Description
Hi there,
I'm playing around with sysdig, with chisels in particular. My specific use case requires the biggest snap len possible when recording. I see it's 65000 bytes in kernel space as specified here:
sysdig/driver/ppm_events_public.h
Line 1547 in 9722dbc
```c
#define PPM_MAX_ARG_SIZE 65000
```
However, I noticed that `write` events with a big size always return an `evt.rawarg.data`/`BYTEBUF` with 16383 bytes at most.
I had a look at the userspace code and I found the limit here:
sysdig/userspace/libsinsp/chisel_api.cpp
Lines 127 to 128 in ecafb60
```cpp
uint32_t max_len = len < sizeof(ch->m_lua_fld_storage) ?
    len : sizeof(ch->m_lua_fld_storage) - 1;
```
sysdig/userspace/libsinsp/chisel.h
Line 156 in e404c50
```cpp
char m_lua_fld_storage[16384];
```
The user space code is protecting the buffer by dropping the last byte but, at the same time, `sizeof(m_lua_fld_storage)` is definitely smaller than its kernel counterpart `PPM_MAX_ARG_SIZE`. This prevents chisels from working correctly every time snaplen is configured to be greater than 16383 bytes.
At this point I'm wondering if there are any reasons for the mismatch, or if it's just a bug.
Thanks!
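
An added example, not code from the sysdig project or from the original post: it applies the clamp quoted above to a stand-in buffer to show how many bytes of a large `write` argument are silently dropped, and adds a compile-time check that ties the buffer size to `PPM_MAX_ARG_SIZE`. `FieldStorage`, `bytes_lost` and `holds_max_arg` are hypothetical names, and the copy and terminator that follow the clamp are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Sizes quoted in the issue.
constexpr uint32_t PPM_MAX_ARG_SIZE = 65000;  // driver/ppm_events_public.h
constexpr size_t LUA_FLD_STORAGE = 16384;     // sizeof(m_lua_fld_storage), chisel.h

// Hypothetical stand-in for the chisel field storage; the size is a template
// parameter so the current size and a kernel-matched size can be compared.
template <size_t N>
struct FieldStorage {
    char buf[N];
    // Same clamp as the quoted chisel_api.cpp lines. The copy and the NUL
    // terminator are assumed here. Returns the number of bytes kept.
    uint32_t store(const char* data, uint32_t len) {
        uint32_t max_len = static_cast<uint32_t>(len < sizeof(buf) ? len : sizeof(buf) - 1);
        if (max_len > 0) std::memcpy(buf, data, max_len);
        buf[max_len] = '\0';
        return max_len;
    }
};

// Bytes dropped without any error for an event argument of `len` bytes.
template <size_t N>
uint32_t bytes_lost(uint32_t len) {
    static FieldStorage<N> storage;       // static: keeps large buffers off the stack
    std::vector<char> payload(len, 'A');  // constructed sample data
    return len - storage.store(payload.data(), len);
}

// Compile-time guard: the storage must hold a maximum-size argument plus NUL.
template <size_t N>
constexpr bool holds_max_arg() { return N > PPM_MAX_ARG_SIZE; }
static_assert(!holds_max_arg<LUA_FLD_STORAGE>(), "16384 bytes cannot hold 65000");
static_assert(holds_max_arg<PPM_MAX_ARG_SIZE + 1>(), "65001 bytes can");

int main() {
    for (uint32_t len : {16383u, 16384u, PPM_MAX_ARG_SIZE})
        std::printf("len=%u lost=%u\n", static_cast<unsigned>(len),
                    static_cast<unsigned>(bytes_lost<LUA_FLD_STORAGE>(len)));
}
```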