LLVMFuzzerTestOneInput:
   40|  4.09k|int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   41|  4.09k|    pcap_t * pkts;
   42|  4.09k|    char errbuf[PCAP_ERRBUF_SIZE];
   43|  4.09k|    char filename[FILENAME_MAX] = { 0 };
   44|  4.09k|    const u_char *pkt;
   45|  4.09k|    struct pcap_pkthdr *header;
   46|  4.09k|    struct pcap_stat stats;
   47|  4.09k|    int fd = -1, r;
   48|       |
   49|       |    //initialize output file
   50|  4.09k|    if (outfile == NULL) {
  ------------------
  |  Branch (50:9): [True: 1, False: 4.09k]
  ------------------
   51|      1|        outfile = fopen("/dev/null", "w");
   52|      1|        if (outfile == NULL) {
  ------------------
  |  Branch (52:13): [True: 0, False: 1]
  ------------------
   53|      0|            return 0;
   54|      0|        }
   55|      1|    }
   56|       |
   57|       |    //generate temporary file name
   58|  4.09k|    snprintf(filename, FILENAME_MAX, "/tmp/libpcap_fuzz_pcap.XXXXXX");
   59|  4.09k|    if ((fd = mkstemp(filename)) < 0) {
  ------------------
  |  Branch (59:9): [True: 0, False: 4.09k]
  ------------------
   60|      0|        return 0;
   61|      0|    }
   62|  4.09k|    close(fd);
   63|       |
   64|       |    //rewrite buffer to a file as libpcap does not have buffer inputs
   65|  4.09k|    if (bufferToFile(filename, Data, Size) < 0) {
  ------------------
  |  Branch (65:9): [True: 0, False: 4.09k]
  ------------------
   66|      0|        unlink(filename);
   67|      0|        return 0;
   68|      0|    }
   69|       |
   70|       |    //initialize structure
   71|  4.09k|    pkts = pcap_open_offline(filename, errbuf);
   72|  4.09k|    if (pkts == NULL) {
  ------------------
  |  Branch (72:9): [True: 867, False: 3.22k]
  ------------------
   73|    867|        fprintf(outfile, "Couldn't open pcap file %s\n", errbuf);
   74|    867|        unlink(filename);
   75|    867|        return 0;
   76|    867|    }
   77|       |
   78|       |    //loop over packets
   79|  3.22k|    r = pcap_next_ex(pkts, &header, &pkt);
   80|  22.9k|    while (r > 0) {
  ------------------
  |  Branch (80:12): [True: 19.6k, False: 3.22k]
  ------------------
   81|       |        //TODO pcap_offline_filter
   82|  19.6k|        fprintf(outfile, "packet length=%d/%d\n",header->caplen, header->len);
   83|  19.6k|        r = pcap_next_ex(pkts, &header, &pkt);
   84|  19.6k|    }
   85|  3.22k|    if (pcap_stats(pkts, &stats) == 0) {
  ------------------
  |  Branch (85:9): [True: 0, False: 3.22k]
  ------------------
   86|      0|        fprintf(outfile, "number of packets=%d\n", stats.ps_recv);
   87|      0|    }
   88|       |    //close structure
   89|  3.22k|    pcap_close(pkts);
   90|       |
   91|  3.22k|    unlink(filename);
   92|  3.22k|    return 0;
   93|  4.09k|}
fuzz_pcap.c:bufferToFile:
   12|  4.09k|static int bufferToFile(const char * name, const uint8_t *Data, size_t Size) {
   13|  4.09k|    FILE * fd;
   14|  4.09k|    if (remove(name) != 0) {
  ------------------
  |  Branch (14:9): [True: 0, False: 4.09k]
  ------------------
   15|      0|        if (errno != ENOENT) {
  ------------------
  |  Branch (15:13): [True: 0, False: 0]
  ------------------
   16|      0|            printf("failed remove, errno=%d\n", errno);
   17|      0|            return -1;
   18|      0|        }
   19|      0|    }
   20|  4.09k|    fd = fopen(name, "wb");
   21|  4.09k|    if (fd == NULL) {
  ------------------
  |  Branch (21:9): [True: 0, False: 4.09k]
  ------------------
   22|      0|        printf("failed open, errno=%d\n", errno);
   23|      0|        return -2;
   24|      0|    }
   25|  4.09k|    if (fwrite (Data, 1, Size, fd) != Size) {
  ------------------
  |  Branch (25:9): [True: 0, False: 4.09k]
  ------------------
   26|      0|        fclose(fd);
   27|      0|        return -3;
   28|      0|    }
   29|  4.09k|    fclose(fd);
   30|  4.09k|    return 0;
   31|  4.09k|}

pcap-util.c:EXTRACT_BE_U_2:
   78|  2.19k|{
   79|  2.19k|	return ((uint16_t)ntohs(*(const uint16_t *)(p)));
   80|  2.19k|}

pcap_freecode:
  912|  3.22k|{
  913|  3.22k|	program->bf_len = 0;
  914|  3.22k|	if (program->bf_insns != NULL) {
  ------------------
  |  Branch (914:6): [True: 0, False: 3.22k]
  ------------------
  915|      0|		free((char *)program->bf_insns);
  916|      0|		program->bf_insns = NULL;
  917|      0|	}
  918|  3.22k|}

linktype_to_dlt:
 1379|  3.22k|{
 1380|  3.22k|	int i;
 1381|       |
 1382|       |	/*
 1383|       |	 * LINKTYPEs in the matching range that *don't*
 1384|       |	 * have the same value as the corresponding DLTs
 1385|       |	 * because, for some reason, not all OSes have the
 1386|       |	 * same value for that DLT.
 1387|       |	 */
 1388|  3.22k|	if (linktype == LINKTYPE_PFSYNC)
  ------------------
  |  |  922|  3.22k|#define LINKTYPE_PFSYNC		246
  ------------------
  |  Branch (1388:6): [True: 2, False: 3.22k]
  ------------------
 1389|      2|		return (DLT_PFSYNC);
  ------------------
  |  | 1249|      2|#define DLT_PFSYNC		246
  ------------------
 1390|  3.22k|	if (linktype == LINKTYPE_PKTAP)
  ------------------
  |  | 1020|  3.22k|#define LINKTYPE_PKTAP		258
  ------------------
  |  Branch (1390:6): [True: 2, False: 3.22k]
  ------------------
 1391|      2|		return (DLT_PKTAP);
  ------------------
  |  | 1376|      2|#define DLT_PKTAP	258
  ------------------
 1392|       |
 1393|       |	/*
 1394|       |	 * For all other values in the matching range, except for
 1395|       |	 * LINKTYPE_ATM_CLIP, the LINKTYPE value is the same as
 1396|       |	 * the DLT value.
 1397|       |	 *
 1398|       |	 * LINKTYPE_ATM_CLIP is a special case.  DLT_ATM_CLIP is
 1399|       |	 * not on all platforms, but, so far, there don't appear
 1400|       |	 * to be any platforms that define it as anything other
 1401|       |	 * than 19; we define LINKTYPE_ATM_CLIP as something
 1402|       |	 * other than 19, just in case.  That value is in the
 1403|       |	 * matching range, so we have to check for it.
 1404|       |	 */
 1405|  3.22k|	if (linktype >= LINKTYPE_MATCHING_MIN &&
  ------------------
  |  |  156|  6.45k|#define LINKTYPE_MATCHING_MIN	104		/* lowest value in the "matching" range */
  ------------------
  |  Branch (1405:6): [True: 2.92k, False: 304]
  ------------------
 1406|  3.22k|	    linktype <= LINKTYPE_MATCHING_MAX &&
  ------------------
  |  | 1260|  6.14k|#define LINKTYPE_MATCHING_MAX	299		/* highest value in the "matching" range */
  ------------------
  |  Branch (1406:6): [True: 2.18k, False: 736]
  ------------------
 1407|  3.22k|	    linktype != LINKTYPE_ATM_CLIP)
  ------------------
  |  |  160|  2.18k|#define LINKTYPE_ATM_CLIP	106		/* Linux Classical IP over ATM */
  ------------------
  |  Branch (1407:6): [True: 2.17k, False: 6]
  ------------------
 1408|  2.17k|		return (linktype);
 1409|       |
 1410|       |	/*
 1411|       |	 * Map the values outside that range.
 1412|       |	 */
 1413|  17.6k|	for (i = 0; map[i].linktype != -1; i++) {
  ------------------
  |  Branch (1413:14): [True: 16.8k, False: 773]
  ------------------
 1414|  16.8k|		if (map[i].linktype == linktype)
  ------------------
  |  Branch (1414:7): [True: 273, False: 16.5k]
  ------------------
 1415|    273|			return (map[i].dlt);
 1416|  16.8k|	}
 1417|       |
 1418|       |	/*
 1419|       |	 * If we don't have an entry for this LINKTYPE, return
 1420|       |	 * the link type value; it may be a DLT from an newer
 1421|       |	 * version of libpcap.
 1422|       |	 */
 1423|    773|	return linktype;
 1424|  1.04k|}
max_snaplen_for_dlt:
 1445|  21.0k|{
 1446|  21.0k|	switch (dlt) {
 1447|       |
 1448|    924|	case DLT_DBUS:
  ------------------
  |  | 1139|    924|#define DLT_DBUS		231
  ------------------
  |  Branch (1448:2): [True: 924, False: 20.0k]
  ------------------
 1449|    924|		return 128*1024*1024;
 1450|       |
 1451|    698|	case DLT_EBHSCR:
  ------------------
  |  | 1506|    698|#define DLT_EBHSCR	        279
  ------------------
  |  Branch (1451:2): [True: 698, False: 20.3k]
  ------------------
 1452|    698|		return 8*1024*1024;
 1453|       |
 1454|    487|	case DLT_USBPCAP:
  ------------------
  |  | 1271|    487|#define DLT_USBPCAP		249
  ------------------
  |  Branch (1454:2): [True: 487, False: 20.5k]
  ------------------
 1455|    487|		return 1024*1024;
 1456|       |
 1457|  18.9k|	default:
  ------------------
  |  Branch (1457:2): [True: 18.9k, False: 2.10k]
  ------------------
 1458|  18.9k|		return MAXIMUM_SNAPLEN;
  ------------------
  |  |  154|  18.9k|#define MAXIMUM_SNAPLEN		262144
  ------------------
 1459|  21.0k|	}
 1460|  21.0k|}

fix_linux_usb_mmapped_length:
   40|  1.31k|{
   41|  1.31k|	const pcap_usb_header_mmapped *hdr;
   42|  1.31k|	u_int bytes_left;
   43|       |
   44|       |	/*
   45|       |	 * All callers of this routine must ensure that pkth->caplen is
   46|       |	 * >= sizeof (pcap_usb_header_mmapped).
   47|       |	 */
   48|  1.31k|	bytes_left = pkth->caplen;
   49|  1.31k|	bytes_left -= sizeof (pcap_usb_header_mmapped);
   50|       |
   51|  1.31k|	hdr = (const pcap_usb_header_mmapped *) bp;
   52|  1.31k|	if (!hdr->data_flag && hdr->transfer_type == URB_ISOCHRONOUS &&
  ------------------
  |  |   43|  2.63k|#define URB_ISOCHRONOUS   0x0
  ------------------
  |  Branch (52:6): [True: 1.31k, False: 0]
  |  Branch (52:25): [True: 1.11k, False: 201]
  ------------------
   53|  1.31k|	    hdr->event_type == URB_COMPLETE &&
  ------------------
  |  |   52|  2.43k|#define URB_COMPLETE      'C'
  ------------------
  |  Branch (53:6): [True: 901, False: 215]
  ------------------
   54|  1.31k|	    (hdr->endpoint_number & URB_TRANSFER_IN) &&
  ------------------
  |  |   42|    901|#define URB_TRANSFER_IN   0x80
  ------------------
  |  Branch (54:6): [True: 699, False: 202]
  ------------------
   55|  1.31k|	    pkth->len == sizeof(pcap_usb_header_mmapped) +
  ------------------
  |  Branch (55:6): [True: 699, False: 0]
  ------------------
   56|    699|	                 (hdr->ndesc * sizeof (usb_isodesc)) + hdr->urb_len) {
   57|    699|		usb_isodesc *descs;
   58|    699|		u_int pre_truncation_data_len, pre_truncation_len;
   59|       |
   60|    699|		descs = (usb_isodesc *) (bp + sizeof(pcap_usb_header_mmapped));
   61|       |
   62|       |		/*
   63|       |		 * We have data (yes, data_flag is 0 if we *do* have data),
   64|       |		 * and this is a "this is complete" incoming isochronous
   65|       |		 * transfer event, and the length was calculated based
   66|       |		 * on the URB length.
   67|       |		 *
   68|       |		 * That's not correct, because the data isn't contiguous,
   69|       |		 * and the isochronous descriptos show how it's scattered.
   70|       |		 *
   71|       |		 * Find the end of the last chunk of data in the buffer
   72|       |		 * referred to by the isochronous descriptors; that indicates
   73|       |		 * how far into the buffer the data would have gone.
   74|       |		 *
   75|       |		 * Make sure we don't run past the end of the captured data
   76|       |		 * while processing the isochronous descriptors.
   77|       |		 */
   78|    699|		pre_truncation_data_len = 0;
   79|    699|		for (uint32_t desc = 0;
   80|  10.2k|		    desc < hdr->ndesc && bytes_left >= sizeof (usb_isodesc);
  ------------------
  |  Branch (80:7): [True: 9.66k, False: 570]
  |  Branch (80:28): [True: 9.53k, False: 129]
  ------------------
   81|  9.53k|		    desc++, bytes_left -= sizeof (usb_isodesc)) {
   82|  9.53k|			u_int desc_end;
   83|       |
   84|  9.53k|			if (descs[desc].len != 0) {
  ------------------
  |  Branch (84:8): [True: 6.98k, False: 2.55k]
  ------------------
   85|  6.98k|				desc_end = descs[desc].offset + descs[desc].len;
   86|  6.98k|				if (desc_end > pre_truncation_data_len)
  ------------------
  |  Branch (86:9): [True: 458, False: 6.52k]
  ------------------
   87|    458|					pre_truncation_data_len = desc_end;
   88|  6.98k|			}
   89|  9.53k|		}
   90|       |
   91|       |		/*
   92|       |		 * Now calculate the total length based on that data
   93|       |		 * length.
   94|       |		 */
   95|    699|		pre_truncation_len = sizeof(pcap_usb_header_mmapped) +
   96|    699|		    (hdr->ndesc * sizeof (usb_isodesc)) +
   97|    699|		    pre_truncation_data_len;
   98|       |
   99|       |		/*
  100|       |		 * If that's greater than or equal to the captured length,
  101|       |		 * use that as the length.
  102|       |		 */
  103|    699|		if (pre_truncation_len >= pkth->caplen)
  ------------------
  |  Branch (103:7): [True: 495, False: 204]
  ------------------
  104|    495|			pkth->len = pre_truncation_len;
  105|       |
  106|       |		/*
  107|       |		 * If the captured length is greater than the length,
  108|       |		 * use the captured length.
  109|       |		 *
  110|       |		 * For completion events for incoming isochronous transfers,
  111|       |		 * it's based on data_len, which is calculated the same way
  112|       |		 * we calculated pre_truncation_data_len above, except that
  113|       |		 * it has access to all the isochronous descriptors, not
  114|       |		 * just the ones that the kernel were able to provide us or,
  115|       |		 * for a capture file, that weren't sliced off by a snapshot
  116|       |		 * length.
  117|       |		 *
  118|       |		 * However, it might have been reduced by the USB capture
  119|       |		 * mechanism arbitrarily limiting the amount of data it
  120|       |		 * provides to userland, or by the libpcap capture code
  121|       |		 * limiting it to being no more than the snapshot, so
  122|       |		 * we don't want to just use it all the time; we only
  123|       |		 * do so to try to get a better estimate of the actual
  124|       |		 * length - and to make sure the on-the-network length
  125|       |		 * is always >= the captured length.
  126|       |		 */
  127|    699|		if (pkth->caplen > pkth->len)
  ------------------
  |  Branch (127:7): [True: 195, False: 504]
  ------------------
  128|    195|			pkth->len = pkth->caplen;
  129|    699|	}
  130|  1.31k|}

pcap_post_process:
  434|  19.6k|{
  435|  19.6k|	if (swapped)
  ------------------
  |  Branch (435:6): [True: 18.5k, False: 1.17k]
  ------------------
  436|  18.5k|		swap_pseudo_headers(linktype, hdr, data);
  437|       |
  438|  19.6k|	fixup_pcap_pkthdr(linktype, hdr, data);
  439|  19.6k|}
fixup_pcap_pkthdr:
  443|  19.6k|{
  444|  19.6k|	const pcap_usb_header_mmapped *usb_hdr;
  445|       |
  446|  19.6k|	usb_hdr = (const pcap_usb_header_mmapped *) data;
  447|  19.6k|	if (linktype == DLT_USB_LINUX_MMAPPED &&
  ------------------
  |  | 1002|  39.3k|#define DLT_USB_LINUX_MMAPPED	220
  ------------------
  |  Branch (447:6): [True: 5.29k, False: 14.4k]
  ------------------
  448|  19.6k|	    hdr->caplen >= sizeof (pcap_usb_header_mmapped)) {
  ------------------
  |  Branch (448:6): [True: 2.43k, False: 2.85k]
  ------------------
  449|       |		/*
  450|       |		 * In older versions of libpcap, in memory-mapped captures,
  451|       |		 * the "on-the-bus length" for completion events for
  452|       |		 * incoming isochronous transfers was miscalculated; it
  453|       |		 * needed to be calculated based on the* offsets and lengths
  454|       |		 * in the descriptors, not on the raw URB length, but it
  455|       |		 * wasn't.
  456|       |		 *
  457|       |		 * If this packet contains transferred data (yes, data_flag
  458|       |		 * is 0 if we *do* have data), and the total on-the-network
  459|       |		 * length is equal to the value calculated from the raw URB
  460|       |		 * length, then it might be one of those transfers.
  461|       |		 *
  462|       |		 * We only do this if we have the full USB pseudo-header.
  463|       |		 */
  464|  2.43k|		if (!usb_hdr->data_flag &&
  ------------------
  |  Branch (464:7): [True: 1.91k, False: 519]
  ------------------
  465|  2.43k|		    hdr->len == sizeof(pcap_usb_header_mmapped) +
  ------------------
  |  Branch (465:7): [True: 1.31k, False: 596]
  ------------------
  466|  1.91k|		      (usb_hdr->ndesc * sizeof (usb_isodesc)) + usb_hdr->urb_len) {
  467|       |			/*
  468|       |			 * It might need fixing; fix it if it's a completion
  469|       |			 * event for an incoming isochronous transfer.
  470|       |			 */
  471|  1.31k|			fix_linux_usb_mmapped_length(hdr, data);
  472|  1.31k|		}
  473|  2.43k|	}
  474|  19.6k|}
pcap-util.c:swap_pseudo_headers:
  397|  18.5k|{
  398|       |	/*
  399|       |	 * Convert pseudo-headers from the byte order of
  400|       |	 * the host on which the file was saved to our
  401|       |	 * byte order, as necessary.
  402|       |	 */
  403|  18.5k|	switch (linktype) {
  ------------------
  |  Branch (403:10): [True: 3.34k, False: 15.1k]
  ------------------
  404|       |
  405|  2.87k|	case DLT_PFLOG:
  ------------------
  |  |  343|  2.87k|#define DLT_PFLOG	117
  ------------------
  |  Branch (405:2): [True: 2.87k, False: 15.6k]
  ------------------
  406|  2.87k|		swap_pflog_header(hdr, data);
  407|  2.87k|		break;
  408|       |
  409|  1.50k|	case DLT_LINUX_SLL:
  ------------------
  |  |  323|  1.50k|#define DLT_LINUX_SLL	113
  ------------------
  |  Branch (409:2): [True: 1.50k, False: 17.0k]
  ------------------
  410|  1.50k|		swap_linux_sll_header(hdr, data);
  411|  1.50k|		break;
  412|       |
  413|  1.65k|	case DLT_LINUX_SLL2:
  ------------------
  |  | 1478|  1.65k|#define DLT_LINUX_SLL2	276
  ------------------
  |  Branch (413:2): [True: 1.65k, False: 16.8k]
  ------------------
  414|  1.65k|		swap_linux_sll2_header(hdr, data);
  415|  1.65k|		break;
  416|       |
  417|  2.26k|	case DLT_USB_LINUX:
  ------------------
  |  |  773|  2.26k|#define DLT_USB_LINUX		189
  ------------------
  |  Branch (417:2): [True: 2.26k, False: 16.2k]
  ------------------
  418|  2.26k|		swap_linux_usb_header(hdr, data, 0);
  419|  2.26k|		break;
  420|       |
  421|  5.29k|	case DLT_USB_LINUX_MMAPPED:
  ------------------
  |  | 1002|  5.29k|#define DLT_USB_LINUX_MMAPPED	220
  ------------------
  |  Branch (421:2): [True: 5.29k, False: 13.2k]
  ------------------
  422|  5.29k|		swap_linux_usb_header(hdr, data, 1);
  423|  5.29k|		break;
  424|       |
  425|  1.59k|	case DLT_NFLOG:
  ------------------
  |  | 1186|  1.59k|#define DLT_NFLOG		239
  ------------------
  |  Branch (425:2): [True: 1.59k, False: 16.9k]
  ------------------
  426|  1.59k|		swap_nflog_header(hdr, data);
  427|  1.59k|		break;
  428|  18.5k|	}
  429|  18.5k|}
pcap-util.c:swap_pflog_header:
   52|  2.87k|{
   53|  2.87k|	u_int caplen = hdr->caplen;
   54|  2.87k|	u_int length = hdr->len;
   55|  2.87k|	u_int pfloghdr_length;
   56|  2.87k|	struct pfloghdr *pflhdr = (struct pfloghdr *)buf;
   57|       |
   58|  2.87k|	if (caplen < (u_int) (offsetof(struct pfloghdr, uid) + sizeof pflhdr->uid) ||
  ------------------
  |  Branch (58:6): [True: 316, False: 2.56k]
  ------------------
   59|  2.87k|	    length < (u_int) (offsetof(struct pfloghdr, uid) + sizeof pflhdr->uid)) {
  ------------------
  |  Branch (59:6): [True: 199, False: 2.36k]
  ------------------
   60|       |		/* Not enough data to have the uid field */
   61|    515|		return;
   62|    515|	}
   63|       |
   64|  2.36k|	pfloghdr_length = pflhdr->length;
   65|       |
   66|  2.36k|	if (pfloghdr_length < (u_int) (offsetof(struct pfloghdr, uid) + sizeof pflhdr->uid)) {
  ------------------
  |  Branch (66:6): [True: 211, False: 2.15k]
  ------------------
   67|       |		/* Header doesn't include uid field */
   68|    211|		return;
   69|    211|	}
   70|  2.15k|	pflhdr->uid = SWAPLONG(pflhdr->uid);
  ------------------
  |  |   42|  2.15k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.15k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.15k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.15k|     ((((u_int)(y))>>24)&0xff))
  ------------------
   71|       |
   72|  2.15k|	if (caplen < (u_int) (offsetof(struct pfloghdr, pid) + sizeof pflhdr->pid) ||
  ------------------
  |  Branch (72:6): [True: 217, False: 1.93k]
  ------------------
   73|  2.15k|	    length < (u_int) (offsetof(struct pfloghdr, pid) + sizeof pflhdr->pid)) {
  ------------------
  |  Branch (73:6): [True: 197, False: 1.73k]
  ------------------
   74|       |		/* Not enough data to have the pid field */
   75|    414|		return;
   76|    414|	}
   77|  1.73k|	if (pfloghdr_length < (u_int) (offsetof(struct pfloghdr, pid) + sizeof pflhdr->pid)) {
  ------------------
  |  Branch (77:6): [True: 204, False: 1.53k]
  ------------------
   78|       |		/* Header doesn't include pid field */
   79|    204|		return;
   80|    204|	}
   81|  1.53k|	pflhdr->pid = SWAPLONG(pflhdr->pid);
  ------------------
  |  |   42|  1.53k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  1.53k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  1.53k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  1.53k|     ((((u_int)(y))>>24)&0xff))
  ------------------
   82|       |
   83|  1.53k|	if (caplen < (u_int) (offsetof(struct pfloghdr, rule_uid) + sizeof pflhdr->rule_uid) ||
  ------------------
  |  Branch (83:6): [True: 231, False: 1.30k]
  ------------------
   84|  1.53k|	    length < (u_int) (offsetof(struct pfloghdr, rule_uid) + sizeof pflhdr->rule_uid)) {
  ------------------
  |  Branch (84:6): [True: 196, False: 1.10k]
  ------------------
   85|       |		/* Not enough data to have the rule_uid field */
   86|    427|		return;
   87|    427|	}
   88|  1.10k|	if (pfloghdr_length < (u_int) (offsetof(struct pfloghdr, rule_uid) + sizeof pflhdr->rule_uid)) {
  ------------------
  |  Branch (88:6): [True: 201, False: 906]
  ------------------
   89|       |		/* Header doesn't include rule_uid field */
   90|    201|		return;
   91|    201|	}
   92|    906|	pflhdr->rule_uid = SWAPLONG(pflhdr->rule_uid);
  ------------------
  |  |   42|    906|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    906|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    906|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    906|     ((((u_int)(y))>>24)&0xff))
  ------------------
   93|       |
   94|    906|	if (caplen < (u_int) (offsetof(struct pfloghdr, rule_pid) + sizeof pflhdr->rule_pid) ||
  ------------------
  |  Branch (94:6): [True: 234, False: 672]
  ------------------
   95|    906|	    length < (u_int) (offsetof(struct pfloghdr, rule_pid) + sizeof pflhdr->rule_pid)) {
  ------------------
  |  Branch (95:6): [True: 198, False: 474]
  ------------------
   96|       |		/* Not enough data to have the rule_pid field */
   97|    432|		return;
   98|    432|	}
   99|    474|	if (pfloghdr_length < (u_int) (offsetof(struct pfloghdr, rule_pid) + sizeof pflhdr->rule_pid)) {
  ------------------
  |  Branch (99:6): [True: 208, False: 266]
  ------------------
  100|       |		/* Header doesn't include rule_pid field */
  101|    208|		return;
  102|    208|	}
  103|    266|	pflhdr->rule_pid = SWAPLONG(pflhdr->rule_pid);
  ------------------
  |  |   42|    266|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    266|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    266|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    266|     ((((u_int)(y))>>24)&0xff))
  ------------------
  104|    266|}
pcap-util.c:swap_linux_sll_header:
  117|  1.50k|{
  118|  1.50k|	u_int caplen = hdr->caplen;
  119|  1.50k|	u_int length = hdr->len;
  120|  1.50k|	struct sll_header *shdr = (struct sll_header *)buf;
  121|  1.50k|	uint16_t protocol;
  122|  1.50k|	pcap_can_socketcan_hdr *chdr;
  123|       |
  124|  1.50k|	if (caplen < (u_int) sizeof(struct sll_header) ||
  ------------------
  |  Branch (124:6): [True: 203, False: 1.30k]
  ------------------
  125|  1.50k|	    length < (u_int) sizeof(struct sll_header)) {
  ------------------
  |  Branch (125:6): [True: 198, False: 1.10k]
  ------------------
  126|       |		/* Not enough data to have the protocol field */
  127|    401|		return;
  128|    401|	}
  129|       |
  130|  1.10k|	protocol = EXTRACT_BE_U_2(&shdr->sll_protocol);
  131|  1.10k|	if (protocol != LINUX_SLL_P_CAN && protocol != LINUX_SLL_P_CANFD)
  ------------------
  |  |  146|  2.20k|#define LINUX_SLL_P_CAN		0x000C	/* CAN frames, with SocketCAN pseudo-headers */
  ------------------
              	if (protocol != LINUX_SLL_P_CAN && protocol != LINUX_SLL_P_CANFD)
  ------------------
  |  |  147|    572|#define LINUX_SLL_P_CANFD	0x000D	/* CAN FD frames, with SocketCAN pseudo-headers */
  ------------------
  |  Branch (131:6): [True: 572, False: 531]
  |  Branch (131:37): [True: 255, False: 317]
  ------------------
  132|    255|		return;
  133|       |
  134|       |	/*
  135|       |	 * SocketCAN packet; fix up the packet's header.
  136|       |	 */
  137|    848|	chdr = (pcap_can_socketcan_hdr *)(buf + sizeof(struct sll_header));
  138|    848|	if (caplen < (u_int) sizeof(struct sll_header) + sizeof(chdr->can_id) ||
  ------------------
  |  Branch (138:6): [True: 383, False: 465]
  ------------------
  139|    848|	    length < (u_int) sizeof(struct sll_header) + sizeof(chdr->can_id)) {
  ------------------
  |  Branch (139:6): [True: 197, False: 268]
  ------------------
  140|       |		/* Not enough data to have the CAN ID */
  141|    580|		return;
  142|    580|	}
  143|    268|	chdr->can_id = SWAPLONG(chdr->can_id);
  ------------------
  |  |   42|    268|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    268|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    268|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    268|     ((((u_int)(y))>>24)&0xff))
  ------------------
  144|    268|}
pcap-util.c:swap_linux_sll2_header:
  151|  1.65k|{
  152|  1.65k|	u_int caplen = hdr->caplen;
  153|  1.65k|	u_int length = hdr->len;
  154|  1.65k|	struct sll2_header *shdr = (struct sll2_header *)buf;
  155|  1.65k|	uint16_t protocol;
  156|  1.65k|	pcap_can_socketcan_hdr *chdr;
  157|       |
  158|  1.65k|	if (caplen < (u_int) sizeof(struct sll2_header) ||
  ------------------
  |  Branch (158:6): [True: 368, False: 1.28k]
  ------------------
  159|  1.65k|	    length < (u_int) sizeof(struct sll2_header)) {
  ------------------
  |  Branch (159:6): [True: 196, False: 1.08k]
  ------------------
  160|       |		/* Not enough data to have the protocol field */
  161|    564|		return;
  162|    564|	}
  163|       |
  164|  1.08k|	protocol = EXTRACT_BE_U_2(&shdr->sll2_protocol);
  165|  1.08k|	if (protocol != LINUX_SLL_P_CAN && protocol != LINUX_SLL_P_CANFD)
  ------------------
  |  |  146|  2.17k|#define LINUX_SLL_P_CAN		0x000C	/* CAN frames, with SocketCAN pseudo-headers */
  ------------------
              	if (protocol != LINUX_SLL_P_CAN && protocol != LINUX_SLL_P_CANFD)
  ------------------
  |  |  147|    747|#define LINUX_SLL_P_CANFD	0x000D	/* CAN FD frames, with SocketCAN pseudo-headers */
  ------------------
  |  Branch (165:6): [True: 747, False: 341]
  |  Branch (165:37): [True: 261, False: 486]
  ------------------
  166|    261|		return;
  167|       |
  168|       |	/*
  169|       |	 * SocketCAN packet; fix up the packet's header.
  170|       |	 */
  171|    827|	chdr = (pcap_can_socketcan_hdr *)(buf + sizeof(struct sll2_header));
  172|    827|	if (caplen < (u_int) sizeof(struct sll2_header) + sizeof(chdr->can_id) ||
  ------------------
  |  Branch (172:6): [True: 346, False: 481]
  ------------------
  173|    827|	    length < (u_int) sizeof(struct sll2_header) + sizeof(chdr->can_id)) {
  ------------------
  |  Branch (173:6): [True: 196, False: 285]
  ------------------
  174|       |		/* Not enough data to have the CAN ID */
  175|    542|		return;
  176|    542|	}
  177|    285|	chdr->can_id = SWAPLONG(chdr->can_id);
  ------------------
  |  |   42|    285|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    285|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    285|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    285|     ((((u_int)(y))>>24)&0xff))
  ------------------
  178|    285|}
pcap-util.c:swap_linux_usb_header:
  192|  7.55k|{
  193|  7.55k|	pcap_usb_header_mmapped *uhdr = (pcap_usb_header_mmapped *)buf;
  194|  7.55k|	bpf_u_int32 offset = 0;
  195|       |
  196|       |	/*
  197|       |	 * "offset" is the offset *past* the field we're swapping;
  198|       |	 * we skip the field *before* checking to make sure
  199|       |	 * the captured data length includes the entire field.
  200|       |	 */
  201|       |
  202|       |	/*
  203|       |	 * The URB id is a totally opaque value; do we really need to
  204|       |	 * convert it to the reading host's byte order???
  205|       |	 */
  206|  7.55k|	offset += 8;			/* skip past id */
  207|  7.55k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (207:6): [True: 513, False: 7.03k]
  ------------------
  208|    513|		return;
  209|  7.03k|	uhdr->id = SWAPLL(uhdr->id);
  ------------------
  |  |  119|  7.03k|#define SWAPLL(ull)  ((ull & 0xff00000000000000ULL) >> 56) | \
  |  |  120|  7.03k|                      ((ull & 0x00ff000000000000ULL) >> 40) | \
  |  |  121|  7.03k|                      ((ull & 0x0000ff0000000000ULL) >> 24) | \
  |  |  122|  7.03k|                      ((ull & 0x000000ff00000000ULL) >> 8)  | \
  |  |  123|  7.03k|                      ((ull & 0x00000000ff000000ULL) << 8)  | \
  |  |  124|  7.03k|                      ((ull & 0x0000000000ff0000ULL) << 24) | \
  |  |  125|  7.03k|                      ((ull & 0x000000000000ff00ULL) << 40) | \
  |  |  126|  7.03k|                      ((ull & 0x00000000000000ffULL) << 56)
  ------------------
  210|       |
  211|  7.03k|	offset += 4;			/* skip past various 1-byte fields */
  212|       |
  213|  7.03k|	offset += 2;			/* skip past bus_id */
  214|  7.03k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (214:6): [True: 393, False: 6.64k]
  ------------------
  215|    393|		return;
  216|  6.64k|	uhdr->bus_id = SWAPSHORT(uhdr->bus_id);
  ------------------
  |  |   47|  6.64k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  6.64k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  217|       |
  218|  6.64k|	offset += 2;			/* skip past various 1-byte fields */
  219|       |
  220|  6.64k|	offset += 8;			/* skip past ts_sec */
  221|  6.64k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (221:6): [True: 397, False: 6.24k]
  ------------------
  222|    397|		return;
  223|  6.24k|	uhdr->ts_sec = SWAPLL(uhdr->ts_sec);
  ------------------
  |  |  119|  6.24k|#define SWAPLL(ull)  ((ull & 0xff00000000000000ULL) >> 56) | \
  |  |  120|  6.24k|                      ((ull & 0x00ff000000000000ULL) >> 40) | \
  |  |  121|  6.24k|                      ((ull & 0x0000ff0000000000ULL) >> 24) | \
  |  |  122|  6.24k|                      ((ull & 0x000000ff00000000ULL) >> 8)  | \
  |  |  123|  6.24k|                      ((ull & 0x00000000ff000000ULL) << 8)  | \
  |  |  124|  6.24k|                      ((ull & 0x0000000000ff0000ULL) << 24) | \
  |  |  125|  6.24k|                      ((ull & 0x000000000000ff00ULL) << 40) | \
  |  |  126|  6.24k|                      ((ull & 0x00000000000000ffULL) << 56)
  ------------------
  224|       |
  225|  6.24k|	offset += 4;			/* skip past ts_usec */
  226|  6.24k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (226:6): [True: 395, False: 5.85k]
  ------------------
  227|    395|		return;
  228|  5.85k|	uhdr->ts_usec = SWAPLONG(uhdr->ts_usec);
  ------------------
  |  |   42|  5.85k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  5.85k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  5.85k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  5.85k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  229|       |
  230|  5.85k|	offset += 4;			/* skip past status */
  231|  5.85k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (231:6): [True: 392, False: 5.46k]
  ------------------
  232|    392|		return;
  233|  5.46k|	uhdr->status = SWAPLONG(uhdr->status);
  ------------------
  |  |   42|  5.46k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  5.46k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  5.46k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  5.46k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  234|       |
  235|  5.46k|	offset += 4;			/* skip past urb_len */
  236|  5.46k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (236:6): [True: 393, False: 5.06k]
  ------------------
  237|    393|		return;
  238|  5.06k|	uhdr->urb_len = SWAPLONG(uhdr->urb_len);
  ------------------
  |  |   42|  5.06k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  5.06k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  5.06k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  5.06k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  239|       |
  240|  5.06k|	offset += 4;			/* skip past data_len */
  241|  5.06k|	if (hdr->caplen < offset)
  ------------------
  |  Branch (241:6): [True: 397, False: 4.67k]
  ------------------
  242|    397|		return;
  243|  4.67k|	uhdr->data_len = SWAPLONG(uhdr->data_len);
  ------------------
  |  |   42|  4.67k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  4.67k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  4.67k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  4.67k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  244|       |
  245|  4.67k|	if (uhdr->transfer_type == URB_ISOCHRONOUS) {
  ------------------
  |  |   43|  4.67k|#define URB_ISOCHRONOUS   0x0
  ------------------
  |  Branch (245:6): [True: 3.44k, False: 1.23k]
  ------------------
  246|  3.44k|		offset += 4;			/* skip past s.iso.error_count */
  247|  3.44k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (247:7): [True: 394, False: 3.04k]
  ------------------
  248|    394|			return;
  249|  3.04k|		uhdr->s.iso.error_count = SWAPLONG(uhdr->s.iso.error_count);
  ------------------
  |  |   42|  3.04k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  3.04k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  3.04k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  3.04k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  250|       |
  251|  3.04k|		offset += 4;			/* skip past s.iso.numdesc */
  252|  3.04k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (252:7): [True: 392, False: 2.65k]
  ------------------
  253|    392|			return;
  254|  2.65k|		uhdr->s.iso.numdesc = SWAPLONG(uhdr->s.iso.numdesc);
  ------------------
  |  |   42|  2.65k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.65k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.65k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.65k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  255|  2.65k|	} else
  256|  1.23k|		offset += 8;			/* skip USB setup header */
  257|       |
  258|       |	/*
  259|       |	 * With the old header, there are no isochronous descriptors
  260|       |	 * after the header.
  261|       |	 *
  262|       |	 * With the new header, the actual number of descriptors in
  263|       |	 * the header is not s.iso.numdesc, it's ndesc - only the
  264|       |	 * first N descriptors, for some value of N, are put into
  265|       |	 * the header, and ndesc is set to the actual number copied.
  266|       |	 * In addition, if s.iso.numdesc is negative, no descriptors
  267|       |	 * are captured, and ndesc is set to 0.
  268|       |	 */
  269|  3.88k|	if (header_len_64_bytes) {
  ------------------
  |  Branch (269:6): [True: 3.41k, False: 468]
  ------------------
  270|       |		/*
  271|       |		 * This is either the "version 1" header, with
  272|       |		 * 16 bytes of additional fields at the end, or
  273|       |		 * a "version 0" header from a memory-mapped
  274|       |		 * capture, with 16 bytes of zeroed-out padding
  275|       |		 * at the end.  Byte swap them as if this were
  276|       |		 * a "version 1" header.
  277|       |		 */
  278|  3.41k|		offset += 4;			/* skip past interval */
  279|  3.41k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (279:7): [True: 397, False: 3.02k]
  ------------------
  280|    397|			return;
  281|  3.02k|		uhdr->interval = SWAPLONG(uhdr->interval);
  ------------------
  |  |   42|  3.02k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  3.02k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  3.02k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  3.02k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  282|       |
  283|  3.02k|		offset += 4;			/* skip past start_frame */
  284|  3.02k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (284:7): [True: 196, False: 2.82k]
  ------------------
  285|    196|			return;
  286|  2.82k|		uhdr->start_frame = SWAPLONG(uhdr->start_frame);
  ------------------
  |  |   42|  2.82k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.82k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.82k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.82k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  287|       |
  288|  2.82k|		offset += 4;			/* skip past xfer_flags */
  289|  2.82k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (289:7): [True: 196, False: 2.62k]
  ------------------
  290|    196|			return;
  291|  2.62k|		uhdr->xfer_flags = SWAPLONG(uhdr->xfer_flags);
  ------------------
  |  |   42|  2.62k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.62k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.62k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.62k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  292|       |
  293|  2.62k|		offset += 4;			/* skip past ndesc */
  294|  2.62k|		if (hdr->caplen < offset)
  ------------------
  |  Branch (294:7): [True: 196, False: 2.43k]
  ------------------
  295|    196|			return;
  296|  2.43k|		uhdr->ndesc = SWAPLONG(uhdr->ndesc);
  ------------------
  |  |   42|  2.43k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.43k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.43k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.43k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  297|       |
  298|  2.43k|		if (uhdr->transfer_type == URB_ISOCHRONOUS) {
  ------------------
  |  |   43|  2.43k|#define URB_ISOCHRONOUS   0x0
  ------------------
  |  Branch (298:7): [True: 1.99k, False: 435]
  ------------------
  299|       |			/* swap the values in struct linux_usb_isodesc */
  300|  1.99k|			usb_isodesc *pisodesc;
  301|  1.99k|			uint32_t i;
  302|       |
  303|  1.99k|			pisodesc = (usb_isodesc *)(void *)(buf+offset);
  304|  63.6k|			for (i = 0; i < uhdr->ndesc; i++) {
  ------------------
  |  Branch (304:16): [True: 62.5k, False: 1.09k]
  ------------------
  305|  62.5k|				offset += 4;		/* skip past status */
  306|  62.5k|				if (hdr->caplen < offset)
  ------------------
  |  Branch (306:9): [True: 430, False: 62.1k]
  ------------------
  307|    430|					return;
  308|  62.1k|				pisodesc->status = SWAPLONG(pisodesc->status);
  ------------------
  |  |   42|  62.1k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  62.1k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  62.1k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  62.1k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  309|       |
  310|  62.1k|				offset += 4;		/* skip past offset */
  311|  62.1k|				if (hdr->caplen < offset)
  ------------------
  |  Branch (311:9): [True: 242, False: 61.8k]
  ------------------
  312|    242|					return;
  313|  61.8k|				pisodesc->offset = SWAPLONG(pisodesc->offset);
  ------------------
  |  |   42|  61.8k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  61.8k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  61.8k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  61.8k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  314|       |
  315|  61.8k|				offset += 4;		/* skip past len */
  316|  61.8k|				if (hdr->caplen < offset)
  ------------------
  |  Branch (316:9): [True: 230, False: 61.6k]
  ------------------
  317|    230|					return;
  318|  61.6k|				pisodesc->len = SWAPLONG(pisodesc->len);
  ------------------
  |  |   42|  61.6k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  61.6k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  61.6k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  61.6k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  319|       |
  320|  61.6k|				offset += 4;		/* skip past padding */
  321|       |
  322|  61.6k|				pisodesc++;
  323|  61.6k|			}
  324|  1.99k|		}
  325|  2.43k|	}
  326|  3.88k|}
pcap-util.c:swap_nflog_header:
  341|  1.59k|{
  342|  1.59k|	u_char *p = buf;
  343|  1.59k|	nflog_hdr_t *nfhdr = (nflog_hdr_t *)buf;
  344|  1.59k|	nflog_tlv_t *tlv;
  345|  1.59k|	u_int caplen = hdr->caplen;
  346|  1.59k|	u_int length = hdr->len;
  347|  1.59k|	uint16_t size;
  348|       |
  349|  1.59k|	if (caplen < (u_int) sizeof(nflog_hdr_t) ||
  ------------------
  |  Branch (349:6): [True: 209, False: 1.38k]
  ------------------
  350|  1.59k|	    length < (u_int) sizeof(nflog_hdr_t)) {
  ------------------
  |  Branch (350:6): [True: 196, False: 1.18k]
  ------------------
  351|       |		/* Not enough data to have any TLVs. */
  352|    405|		return;
  353|    405|	}
  354|       |
  355|  1.18k|	if (nfhdr->nflog_version != 0) {
  ------------------
  |  Branch (355:6): [True: 223, False: 964]
  ------------------
  356|       |		/* Unknown NFLOG version */
  357|    223|		return;
  358|    223|	}
  359|       |
  360|    964|	length -= sizeof(nflog_hdr_t);
  361|    964|	caplen -= sizeof(nflog_hdr_t);
  362|    964|	p += sizeof(nflog_hdr_t);
  363|       |
  364|  1.79k|	while (caplen >= sizeof(nflog_tlv_t)) {
  ------------------
  |  Branch (364:9): [True: 1.36k, False: 427]
  ------------------
  365|  1.36k|		tlv = (nflog_tlv_t *) p;
  366|       |
  367|       |		/* Swap the type and length. */
  368|  1.36k|		tlv->tlv_type = SWAPSHORT(tlv->tlv_type);
  ------------------
  |  |   47|  1.36k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  1.36k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  369|  1.36k|		tlv->tlv_length = SWAPSHORT(tlv->tlv_length);
  ------------------
  |  |   47|  1.36k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  1.36k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  370|       |
  371|       |		/* Get the length of the TLV. */
  372|  1.36k|		size = tlv->tlv_length;
  373|  1.36k|		if (size % 4 != 0)
  ------------------
  |  Branch (373:7): [True: 614, False: 752]
  ------------------
  374|    614|			size += 4 - size % 4;
  375|       |
  376|       |		/* Is the TLV's length less than the minimum? */
  377|  1.36k|		if (size < sizeof(nflog_tlv_t)) {
  ------------------
  |  Branch (377:7): [True: 227, False: 1.13k]
  ------------------
  378|       |			/* Yes. Give up now. */
  379|    227|			return;
  380|    227|		}
  381|       |
  382|       |		/* Do we have enough data for the full TLV? */
  383|  1.13k|		if (caplen < size || length < size) {
  ------------------
  |  Branch (383:7): [True: 310, False: 829]
  |  Branch (383:24): [True: 0, False: 829]
  ------------------
  384|       |			/* No. */
  385|    310|			return;
  386|    310|		}
  387|       |
  388|       |		/* Skip over the TLV. */
  389|    829|		length -= size;
  390|    829|		caplen -= size;
  391|    829|		p += size;
  392|    829|	}
  393|    964|}

pcap_oneshot:
  591|  19.6k|{
  592|  19.6k|	struct oneshot_userdata *sp = (struct oneshot_userdata *)user;
  593|       |
  594|  19.6k|	*sp->hdr = *h;
  595|  19.6k|	*sp->pkt = pkt;
  596|  19.6k|}
pcap_next_ex:
  615|  22.9k|{
  616|  22.9k|	struct oneshot_userdata s;
  617|       |
  618|  22.9k|	s.hdr = &p->pcap_header;
  619|  22.9k|	s.pkt = pkt_data;
  620|  22.9k|	s.pd = p;
  621|       |
  622|       |	/* Saves a pointer to the packet headers */
  623|  22.9k|	*pkt_header= &p->pcap_header;
  624|       |
  625|  22.9k|	if (p->rfile != NULL) {
  ------------------
  |  Branch (625:6): [True: 22.9k, False: 0]
  ------------------
  626|  22.9k|		int status;
  627|       |
  628|       |		/* We are on an offline capture */
  629|  22.9k|		status = pcap_offline_read(p, 1, p->oneshot_callback,
  630|  22.9k|		    (u_char *)&s);
  631|       |
  632|       |		/*
  633|       |		 * Return codes for pcap_offline_read() are:
  634|       |		 *   -  0: EOF
  635|       |		 *   - -1: error
  636|       |		 *   - >0: OK - result is number of packets read, so
  637|       |		 *         it will be 1 in this case, as we've passed
  638|       |		 *         a maximum packet count of 1
  639|       |		 * The first one ('0') conflicts with the return code of
  640|       |		 * 0 from pcap_read() meaning "no packets arrived before
  641|       |		 * the timeout expired", so we map it to -2 so you can
  642|       |		 * distinguish between an EOF from a savefile and a
  643|       |		 * "no packets arrived before the timeout expired, try
  644|       |		 * again" from a live capture.
  645|       |		 */
  646|  22.9k|		if (status == 0)
  ------------------
  |  Branch (646:7): [True: 2.42k, False: 20.5k]
  ------------------
  647|  2.42k|			return (-2);
  648|  20.5k|		else
  649|  20.5k|			return (status);
  650|  22.9k|	}
  651|       |
  652|       |	/*
  653|       |	 * Return codes for pcap_read() are:
  654|       |	 *   -  0: timeout
  655|       |	 *   - -1: error
  656|       |	 *   - -2: loop was broken out of with pcap_breakloop()
  657|       |	 *   - >0: OK, result is number of packets captured, so
  658|       |	 *         it will be 1 in this case, as we've passed
  659|       |	 *         a maximum packet count of 1
  660|       |	 * The first one ('0') conflicts with the return code of 0 from
  661|       |	 * pcap_offline_read() meaning "end of file".
  662|       |	*/
  663|      0|	return (p->read_op(p, 1, p->oneshot_callback, (u_char *)&s));
  664|  22.9k|}
pcap_open_offline_common:
 2925|  3.63k|{
 2926|  3.63k|	pcap_t *p;
 2927|       |
 2928|  3.63k|	p = pcap_alloc_pcap_t(ebuf, total_size, private_offset);
 2929|  3.63k|	if (p == NULL)
  ------------------
  |  Branch (2929:6): [True: 0, False: 3.63k]
  ------------------
 2930|      0|		return (NULL);
 2931|       |
 2932|  3.63k|	p->opt.tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO;
  ------------------
  |  |  560|  3.63k|#define PCAP_TSTAMP_PRECISION_MICRO	0	/* use timestamps with microsecond precision, default */
  ------------------
 2933|       |
 2934|  3.63k|	return (p);
 2935|  3.63k|}
pcap_stats:
 3803|  3.22k|{
 3804|  3.22k|	return (p->stats_op(p, ps));
 3805|  3.22k|}
pcap_close:
 4136|  3.22k|{
 4137|  3.22k|	p->cleanup_op(p);
 4138|  3.22k|	free(p);
 4139|  3.22k|}
pcap.c:pcap_alloc_pcap_t:
 2473|  3.63k|{
 2474|  3.63k|	char *chunk;
 2475|  3.63k|	pcap_t *p;
 2476|       |
 2477|       |	/*
 2478|       |	 * total_size is the size of a structure containing a pcap_t
 2479|       |	 * followed by a private structure.
 2480|       |	 */
 2481|  3.63k|	chunk = calloc(total_size, 1);
 2482|  3.63k|	if (chunk == NULL) {
  ------------------
  |  Branch (2482:6): [True: 0, False: 3.63k]
  ------------------
 2483|      0|		pcap_fmt_errmsg_for_errno(ebuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
 2484|      0|		    errno, "malloc");
 2485|      0|		return (NULL);
 2486|      0|	}
 2487|       |
 2488|       |	/*
 2489|       |	 * Get a pointer to the pcap_t at the beginning.
 2490|       |	 */
 2491|  3.63k|	p = (pcap_t *)chunk;
 2492|       |
 2493|       |#ifdef _WIN32
 2494|       |	p->handle = INVALID_HANDLE_VALUE;	/* not opened yet */
 2495|       |#else /* _WIN32 */
 2496|  3.63k|	p->fd = -1;	/* not opened yet */
 2497|  3.63k|#ifndef MSDOS
 2498|  3.63k|	p->selectable_fd = -1;
 2499|  3.63k|	p->required_select_timeout = NULL;
 2500|  3.63k|#endif /* MSDOS */
 2501|  3.63k|#endif /* _WIN32 */
 2502|       |
 2503|       |	/*
 2504|       |	 * private_offset is the offset, in bytes, of the private
 2505|       |	 * data from the beginning of the structure.
 2506|       |	 *
 2507|       |	 * Set the pointer to the private data; that's private_offset
 2508|       |	 * bytes past the pcap_t.
 2509|       |	 */
 2510|  3.63k|	p->priv = (void *)(chunk + private_offset);
 2511|       |
 2512|  3.63k|	return (p);
 2513|  3.63k|}

pcap_sf_cleanup:
  252|  3.22k|{
  253|  3.22k|	if (p->rfile != stdin)
  ------------------
  |  Branch (253:6): [True: 3.22k, False: 0]
  ------------------
  254|  3.22k|		(void)fclose(p->rfile);
  255|  3.22k|	if (p->buffer != NULL)
  ------------------
  |  Branch (255:6): [True: 3.22k, False: 0]
  ------------------
  256|  3.22k|		free(p->buffer);
  257|  3.22k|	pcap_freecode(&p->fcode);
  258|  3.22k|}
pcap_open_offline_with_tstamp_precision:
  351|  4.09k|{
  352|  4.09k|	FILE *fp;
  353|  4.09k|	pcap_t *p;
  354|       |
  355|  4.09k|	if (fname == NULL) {
  ------------------
  |  Branch (355:6): [True: 0, False: 4.09k]
  ------------------
  356|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  357|      0|		    "A null pointer was supplied as the file name");
  358|      0|		return (NULL);
  359|      0|	}
  360|  4.09k|	if (fname[0] == '-' && fname[1] == '\0')
  ------------------
  |  Branch (360:6): [True: 0, False: 4.09k]
  |  Branch (360:25): [True: 0, False: 0]
  ------------------
  361|      0|	{
  362|      0|		fp = stdin;
  363|      0|		if (fp == NULL) {
  ------------------
  |  Branch (363:7): [True: 0, False: 0]
  ------------------
  364|      0|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  365|      0|			    "The standard input is not open");
  366|      0|			return (NULL);
  367|      0|		}
  368|       |#if defined(_WIN32) || defined(MSDOS)
  369|       |		/*
  370|       |		 * We're reading from the standard input, so put it in binary
  371|       |		 * mode, as savefiles are binary files.
  372|       |		 */
  373|       |		SET_BINMODE(fp);
  374|       |#endif
  375|      0|	}
  376|  4.09k|	else {
  377|       |		/*
  378|       |		 * Use pcap_charset_fopen(); on Windows, it tests whether we're
  379|       |		 * in "local code page" or "UTF-8" mode, and treats the
  380|       |		 * pathname appropriately, and on other platforms, it just
  381|       |		 * wraps fopen().
  382|       |		 *
  383|       |		 * "b" is supported as of C90, so *all* UN*Xes should
  384|       |		 * support it, even though it does nothing.  For MS-DOS,
  385|       |		 * we again need it.
  386|       |		 */
  387|  4.09k|		fp = pcap_charset_fopen(fname, "rb");
  ------------------
  |  |  595|  4.09k|#define pcap_charset_fopen(path, mode)	fopen((path), (mode))
  ------------------
  388|  4.09k|		if (fp == NULL) {
  ------------------
  |  Branch (388:7): [True: 0, False: 4.09k]
  ------------------
  389|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  390|      0|			    errno, "%s", fname);
  391|      0|			return (NULL);
  392|      0|		}
  393|  4.09k|	}
  394|  4.09k|	p = pcap_fopen_offline_with_tstamp_precision(fp, precision, errbuf);
  395|  4.09k|	if (p == NULL) {
  ------------------
  |  Branch (395:6): [True: 867, False: 3.22k]
  ------------------
  396|    867|		if (fp != stdin)
  ------------------
  |  Branch (396:7): [True: 867, False: 0]
  ------------------
  397|    867|			fclose(fp);
  398|    867|	}
  399|  4.09k|	return (p);
  400|  4.09k|}
pcap_open_offline:
  404|  4.09k|{
  405|  4.09k|	return (pcap_open_offline_with_tstamp_precision(fname,
  406|  4.09k|	    PCAP_TSTAMP_PRECISION_MICRO, errbuf));
  ------------------
  |  |  560|  4.09k|#define PCAP_TSTAMP_PRECISION_MICRO	0	/* use timestamps with microsecond precision, default */
  ------------------
  407|  4.09k|}
pcap_adjust_snapshot:
  455|  9.99k|{
  456|  9.99k|	if (snaplen == 0 || snaplen > INT_MAX) {
  ------------------
  |  Branch (456:6): [True: 1.07k, False: 8.92k]
  |  Branch (456:22): [True: 1.25k, False: 7.66k]
  ------------------
  457|       |		/*
  458|       |		 * Bogus snapshot length; use the maximum for this
  459|       |		 * link-layer type as a fallback.
  460|       |		 *
  461|       |		 * XXX - we don't clamp snapshot lengths that are
  462|       |		 * <= INT_MAX but > max_snaplen_for_dlt(linktype),
  463|       |		 * so a capture file could cause us to allocate
  464|       |		 * a Really Big Buffer.
  465|       |		 */
  466|  2.33k|		snaplen = max_snaplen_for_dlt(linktype);
  467|  2.33k|	}
  468|  9.99k|	return snaplen;
  469|  9.99k|}
pcap_fopen_offline_with_tstamp_precision:
  484|  4.09k|{
  485|  4.09k|	register pcap_t *p;
  486|  4.09k|	uint8_t magic[4];
  487|  4.09k|	size_t amt_read;
  488|  4.09k|	u_int i;
  489|  4.09k|	int err;
  490|       |
  491|       |	/*
  492|       |	 * Fail if we were passed a NULL fp.
  493|       |	 *
  494|       |	 * That shouldn't happen if we're opening with a path name, but
  495|       |	 * it could happen if buggy code is opening with a FILE * and
  496|       |	 * didn't bother to make sure the FILE * isn't null.
  497|       |	 */
  498|  4.09k|	if (fp == NULL) {
  ------------------
  |  Branch (498:6): [True: 0, False: 4.09k]
  ------------------
  499|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  500|      0|		    "Null FILE * pointer provided to savefile open routine");
  501|      0|		return (NULL);
  502|      0|	}
  503|       |
  504|       |	/*
  505|       |	 * Read the first 4 bytes of the file; the network analyzer dump
  506|       |	 * file formats we support (pcap and pcapng), and several other
  507|       |	 * formats we might support in the future (such as snoop, DOS and
  508|       |	 * Windows Sniffer, and Microsoft Network Monitor) all have magic
  509|       |	 * numbers that are unique in their first 4 bytes.
  510|       |	 */
  511|  4.09k|	amt_read = fread(&magic, 1, sizeof(magic), fp);
  512|  4.09k|	if (amt_read != sizeof(magic)) {
  ------------------
  |  Branch (512:6): [True: 3, False: 4.09k]
  ------------------
  513|      3|		if (ferror(fp)) {
  ------------------
  |  Branch (513:7): [True: 0, False: 3]
  ------------------
  514|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  515|      0|			    errno, "error reading dump file");
  516|      3|		} else {
  517|      3|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      3|#define PCAP_ERRBUF_SIZE 256
  ------------------
  518|      3|			    "truncated dump file; tried to read %zu file header bytes, only got %zu",
  519|      3|			    sizeof(magic), amt_read);
  520|      3|		}
  521|      3|		return (NULL);
  522|      3|	}
  523|       |
  524|       |	/*
  525|       |	 * Try all file types.
  526|       |	 */
  527|  6.06k|	for (i = 0; i < N_FILE_TYPES; i++) {
  ------------------
  |  |  476|  6.06k|#define	N_FILE_TYPES	(sizeof check_headers / sizeof check_headers[0])
  ------------------
  |  Branch (527:14): [True: 5.73k, False: 332]
  ------------------
  528|  5.73k|		p = (*check_headers[i])(magic, fp, precision, errbuf, &err);
  529|  5.73k|		if (p != NULL) {
  ------------------
  |  Branch (529:7): [True: 3.22k, False: 2.50k]
  ------------------
  530|       |			/* Yup, that's it. */
  531|  3.22k|			goto found;
  532|  3.22k|		}
  533|  2.50k|		if (err) {
  ------------------
  |  Branch (533:7): [True: 532, False: 1.97k]
  ------------------
  534|       |			/*
  535|       |			 * Error trying to read the header.
  536|       |			 */
  537|    532|			return (NULL);
  538|    532|		}
  539|  2.50k|	}
  540|       |
  541|       |	/*
  542|       |	 * Well, who knows what this mess is....
  543|       |	 */
  544|    332|	snprintf(errbuf, PCAP_ERRBUF_SIZE, "unknown file format");
  ------------------
  |  |  152|    332|#define PCAP_ERRBUF_SIZE 256
  ------------------
  545|    332|	return (NULL);
  546|       |
  547|  3.22k|found:
  548|  3.22k|	p->rfile = fp;
  549|       |
  550|       |	/* Padding only needed for live capture fcode */
  551|  3.22k|	p->fddipad = 0;
  552|       |
  553|  3.22k|#if !defined(_WIN32) && !defined(MSDOS)
  554|       |	/*
  555|       |	 * You can do "select()" and "poll()" on plain files on most
  556|       |	 * platforms, and should be able to do so on pipes.
  557|       |	 *
  558|       |	 * You can't do "select()" on anything other than sockets in
  559|       |	 * Windows, so, on Win32 systems, we don't have "selectable_fd".
  560|       |	 */
  561|  3.22k|	p->selectable_fd = fileno(fp);
  562|  3.22k|#endif
  563|       |
  564|  3.22k|	p->can_set_rfmon_op = sf_cant_set_rfmon;
  565|  3.22k|	p->read_op = pcap_offline_read;
  566|  3.22k|	p->inject_op = sf_inject;
  567|  3.22k|	p->setfilter_op = pcap_install_bpf_program;
  568|  3.22k|	p->setdirection_op = sf_setdirection;
  569|  3.22k|	p->set_datalink_op = NULL;	/* we don't support munging link-layer headers */
  570|  3.22k|	p->getnonblock_op = sf_getnonblock;
  571|  3.22k|	p->setnonblock_op = sf_setnonblock;
  572|  3.22k|	p->stats_op = sf_stats;
  573|       |#ifdef _WIN32
  574|       |	p->stats_ex_op = sf_stats_ex;
  575|       |	p->setbuff_op = sf_setbuff;
  576|       |	p->setmode_op = sf_setmode;
  577|       |	p->setmintocopy_op = sf_setmintocopy;
  578|       |	p->getevent_op = sf_getevent;
  579|       |	p->oid_get_request_op = sf_oid_get_request;
  580|       |	p->oid_set_request_op = sf_oid_set_request;
  581|       |	p->sendqueue_transmit_op = sf_sendqueue_transmit;
  582|       |	p->setuserbuffer_op = sf_setuserbuffer;
  583|       |	p->live_dump_op = sf_live_dump;
  584|       |	p->live_dump_ended_op = sf_live_dump_ended;
  585|       |	p->get_airpcap_handle_op = sf_get_airpcap_handle;
  586|       |#endif
  587|       |
  588|       |	/*
  589|       |	 * For offline captures, the standard one-shot callback can
  590|       |	 * be used for pcap_next()/pcap_next_ex().
  591|       |	 */
  592|  3.22k|	p->oneshot_callback = pcap_oneshot;
  593|       |
  594|       |	/*
  595|       |	 * Default breakloop operation.
  596|       |	 */
  597|  3.22k|	p->breakloop_op = pcap_breakloop_common;
  598|       |
  599|       |	/*
  600|       |	 * Savefiles never require special BPF code generation.
  601|       |	 */
  602|  3.22k|	p->bpf_codegen_flags = 0;
  603|       |
  604|  3.22k|	p->activated = 1;
  605|       |
  606|  3.22k|	return (p);
  607|  4.09k|}
pcap_offline_read:
  630|  22.9k|{
  631|  22.9k|	struct bpf_insn *fcode;
  632|  22.9k|	int n = 0;
  633|  22.9k|	u_char *data;
  634|       |
  635|       |	/*
  636|       |	 * This can conceivably process more than INT_MAX packets,
  637|       |	 * which would overflow the packet count, causing it either
  638|       |	 * to look like a negative number, and thus cause us to
  639|       |	 * return a value that looks like an error, or overflow
  640|       |	 * back into positive territory, and thus cause us to
  641|       |	 * return a too-low count.
  642|       |	 *
  643|       |	 * Therefore, if the packet count is unlimited, we clip
  644|       |	 * it at INT_MAX; this routine is not expected to
  645|       |	 * process packets indefinitely, so that's not an issue.
  646|       |	 */
  647|  22.9k|	if (PACKET_COUNT_IS_UNLIMITED(cnt))
  ------------------
  |  |  467|  22.9k|#define PACKET_COUNT_IS_UNLIMITED(count)	((count) <= 0)
  |  |  ------------------
  |  |  |  Branch (467:42): [True: 0, False: 22.9k]
  |  |  ------------------
  ------------------
  648|      0|		cnt = INT_MAX;
  649|       |
  650|  22.9k|	for (;;) {
  651|  22.9k|		struct pcap_pkthdr h;
  652|  22.9k|		int status;
  653|       |
  654|       |		/*
  655|       |		 * Has "pcap_breakloop()" been called?
  656|       |		 * If so, return immediately - if we haven't read any
  657|       |		 * packets, clear the flag and return -2 to indicate
  658|       |		 * that we were told to break out of the loop, otherwise
  659|       |		 * leave the flag set, so that the *next* call will break
  660|       |		 * out of the loop without having read any packets, and
  661|       |		 * return the number of packets we've processed so far.
  662|       |		 */
  663|  22.9k|		if (p->break_loop) {
  ------------------
  |  Branch (663:7): [True: 0, False: 22.9k]
  ------------------
  664|      0|			if (n == 0) {
  ------------------
  |  Branch (664:8): [True: 0, False: 0]
  ------------------
  665|      0|				p->break_loop = 0;
  666|      0|				return (-2);
  667|      0|			} else
  668|      0|				return (n);
  669|      0|		}
  670|       |
  671|  22.9k|		status = p->next_packet_op(p, &h, &data);
  672|  22.9k|		if (status < 0) {
  ------------------
  |  Branch (672:7): [True: 808, False: 22.1k]
  ------------------
  673|       |			/*
  674|       |			 * Error.  Pass it back to the caller.
  675|       |			 */
  676|    808|			return (status);
  677|    808|		}
  678|  22.1k|		if (status == 0) {
  ------------------
  |  Branch (678:7): [True: 2.42k, False: 19.6k]
  ------------------
  679|       |			/*
  680|       |			 * EOF.  Nothing more to process;
  681|       |			 */
  682|  2.42k|			break;
  683|  2.42k|		}
  684|       |
  685|       |		/*
  686|       |		 * OK, we've read a packet; run it through the filter
  687|       |		 * and, if it passes, process it.
  688|       |		 */
  689|  19.6k|		if ((fcode = p->fcode.bf_insns) == NULL ||
  ------------------
  |  Branch (689:7): [True: 19.6k, False: 0]
  ------------------
  690|  19.6k|		    pcap_filter(fcode, data, h.len, h.caplen)) {
  ------------------
  |  Branch (690:7): [True: 0, False: 0]
  ------------------
  691|  19.6k|			(*callback)(user, &h, data);
  692|  19.6k|			n++;	/* count the packet */
  693|  19.6k|			if (n >= cnt)
  ------------------
  |  Branch (693:8): [True: 19.6k, False: 0]
  ------------------
  694|  19.6k|				break;
  695|  19.6k|		}
  696|  19.6k|	}
  697|       |	/*XXX this breaks semantics tcpslice expects */
  698|  22.1k|	return (n);
  699|  22.9k|}
savefile.c:sf_stats:
  126|  3.22k|{
  127|  3.22k|	snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|  3.22k|#define PCAP_ERRBUF_SIZE 256
  ------------------
  128|  3.22k|	    "Statistics aren't available from savefiles");
  129|  3.22k|	return (-1);
  130|  3.22k|}

pcap_check_header:
  153|  4.09k|{
  154|  4.09k|	bpf_u_int32 magic_int;
  155|  4.09k|	struct pcap_file_header hdr;
  156|  4.09k|	size_t amt_read;
  157|  4.09k|	pcap_t *p;
  158|  4.09k|	int swapped = 0;
  159|  4.09k|	struct pcap_sf *ps;
  160|       |
  161|       |	/*
  162|       |	 * Assume no read errors.
  163|       |	 */
  164|  4.09k|	*err = 0;
  165|       |
  166|       |	/*
  167|       |	 * Check whether the first 4 bytes of the file are the magic
  168|       |	 * number for a pcap savefile, or for a byte-swapped pcap
  169|       |	 * savefile.
  170|       |	 */
  171|  4.09k|	memcpy(&magic_int, magic, sizeof(magic_int));
  172|  4.09k|	if (magic_int != TCPDUMP_MAGIC &&
  ------------------
  |  |   79|  8.18k|#define TCPDUMP_MAGIC		0xa1b2c3d4
  ------------------
  |  Branch (172:6): [True: 4.08k, False: 10]
  ------------------
  173|  4.09k|	    magic_int != KUZNETZOV_TCPDUMP_MAGIC &&
  ------------------
  |  |   84|  8.17k|#define KUZNETZOV_TCPDUMP_MAGIC	0xa1b2cd34
  ------------------
  |  Branch (173:6): [True: 4.03k, False: 49]
  ------------------
  174|  4.09k|	    magic_int != NSEC_TCPDUMP_MAGIC) {
  ------------------
  |  |  102|  4.03k|#define NSEC_TCPDUMP_MAGIC	0xa1b23c4d
  ------------------
  |  Branch (174:6): [True: 4.00k, False: 26]
  ------------------
  175|  4.00k|		magic_int = SWAPLONG(magic_int);
  ------------------
  |  |   42|  4.00k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  4.00k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  4.00k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  4.00k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  176|  4.00k|		if (magic_int != TCPDUMP_MAGIC &&
  ------------------
  |  |   79|  8.01k|#define TCPDUMP_MAGIC		0xa1b2c3d4
  ------------------
  |  Branch (176:7): [True: 2.80k, False: 1.20k]
  ------------------
  177|  4.00k|		    magic_int != KUZNETZOV_TCPDUMP_MAGIC &&
  ------------------
  |  |   84|  6.81k|#define KUZNETZOV_TCPDUMP_MAGIC	0xa1b2cd34
  ------------------
  |  Branch (177:7): [True: 2.75k, False: 55]
  ------------------
  178|  4.00k|		    magic_int != NSEC_TCPDUMP_MAGIC)
  ------------------
  |  |  102|  2.75k|#define NSEC_TCPDUMP_MAGIC	0xa1b23c4d
  ------------------
  |  Branch (178:7): [True: 1.63k, False: 1.11k]
  ------------------
  179|  1.63k|			return (NULL);	/* nope */
  180|  2.37k|		swapped = 1;
  181|  2.37k|	}
  182|       |
  183|       |	/*
  184|       |	 * They are.  Put the magic number in the header, and read
  185|       |	 * the rest of the header.
  186|       |	 */
  187|  2.45k|	hdr.magic = magic_int;
  188|  2.45k|	amt_read = fread(((char *)&hdr) + sizeof hdr.magic, 1,
  189|  2.45k|	    sizeof(hdr) - sizeof(hdr.magic), fp);
  190|  2.45k|	if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) {
  ------------------
  |  Branch (190:6): [True: 14, False: 2.44k]
  ------------------
  191|     14|		if (ferror(fp)) {
  ------------------
  |  Branch (191:7): [True: 0, False: 14]
  ------------------
  192|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  193|      0|			    errno, "error reading dump file");
  194|     14|		} else {
  195|     14|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     14|#define PCAP_ERRBUF_SIZE 256
  ------------------
  196|     14|			    "truncated dump file; tried to read %zu file header bytes, only got %zu",
  197|     14|			    sizeof(hdr), amt_read);
  198|     14|		}
  199|     14|		*err = 1;
  200|     14|		return (NULL);
  201|     14|	}
  202|       |
  203|       |	/*
  204|       |	 * If it's a byte-swapped capture file, byte-swap the header.
  205|       |	 */
  206|  2.44k|	if (swapped) {
  ------------------
  |  Branch (206:6): [True: 2.36k, False: 80]
  ------------------
  207|  2.36k|		hdr.version_major = SWAPSHORT(hdr.version_major);
  ------------------
  |  |   47|  2.36k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  2.36k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  208|  2.36k|		hdr.version_minor = SWAPSHORT(hdr.version_minor);
  ------------------
  |  |   47|  2.36k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  2.36k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  209|  2.36k|		hdr.thiszone = SWAPLONG(hdr.thiszone);
  ------------------
  |  |   42|  2.36k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.36k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.36k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.36k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  210|  2.36k|		hdr.sigfigs = SWAPLONG(hdr.sigfigs);
  ------------------
  |  |   42|  2.36k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.36k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.36k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.36k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  211|  2.36k|		hdr.snaplen = SWAPLONG(hdr.snaplen);
  ------------------
  |  |   42|  2.36k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.36k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.36k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.36k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  212|  2.36k|		hdr.linktype = SWAPLONG(hdr.linktype);
  ------------------
  |  |   42|  2.36k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  2.36k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  2.36k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  2.36k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  213|  2.36k|	}
  214|       |
  215|  2.44k|	if (hdr.version_major < PCAP_VERSION_MAJOR) {
  ------------------
  |  |  149|  2.44k|#define PCAP_VERSION_MAJOR 2
  ------------------
  |  Branch (215:6): [True: 2, False: 2.43k]
  ------------------
  216|      2|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      2|#define PCAP_ERRBUF_SIZE 256
  ------------------
  217|      2|		    "archaic pcap savefile format");
  218|      2|		*err = 1;
  219|      2|		return (NULL);
  220|      2|	}
  221|       |
  222|       |	/*
  223|       |	 * currently only versions 2.[0-4] are supported with
  224|       |	 * the exception of 543.0 for DG/UX tcpdump.
  225|       |	 */
  226|  2.43k|	if (! ((hdr.version_major == PCAP_VERSION_MAJOR &&
  ------------------
  |  |  149|  4.87k|#define PCAP_VERSION_MAJOR 2
  ------------------
  |  Branch (226:10): [True: 2.37k, False: 64]
  ------------------
  227|  2.43k|		hdr.version_minor <= PCAP_VERSION_MINOR) ||
  ------------------
  |  |  150|  2.37k|#define PCAP_VERSION_MINOR 4
  ------------------
  |  Branch (227:3): [True: 2.36k, False: 13]
  ------------------
  228|  2.43k|	       (hdr.version_major == 543 &&
  ------------------
  |  Branch (228:10): [True: 35, False: 42]
  ------------------
  229|     77|		hdr.version_minor == 0))) {
  ------------------
  |  Branch (229:3): [True: 19, False: 16]
  ------------------
  230|     58|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     58|#define PCAP_ERRBUF_SIZE 256
  ------------------
  231|     58|			 "unsupported pcap savefile version %u.%u",
  232|     58|			 hdr.version_major, hdr.version_minor);
  233|     58|		*err = 1;
  234|     58|		return NULL;
  235|     58|	}
  236|       |
  237|       |	/*
  238|       |	 * Check the main reserved field.
  239|       |	 */
  240|  2.38k|	if (LT_RESERVED1(hdr.linktype) != 0) {
  ------------------
  |  |  270|  2.38k|#define LT_RESERVED1(x)			((x) & 0x03FF0000)
  ------------------
  |  Branch (240:6): [True: 10, False: 2.37k]
  ------------------
  241|     10|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     10|#define PCAP_ERRBUF_SIZE 256
  ------------------
  242|     10|			 "savefile linktype reserved field not zero (0x%08x)",
  243|     10|			 LT_RESERVED1(hdr.linktype));
  ------------------
  |  |  270|     10|#define LT_RESERVED1(x)			((x) & 0x03FF0000)
  ------------------
  244|     10|		*err = 1;
  245|     10|		return NULL;
  246|     10|	}
  247|       |
  248|       |	/*
  249|       |	 * OK, this is a good pcap file.
  250|       |	 * Allocate a pcap_t for it.
  251|       |	 */
  252|  2.37k|	p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_sf);
  ------------------
  |  |  582|  2.37k|	pcap_open_offline_common(ebuf, \
  |  |  583|  2.37k|	    sizeof (struct { pcap_t __common; type __private; }), \
  |  |  584|  2.37k|	    offsetof (struct { pcap_t __common; type __private; }, __private))
  ------------------
  253|  2.37k|	if (p == NULL) {
  ------------------
  |  Branch (253:6): [True: 0, False: 2.37k]
  ------------------
  254|       |		/* Allocation failed. */
  255|      0|		*err = 1;
  256|      0|		return (NULL);
  257|      0|	}
  258|  2.37k|	p->swapped = swapped;
  259|  2.37k|	p->version_major = hdr.version_major;
  260|  2.37k|	p->version_minor = hdr.version_minor;
  261|  2.37k|	p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype));
  ------------------
  |  |  268|  2.37k|#define LT_LINKTYPE(x)			((x) & 0x0000FFFF)
  ------------------
  262|  2.37k|	p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype);
  ------------------
  |  |  269|  2.37k|#define LT_LINKTYPE_EXT(x)		((x) & 0xFFFF0000)
  ------------------
  263|  2.37k|	p->snapshot = pcap_adjust_snapshot(p->linktype, hdr.snaplen);
  264|       |
  265|  2.37k|	p->next_packet_op = pcap_next_packet;
  266|       |
  267|  2.37k|	ps = p->priv;
  268|       |
  269|  2.37k|	p->opt.tstamp_precision = precision;
  270|       |
  271|       |	/*
  272|       |	 * Will we need to scale the timestamps to match what the
  273|       |	 * user wants?
  274|       |	 */
  275|  2.37k|	switch (precision) {
  276|       |
  277|  2.37k|	case PCAP_TSTAMP_PRECISION_MICRO:
  ------------------
  |  |  560|  2.37k|#define PCAP_TSTAMP_PRECISION_MICRO	0	/* use timestamps with microsecond precision, default */
  ------------------
  |  Branch (277:2): [True: 2.37k, False: 0]
  ------------------
  278|  2.37k|		if (magic_int == NSEC_TCPDUMP_MAGIC) {
  ------------------
  |  |  102|  2.37k|#define NSEC_TCPDUMP_MAGIC	0xa1b23c4d
  ------------------
  |  Branch (278:7): [True: 1.10k, False: 1.26k]
  ------------------
  279|       |			/*
  280|       |			 * The file has nanoseconds, the user
  281|       |			 * wants microseconds; scale the
  282|       |			 * precision down.
  283|       |			 */
  284|  1.10k|			ps->scale_type = SCALE_DOWN;
  285|  1.26k|		} else {
  286|       |			/*
  287|       |			 * The file has microseconds, the
  288|       |			 * user wants microseconds; nothing to do.
  289|       |			 */
  290|  1.26k|			ps->scale_type = PASS_THROUGH;
  291|  1.26k|		}
  292|  2.37k|		break;
  293|       |
  294|      0|	case PCAP_TSTAMP_PRECISION_NANO:
  ------------------
  |  |  561|      0|#define PCAP_TSTAMP_PRECISION_NANO	1	/* use timestamps with nanosecond precision */
  ------------------
  |  Branch (294:2): [True: 0, False: 2.37k]
  ------------------
  295|      0|		if (magic_int == NSEC_TCPDUMP_MAGIC) {
  ------------------
  |  |  102|      0|#define NSEC_TCPDUMP_MAGIC	0xa1b23c4d
  ------------------
  |  Branch (295:7): [True: 0, False: 0]
  ------------------
  296|       |			/*
  297|       |			 * The file has nanoseconds, the
  298|       |			 * user wants nanoseconds; nothing to do.
  299|       |			 */
  300|      0|			ps->scale_type = PASS_THROUGH;
  301|      0|		} else {
  302|       |			/*
  303|       |			 * The file has microseconds, the user
  304|       |			 * wants nanoseconds; scale the
  305|       |			 * precision up.
  306|       |			 */
  307|      0|			ps->scale_type = SCALE_UP;
  308|      0|		}
  309|      0|		break;
  310|       |
  311|      0|	default:
  ------------------
  |  Branch (311:2): [True: 0, False: 2.37k]
  ------------------
  312|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  313|      0|		    "unknown time stamp resolution %u", precision);
  314|      0|		free(p);
  315|      0|		*err = 1;
  316|      0|		return (NULL);
  317|  2.37k|	}
  318|       |
  319|       |	/*
  320|       |	 * We interchanged the caplen and len fields at version 2.3,
  321|       |	 * in order to match the bpf header layout.  But unfortunately
  322|       |	 * some files were written with version 2.3 in their headers
  323|       |	 * but without the interchanged fields.
  324|       |	 *
  325|       |	 * In addition, DG/UX tcpdump writes out files with a version
  326|       |	 * number of 543.0, and with the caplen and len fields in the
  327|       |	 * pre-2.3 order.
  328|       |	 */
  329|  2.37k|	switch (hdr.version_major) {
  330|       |
  331|  2.35k|	case 2:
  ------------------
  |  Branch (331:2): [True: 2.35k, False: 18]
  ------------------
  332|  2.35k|		if (hdr.version_minor < 3)
  ------------------
  |  Branch (332:7): [True: 671, False: 1.68k]
  ------------------
  333|    671|			ps->lengths_swapped = SWAPPED;
  334|  1.68k|		else if (hdr.version_minor == 3)
  ------------------
  |  Branch (334:12): [True: 1.29k, False: 390]
  ------------------
  335|  1.29k|			ps->lengths_swapped = MAYBE_SWAPPED;
  336|    390|		else
  337|    390|			ps->lengths_swapped = NOT_SWAPPED;
  338|  2.35k|		break;
  339|       |
  340|     18|	case 543:
  ------------------
  |  Branch (340:2): [True: 18, False: 2.35k]
  ------------------
  341|     18|		ps->lengths_swapped = SWAPPED;
  342|     18|		break;
  343|       |
  344|      0|	default:
  ------------------
  |  Branch (344:2): [True: 0, False: 2.37k]
  ------------------
  345|      0|		ps->lengths_swapped = NOT_SWAPPED;
  346|      0|		break;
  347|  2.37k|	}
  348|       |
  349|  2.37k|	if (magic_int == KUZNETZOV_TCPDUMP_MAGIC) {
  ------------------
  |  |   84|  2.37k|#define KUZNETZOV_TCPDUMP_MAGIC	0xa1b2cd34
  ------------------
  |  Branch (349:6): [True: 82, False: 2.28k]
  ------------------
  350|       |		/*
  351|       |		 * XXX - the patch that's in some versions of libpcap
  352|       |		 * changes the packet header but not the magic number,
  353|       |		 * and some other versions with this magic number have
  354|       |		 * some extra debugging information in the packet header;
  355|       |		 * we'd have to use some hacks^H^H^H^H^Hheuristics to
  356|       |		 * detect those variants.
  357|       |		 *
  358|       |		 * Ethereal does that, but it does so by trying to read
  359|       |		 * the first two packets of the file with each of the
  360|       |		 * record header formats.  That currently means it seeks
  361|       |		 * backwards and retries the reads, which doesn't work
  362|       |		 * on pipes.  We want to be able to read from a pipe, so
  363|       |		 * that strategy won't work; we'd have to buffer some
  364|       |		 * data ourselves and read from that buffer in order to
  365|       |		 * make that work.
  366|       |		 */
  367|     82|		ps->hdrsize = sizeof(struct pcap_sf_patched_pkthdr);
  368|       |
  369|     82|		if (p->linktype == DLT_EN10MB) {
  ------------------
  |  |   63|     82|#define DLT_EN10MB	1	/* Ethernet (10Mb) */
  ------------------
  |  Branch (369:7): [True: 57, False: 25]
  ------------------
  370|       |			/*
  371|       |			 * This capture might have been done in raw mode
  372|       |			 * or cooked mode.
  373|       |			 *
  374|       |			 * If it was done in cooked mode, p->snapshot was
  375|       |			 * passed to recvfrom() as the buffer size, meaning
  376|       |			 * that the most packet data that would be copied
  377|       |			 * would be p->snapshot.  However, a faked Ethernet
  378|       |			 * header would then have been added to it, so the
  379|       |			 * most data that would be in a packet in the file
  380|       |			 * would be p->snapshot + 14.
  381|       |			 *
  382|       |			 * We can't easily tell whether the capture was done
  383|       |			 * in raw mode or cooked mode, so we'll assume it was
  384|       |			 * cooked mode, and add 14 to the snapshot length.
  385|       |			 * That means that, for a raw capture, the snapshot
  386|       |			 * length will be misleading if you use it to figure
  387|       |			 * out why a capture doesn't have all the packet data,
  388|       |			 * but there's not much we can do to avoid that.
  389|       |			 *
  390|       |			 * But don't grow the snapshot length past the
  391|       |			 * maximum value of an int.
  392|       |			 */
  393|     57|			if (p->snapshot <= INT_MAX - 14)
  ------------------
  |  Branch (393:8): [True: 55, False: 2]
  ------------------
  394|     55|				p->snapshot += 14;
  395|      2|			else
  396|      2|				p->snapshot = INT_MAX;
  397|     57|		}
  398|     82|	} else
  399|  2.28k|		ps->hdrsize = sizeof(struct pcap_sf_pkthdr);
  400|       |
  401|       |	/*
  402|       |	 * Allocate a buffer for the packet data.
  403|       |	 * Choose the minimum of the file's snapshot length and 2K bytes;
  404|       |	 * that should be enough for most network packets - we'll grow it
  405|       |	 * if necessary.  That way, we don't allocate a huge chunk of
  406|       |	 * memory just because there's a huge snapshot length, as the
  407|       |	 * snapshot length might be larger than the size of the largest
  408|       |	 * packet.
  409|       |	 */
  410|  2.37k|	p->bufsize = p->snapshot;
  411|  2.37k|	if (p->bufsize > 2048)
  ------------------
  |  Branch (411:6): [True: 2.18k, False: 191]
  ------------------
  412|  2.18k|		p->bufsize = 2048;
  413|  2.37k|	p->buffer = malloc(p->bufsize);
  414|  2.37k|	if (p->buffer == NULL) {
  ------------------
  |  Branch (414:6): [True: 0, False: 2.37k]
  ------------------
  415|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  416|      0|		free(p);
  417|      0|		*err = 1;
  418|      0|		return (NULL);
  419|      0|	}
  420|       |
  421|  2.37k|	p->cleanup_op = pcap_sf_cleanup;
  422|       |
  423|  2.37k|	return (p);
  424|  2.37k|}
sf-pcap.c:pcap_next_packet:
  451|  19.8k|{
  452|  19.8k|	struct pcap_sf *ps = p->priv;
  453|  19.8k|	struct pcap_sf_patched_pkthdr sf_hdr;
  454|  19.8k|	FILE *fp = p->rfile;
  455|  19.8k|	size_t amt_read;
  456|  19.8k|	bpf_u_int32 t;
  457|       |
  458|       |	/*
  459|       |	 * Read the packet header; the structure we use as a buffer
  460|       |	 * is the longer structure for files generated by the patched
  461|       |	 * libpcap, but if the file has the magic number for an
  462|       |	 * unpatched libpcap we only read as many bytes as the regular
  463|       |	 * header has.
  464|       |	 */
  465|  19.8k|	amt_read = fread(&sf_hdr, 1, ps->hdrsize, fp);
  466|  19.8k|	if (amt_read != ps->hdrsize) {
  ------------------
  |  Branch (466:6): [True: 2.08k, False: 17.7k]
  ------------------
  467|  2.08k|		if (ferror(fp)) {
  ------------------
  |  Branch (467:7): [True: 0, False: 2.08k]
  ------------------
  468|      0|			pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  469|      0|			    errno, "error reading dump file");
  470|      0|			return (-1);
  471|  2.08k|		} else {
  472|  2.08k|			if (amt_read != 0) {
  ------------------
  |  Branch (472:8): [True: 22, False: 2.06k]
  ------------------
  473|     22|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     22|#define PCAP_ERRBUF_SIZE 256
  ------------------
  474|     22|				    "truncated dump file; tried to read %zu header bytes, only got %zu",
  475|     22|				    ps->hdrsize, amt_read);
  476|     22|				return (-1);
  477|     22|			}
  478|       |			/* EOF */
  479|  2.06k|			return (0);
  480|  2.08k|		}
  481|  2.08k|	}
  482|       |
  483|  17.7k|	if (p->swapped) {
  ------------------
  |  Branch (483:6): [True: 17.5k, False: 245]
  ------------------
  484|       |		/* these were written in opposite byte order */
  485|  17.5k|		hdr->caplen = SWAPLONG(sf_hdr.caplen);
  ------------------
  |  |   42|  17.5k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  17.5k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  17.5k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  17.5k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  486|  17.5k|		hdr->len = SWAPLONG(sf_hdr.len);
  ------------------
  |  |   42|  17.5k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  17.5k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  17.5k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  17.5k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  487|  17.5k|		hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
  ------------------
  |  |   42|  17.5k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  17.5k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  17.5k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  17.5k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  488|  17.5k|		hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
  ------------------
  |  |   42|  17.5k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  17.5k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  17.5k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  17.5k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  489|  17.5k|	} else {
  490|    245|		hdr->caplen = sf_hdr.caplen;
  491|    245|		hdr->len = sf_hdr.len;
  492|    245|		hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
  493|    245|		hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
  494|    245|	}
  495|       |
  496|  17.7k|	switch (ps->scale_type) {
  ------------------
  |  Branch (496:10): [True: 0, False: 17.7k]
  ------------------
  497|       |
  498|  8.64k|	case PASS_THROUGH:
  ------------------
  |  Branch (498:2): [True: 8.64k, False: 9.14k]
  ------------------
  499|       |		/*
  500|       |		 * Just pass the time stamp through.
  501|       |		 */
  502|  8.64k|		break;
  503|       |
  504|      0|	case SCALE_UP:
  ------------------
  |  Branch (504:2): [True: 0, False: 17.7k]
  ------------------
  505|       |		/*
  506|       |		 * File has microseconds, user wants nanoseconds; convert
  507|       |		 * it.
  508|       |		 */
  509|      0|		hdr->ts.tv_usec = hdr->ts.tv_usec * 1000;
  510|      0|		break;
  511|       |
  512|  9.14k|	case SCALE_DOWN:
  ------------------
  |  Branch (512:2): [True: 9.14k, False: 8.64k]
  ------------------
  513|       |		/*
  514|       |		 * File has nanoseconds, user wants microseconds; convert
  515|       |		 * it.
  516|       |		 */
  517|  9.14k|		hdr->ts.tv_usec = hdr->ts.tv_usec / 1000;
  518|  9.14k|		break;
  519|  17.7k|	}
  520|       |
  521|       |	/* Swap the caplen and len fields, if necessary. */
  522|  17.7k|	switch (ps->lengths_swapped) {
  ------------------
  |  Branch (522:10): [True: 0, False: 17.7k]
  ------------------
  523|       |
  524|  3.36k|	case NOT_SWAPPED:
  ------------------
  |  Branch (524:2): [True: 3.36k, False: 14.4k]
  ------------------
  525|  3.36k|		break;
  526|       |
  527|  10.0k|	case MAYBE_SWAPPED:
  ------------------
  |  Branch (527:2): [True: 10.0k, False: 7.79k]
  ------------------
  528|  10.0k|		if (hdr->caplen <= hdr->len) {
  ------------------
  |  Branch (528:7): [True: 7.15k, False: 2.84k]
  ------------------
  529|       |			/*
  530|       |			 * The captured length is <= the actual length,
  531|       |			 * so presumably they weren't swapped.
  532|       |			 */
  533|  7.15k|			break;
  534|  7.15k|		}
  535|       |		/* FALLTHROUGH */
  536|       |
  537|  7.26k|	case SWAPPED:
  ------------------
  |  Branch (537:2): [True: 4.42k, False: 13.3k]
  ------------------
  538|  7.26k|		t = hdr->caplen;
  539|  7.26k|		hdr->caplen = hdr->len;
  540|  7.26k|		hdr->len = t;
  541|  7.26k|		break;
  542|  17.7k|	}
  543|       |
  544|       |	/*
  545|       |	 * Is the packet bigger than we consider sane?
  546|       |	 */
  547|  17.7k|	if (hdr->caplen > max_snaplen_for_dlt(p->linktype)) {
  ------------------
  |  Branch (547:6): [True: 78, False: 17.7k]
  ------------------
  548|       |		/*
  549|       |		 * Yes.  This may be a damaged or fuzzed file.
  550|       |		 *
  551|       |		 * Is it bigger than the snapshot length?
  552|       |		 * (We don't treat that as an error if it's not
  553|       |		 * bigger than the maximum we consider sane; see
  554|       |		 * below.)
  555|       |		 */
  556|     78|		if (hdr->caplen > (bpf_u_int32)p->snapshot) {
  ------------------
  |  Branch (556:7): [True: 62, False: 16]
  ------------------
  557|     62|			snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     62|#define PCAP_ERRBUF_SIZE 256
  ------------------
  558|     62|			    "invalid packet capture length %u, bigger than "
  559|     62|			    "snaplen of %d", hdr->caplen, p->snapshot);
  560|     62|		} else {
  561|     16|			snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     16|#define PCAP_ERRBUF_SIZE 256
  ------------------
  562|     16|			    "invalid packet capture length %u, bigger than "
  563|     16|			    "maximum of %u", hdr->caplen,
  564|     16|			    max_snaplen_for_dlt(p->linktype));
  565|     16|		}
  566|     78|		return (-1);
  567|     78|	}
  568|       |
  569|  17.7k|	if (hdr->caplen > (bpf_u_int32)p->snapshot) {
  ------------------
  |  Branch (569:6): [True: 1.26k, False: 16.4k]
  ------------------
  570|       |		/*
  571|       |		 * The packet is bigger than the snapshot length
  572|       |		 * for this file.
  573|       |		 *
  574|       |		 * This can happen due to Solaris 2.3 systems tripping
  575|       |		 * over the BUFMOD problem and not setting the snapshot
  576|       |		 * length correctly in the savefile header.
  577|       |		 *
  578|       |		 * libpcap 0.4 and later on Solaris 2.3 should set the
  579|       |		 * snapshot length correctly in the pcap file header,
  580|       |		 * even though they don't set a snapshot length in bufmod
  581|       |		 * (the buggy bufmod chops off the *beginning* of the
  582|       |		 * packet if a snapshot length is specified); they should
  583|       |		 * also reduce the captured length, as supplied to the
  584|       |		 * per-packet callback, to the snapshot length if it's
  585|       |		 * greater than the snapshot length, so the code using
  586|       |		 * libpcap should see the packet cut off at the snapshot
  587|       |		 * length, even though the full packet is copied up to
  588|       |		 * userland.
  589|       |		 *
  590|       |		 * However, perhaps some versions of libpcap failed to
  591|       |		 * set the snapshot length correctly in the file header
  592|       |		 * or the per-packet header, or perhaps this is a
  593|       |		 * corrupted safefile or a savefile built/modified by a
  594|       |		 * fuzz tester, so we check anyway.  We grow the buffer
  595|       |		 * to be big enough for the snapshot length, read up
  596|       |		 * to the snapshot length, discard the rest of the
  597|       |		 * packet, and report the snapshot length as the captured
  598|       |		 * length; we don't want to hand our caller a packet
  599|       |		 * bigger than the snapshot length, because they might
  600|       |		 * be assuming they'll never be handed such a packet,
  601|       |		 * and might copy the packet into a snapshot-length-
  602|       |		 * sized buffer, assuming it'll fit.
  603|       |		 */
  604|  1.26k|		size_t bytes_to_discard;
  605|  1.26k|		size_t bytes_to_read, bytes_read;
  606|  1.26k|		char discard_buf[4096];
  607|       |
  608|  1.26k|		if (hdr->caplen > p->bufsize) {
  ------------------
  |  Branch (608:7): [True: 1.26k, False: 0]
  ------------------
  609|       |			/*
  610|       |			 * Grow the buffer to the snapshot length.
  611|       |			 */
  612|  1.26k|			if (!grow_buffer(p, p->snapshot))
  ------------------
  |  Branch (612:8): [True: 0, False: 1.26k]
  ------------------
  613|      0|				return (-1);
  614|  1.26k|		}
  615|       |
  616|       |		/*
  617|       |		 * Read the first p->snapshot bytes into the buffer.
  618|       |		 */
  619|  1.26k|		amt_read = fread(p->buffer, 1, p->snapshot, fp);
  620|  1.26k|		if (amt_read != (bpf_u_int32)p->snapshot) {
  ------------------
  |  Branch (620:7): [True: 65, False: 1.20k]
  ------------------
  621|     65|			if (ferror(fp)) {
  ------------------
  |  Branch (621:8): [True: 0, False: 65]
  ------------------
  622|      0|				pcap_fmt_errmsg_for_errno(p->errbuf,
  623|      0|				     PCAP_ERRBUF_SIZE, errno,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  624|      0|				    "error reading dump file");
  625|     65|			} else {
  626|       |				/*
  627|       |				 * Yes, this uses hdr->caplen; technically,
  628|       |				 * it's true, because we would try to read
  629|       |				 * and discard the rest of those bytes, and
  630|       |				 * that would fail because we got EOF before
  631|       |				 * the read finished.
  632|       |				 */
  633|     65|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     65|#define PCAP_ERRBUF_SIZE 256
  ------------------
  634|     65|				    "truncated dump file; tried to read %d captured bytes, only got %zu",
  635|     65|				    p->snapshot, amt_read);
  636|     65|			}
  637|     65|			return (-1);
  638|     65|		}
  639|       |
  640|       |		/*
  641|       |		 * Now read and discard what's left.
  642|       |		 */
  643|  1.20k|		bytes_to_discard = hdr->caplen - p->snapshot;
  644|  1.20k|		bytes_read = amt_read;
  645|  2.39k|		while (bytes_to_discard != 0) {
  ------------------
  |  Branch (645:10): [True: 1.24k, False: 1.15k]
  ------------------
  646|  1.24k|			bytes_to_read = bytes_to_discard;
  647|  1.24k|			if (bytes_to_read > sizeof (discard_buf))
  ------------------
  |  Branch (647:8): [True: 64, False: 1.17k]
  ------------------
  648|     64|				bytes_to_read = sizeof (discard_buf);
  649|  1.24k|			amt_read = fread(discard_buf, 1, bytes_to_read, fp);
  650|  1.24k|			bytes_read += amt_read;
  651|  1.24k|			if (amt_read != bytes_to_read) {
  ------------------
  |  Branch (651:8): [True: 42, False: 1.19k]
  ------------------
  652|     42|				if (ferror(fp)) {
  ------------------
  |  Branch (652:9): [True: 0, False: 42]
  ------------------
  653|      0|					pcap_fmt_errmsg_for_errno(p->errbuf,
  654|      0|					    PCAP_ERRBUF_SIZE, errno,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  655|      0|					    "error reading dump file");
  656|     42|				} else {
  657|     42|					snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     42|#define PCAP_ERRBUF_SIZE 256
  ------------------
  658|     42|					    "truncated dump file; tried to read %u captured bytes, only got %zu",
  659|     42|					    hdr->caplen, bytes_read);
  660|     42|				}
  661|     42|				return (-1);
  662|     42|			}
  663|  1.19k|			bytes_to_discard -= amt_read;
  664|  1.19k|		}
  665|       |
  666|       |		/*
  667|       |		 * Adjust caplen accordingly, so we don't get confused later
  668|       |		 * as to how many bytes we have to play with.
  669|       |		 */
  670|  1.15k|		hdr->caplen = p->snapshot;
  671|  16.4k|	} else {
  672|       |		/*
  673|       |		 * The packet is within the snapshot length for this file.
  674|       |		 */
  675|  16.4k|		if (hdr->caplen > p->bufsize) {
  ------------------
  |  Branch (675:7): [True: 252, False: 16.1k]
  ------------------
  676|       |			/*
  677|       |			 * Grow the buffer to the next power of 2, or
  678|       |			 * the snaplen, whichever is lower.
  679|       |			 */
  680|    252|			u_int new_bufsize;
  681|       |
  682|    252|			new_bufsize = hdr->caplen;
  683|       |			/*
  684|       |			 * https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
  685|       |			 */
  686|    252|			new_bufsize--;
  687|    252|			new_bufsize |= new_bufsize >> 1;
  688|    252|			new_bufsize |= new_bufsize >> 2;
  689|    252|			new_bufsize |= new_bufsize >> 4;
  690|    252|			new_bufsize |= new_bufsize >> 8;
  691|    252|			new_bufsize |= new_bufsize >> 16;
  692|    252|			new_bufsize++;
  693|       |
  694|    252|			if (new_bufsize > (u_int)p->snapshot)
  ------------------
  |  Branch (694:8): [True: 33, False: 219]
  ------------------
  695|     33|				new_bufsize = p->snapshot;
  696|       |
  697|    252|			if (!grow_buffer(p, new_bufsize))
  ------------------
  |  Branch (697:8): [True: 0, False: 252]
  ------------------
  698|      0|				return (-1);
  699|    252|		}
  700|       |
  701|       |		/* read the packet itself */
  702|  16.4k|		amt_read = fread(p->buffer, 1, hdr->caplen, fp);
  703|  16.4k|		if (amt_read != hdr->caplen) {
  ------------------
  |  Branch (703:7): [True: 101, False: 16.3k]
  ------------------
  704|    101|			if (ferror(fp)) {
  ------------------
  |  Branch (704:8): [True: 0, False: 101]
  ------------------
  705|      0|				pcap_fmt_errmsg_for_errno(p->errbuf,
  706|      0|				    PCAP_ERRBUF_SIZE, errno,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  707|      0|				    "error reading dump file");
  708|    101|			} else {
  709|    101|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|    101|#define PCAP_ERRBUF_SIZE 256
  ------------------
  710|    101|				    "truncated dump file; tried to read %u captured bytes, only got %zu",
  711|    101|				    hdr->caplen, amt_read);
  712|    101|			}
  713|    101|			return (-1);
  714|    101|		}
  715|  16.4k|	}
  716|  17.5k|	*data = p->buffer;
  717|       |
  718|  17.5k|	pcap_post_process(p->linktype, p->swapped, hdr, *data);
  719|       |
  720|  17.5k|	return (1);
  721|  17.7k|}
sf-pcap.c:grow_buffer:
  431|  1.51k|{
  432|  1.51k|	void *bigger_buffer;
  433|       |
  434|  1.51k|	bigger_buffer = realloc(p->buffer, bufsize);
  435|  1.51k|	if (bigger_buffer == NULL) {
  ------------------
  |  Branch (435:6): [True: 0, False: 1.51k]
  ------------------
  436|      0|		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  437|      0|		return (0);
  438|      0|	}
  439|  1.51k|	p->buffer = bigger_buffer;
  440|  1.51k|	p->bufsize = bufsize;
  441|  1.51k|	return (1);
  442|  1.51k|}

pcap_ng_check_header:
  772|  1.63k|{
  773|  1.63k|	bpf_u_int32 magic_int;
  774|  1.63k|	size_t amt_read;
  775|  1.63k|	bpf_u_int32 total_length;
  776|  1.63k|	bpf_u_int32 byte_order_magic;
  777|  1.63k|	struct block_header *bhdrp;
  778|  1.63k|	struct section_header_block *shbp;
  779|  1.63k|	pcap_t *p;
  780|  1.63k|	int swapped = 0;
  781|  1.63k|	struct pcap_ng_sf *ps;
  782|  1.63k|	int status;
  783|  1.63k|	struct block_cursor cursor;
  784|  1.63k|	struct interface_description_block *idbp;
  785|       |
  786|       |	/*
  787|       |	 * Assume no read errors.
  788|       |	 */
  789|  1.63k|	*err = 0;
  790|       |
  791|       |	/*
  792|       |	 * Check whether the first 4 bytes of the file are the block
  793|       |	 * type for a pcapng savefile.
  794|       |	 */
  795|  1.63k|	memcpy(&magic_int, magic, sizeof(magic_int));
  796|  1.63k|	if (magic_int != BT_SHB) {
  ------------------
  |  |   88|  1.63k|#define BT_SHB			0x0A0D0D0A
  ------------------
  |  Branch (796:6): [True: 236, False: 1.40k]
  ------------------
  797|       |		/*
  798|       |		 * XXX - check whether this looks like what the block
  799|       |		 * type would be after being munged by mapping between
  800|       |		 * UN*X and DOS/Windows text file format and, if it
  801|       |		 * does, look for the byte-order magic number in
  802|       |		 * the appropriate place and, if we find it, report
  803|       |		 * this as possibly being a pcapng file transferred
  804|       |		 * between UN*X and Windows in text file format?
  805|       |		 */
  806|    236|		return (NULL);	/* nope */
  807|    236|	}
  808|       |
  809|       |	/*
  810|       |	 * OK, they are.  However, that's just \n\r\r\n, so it could,
  811|       |	 * conceivably, be an ordinary text file.
  812|       |	 *
  813|       |	 * It could not, however, conceivably be any other type of
  814|       |	 * capture file, so we can read the rest of the putative
  815|       |	 * Section Header Block; put the block type in the common
  816|       |	 * header, read the rest of the common header and the
  817|       |	 * fixed-length portion of the SHB, and look for the byte-order
  818|       |	 * magic value.
  819|       |	 */
  820|  1.40k|	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
  821|  1.40k|	if (amt_read < sizeof(total_length)) {
  ------------------
  |  Branch (821:6): [True: 3, False: 1.39k]
  ------------------
  822|      3|		if (ferror(fp)) {
  ------------------
  |  Branch (822:7): [True: 0, False: 3]
  ------------------
  823|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  824|      0|			    errno, "error reading dump file");
  825|      0|			*err = 1;
  826|      0|			return (NULL);	/* fail */
  827|      0|		}
  828|       |
  829|       |		/*
  830|       |		 * Possibly a weird short text file, so just say
  831|       |		 * "not pcapng".
  832|       |		 */
  833|      3|		return (NULL);
  834|      3|	}
  835|  1.39k|	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
  836|  1.39k|	if (amt_read < sizeof(byte_order_magic)) {
  ------------------
  |  Branch (836:6): [True: 3, False: 1.39k]
  ------------------
  837|      3|		if (ferror(fp)) {
  ------------------
  |  Branch (837:7): [True: 0, False: 3]
  ------------------
  838|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  839|      0|			    errno, "error reading dump file");
  840|      0|			*err = 1;
  841|      0|			return (NULL);	/* fail */
  842|      0|		}
  843|       |
  844|       |		/*
  845|       |		 * Possibly a weird short text file, so just say
  846|       |		 * "not pcapng".
  847|       |		 */
  848|      3|		return (NULL);
  849|      3|	}
  850|  1.39k|	if (byte_order_magic != BYTE_ORDER_MAGIC) {
  ------------------
  |  |  101|  1.39k|#define BYTE_ORDER_MAGIC	0x1A2B3C4D
  ------------------
  |  Branch (850:6): [True: 424, False: 972]
  ------------------
  851|    424|		byte_order_magic = SWAPLONG(byte_order_magic);
  ------------------
  |  |   42|    424|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    424|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    424|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    424|     ((((u_int)(y))>>24)&0xff))
  ------------------
  852|    424|		if (byte_order_magic != BYTE_ORDER_MAGIC) {
  ------------------
  |  |  101|    424|#define BYTE_ORDER_MAGIC	0x1A2B3C4D
  ------------------
  |  Branch (852:7): [True: 90, False: 334]
  ------------------
  853|       |			/*
  854|       |			 * Not a pcapng file.
  855|       |			 */
  856|     90|			return (NULL);
  857|     90|		}
  858|    334|		swapped = 1;
  859|    334|		total_length = SWAPLONG(total_length);
  ------------------
  |  |   42|    334|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    334|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    334|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    334|     ((((u_int)(y))>>24)&0xff))
  ------------------
  860|    334|	}
  861|       |
  862|       |	/*
  863|       |	 * Check the sanity of the total length.
  864|       |	 */
  865|  1.30k|	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
  ------------------
  |  Branch (865:6): [True: 5, False: 1.30k]
  ------------------
  866|  1.30k|            (total_length > BT_SHB_INSANE_MAX)) {
  ------------------
  |  |   89|  1.30k|#define BT_SHB_INSANE_MAX       1024U*1024U*1U  /* 1MB should be enough */
  ------------------
  |  Branch (866:13): [True: 39, False: 1.26k]
  ------------------
  867|     44|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     44|#define PCAP_ERRBUF_SIZE 256
  ------------------
  868|     44|		    "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
  869|     44|		    sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
  870|     44|		    total_length,
  871|     44|		    BT_SHB_INSANE_MAX);
  ------------------
  |  |   89|     44|#define BT_SHB_INSANE_MAX       1024U*1024U*1U  /* 1MB should be enough */
  ------------------
  872|       |
  873|     44|		*err = 1;
  874|     44|		return (NULL);
  875|     44|	}
  876|       |
  877|       |	/*
  878|       |	 * OK, this is a good pcapng file.
  879|       |	 * Allocate a pcap_t for it.
  880|       |	 */
  881|  1.26k|	p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
  ------------------
  |  |  582|  1.26k|	pcap_open_offline_common(ebuf, \
  |  |  583|  1.26k|	    sizeof (struct { pcap_t __common; type __private; }), \
  |  |  584|  1.26k|	    offsetof (struct { pcap_t __common; type __private; }, __private))
  ------------------
  882|  1.26k|	if (p == NULL) {
  ------------------
  |  Branch (882:6): [True: 0, False: 1.26k]
  ------------------
  883|       |		/* Allocation failed. */
  884|      0|		*err = 1;
  885|      0|		return (NULL);
  886|      0|	}
  887|  1.26k|	p->swapped = swapped;
  888|  1.26k|	ps = p->priv;
  889|       |
  890|       |	/*
  891|       |	 * What precision does the user want?
  892|       |	 */
  893|  1.26k|	switch (precision) {
  894|       |
  895|  1.26k|	case PCAP_TSTAMP_PRECISION_MICRO:
  ------------------
  |  |  560|  1.26k|#define PCAP_TSTAMP_PRECISION_MICRO	0	/* use timestamps with microsecond precision, default */
  ------------------
  |  Branch (895:2): [True: 1.26k, False: 0]
  ------------------
  896|  1.26k|		ps->user_tsresol = 1000000;
  897|  1.26k|		break;
  898|       |
  899|      0|	case PCAP_TSTAMP_PRECISION_NANO:
  ------------------
  |  |  561|      0|#define PCAP_TSTAMP_PRECISION_NANO	1	/* use timestamps with nanosecond precision */
  ------------------
  |  Branch (899:2): [True: 0, False: 1.26k]
  ------------------
  900|      0|		ps->user_tsresol = 1000000000;
  901|      0|		break;
  902|       |
  903|      0|	default:
  ------------------
  |  Branch (903:2): [True: 0, False: 1.26k]
  ------------------
  904|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  905|      0|		    "unknown time stamp resolution %u", precision);
  906|      0|		free(p);
  907|      0|		*err = 1;
  908|      0|		return (NULL);
  909|  1.26k|	}
  910|       |
  911|  1.26k|	p->opt.tstamp_precision = precision;
  912|       |
  913|       |	/*
  914|       |	 * Allocate a buffer into which to read blocks.  We default to
  915|       |	 * the maximum of:
  916|       |	 *
  917|       |	 *	the total length of the SHB for which we read the header;
  918|       |	 *
  919|       |	 *	2K, which should be more than large enough for an Enhanced
  920|       |	 *	Packet Block containing a full-size Ethernet frame, and
  921|       |	 *	leaving room for some options.
  922|       |	 *
  923|       |	 * If we find a bigger block, we reallocate the buffer, up to
  924|       |	 * the maximum size.  We start out with a maximum size of
  925|       |	 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
  926|       |	 * with a maximum snapshot that results in a larger maximum
  927|       |	 * block length, we boost the maximum.
  928|       |	 */
  929|  1.26k|	p->bufsize = 2048;
  930|  1.26k|	if (p->bufsize < total_length)
  ------------------
  |  Branch (930:6): [True: 52, False: 1.21k]
  ------------------
  931|     52|		p->bufsize = total_length;
  932|  1.26k|	p->buffer = malloc(p->bufsize);
  933|  1.26k|	if (p->buffer == NULL) {
  ------------------
  |  Branch (933:6): [True: 0, False: 1.26k]
  ------------------
  934|      0|		snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  935|      0|		free(p);
  936|      0|		*err = 1;
  937|      0|		return (NULL);
  938|      0|	}
  939|  1.26k|	ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
  ------------------
  |  |  240|  1.26k|#define INITIAL_MAX_BLOCKSIZE	(16*1024*1024)
  ------------------
  940|       |
  941|       |	/*
  942|       |	 * Copy the stuff we've read to the buffer, and read the rest
  943|       |	 * of the SHB.
  944|       |	 */
  945|  1.26k|	bhdrp = (struct block_header *)p->buffer;
  946|  1.26k|	shbp = (struct section_header_block *)(p->buffer + sizeof(struct block_header));
  947|  1.26k|	bhdrp->block_type = magic_int;
  948|  1.26k|	bhdrp->total_length = total_length;
  949|  1.26k|	shbp->byte_order_magic = byte_order_magic;
  950|  1.26k|	if (read_bytes(fp,
  ------------------
  |  Branch (950:6): [True: 65, False: 1.19k]
  ------------------
  951|  1.26k|	    p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
  952|  1.26k|	    total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
  953|  1.26k|	    1, errbuf) == -1)
  954|     65|		goto fail;
  955|       |
  956|  1.19k|	if (p->swapped) {
  ------------------
  |  Branch (956:6): [True: 310, False: 887]
  ------------------
  957|       |		/*
  958|       |		 * Byte-swap the fields we've read.
  959|       |		 */
  960|    310|		shbp->major_version = SWAPSHORT(shbp->major_version);
  ------------------
  |  |   47|    310|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|    310|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  961|    310|		shbp->minor_version = SWAPSHORT(shbp->minor_version);
  ------------------
  |  |   47|    310|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|    310|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  962|       |
  963|       |		/*
  964|       |		 * XXX - we don't care about the section length.
  965|       |		 */
  966|    310|	}
  967|       |	/* Currently only SHB versions 1.0 and 1.2 are supported;
  968|       |	   version 1.2 is treated as being the same as version 1.0.
  969|       |	   See the current version of the pcapng specification.
  970|       |
  971|       |	   Version 1.2 is written by some programs that write additional
  972|       |	   block types (which can be read by any code that handles them,
  973|       |	   regardless of whether the minor version if 0 or 2, so that's
  974|       |	   not a reason to change the minor version number).
  975|       |
  976|       |	   XXX - the pcapng specification says that readers should
  977|       |	   just ignore sections with an unsupported version number;
  978|       |	   presumably they can also report an error if they skip
  979|       |	   all the way to the end of the file without finding
  980|       |	   any versions that they support. */
  981|  1.19k|	if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
  ------------------
  |  |  108|  2.39k|#define PCAP_NG_VERSION_MAJOR	1
  ------------------
  |  Branch (981:9): [True: 1.18k, False: 16]
  ------------------
  982|  1.19k|	       (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
  ------------------
  |  |  109|  2.36k|#define PCAP_NG_VERSION_MINOR	0
  ------------------
  |  Branch (982:10): [True: 1.14k, False: 35]
  ------------------
  983|  1.18k|	        shbp->minor_version == 2))) {
  ------------------
  |  Branch (983:10): [True: 13, False: 22]
  ------------------
  984|     38|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     38|#define PCAP_ERRBUF_SIZE 256
  ------------------
  985|     38|		    "unsupported pcapng savefile version %u.%u",
  986|     38|		    shbp->major_version, shbp->minor_version);
  987|     38|		goto fail;
  988|     38|	}
  989|  1.15k|	p->version_major = shbp->major_version;
  990|  1.15k|	p->version_minor = shbp->minor_version;
  991|       |
  992|       |	/*
  993|       |	 * Save the time stamp resolution the user requested.
  994|       |	 */
  995|  1.15k|	p->opt.tstamp_precision = precision;
  996|       |
  997|       |	/*
  998|       |	 * Now start looking for an Interface Description Block.
  999|       |	 */
 1000|  2.14k|	for (;;) {
 1001|       |		/*
 1002|       |		 * Read the next block.
 1003|       |		 */
 1004|  2.14k|		status = read_block(fp, p, &cursor, errbuf);
 1005|  2.14k|		if (status == 0) {
  ------------------
  |  Branch (1005:7): [True: 17, False: 2.12k]
  ------------------
 1006|       |			/* EOF - no IDB in this file */
 1007|     17|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     17|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1008|     17|			    "the capture file has no Interface Description Blocks");
 1009|     17|			goto fail;
 1010|     17|		}
 1011|  2.12k|		if (status == -1)
  ------------------
  |  Branch (1011:7): [True: 192, False: 1.93k]
  ------------------
 1012|    192|			goto fail;	/* error */
 1013|  1.93k|		switch (cursor.block_type) {
 1014|       |
 1015|    947|		case BT_IDB:
  ------------------
  |  |  114|    947|#define BT_IDB			0x00000001
  ------------------
  |  Branch (1015:3): [True: 947, False: 988]
  ------------------
 1016|       |			/*
 1017|       |			 * Get a pointer to the fixed-length portion of the
 1018|       |			 * IDB.
 1019|       |			 */
 1020|    947|			idbp = get_from_block_data(&cursor, sizeof(*idbp),
 1021|    947|			    errbuf);
 1022|    947|			if (idbp == NULL)
  ------------------
  |  Branch (1022:8): [True: 2, False: 945]
  ------------------
 1023|      2|				goto fail;	/* error */
 1024|       |
 1025|       |			/*
 1026|       |			 * Byte-swap it if necessary.
 1027|       |			 */
 1028|    945|			if (p->swapped) {
  ------------------
  |  Branch (1028:8): [True: 231, False: 714]
  ------------------
 1029|    231|				idbp->linktype = SWAPSHORT(idbp->linktype);
  ------------------
  |  |   47|    231|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|    231|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
 1030|    231|				idbp->snaplen = SWAPLONG(idbp->snaplen);
  ------------------
  |  |   42|    231|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    231|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    231|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    231|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1031|    231|			}
 1032|       |
 1033|       |			/*
 1034|       |			 * Try to add this interface.
 1035|       |			 */
 1036|    945|			if (!add_interface(p, idbp, &cursor, errbuf))
  ------------------
  |  Branch (1036:8): [True: 87, False: 858]
  ------------------
 1037|     87|				goto fail;
 1038|       |
 1039|    858|			goto done;
 1040|       |
 1041|    858|		case BT_EPB:
  ------------------
  |  |  143|      1|#define BT_EPB			0x00000006
  ------------------
  |  Branch (1041:3): [True: 1, False: 1.93k]
  ------------------
 1042|      2|		case BT_SPB:
  ------------------
  |  |  157|      2|#define BT_SPB			0x00000003
  ------------------
  |  Branch (1042:3): [True: 1, False: 1.93k]
  ------------------
 1043|      3|		case BT_PB:
  ------------------
  |  |  167|      3|#define BT_PB			0x00000002
  ------------------
  |  Branch (1043:3): [True: 1, False: 1.93k]
  ------------------
 1044|       |			/*
 1045|       |			 * Saw a packet before we saw any IDBs.  That's
 1046|       |			 * not valid, as we don't know what link-layer
 1047|       |			 * encapsulation the packet has.
 1048|       |			 */
 1049|      3|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      3|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1050|      3|			    "the capture file has a packet block before any Interface Description Blocks");
 1051|      3|			goto fail;
 1052|       |
 1053|    985|		default:
  ------------------
  |  Branch (1053:3): [True: 985, False: 950]
  ------------------
 1054|       |			/*
 1055|       |			 * Just ignore it.
 1056|       |			 */
 1057|    985|			break;
 1058|  1.93k|		}
 1059|  1.93k|	}
 1060|       |
 1061|    858|done:
 1062|    858|	p->linktype = linktype_to_dlt(idbp->linktype);
 1063|    858|	p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
 1064|    858|	p->linktype_ext = 0;
 1065|       |
 1066|       |	/*
 1067|       |	 * If the maximum block size for a packet with the maximum
 1068|       |	 * snapshot length for this DLT_ is bigger than the current
 1069|       |	 * maximum block size, increase the maximum.
 1070|       |	 */
 1071|    858|	if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
  ------------------
  |  |  248|    858|	(sizeof (struct block_header) + \
  |  |  249|    858|	 sizeof (struct enhanced_packet_block) + \
  |  |  250|    858|	 (max_snaplen) + 131072 + \
  |  |  251|    858|	 sizeof (struct block_trailer))
  ------------------
  |  Branch (1071:6): [True: 17, False: 841]
  ------------------
 1072|     17|		ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
  ------------------
  |  |  248|     17|	(sizeof (struct block_header) + \
  |  |  249|     17|	 sizeof (struct enhanced_packet_block) + \
  |  |  250|     17|	 (max_snaplen) + 131072 + \
  |  |  251|     17|	 sizeof (struct block_trailer))
  ------------------
 1073|       |
 1074|    858|	p->next_packet_op = pcap_ng_next_packet;
 1075|    858|	p->cleanup_op = pcap_ng_cleanup;
 1076|       |
 1077|    858|	return (p);
 1078|       |
 1079|    404|fail:
 1080|    404|	free(ps->ifaces);
 1081|    404|	free(p->buffer);
 1082|    404|	free(p);
 1083|    404|	*err = 1;
 1084|    404|	return (NULL);
 1085|  1.15k|}
sf-pcapng.c:read_bytes:
  260|  26.0k|{
  261|  26.0k|	size_t amt_read;
  262|       |
  263|  26.0k|	amt_read = fread(buf, 1, bytes_to_read, fp);
  264|  26.0k|	if (amt_read != bytes_to_read) {
  ------------------
  |  Branch (264:6): [True: 519, False: 25.5k]
  ------------------
  265|    519|		if (ferror(fp)) {
  ------------------
  |  Branch (265:7): [True: 0, False: 519]
  ------------------
  266|      0|			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  267|      0|			    errno, "error reading dump file");
  268|    519|		} else {
  269|    519|			if (amt_read == 0 && !fail_on_eof)
  ------------------
  |  Branch (269:8): [True: 467, False: 52]
  |  Branch (269:25): [True: 375, False: 92]
  ------------------
  270|    375|				return (0);	/* EOF */
  271|    144|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|    144|#define PCAP_ERRBUF_SIZE 256
  ------------------
  272|    144|			    "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
  273|    144|			    bytes_to_read, amt_read);
  274|    144|		}
  275|    144|		return (-1);
  276|    519|	}
  277|  25.5k|	return (1);
  278|  26.0k|}
sf-pcapng.c:read_block:
  282|  12.6k|{
  283|  12.6k|	struct pcap_ng_sf *ps;
  284|  12.6k|	int status;
  285|  12.6k|	struct block_header bhdr;
  286|  12.6k|	struct block_trailer *btrlr;
  287|  12.6k|	u_char *bdata;
  288|  12.6k|	size_t data_remaining;
  289|       |
  290|  12.6k|	ps = p->priv;
  291|       |
  292|  12.6k|	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
  293|  12.6k|	if (status <= 0)
  ------------------
  |  Branch (293:6): [True: 403, False: 12.2k]
  ------------------
  294|    403|		return (status);	/* error or EOF */
  295|       |
  296|  12.2k|	if (p->swapped) {
  ------------------
  |  Branch (296:6): [True: 3.33k, False: 8.93k]
  ------------------
  297|  3.33k|		bhdr.block_type = SWAPLONG(bhdr.block_type);
  ------------------
  |  |   42|  3.33k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  3.33k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  3.33k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  3.33k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  298|  3.33k|		bhdr.total_length = SWAPLONG(bhdr.total_length);
  ------------------
  |  |   42|  3.33k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  3.33k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  3.33k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  3.33k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  299|  3.33k|	}
  300|       |
  301|       |	/*
  302|       |	 * Is this block "too small" - i.e., is it shorter than a block
  303|       |	 * header plus a block trailer?
  304|       |	 */
  305|  12.2k|	if (bhdr.total_length < sizeof(struct block_header) +
  ------------------
  |  Branch (305:6): [True: 8, False: 12.2k]
  ------------------
  306|  12.2k|	    sizeof(struct block_trailer)) {
  307|      8|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      8|#define PCAP_ERRBUF_SIZE 256
  ------------------
  308|      8|		    "block in pcapng dump file has a length of %u < %zu",
  309|      8|		    bhdr.total_length,
  310|      8|		    sizeof(struct block_header) + sizeof(struct block_trailer));
  311|      8|		return (-1);
  312|      8|	}
  313|       |
  314|       |	/*
  315|       |	 * Is the block total length a multiple of 4?
  316|       |	 */
  317|  12.2k|	if ((bhdr.total_length % 4) != 0) {
  ------------------
  |  Branch (317:6): [True: 16, False: 12.2k]
  ------------------
  318|       |		/*
  319|       |		 * No.  Report that as an error.
  320|       |		 */
  321|     16|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     16|#define PCAP_ERRBUF_SIZE 256
  ------------------
  322|     16|		    "block in pcapng dump file has a length of %u that is not a multiple of 4",
  323|     16|		    bhdr.total_length);
  324|     16|		return (-1);
  325|     16|	}
  326|       |
  327|       |	/*
  328|       |	 * Is the buffer big enough?
  329|       |	 */
  330|  12.2k|	if (p->bufsize < bhdr.total_length) {
  ------------------
  |  Branch (330:6): [True: 167, False: 12.0k]
  ------------------
  331|       |		/*
  332|       |		 * No - make it big enough, unless it's too big, in
  333|       |		 * which case we fail.
  334|       |		 */
  335|    167|		void *bigger_buffer;
  336|       |
  337|    167|		if (bhdr.total_length > ps->max_blocksize) {
  ------------------
  |  Branch (337:7): [True: 77, False: 90]
  ------------------
  338|     77|			snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
  ------------------
  |  |  152|     77|#define PCAP_ERRBUF_SIZE 256
  ------------------
  339|     77|			    ps->max_blocksize);
  340|     77|			return (-1);
  341|     77|		}
  342|     90|		bigger_buffer = realloc(p->buffer, bhdr.total_length);
  343|     90|		if (bigger_buffer == NULL) {
  ------------------
  |  Branch (343:7): [True: 0, False: 90]
  ------------------
  344|      0|			snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  345|      0|			return (-1);
  346|      0|		}
  347|     90|		p->buffer = bigger_buffer;
  348|     90|	}
  349|       |
  350|       |	/*
  351|       |	 * Copy the stuff we've read to the buffer, and read the rest
  352|       |	 * of the block.
  353|       |	 */
  354|  12.1k|	memcpy(p->buffer, &bhdr, sizeof(bhdr));
  355|  12.1k|	bdata = p->buffer + sizeof(bhdr);
  356|  12.1k|	data_remaining = bhdr.total_length - sizeof(bhdr);
  357|  12.1k|	if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
  ------------------
  |  Branch (357:6): [True: 51, False: 12.1k]
  ------------------
  358|     51|		return (-1);
  359|       |
  360|       |	/*
  361|       |	 * Get the block size from the trailer.
  362|       |	 */
  363|  12.1k|	btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
  364|  12.1k|	if (p->swapped)
  ------------------
  |  Branch (364:6): [True: 3.28k, False: 8.82k]
  ------------------
  365|  3.28k|		btrlr->total_length = SWAPLONG(btrlr->total_length);
  ------------------
  |  |   42|  3.28k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  3.28k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  3.28k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  3.28k|     ((((u_int)(y))>>24)&0xff))
  ------------------
  366|       |
  367|       |	/*
  368|       |	 * Is the total length from the trailer the same as the total
  369|       |	 * length from the header?
  370|       |	 */
  371|  12.1k|	if (bhdr.total_length != btrlr->total_length) {
  ------------------
  |  Branch (371:6): [True: 45, False: 12.0k]
  ------------------
  372|       |		/*
  373|       |		 * No.
  374|       |		 */
  375|     45|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     45|#define PCAP_ERRBUF_SIZE 256
  ------------------
  376|     45|		    "block total length in header and trailer don't match");
  377|     45|		return (-1);
  378|     45|	}
  379|       |
  380|       |	/*
  381|       |	 * Initialize the cursor.
  382|       |	 */
  383|  12.0k|	cursor->data = bdata;
  384|  12.0k|	cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
  385|  12.0k|	cursor->block_type = bhdr.block_type;
  386|  12.0k|	return (1);
  387|  12.1k|}
sf-pcapng.c:get_from_block_data:
  392|  18.1k|{
  393|  18.1k|	void *data;
  394|       |
  395|       |	/*
  396|       |	 * Make sure we have the specified amount of data remaining in
  397|       |	 * the block data.
  398|       |	 */
  399|  18.1k|	if (cursor->data_remaining < chunk_size) {
  ------------------
  |  Branch (399:6): [True: 127, False: 18.0k]
  ------------------
  400|    127|		snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|    127|#define PCAP_ERRBUF_SIZE 256
  ------------------
  401|    127|		    "block of type %u in pcapng dump file is too short",
  402|    127|		    cursor->block_type);
  403|    127|		return (NULL);
  404|    127|	}
  405|       |
  406|       |	/*
  407|       |	 * Return the current pointer, and skip past the chunk.
  408|       |	 */
  409|  18.0k|	data = cursor->data;
  410|  18.0k|	cursor->data += chunk_size;
  411|  18.0k|	cursor->data_remaining -= chunk_size;
  412|  18.0k|	return (data);
  413|  18.1k|}
sf-pcapng.c:add_interface:
  595|  7.65k|{
  596|  7.65k|	struct pcap_ng_sf *ps;
  597|  7.65k|	uint64_t tsresol;
  598|  7.65k|	uint64_t tsoffset;
  599|  7.65k|	int is_binary;
  600|       |
  601|  7.65k|	ps = p->priv;
  602|       |
  603|       |	/*
  604|       |	 * Count this interface.
  605|       |	 */
  606|  7.65k|	ps->ifcount++;
  607|       |
  608|       |	/*
  609|       |	 * Grow the array of per-interface information as necessary.
  610|       |	 */
  611|  7.65k|	if (ps->ifcount > ps->ifaces_size) {
  ------------------
  |  Branch (611:6): [True: 1.36k, False: 6.28k]
  ------------------
  612|       |		/*
  613|       |		 * We need to grow the array.
  614|       |		 */
  615|  1.36k|		bpf_u_int32 new_ifaces_size;
  616|  1.36k|		struct pcap_ng_if *new_ifaces;
  617|       |
  618|  1.36k|		if (ps->ifaces_size == 0) {
  ------------------
  |  Branch (618:7): [True: 945, False: 423]
  ------------------
  619|       |			/*
  620|       |			 * It's currently empty.
  621|       |			 *
  622|       |			 * (The Clang static analyzer doesn't do enough,
  623|       |			 * err, umm, dataflow *analysis* to realize that
  624|       |			 * ps->ifaces_size == 0 if ps->ifaces == NULL,
  625|       |			 * and so complains about a possible zero argument
  626|       |			 * to realloc(), so we check for the former
  627|       |			 * condition to shut it up.
  628|       |			 *
  629|       |			 * However, it doesn't complain that one of the
  630|       |			 * multiplications below could overflow, which is
  631|       |			 * a real, albeit extremely unlikely, problem (you'd
  632|       |			 * need a pcapng file with tens of millions of
  633|       |			 * interfaces).)
  634|       |			 */
  635|    945|			new_ifaces_size = 1;
  636|    945|			new_ifaces = malloc(sizeof (struct pcap_ng_if));
  637|    945|		} else {
  638|       |			/*
  639|       |			 * It's not currently empty; double its size.
  640|       |			 * (Perhaps overkill once we have a lot of interfaces.)
  641|       |			 *
  642|       |			 * Check for overflow if we double it.
  643|       |			 */
  644|    423|			if (ps->ifaces_size * 2 < ps->ifaces_size) {
  ------------------
  |  Branch (644:8): [True: 0, False: 423]
  ------------------
  645|       |				/*
  646|       |				 * The maximum number of interfaces before
  647|       |				 * ps->ifaces_size overflows is the largest
  648|       |				 * possible 32-bit power of 2, as we do
  649|       |				 * size doubling.
  650|       |				 */
  651|      0|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  652|      0|				    "more than %u interfaces in the file",
  653|      0|				    0x80000000U);
  654|      0|				return (0);
  655|      0|			}
  656|       |
  657|       |			/*
  658|       |			 * ps->ifaces_size * 2 doesn't overflow, so it's
  659|       |			 * safe to multiply.
  660|       |			 */
  661|    423|			new_ifaces_size = ps->ifaces_size * 2;
  662|       |
  663|       |			/*
  664|       |			 * Now make sure that's not so big that it overflows
  665|       |			 * if we multiply by sizeof (struct pcap_ng_if).
  666|       |			 *
  667|       |			 * That can happen on 32-bit platforms, with a 32-bit
  668|       |			 * size_t; it shouldn't happen on 64-bit platforms,
  669|       |			 * with a 64-bit size_t, as new_ifaces_size is
  670|       |			 * 32 bits.
  671|       |			 */
  672|    423|			if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
  ------------------
  |  Branch (672:8): [True: 0, False: 423]
  ------------------
  673|       |				/*
  674|       |				 * As this fails only with 32-bit size_t,
  675|       |				 * the multiplication was 32x32->32, and
  676|       |				 * the largest 32-bit value that can safely
  677|       |				 * be multiplied by sizeof (struct pcap_ng_if)
  678|       |				 * without overflow is the largest 32-bit
  679|       |				 * (unsigned) value divided by
  680|       |				 * sizeof (struct pcap_ng_if).
  681|       |				 */
  682|      0|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  683|      0|				    "more than %u interfaces in the file",
  684|      0|				    0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
  685|      0|				return (0);
  686|      0|			}
  687|    423|			new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
  688|    423|		}
  689|  1.36k|		if (new_ifaces == NULL) {
  ------------------
  |  Branch (689:7): [True: 0, False: 1.36k]
  ------------------
  690|       |			/*
  691|       |			 * We ran out of memory.
  692|       |			 * Give up.
  693|       |			 */
  694|      0|			snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      0|#define PCAP_ERRBUF_SIZE 256
  ------------------
  695|      0|			    "out of memory for per-interface information (%u interfaces)",
  696|      0|			    ps->ifcount);
  697|      0|			return (0);
  698|      0|		}
  699|  1.36k|		ps->ifaces_size = new_ifaces_size;
  700|  1.36k|		ps->ifaces = new_ifaces;
  701|  1.36k|	}
  702|       |
  703|  7.65k|	ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
  704|       |
  705|       |	/*
  706|       |	 * Set the default time stamp resolution and offset.
  707|       |	 */
  708|  7.65k|	tsresol = 1000000;	/* microsecond resolution */
  709|  7.65k|	is_binary = 0;		/* which is a power of 10 */
  710|  7.65k|	tsoffset = 0;		/* absolute timestamps */
  711|       |
  712|       |	/*
  713|       |	 * Now look for various time stamp options, so we know
  714|       |	 * how to interpret the time stamps for this interface.
  715|       |	 */
  716|  7.65k|	if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
  ------------------
  |  Branch (716:6): [True: 89, False: 7.56k]
  ------------------
  717|  7.65k|	    errbuf) == -1)
  718|     89|		return (0);
  719|       |
  720|  7.56k|	ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
  721|  7.56k|	ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
  722|       |
  723|       |	/*
  724|       |	 * Determine whether we're scaling up or down or not
  725|       |	 * at all for this interface.
  726|       |	 */
  727|  7.56k|	if (tsresol == ps->user_tsresol) {
  ------------------
  |  Branch (727:6): [True: 6.54k, False: 1.02k]
  ------------------
  728|       |		/*
  729|       |		 * The resolution is the resolution the user wants,
  730|       |		 * so we don't have to do scaling.
  731|       |		 */
  732|  6.54k|		ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
  733|  6.54k|	} else if (tsresol > ps->user_tsresol) {
  ------------------
  |  Branch (733:13): [True: 465, False: 555]
  ------------------
  734|       |		/*
  735|       |		 * The resolution is greater than what the user wants,
  736|       |		 * so we have to scale the timestamps down.
  737|       |		 */
  738|    465|		if (is_binary)
  ------------------
  |  Branch (738:7): [True: 249, False: 216]
  ------------------
  739|    249|			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
  740|    216|		else {
  741|       |			/*
  742|       |			 * Calculate the scale factor.
  743|       |			 */
  744|    216|			ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
  745|    216|			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
  746|    216|		}
  747|    555|	} else {
  748|       |		/*
  749|       |		 * The resolution is less than what the user wants,
  750|       |		 * so we have to scale the timestamps up.
  751|       |		 */
  752|    555|		if (is_binary)
  ------------------
  |  Branch (752:7): [True: 204, False: 351]
  ------------------
  753|    204|			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
  754|    351|		else {
  755|       |			/*
  756|       |			 * Calculate the scale factor.
  757|       |			 */
  758|    351|			ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
  759|    351|			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
  760|    351|		}
  761|    555|	}
  762|  7.56k|	return (1);
  763|  7.65k|}
sf-pcapng.c:process_idb_options:
  464|  7.65k|{
  465|  7.65k|	struct option_header *opthdr;
  466|  7.65k|	void *optvalue;
  467|  7.65k|	int saw_tsresol, saw_tsoffset;
  468|  7.65k|	uint8_t tsresol_opt;
  469|  7.65k|	u_int i;
  470|       |
  471|  7.65k|	saw_tsresol = 0;
  472|  7.65k|	saw_tsoffset = 0;
  473|  9.94k|	while (cursor->data_remaining != 0) {
  ------------------
  |  Branch (473:9): [True: 2.59k, False: 7.35k]
  ------------------
  474|       |		/*
  475|       |		 * Get the option header.
  476|       |		 */
  477|  2.59k|		opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
  478|  2.59k|		if (opthdr == NULL) {
  ------------------
  |  Branch (478:7): [True: 0, False: 2.59k]
  ------------------
  479|       |			/*
  480|       |			 * Option header is cut short.
  481|       |			 */
  482|      0|			return (-1);
  483|      0|		}
  484|       |
  485|       |		/*
  486|       |		 * Get option value.
  487|       |		 */
  488|  2.59k|		optvalue = get_optvalue_from_block_data(cursor, opthdr,
  489|  2.59k|		    errbuf);
  490|  2.59k|		if (optvalue == NULL) {
  ------------------
  |  Branch (490:7): [True: 31, False: 2.55k]
  ------------------
  491|       |			/*
  492|       |			 * Option value is cut short.
  493|       |			 */
  494|     31|			return (-1);
  495|     31|		}
  496|       |
  497|  2.55k|		switch (opthdr->option_code) {
  498|       |
  499|    235|		case OPT_ENDOFOPT:
  ------------------
  |  |   69|    235|#define OPT_ENDOFOPT	0	/* end of options */
  ------------------
  |  Branch (499:3): [True: 235, False: 2.32k]
  ------------------
  500|    235|			if (opthdr->option_length != 0) {
  ------------------
  |  Branch (500:8): [True: 21, False: 214]
  ------------------
  501|     21|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     21|#define PCAP_ERRBUF_SIZE 256
  ------------------
  502|     21|				    "Interface Description Block has opt_endofopt option with length %u != 0",
  503|     21|				    opthdr->option_length);
  504|     21|				return (-1);
  505|     21|			}
  506|    214|			goto done;
  507|       |
  508|  1.04k|		case IF_TSRESOL:
  ------------------
  |  |  133|  1.04k|#define IF_TSRESOL	9	/* interface's time stamp resolution */
  ------------------
  |  Branch (508:3): [True: 1.04k, False: 1.51k]
  ------------------
  509|  1.04k|			if (opthdr->option_length != 1) {
  ------------------
  |  Branch (509:8): [True: 17, False: 1.02k]
  ------------------
  510|     17|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     17|#define PCAP_ERRBUF_SIZE 256
  ------------------
  511|     17|				    "Interface Description Block has if_tsresol option with length %u != 1",
  512|     17|				    opthdr->option_length);
  513|     17|				return (-1);
  514|     17|			}
  515|  1.02k|			if (saw_tsresol) {
  ------------------
  |  Branch (515:8): [True: 1, False: 1.02k]
  ------------------
  516|      1|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      1|#define PCAP_ERRBUF_SIZE 256
  ------------------
  517|      1|				    "Interface Description Block has more than one if_tsresol option");
  518|      1|				return (-1);
  519|      1|			}
  520|  1.02k|			saw_tsresol = 1;
  521|  1.02k|			memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
  522|  1.02k|			if (tsresol_opt & 0x80) {
  ------------------
  |  Branch (522:8): [True: 456, False: 572]
  ------------------
  523|       |				/*
  524|       |				 * Resolution is negative power of 2.
  525|       |				 */
  526|    456|				uint8_t tsresol_shift = (tsresol_opt & 0x7F);
  527|       |
  528|    456|				if (tsresol_shift > 63) {
  ------------------
  |  Branch (528:9): [True: 3, False: 453]
  ------------------
  529|       |					/*
  530|       |					 * Resolution is too high; 2^-{res}
  531|       |					 * won't fit in a 64-bit value.
  532|       |					 */
  533|      3|					snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      3|#define PCAP_ERRBUF_SIZE 256
  ------------------
  534|      3|					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
  535|      3|					    tsresol_shift);
  536|      3|					return (-1);
  537|      3|				}
  538|    453|				*is_binary = 1;
  539|    453|				*tsresol = ((uint64_t)1) << tsresol_shift;
  540|    572|			} else {
  541|       |				/*
  542|       |				 * Resolution is negative power of 10.
  543|       |				 */
  544|    572|				if (tsresol_opt > 19) {
  ------------------
  |  Branch (544:9): [True: 3, False: 569]
  ------------------
  545|       |					/*
  546|       |					 * Resolution is too high; 2^-{res}
  547|       |					 * won't fit in a 64-bit value (the
  548|       |					 * largest power of 10 that fits
  549|       |					 * in a 64-bit value is 10^19, as
  550|       |					 * the largest 64-bit unsigned
  551|       |					 * value is ~1.8*10^19).
  552|       |					 */
  553|      3|					snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      3|#define PCAP_ERRBUF_SIZE 256
  ------------------
  554|      3|					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
  555|      3|					    tsresol_opt);
  556|      3|					return (-1);
  557|      3|				}
  558|    569|				*is_binary = 0;
  559|    569|				*tsresol = 1;
  560|  4.44k|				for (i = 0; i < tsresol_opt; i++)
  ------------------
  |  Branch (560:17): [True: 3.87k, False: 569]
  ------------------
  561|  3.87k|					*tsresol *= 10;
  562|    569|			}
  563|  1.02k|			break;
  564|       |
  565|  1.02k|		case IF_TSOFFSET:
  ------------------
  |  |  138|    406|#define IF_TSOFFSET	14	/* time stamp offset for this interface */
  ------------------
  |  Branch (565:3): [True: 406, False: 2.15k]
  ------------------
  566|    406|			if (opthdr->option_length != 8) {
  ------------------
  |  Branch (566:8): [True: 12, False: 394]
  ------------------
  567|     12|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     12|#define PCAP_ERRBUF_SIZE 256
  ------------------
  568|     12|				    "Interface Description Block has if_tsoffset option with length %u != 8",
  569|     12|				    opthdr->option_length);
  570|     12|				return (-1);
  571|     12|			}
  572|    394|			if (saw_tsoffset) {
  ------------------
  |  Branch (572:8): [True: 1, False: 393]
  ------------------
  573|      1|				snprintf(errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      1|#define PCAP_ERRBUF_SIZE 256
  ------------------
  574|      1|				    "Interface Description Block has more than one if_tsoffset option");
  575|      1|				return (-1);
  576|      1|			}
  577|    393|			saw_tsoffset = 1;
  578|    393|			memcpy(tsoffset, optvalue, sizeof(*tsoffset));
  579|    393|			if (p->swapped)
  ------------------
  |  Branch (579:8): [True: 194, False: 199]
  ------------------
  580|    194|				*tsoffset = SWAPLL(*tsoffset);
  ------------------
  |  |  119|    194|#define SWAPLL(ull)  ((ull & 0xff00000000000000ULL) >> 56) | \
  |  |  120|    194|                      ((ull & 0x00ff000000000000ULL) >> 40) | \
  |  |  121|    194|                      ((ull & 0x0000ff0000000000ULL) >> 24) | \
  |  |  122|    194|                      ((ull & 0x000000ff00000000ULL) >> 8)  | \
  |  |  123|    194|                      ((ull & 0x00000000ff000000ULL) << 8)  | \
  |  |  124|    194|                      ((ull & 0x0000000000ff0000ULL) << 24) | \
  |  |  125|    194|                      ((ull & 0x000000000000ff00ULL) << 40) | \
  |  |  126|    194|                      ((ull & 0x00000000000000ffULL) << 56)
  ------------------
  581|    393|			break;
  582|       |
  583|    872|		default:
  ------------------
  |  Branch (583:3): [True: 872, False: 1.68k]
  ------------------
  584|    872|			break;
  585|  2.55k|		}
  586|  2.55k|	}
  587|       |
  588|  7.56k|done:
  589|  7.56k|	return (0);
  590|  7.65k|}
sf-pcapng.c:get_opthdr_from_block_data:
  417|  2.59k|{
  418|  2.59k|	struct option_header *opthdr;
  419|       |
  420|  2.59k|	opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
  421|  2.59k|	if (opthdr == NULL) {
  ------------------
  |  Branch (421:6): [True: 0, False: 2.59k]
  ------------------
  422|       |		/*
  423|       |		 * Option header is cut short.
  424|       |		 */
  425|      0|		return (NULL);
  426|      0|	}
  427|       |
  428|       |	/*
  429|       |	 * Byte-swap it if necessary.
  430|       |	 */
  431|  2.59k|	if (p->swapped) {
  ------------------
  |  Branch (431:6): [True: 1.02k, False: 1.56k]
  ------------------
  432|  1.02k|		opthdr->option_code = SWAPSHORT(opthdr->option_code);
  ------------------
  |  |   47|  1.02k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  1.02k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  433|  1.02k|		opthdr->option_length = SWAPSHORT(opthdr->option_length);
  ------------------
  |  |   47|  1.02k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  1.02k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
  434|  1.02k|	}
  435|       |
  436|  2.59k|	return (opthdr);
  437|  2.59k|}
sf-pcapng.c:get_optvalue_from_block_data:
  442|  2.59k|{
  443|  2.59k|	size_t padded_option_len;
  444|  2.59k|	void *optvalue;
  445|       |
  446|       |	/* Pad option length to 4-byte boundary */
  447|  2.59k|	padded_option_len = opthdr->option_length;
  448|  2.59k|	padded_option_len = ((padded_option_len + 3)/4)*4;
  449|       |
  450|  2.59k|	optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
  451|  2.59k|	if (optvalue == NULL) {
  ------------------
  |  Branch (451:6): [True: 31, False: 2.55k]
  ------------------
  452|       |		/*
  453|       |		 * Option value is cut short.
  454|       |		 */
  455|     31|		return (NULL);
  456|     31|	}
  457|       |
  458|  2.55k|	return (optvalue);
  459|  2.59k|}
sf-pcapng.c:pcap_ng_cleanup:
 1089|    858|{
 1090|    858|	struct pcap_ng_sf *ps = p->priv;
 1091|       |
 1092|    858|	free(ps->ifaces);
 1093|    858|	pcap_sf_cleanup(p);
 1094|    858|}
sf-pcapng.c:pcap_ng_next_packet:
 1103|  3.05k|{
 1104|  3.05k|	struct pcap_ng_sf *ps = p->priv;
 1105|  3.05k|	struct block_cursor cursor;
 1106|  3.05k|	int status;
 1107|  3.05k|	struct enhanced_packet_block *epbp;
 1108|  3.05k|	struct simple_packet_block *spbp;
 1109|  3.05k|	struct packet_block *pbp;
 1110|  3.05k|	bpf_u_int32 interface_id = 0xFFFFFFFF;
 1111|  3.05k|	struct interface_description_block *idbp;
 1112|  3.05k|	struct section_header_block *shbp;
 1113|  3.05k|	FILE *fp = p->rfile;
 1114|  3.05k|	uint64_t t, sec, frac;
 1115|       |
 1116|       |	/*
 1117|       |	 * Look for an Enhanced Packet Block, a Simple Packet Block,
 1118|       |	 * or a Packet Block.
 1119|       |	 */
 1120|  10.5k|	for (;;) {
 1121|       |		/*
 1122|       |		 * Read the block type and length; those are common
 1123|       |		 * to all blocks.
 1124|       |		 */
 1125|  10.5k|		status = read_block(fp, p, &cursor, p->errbuf);
 1126|  10.5k|		if (status == 0)
  ------------------
  |  Branch (1126:7): [True: 358, False: 10.1k]
  ------------------
 1127|    358|			return (0);	/* EOF */
 1128|  10.1k|		if (status == -1)
  ------------------
  |  Branch (1128:7): [True: 33, False: 10.1k]
  ------------------
 1129|     33|			return (-1);	/* error */
 1130|  10.1k|		switch (cursor.block_type) {
 1131|       |
 1132|    478|		case BT_EPB:
  ------------------
  |  |  143|    478|#define BT_EPB			0x00000006
  ------------------
  |  Branch (1132:3): [True: 478, False: 9.65k]
  ------------------
 1133|       |			/*
 1134|       |			 * Get a pointer to the fixed-length portion of the
 1135|       |			 * EPB.
 1136|       |			 */
 1137|    478|			epbp = get_from_block_data(&cursor, sizeof(*epbp),
 1138|    478|			    p->errbuf);
 1139|    478|			if (epbp == NULL)
  ------------------
  |  Branch (1139:8): [True: 4, False: 474]
  ------------------
 1140|      4|				return (-1);	/* error */
 1141|       |
 1142|       |			/*
 1143|       |			 * Byte-swap it if necessary.
 1144|       |			 */
 1145|    474|			if (p->swapped) {
  ------------------
  |  Branch (1145:8): [True: 217, False: 257]
  ------------------
 1146|       |				/* these were written in opposite byte order */
 1147|    217|				interface_id = SWAPLONG(epbp->interface_id);
  ------------------
  |  |   42|    217|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    217|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    217|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    217|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1148|    217|				hdr->caplen = SWAPLONG(epbp->caplen);
  ------------------
  |  |   42|    217|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    217|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    217|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    217|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1149|    217|				hdr->len = SWAPLONG(epbp->len);
  ------------------
  |  |   42|    217|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    217|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    217|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    217|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1150|    217|				t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
  ------------------
  |  |   42|    217|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    217|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    217|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    217|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1151|    217|				    SWAPLONG(epbp->timestamp_low);
  ------------------
  |  |   42|    217|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    217|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    217|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    217|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1152|    257|			} else {
 1153|    257|				interface_id = epbp->interface_id;
 1154|    257|				hdr->caplen = epbp->caplen;
 1155|    257|				hdr->len = epbp->len;
 1156|    257|				t = ((uint64_t)epbp->timestamp_high) << 32 |
 1157|    257|				    epbp->timestamp_low;
 1158|    257|			}
 1159|    474|			goto found;
 1160|       |
 1161|  1.49k|		case BT_SPB:
  ------------------
  |  |  157|  1.49k|#define BT_SPB			0x00000003
  ------------------
  |  Branch (1161:3): [True: 1.49k, False: 8.63k]
  ------------------
 1162|       |			/*
 1163|       |			 * Get a pointer to the fixed-length portion of the
 1164|       |			 * SPB.
 1165|       |			 */
 1166|  1.49k|			spbp = get_from_block_data(&cursor, sizeof(*spbp),
 1167|  1.49k|			    p->errbuf);
 1168|  1.49k|			if (spbp == NULL)
  ------------------
  |  Branch (1168:8): [True: 1, False: 1.49k]
  ------------------
 1169|      1|				return (-1);	/* error */
 1170|       |
 1171|       |			/*
 1172|       |			 * SPB packets are assumed to have arrived on
 1173|       |			 * the first interface.
 1174|       |			 */
 1175|  1.49k|			interface_id = 0;
 1176|       |
 1177|       |			/*
 1178|       |			 * Byte-swap it if necessary.
 1179|       |			 */
 1180|  1.49k|			if (p->swapped) {
  ------------------
  |  Branch (1180:8): [True: 888, False: 609]
  ------------------
 1181|       |				/* these were written in opposite byte order */
 1182|    888|				hdr->len = SWAPLONG(spbp->len);
  ------------------
  |  |   42|    888|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    888|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    888|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    888|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1183|    888|			} else
 1184|    609|				hdr->len = spbp->len;
 1185|       |
 1186|       |			/*
 1187|       |			 * The SPB doesn't give the captured length;
 1188|       |			 * it's the minimum of the snapshot length
 1189|       |			 * and the packet length.
 1190|       |			 */
 1191|  1.49k|			hdr->caplen = hdr->len;
 1192|  1.49k|			if (hdr->caplen > (bpf_u_int32)p->snapshot)
  ------------------
  |  Branch (1192:8): [True: 224, False: 1.27k]
  ------------------
 1193|    224|				hdr->caplen = p->snapshot;
 1194|  1.49k|			t = 0;	/* no time stamps */
 1195|  1.49k|			goto found;
 1196|       |
 1197|    403|		case BT_PB:
  ------------------
  |  |  167|    403|#define BT_PB			0x00000002
  ------------------
  |  Branch (1197:3): [True: 403, False: 9.72k]
  ------------------
 1198|       |			/*
 1199|       |			 * Get a pointer to the fixed-length portion of the
 1200|       |			 * PB.
 1201|       |			 */
 1202|    403|			pbp = get_from_block_data(&cursor, sizeof(*pbp),
 1203|    403|			    p->errbuf);
 1204|    403|			if (pbp == NULL)
  ------------------
  |  Branch (1204:8): [True: 4, False: 399]
  ------------------
 1205|      4|				return (-1);	/* error */
 1206|       |
 1207|       |			/*
 1208|       |			 * Byte-swap it if necessary.
 1209|       |			 */
 1210|    399|			if (p->swapped) {
  ------------------
  |  Branch (1210:8): [True: 195, False: 204]
  ------------------
 1211|       |				/* these were written in opposite byte order */
 1212|    195|				interface_id = SWAPSHORT(pbp->interface_id);
  ------------------
  |  |   47|    195|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|    195|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
 1213|    195|				hdr->caplen = SWAPLONG(pbp->caplen);
  ------------------
  |  |   42|    195|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    195|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    195|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    195|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1214|    195|				hdr->len = SWAPLONG(pbp->len);
  ------------------
  |  |   42|    195|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    195|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    195|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    195|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1215|    195|				t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
  ------------------
  |  |   42|    195|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    195|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    195|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    195|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1216|    195|				    SWAPLONG(pbp->timestamp_low);
  ------------------
  |  |   42|    195|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    195|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    195|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    195|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1217|    204|			} else {
 1218|    204|				interface_id = pbp->interface_id;
 1219|    204|				hdr->caplen = pbp->caplen;
 1220|    204|				hdr->len = pbp->len;
 1221|    204|				t = ((uint64_t)pbp->timestamp_high) << 32 |
 1222|    204|				    pbp->timestamp_low;
 1223|    204|			}
 1224|    399|			goto found;
 1225|       |
 1226|  6.80k|		case BT_IDB:
  ------------------
  |  |  114|  6.80k|#define BT_IDB			0x00000001
  ------------------
  |  Branch (1226:3): [True: 6.80k, False: 3.32k]
  ------------------
 1227|       |			/*
 1228|       |			 * Interface Description Block.  Get a pointer
 1229|       |			 * to its fixed-length portion.
 1230|       |			 */
 1231|  6.80k|			idbp = get_from_block_data(&cursor, sizeof(*idbp),
 1232|  6.80k|			    p->errbuf);
 1233|  6.80k|			if (idbp == NULL)
  ------------------
  |  Branch (1233:8): [True: 2, False: 6.80k]
  ------------------
 1234|      2|				return (-1);	/* error */
 1235|       |
 1236|       |			/*
 1237|       |			 * Byte-swap it if necessary.
 1238|       |			 */
 1239|  6.80k|			if (p->swapped) {
  ------------------
  |  Branch (1239:8): [True: 1.08k, False: 5.71k]
  ------------------
 1240|  1.08k|				idbp->linktype = SWAPSHORT(idbp->linktype);
  ------------------
  |  |   47|  1.08k|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|  1.08k|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
 1241|  1.08k|				idbp->snaplen = SWAPLONG(idbp->snaplen);
  ------------------
  |  |   42|  1.08k|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|  1.08k|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|  1.08k|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|  1.08k|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1242|  1.08k|			}
 1243|       |
 1244|       |			/*
 1245|       |			 * If the link-layer type or snapshot length
 1246|       |			 * differ from the ones for the first IDB we
 1247|       |			 * saw, quit.
 1248|       |			 *
 1249|       |			 * XXX - just discard packets from those
 1250|       |			 * interfaces?
 1251|       |			 */
 1252|  6.80k|			if (p->linktype != idbp->linktype) {
  ------------------
  |  Branch (1252:8): [True: 34, False: 6.76k]
  ------------------
 1253|     34|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     34|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1254|     34|				    "an interface has a type %u different from the type of the first interface",
 1255|     34|				    idbp->linktype);
 1256|     34|				return (-1);
 1257|     34|			}
 1258|       |
 1259|       |			/*
 1260|       |			 * Check against the *adjusted* value of this IDB's
 1261|       |			 * snapshot length.
 1262|       |			 */
 1263|  6.76k|			if ((bpf_u_int32)p->snapshot !=
  ------------------
  |  Branch (1263:8): [True: 55, False: 6.71k]
  ------------------
 1264|  6.76k|			    pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
 1265|     55|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     55|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1266|     55|				    "an interface has a snapshot length %u different from the snapshot length of the first interface",
 1267|     55|				    idbp->snaplen);
 1268|     55|				return (-1);
 1269|     55|			}
 1270|       |
 1271|       |			/*
 1272|       |			 * Try to add this interface.
 1273|       |			 */
 1274|  6.71k|			if (!add_interface(p, idbp, &cursor, p->errbuf))
  ------------------
  |  Branch (1274:8): [True: 2, False: 6.70k]
  ------------------
 1275|      2|				return (-1);
 1276|  6.70k|			break;
 1277|       |
 1278|  6.70k|		case BT_SHB:
  ------------------
  |  |   88|    580|#define BT_SHB			0x0A0D0D0A
  ------------------
  |  Branch (1278:3): [True: 580, False: 9.55k]
  ------------------
 1279|       |			/*
 1280|       |			 * Section Header Block.  Get a pointer
 1281|       |			 * to its fixed-length portion.
 1282|       |			 */
 1283|    580|			shbp = get_from_block_data(&cursor, sizeof(*shbp),
 1284|    580|			    p->errbuf);
 1285|    580|			if (shbp == NULL)
  ------------------
  |  Branch (1285:8): [True: 3, False: 577]
  ------------------
 1286|      3|				return (-1);	/* error */
 1287|       |
 1288|       |			/*
 1289|       |			 * Assume the byte order of this section is
 1290|       |			 * the same as that of the previous section.
 1291|       |			 * We'll check for that later.
 1292|       |			 */
 1293|    577|			if (p->swapped) {
  ------------------
  |  Branch (1293:8): [True: 209, False: 368]
  ------------------
 1294|    209|				shbp->byte_order_magic =
 1295|    209|				    SWAPLONG(shbp->byte_order_magic);
  ------------------
  |  |   42|    209|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|    209|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|    209|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|    209|     ((((u_int)(y))>>24)&0xff))
  ------------------
 1296|    209|				shbp->major_version =
 1297|    209|				    SWAPSHORT(shbp->major_version);
  ------------------
  |  |   47|    209|     ((u_short)(((((u_int)(y))&0xff)<<8) | \
  |  |   48|    209|                ((((u_int)(y))&0xff00)>>8)))
  ------------------
 1298|    209|			}
 1299|       |
 1300|       |			/*
 1301|       |			 * Make sure the byte order doesn't change;
 1302|       |			 * pcap_is_swapped() shouldn't change its
 1303|       |			 * return value in the middle of reading a capture.
 1304|       |			 */
 1305|    577|			switch (shbp->byte_order_magic) {
 1306|       |
 1307|    394|			case BYTE_ORDER_MAGIC:
  ------------------
  |  |  101|    394|#define BYTE_ORDER_MAGIC	0x1A2B3C4D
  ------------------
  |  Branch (1307:4): [True: 394, False: 183]
  ------------------
 1308|       |				/*
 1309|       |				 * OK.
 1310|       |				 */
 1311|    394|				break;
 1312|       |
 1313|      1|			case SWAPLONG(BYTE_ORDER_MAGIC):
  ------------------
  |  |   42|      1|    (((((u_int)(y))&0xff)<<24) | \
  |  |   43|      1|     ((((u_int)(y))&0xff00)<<8) | \
  |  |   44|      1|     ((((u_int)(y))&0xff0000)>>8) | \
  |  |   45|      1|     ((((u_int)(y))>>24)&0xff))
  ------------------
  |  Branch (1313:4): [True: 1, False: 576]
  ------------------
 1314|       |				/*
 1315|       |				 * Byte order changes.
 1316|       |				 */
 1317|      1|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      1|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1318|      1|				    "the file has sections with different byte orders");
 1319|      1|				return (-1);
 1320|       |
 1321|    182|			default:
  ------------------
  |  Branch (1321:4): [True: 182, False: 395]
  ------------------
 1322|       |				/*
 1323|       |				 * Not a valid SHB.
 1324|       |				 */
 1325|    182|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|    182|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1326|    182|				    "the file has a section with a bad byte order magic field");
 1327|    182|				return (-1);
 1328|    577|			}
 1329|       |
 1330|       |			/*
 1331|       |			 * Make sure the major version is the version
 1332|       |			 * we handle.
 1333|       |			 */
 1334|    394|			if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
  ------------------
  |  |  108|    394|#define PCAP_NG_VERSION_MAJOR	1
  ------------------
  |  Branch (1334:8): [True: 4, False: 390]
  ------------------
 1335|      4|				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|      4|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1336|      4|				    "unknown pcapng savefile major version number %u",
 1337|      4|				    shbp->major_version);
 1338|      4|				return (-1);
 1339|      4|			}
 1340|       |
 1341|       |			/*
 1342|       |			 * Reset the interface count; this section should
 1343|       |			 * have its own set of IDBs.  If any of them
 1344|       |			 * don't have the same interface type, snapshot
 1345|       |			 * length, or resolution as the first interface
 1346|       |			 * we saw, we'll fail.  (And if we don't see
 1347|       |			 * any IDBs, we'll fail when we see a packet
 1348|       |			 * block.)
 1349|       |			 */
 1350|    390|			ps->ifcount = 0;
 1351|    390|			break;
 1352|       |
 1353|    370|		default:
  ------------------
  |  Branch (1353:3): [True: 370, False: 9.76k]
  ------------------
 1354|       |			/*
 1355|       |			 * Not a packet block, IDB, or SHB; ignore it.
 1356|       |			 */
 1357|    370|			break;
 1358|  10.1k|		}
 1359|  10.1k|	}
 1360|       |
 1361|  2.37k|found:
 1362|       |	/*
 1363|       |	 * Is the interface ID an interface we know?
 1364|       |	 */
 1365|  2.37k|	if (interface_id >= ps->ifcount) {
  ------------------
  |  Branch (1365:6): [True: 61, False: 2.30k]
  ------------------
 1366|       |		/*
 1367|       |		 * Yes.  Fail.
 1368|       |		 */
 1369|     61|		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     61|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1370|     61|		    "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
 1371|     61|		    interface_id);
 1372|     61|		return (-1);
 1373|     61|	}
 1374|       |
 1375|  2.30k|	if (hdr->caplen > (bpf_u_int32)p->snapshot) {
  ------------------
  |  Branch (1375:6): [True: 34, False: 2.27k]
  ------------------
 1376|     34|		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
  ------------------
  |  |  152|     34|#define PCAP_ERRBUF_SIZE 256
  ------------------
 1377|     34|		    "invalid packet capture length %u, bigger than "
 1378|     34|		    "snaplen of %d", hdr->caplen, p->snapshot);
 1379|     34|		return (-1);
 1380|     34|	}
 1381|       |
 1382|       |	/*
 1383|       |	 * Convert the time stamp to seconds and fractions of a second,
 1384|       |	 * with the fractions being in units of the file-supplied resolution.
 1385|       |	 */
 1386|  2.27k|	sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
 1387|  2.27k|	frac = t % ps->ifaces[interface_id].tsresol;
 1388|       |
 1389|       |	/*
 1390|       |	 * Convert the fractions from units of the file-supplied resolution
 1391|       |	 * to units of the user-requested resolution.
 1392|       |	 */
 1393|  2.27k|	switch (ps->ifaces[interface_id].scale_type) {
  ------------------
  |  Branch (1393:10): [True: 0, False: 2.27k]
  ------------------
 1394|       |
 1395|  1.49k|	case PASS_THROUGH:
  ------------------
  |  Branch (1395:2): [True: 1.49k, False: 776]
  ------------------
 1396|       |		/*
 1397|       |		 * The interface resolution is what the user wants,
 1398|       |		 * so we're done.
 1399|       |		 */
 1400|  1.49k|		break;
 1401|       |
 1402|    194|	case SCALE_UP_DEC:
  ------------------
  |  Branch (1402:2): [True: 194, False: 2.08k]
  ------------------
 1403|       |		/*
 1404|       |		 * The interface resolution is less than what the user
 1405|       |		 * wants; scale the fractional part up to the units of
 1406|       |		 * the resolution the user requested by multiplying by
 1407|       |		 * the quotient of the user-requested resolution and the
 1408|       |		 * file-supplied resolution.
 1409|       |		 *
 1410|       |		 * Those resolutions are both powers of 10, and the user-
 1411|       |		 * requested resolution is greater than the file-supplied
 1412|       |		 * resolution, so the quotient in question is an integer.
 1413|       |		 * We've calculated that quotient already, so we just
 1414|       |		 * multiply by it.
 1415|       |		 */
 1416|    194|		frac *= ps->ifaces[interface_id].scale_factor;
 1417|    194|		break;
 1418|       |
 1419|    194|	case SCALE_UP_BIN:
  ------------------
  |  Branch (1419:2): [True: 194, False: 2.08k]
  ------------------
 1420|       |		/*
 1421|       |		 * The interface resolution is less than what the user
 1422|       |		 * wants; scale the fractional part up to the units of
 1423|       |		 * the resolution the user requested by multiplying by
 1424|       |		 * the quotient of the user-requested resolution and the
 1425|       |		 * file-supplied resolution.
 1426|       |		 *
 1427|       |		 * The file-supplied resolution is a power of 2, so the
 1428|       |		 * quotient is not an integer, so, in order to do this
 1429|       |		 * entirely with integer arithmetic, we multiply by the
 1430|       |		 * user-requested resolution and divide by the file-
 1431|       |		 * supplied resolution.
 1432|       |		 *
 1433|       |		 * XXX - Is there something clever we could do here,
 1434|       |		 * given that we know that the file-supplied resolution
 1435|       |		 * is a power of 2?  Doing a multiplication followed by
 1436|       |		 * a division runs the risk of overflowing, and involves
 1437|       |		 * two non-simple arithmetic operations.
 1438|       |		 */
 1439|    194|		frac *= ps->user_tsresol;
 1440|    194|		frac /= ps->ifaces[interface_id].tsresol;
 1441|    194|		break;
 1442|       |
 1443|    194|	case SCALE_DOWN_DEC:
  ------------------
  |  Branch (1443:2): [True: 194, False: 2.08k]
  ------------------
 1444|       |		/*
 1445|       |		 * The interface resolution is greater than what the user
 1446|       |		 * wants; scale the fractional part up to the units of
 1447|       |		 * the resolution the user requested by multiplying by
 1448|       |		 * the quotient of the user-requested resolution and the
 1449|       |		 * file-supplied resolution.
 1450|       |		 *
 1451|       |		 * Those resolutions are both powers of 10, and the user-
 1452|       |		 * requested resolution is less than the file-supplied
 1453|       |		 * resolution, so the quotient in question isn't an
 1454|       |		 * integer, but its reciprocal is, and we can just divide
 1455|       |		 * by the reciprocal of the quotient.  We've calculated
 1456|       |		 * the reciprocal of that quotient already, so we must
 1457|       |		 * divide by it.
 1458|       |		 */
 1459|    194|		frac /= ps->ifaces[interface_id].scale_factor;
 1460|    194|		break;
 1461|       |
 1462|       |
 1463|    194|	case SCALE_DOWN_BIN:
  ------------------
  |  Branch (1463:2): [True: 194, False: 2.08k]
  ------------------
 1464|       |		/*
 1465|       |		 * The interface resolution is greater than what the user
 1466|       |		 * wants; convert the fractional part to units of the
 1467|       |		 * resolution the user requested by multiplying by the
 1468|       |		 * quotient of the user-requested resolution and the
 1469|       |		 * file-supplied resolution.  We do that by multiplying
 1470|       |		 * by the user-requested resolution and dividing by the
 1471|       |		 * file-supplied resolution, as the quotient might not
 1472|       |		 * fit in an integer.
 1473|       |		 *
 1474|       |		 * The file-supplied resolution is a power of 2, so the
 1475|       |		 * quotient is not an integer, and neither is its
 1476|       |		 * reciprocal, so, in order to do this entirely with
 1477|       |		 * integer arithmetic, we multiply by the user-requested
 1478|       |		 * resolution and divide by the file-supplied resolution.
 1479|       |		 *
 1480|       |		 * XXX - Is there something clever we could do here,
 1481|       |		 * given that we know that the file-supplied resolution
 1482|       |		 * is a power of 2?  Doing a multiplication followed by
 1483|       |		 * a division runs the risk of overflowing, and involves
 1484|       |		 * two non-simple arithmetic operations.
 1485|       |		 */
 1486|    194|		frac *= ps->user_tsresol;
 1487|    194|		frac /= ps->ifaces[interface_id].tsresol;
 1488|    194|		break;
 1489|  2.27k|	}
 1490|       |#ifdef _WIN32
 1491|       |	/*
 1492|       |	 * tv_sec and tv_used in the Windows struct timeval are both
 1493|       |	 * longs.
 1494|       |	 */
 1495|       |	hdr->ts.tv_sec = (long)sec;
 1496|       |	hdr->ts.tv_usec = (long)frac;
 1497|       |#else
 1498|       |	/*
 1499|       |	 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
 1500|       |	 * suseconds_t in UN*Xes that work the way the current Single
 1501|       |	 * UNIX Standard specify - but not all older UN*Xes necessarily
 1502|       |	 * support that type, so just cast to int.
 1503|       |	 */
 1504|  2.27k|	hdr->ts.tv_sec = (time_t)sec;
 1505|  2.27k|	hdr->ts.tv_usec = (int)frac;
 1506|  2.27k|#endif
 1507|       |
 1508|       |	/*
 1509|       |	 * Get a pointer to the packet data.
 1510|       |	 */
 1511|  2.27k|	*data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
 1512|  2.27k|	if (*data == NULL)
  ------------------
  |  Branch (1512:6): [True: 80, False: 2.19k]
  ------------------
 1513|     80|		return (-1);
 1514|       |
 1515|  2.19k|	pcap_post_process(p->linktype, p->swapped, hdr, *data);
 1516|       |
 1517|  2.19k|	return (1);
 1518|  2.27k|}

