * Loop until we have the amount of data requested or we get
 3434      * an error or interrupt.
 3435      */
 3436     while ((size_t)cc < size)
 3437     {
 3438         /*
 3439          * We haven't read all of the packet header yet.
 3440          * Read what remains, which could be all of it.
 3441          */
 3442         bytes_read = sock_recv(rp->rmt_sockdata, rp->data_ssl, bp, size - cc,
 3443             SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf,
 3444             PCAP_ERRBUF_SIZE);
 3445 
 3446         if (bytes_read == -1)
 3447         {
 3448             /*
 3449              * Network error.  Update the read pointer and
 3450              * byte count, and return an error indication.
 3451              */
 3452             p->bp = bp;
 3453             p->cc = cc;
 3454             return -1;
 3455         }
 3456         if (bytes_read == -3)
 3457         {
 3458             /*
 3459              * Interrupted receive.  Update the read
 3460              * pointer and byte count, and return
 3461              * an interrupted indication.
 3462              */
 3463             p->bp = bp;
 3464             p->cc = cc;
 3465             return -3;
 3466         }
 3467         if (bytes_read == 0)
 3468         {
 3469             /*
 3470              * EOF - server terminated the connection.
 3471              * Update the read pointer and byte count, and
 3472              * return an error indication.
 3473              */
 3474             snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 3475                 "The server terminated the connection.");
 3476             return -1;
 3477         }
 3478         bp += bytes_read;
 3479         cc += bytes_read;
 3480     }
 3481     p->bp = bp;
 3482     p->cc = cc;
 3483     return 0;
 3484 }